KR101964412B1 - Method for diagnosing anomaly log of mobile commmunication data processing system and system thereof - Google Patents

Abstract

The present invention provides a method for diagnosing the occurrence of an anomaly log of a mobile communication data processing system which can diagnose an anomaly of a log outputted in real time by a mobile communication data processing system by using a machine learning algorithm. According to an embodiment of the present invention, the method for diagnosing the occurrence of an anomaly log of a mobile communication data processing system comprises: a second log generation step of accumulating a log collected at each first unit time to collect logs for a second unit time; a group classification step of classifying the logs for the second unit time into one or more groups based on the similarity between the logs; a sequence generation step of generating a log sequence for the second unit time based on a temporal order in which the logs are collected and the classified groups; and an anomaly diagnosis step of accumulating the log sequence to generate a log sequence matrix, and applying the generated log sequence matrix to a module which performs a machine learning algorithm to diagnose an anomaly occurrence of the mobile communication data processing system.

Description

TECHNICAL FIELD [0001] The present invention relates to a method and a system for diagnosing abnormal log generation in a mobile communication data processing system,

The present invention relates to a method for diagnosing abnormal log generation in a mobile communication data processing system and an invention related to the system, and more particularly, to a mobile communication data processing system for processing a vast amount of data, And a system and method for automatically diagnosing an abnormality by analyzing the system log through a deep running technique.

In the modern era, called the Big Data Age, various industrial groups are building and operating large-scale data processing systems. Among these, the amount of data generated by mobile communication is petabyte scale. In order to store the data generated in seconds in real time while maintaining the integrity of data, the stability of the data center is absolutely necessary.

In order to secure the stability of the data center, it is essential to operate various devices. When various devices are used, the data generated from the devices are distributed and stored. Therefore, Integrity can be ensured.

Although the normal operation and malfunction of a large number of devices (modules) can be detected through the system log generated by the corresponding device, when an existing data processing system log is measured in size and generation speed, There is a limitation that it is practically impossible to directly check the log.

In order to overcome this limitation, a method of diagnosing whether an anomaly log is outputted from a mobile communication data processing system by analyzing a log of the mobile communication data processing system by using a machine learning algorithm is known in the past, All methods are not optimized, and their utility is not high.

Here, the unoptimized method is not a problem of the machine learning module (machine) that receives the log of the mobile communication data processing system as input and performs the machine learning, It is reasonable to assume that pro-processing of logs has not been sufficient. Therefore, in order to efficiently diagnose the abnormal log of the mobile communication data processing system, it is necessary to consider a methodology for appropriately preprocessing the log input to the machine learning module.

Korean Registered Patent No. 10-1621959 (published on June, 2016)

SUMMARY OF THE INVENTION It is an object of the present invention to provide a method and system for diagnosing an abnormality of a log output by a mobile communication data processing system in real time using a machine learning algorithm.

According to another aspect of the present invention, there is provided a method of diagnosing occurrence of an abnormal log in a mobile communication data processing system, the method comprising: accumulating logs collected every first unit time, A second log generation step of collecting logs; A grouping step of classifying the logs of the second unit time into at least one cluster based on the similarity between logs; A sequence generation step of generating a log sequence for a second unit time based on the temporal order in which the logs are collected and the classified clusters; And an abnormality diagnosis step of accumulating the log sequence to generate a log sequence matrix and applying the generated log sequence matrix to a module for performing a machine learning algorithm to diagnose an abnormality of the mobile communication data processing system .

According to another aspect of the present invention, there is provided a system for diagnosing abnormal log generation in a mobile communication data processing system, the system comprising: A second log generation unit for generating logs for the first log generation unit; A cluster classifier for classifying the logs of the second unit time into at least one cluster based on the similarity between logs; A sequence generator for generating a log sequence for a second unit time based on the temporal order in which the logs are collected and the classified clusters; And an abnormality diagnosis unit for accumulating the log sequence to generate a log sequence matrix and applying the generated log sequence matrix to a module for performing a machine learning algorithm to diagnose an abnormality of the mobile communication data processing system .

An embodiment of the present invention can provide a computer-readable recording medium storing a program for executing the method.

According to the present invention, it is possible to quickly and accurately diagnose an abnormality of a log output from a mobile communication data processing system that processes a large amount of data in real time.

1 is a diagram schematically illustrating a process of diagnosing an anomaly log of a mobile communication data processing system according to the present invention.
2 is a block diagram of an example of an abnormal log diagnosis system according to the present invention.
FIG. 3 is a diagram showing an example of the log for the second unit time.
4 is a diagram showing an example of an event template preset in the cluster classification unit.
FIG. 5 is a view for explaining a process in which logs included in the log for the second unit time are classified into a cluster by the cluster classifier, and the results classified according to the process.
FIG. 6 is a flowchart illustrating an example of a method for diagnosing abnormal log generation in the mobile communication data processing system according to the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS The present invention is capable of various modifications and various embodiments, and specific embodiments are illustrated in the drawings and described in detail in the detailed description. The effects and features of the present invention and methods of achieving them will be apparent with reference to the embodiments described in detail below with reference to the drawings. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings, wherein like reference numerals refer to like or corresponding components throughout the drawings, and a duplicate description thereof will be omitted .

In the following embodiments, the terms first, second, and the like are used for the purpose of distinguishing one element from another element, not the limitative meaning.

In the following examples, the singular forms "a", "an" and "the" include plural referents unless the context clearly dictates otherwise.

In the following embodiments, terms such as inclusive or possessed mean that a feature or element described in the specification is present, and does not exclude the possibility that one or more other features or components are added in advance.

If certain embodiments are otherwise feasible, the particular process sequence may be performed differently from the sequence described. For example, two processes that are described in succession may be performed substantially concurrently, and may be performed in the reverse order of the order described.

1 is a diagram schematically illustrating a process of diagnosing an anomaly log of a mobile communication data processing system according to the present invention.

First, the mobile communication data processing system 100 communicates with a mobile terminal such as a smart phone, a tablet personal computer, etc., and communicates with at least one mobile terminal, . Since the mobile communication data processing system 100 can communicate with a large number of mobile terminals, the accumulated capacity of the system log output from the mobile communication data processing system 100 can be reduced from few bytes to several thousands of bytes petabytes) can be counted.

The mobile communication data processing system 100 may be configured to receive data from the mobile communication data processing system 100 if an error has occurred in the mobile communication data processing system 100, If there is a problem with the data received by the system 100, an operation for quickly grasping it is essential. According to the above-mentioned necessity, the mobile communication data processing system 100 outputs the system log according to a unique period, and the manager analyzes the system log 110 to monitor the operation characteristics of the mobile communication data processing system 100 .

However, in consideration of the fact that it is virtually impossible for a manager who is a natural person to completely analyze the system log 110 in real time, the system log 110 is applied to a module that performs a machine learning algorithm and is described in the system log We propose a method to detect the error.

The system log 110 is output from the mobile communication data processing system 100 and processed by the sequence template 120 into the first log sequence 130. More specifically, when the system log 110 is output from the mobile communication data processing system 100, it is collected by the sequence template 120, and the sequence template 120 is structured according to an internally defined sequence conversion policy And converts the unstructured system log 110 into the first log sequence 130.

The sequence template 120 converts the unstructured unstructured system log 110 into a form that is easy to learn through the machine learning algorithm module according to a certain conversion policy. The sequence conversion policy previously set in the sequence template 120 may be changed by the administrator as needed.

The first log sequence 130 refers to sequence information obtained by dividing the system log 110 by a specific unit time as a result of the system log 110 being converted by the sequence template 120. The same system log 110 may also be used for changing the sequence conversion policy previously set in the sequence template 120 or the output period time in which the mobile communication data processing system 100 outputs the system log 110 May be converted into a first log sequence 130 of different values each time. The first log sequence 130 functions as training data that can be learned by the machine learning algorithm module 140 and may correspond to a second log sequence 160 to be described later. Although not shown in FIG. 1, according to an embodiment, the first log sequence 130 accumulates the first log sequence 130 for several intervals before being input to the machine learning algorithm module 140 as input data, And may be further processed into a sequence matrix. The description of the output unit time and the learning data will be described later with reference to FIG.

The machine learning algorithm module 140 is a module for performing a machine learning algorithm using the first log sequence 130 as input data and is a module for not only a physical device but also a logical device implemented by a machine code or a code written in a computer language It is a concept that includes everything. The machine learning algorithm module 140 may be learned through various machine learning algorithms. For example, the machine learning algorithm module 140 may be an autoencoder module. As another example, the machine learning algorithm module 140 may be a short or long term memory encoder decoder (LSTM Encoder-Decoder) module. Since the auto-encoder and the short-term and long-term memory encoder decoders are well-known deep-learning algorithms, a further description thereof will be omitted.

The learned machine learning algorithm module 150 is a module in which the machine learning algorithm module 140 that receives the first log sequence 130 as input data undergoes an iterative learning process and performs a learning process on the first log sequence 130 . For example, if the machine learning algorithm module 140 is an auto encoder module and has learned the first log sequence 130, the learned auto-encoder module receives the first log sequence 130 at the input layer, It is possible not only to output the same value as the first log sequence 130 in the layer but also in the case where the input layer receives the first log sequence 130 with added noise, (130). That is, the auto-encoder module, which has completed learning with respect to the first log sequence 130, has a denoising function with respect to the first log sequence 130.

The second log sequence 160 is data generated from the system log output by the mobile communication data processing system 110 and is transmitted to the system log 110 at a time point different from the system log 110 described above, Means a system log generated at a point in time after a point in time when the data is output from the data processing system 110 and is changed into a log sequence by the sequence template 120. Based on the machine learning algorithm module 140, the first log sequence 130 is training data and the second log sequence 160 functions as validation data. The second log sequence 160 may also be applied to the learned machine learning algorithm module 150, further processed in log sequence matrix form, as in the first log sequence 130, according to an embodiment.

The abnormal log diagnostic system 170 monitors the process of outputting data after the learned machine learning algorithm module 150 receives the second log sequence 160 to generate the second log sequence 160 And diagnoses whether the abnormal operation of the system is recorded in the raw log of the used system (meaning mobile communication data processing system). The anomaly log diagnosis system 170 according to the present invention may be physically or logically connected to the mobile communication data processing system 100 or included in the mobile communication data processing system 100 .

An example of diagnosing that the abnormal log diagnostic system 170 outputs an abnormal log from the mobile communication data processing system 100 includes a second log sequence 160 constructed from a raw log when an abnormal condition of the system occurs, The auto encoder module outputs the same value as the second log sequence 160 while passing through the input layer, the hidden layer, and the output layer, and reconstructs the second log sequence 160 The reconstruction error value calculated in the process exceeds the threshold value. The abnormal log diagnostic system 170 can detect that the abnormal log is generated from the mobile communication data processing system 100 based on whether the threshold value is exceeded or not. Here, the threshold value can be set to a reasonable value by data accumulated by mathematical, experimental, and empirical.

2 is a block diagram of an example of an abnormal log diagnosis system according to the present invention.

2, the abnormal log diagnosis system 200 includes a second log generation unit 210, a cluster classification unit 230, a sequence generation unit 250, and an abnormality diagnosis unit 270 . 1 will be described below with reference to FIG. 1. Unless otherwise specified, the log is regarded as meaning the system log 110 in FIG.

The second log generator 210, the cluster classifier 230, the sequence generator 250 and the abnormality diagnosis unit 270 included in the abnormality log diagnosis system 200 according to the present invention include at least one processor ), Or may include at least one or more processors. Accordingly, the second log generation unit 210, the grouping unit 230, the sequence generation unit 250, and the abnormality diagnosis unit 270 are driven in a form contained in another hardware device such as a microprocessor or a general purpose computer system .

The second log generation unit 210 accumulates logs collected every first unit time and generates logs for the second unit time. The first unit time means a period in which the mobile communication data processing system 100 outputs the system log. For example, if the mobile communication data processing system 100 outputs the system log 110 every second, one second may be the first unit time. Here, one second is an example of a first unit time, and depending on the embodiment, the first unit time may be shorter or longer than one second.

The second unit time refers to the sum of the first unit times of the system logs 110 included in the log generated by accumulating the logs collected every first unit time, which is longer than the first unit time. For example, if the second log generator 210 generates a log of the second unit time by accumulating the system log 110 for 8 seconds, the first unit time and the second unit time are 1 second and 8 Seconds. According to the above example, the logs of the second unit time that can be generated in a state where the system log 110 of the mobile communication data processing system 100 is reserved for 40 seconds can be total 5 units. The second unit time is a positive integral multiple of the first unit time, and 8 seconds is an example of the second unit time, depending on the embodiment, the second unit time may be shorter or longer than 8 seconds.

The cluster classifier 230 classifies the logs for the second unit time into at least one cluster based on the similarity between logs. The community classifying unit 230 calculates the similarity between the logs according to a predetermined similarity formula after first recognizing the number of logs of the second unit time collected, . In order to perform the above process, the community classifying unit 230 previously stores a reference value for classifying the logs of the second unit time into at least one cluster based on the mathematical formula for calculating the similarity and the calculated similarity have. Hereinafter, a specific method in which the cluster classifier 230 classifies the logs of the second unit time into at least one cluster will be described.

First, the cluster classifier 230 determines the number of units of the system log 110 included in the logs for the second unit time. For example, if the second unit time is 8 seconds and the first unit time is 1 second, then the unit number of the system log 110 becomes 8, and the maximum value of the community that the cluster classifier 230 can generate 8.

The cluster classifier 230 tokenizes the system logs 110 included in the logs for the second unit time. The system log 110 output from the mobile communication data processing system 100 includes a fixed value and a variable value. The fixed value is a part that is fixedly generated by the source code constituting the system, and the variable value means a part that is dynamically generated such as an Internet protocol (IP) or a port. The cluster classifier 230 performs log parsing as a preprocessing process for the logs of the second unit time, and the characteristic information included in the log is logically divided into individual tokens .

The community classifying unit 230 may calculate the similarity for each log of the first unit time, and classify the clusters for each log of the first unit time when the similarity exceeds the threshold value.

Equations (1) and (2) are examples of mathematical equations used by the cluster classifier 230 to calculate the similarity for each log of the first unit time included in the log for the second unit time. In the equation (1), S (log _i , log _j ) is the similarity between two logs, log _i is the log of the first unit time of an arbitrary _ith , log _i | Log _i (j) means the j-th token in the log for any i-th first unit time. In Equation 2, the D function compares the tokens contained in the two logs and returns 1 if both tokens are real, all are the same word, or all are the same symbol, otherwise 0 is returned. Since the method of calculating the degree of similarity between logs is not limited to a specific method in the present invention, the grouping unit 230 may classify the degree of similarity between the logs by using a method other than Equations (1) and (2) It is obvious that it can be calculated.

FIG. 3 is a diagram showing an example of the log for the second unit time.

Referring to FIG. 3, it can be seen that the second log generation unit 210 generates a log of the second unit time by grouping four system logs output from the system every first unit time. In FIG. 3, the log number means a time sequence in which the system log is output from the mobile communication data processing system 100. For example, assuming that the first unit time is 1 second, the mobile communication data processing system 100 outputs the log 310 having the log number # 1, And outputs the log 330. Since the second unit time is determined to be a multiple of four times the first unit time, the second log generation unit 210 generates the log # 310 and the log # A log 370, and a log of the second unit time are generated by including the above four logs.

As an alternative embodiment, the cluster classifier 230 may classify the logs into different clusters at least twice according to different classification criteria. Since the cluster analysis tends to exponentially increase as the amount of log increases as the amount of log increases, the cluster classifier 230 may perform a log analysis based on a simple, The first clusters may be formed by a method of classifying the first clusters, and a second clusters may be formed based on the first clusters formed after the first clusters are formed.

The cluster classifier 230 classifies logs according to the number of log tokens as part of forming a primary cluster. For example, logs with six tokens will belong to a cluster where the token only belongs to six logs.

Then, the community classifying unit 230 classifies the primary clusters logically based on the identity of the first token of each log, when the first-class houses are formed based on the logs. For example, since the first token with the first token is 'at' and the second to 'system' can be classified from the first to the last token having six tokens, the total number of secondary clusters Is always greater than the number of primary clusters.

The cluster classification unit 230 may form a final cluster (a third cluster) by applying a similarity formula to the secondarily classified clusters based on the number of tokens and the identity of the first token. Equation 1 and Equation 2 may be used for the similarity formula, but even if the grouping unit 230 calculates the similarity in a manner other than Equations 1 and 2, it does not depart from the scope of the present invention.

After the final cluster is formed, the cluster classifier 230 classifies the messages of the logs belonging to each final cluster before extracting the log event (representative log message) from each final cluster, The Smith-Waterman algorithm can be applied. The Smith Waterman algorithm is a known algorithm, and a description of well-known methods other than those necessary for implementing the present invention will be omitted below. After the logs are classified into the final cluster by the cluster classifier 230 and the strings of the logs belonging to the respective final clusters are sorted by the Smith Waterman algorithm, a log event is defined for each cluster by a process described below.

4 is a diagram showing an example of an event template preset in the cluster classification unit.

The event template 400 according to FIG. 4 is a table that the cluster classification unit 230 transforms information stored in the log into a token through log parsing, and refers to a standard referred to in the process of classifying each log into a specific number of events , And may be changed by the administrator as needed. The event template 400 of FIG. 4 includes a first template 410, a second template 430, and a third template 450.

The first template 410 defines a log of the first unit time in which the three packet tokens are all defined as a first event after defining PacketResponder, for block blk_ and terminating of the log as tokens, respectively.

The second template 430 defines the received block blk_, of size, and from of the log as tokens, respectively, and then defines the log of the first unit time in which all three tokens exist, as the second event.

The third template 450 defines the log of the verification unit succeeding for blk_ as a token, and then defines the log of the first unit time with the token as the third event.

Although the event template 400 of FIG. 4 defines three events in total, it is apparent that the number of events defined in the event template 400 may be smaller or larger than three according to the embodiment.

FIG. 5 is a view for explaining a process in which logs included in the log for the second unit time are classified into a cluster by the cluster classifier, and the results classified according to the process.

The following description will be made with reference to Figs. 3 and 4. Fig.

The cluster classifier 230 applies the logs of the four first unit times included in the log for the second unit time of FIG. 3 to the event template 400 of FIG. The cluster classifier 230 classifies the messages stored in each log on the basis of whitespace and classifies the messages stored in the logs into the anomaly log diagnosis system 200 for the second unit time according to the events defined in the event template 400 And classifies the logs of the included first unit time into at least one or more events.

For example, in FIG. 3, logs corresponding to log number 1 and log number 2 including PacketResponder, for block blk_, and terminating are classified as the first event. In this process, the cluster classifier 230 classifies the parts not commonly included in the logs corresponding to the log numbers 1 and 2, except for the tokens commonly included, such as PacketResponder, for block blk_, and terminating It is assumed to be a variable value of the log and replaced by a predefined field value. As an example, < * > in FIG. 4 may be a predefined field value, and other predefined field values may exist in various forms.

The cluster classification unit 230 applies the log of the first unit time to the event template 400 on the basis of the remaining token after the variable value is replaced with the predefined field value, Generates the same number of events as the number of logs. The cluster classification unit 230 classifies events having the same number into the same cluster.

Referring to FIG. 5, after the variable value is defined as a predefined field value, the cluster classification unit 230, which detects that only three tokens are left, terminates the PacketResponder, for block blk_, 1, respectively. In addition, logs of log number 2 and logs of log number 4 are classified as event 1, event 2, and event 3, respectively. Logs of log number 1 and log number 2, which had the same token, And belong to the same cluster.

The cluster classifying unit 230 classifies all logs included in the log for the second unit time into two to classify the similarities, and classifies the logs whose similarity exceeds the reference value (threshold value) to belong to the same cluster. For example, if four logs are included in the log of the second unit time as shown in FIG. 3, the cluster classifier 230 calculates a total of six similarities according to a combination formula, Equation 1 and Equation 2, By comparison, at least one cluster can be classified.

If the log of the second unit time is classified into at least one of the clusters based on the degree of similarity by the cluster classifying unit 230, the sequence generating unit 250 generates a first unit A log sequence for the second unit time is generated on the basis of the collected time sequence and the group classified by the grouping unit 230.

5, the sequence generation unit 250 generates event 1, event 1, event 2, and event 3 according to the temporal order in which data is output from the mobile communication data processing system 100 , And generate a log sequence [E1, E1, E2, E3]. Here, E means an event, and the number after E means an event number. Eventually, the component of the log sequence can be understood as an event number or a cluster number, and can be converted into a log sequence vector through additional operations.

Second unit time (every 4 seconds) Log sequence Log sequence vector T1 [E1, E1, E2, E3] [2, 1, 1, 0] T2 [E1, E3, E2, E3] [1, 1, 2, 0] T3 [E1, E4, E4, E4] [1, 0, 0, 3]

Table 1 is a table showing an example of a log sequence and a log sequence vector that are generated assuming that the first unit time is 1 second and the second unit time is 4 seconds. In Table 1, in the log sequence when the second unit time is T1, event 1 occurs twice, event 2 occurs once, event 3 occurs once, and the log sequence vector is [2, 1, 1, 0 ].

As another example, since the event 1 occurs once and the event 4 occurs three times in the log sequence when the second unit time is T3, the log sequence vector becomes [1, 0, 0, 3].

The abnormality diagnosis unit 270 accumulates log sequences to generate a log sequence matrix, and applies the log sequence matrix to a module that performs a machine learning algorithm to diagnose an abnormality in the mobile communication data processing system 100.

Equation (3) is an equation representing the log sequence matrix generated by adding the log sequence vectors generated at T 1 to T 3 described in Table 1 by the abnormality diagnosis unit 270. In Equation (3), E is a log sequence matrix generated by the abnormality diagnosis unit 270, and X _{i, j, which} is an element of the log sequence matrix, indicates how many times an event j occurred in the i-th log sequence.

The abnormality diagnosis unit 270 generates a log sequence matrix as shown in Equation (3), and applies the log sequence matrix to the machine learning algorithm module. The machine learning algorithm module may be an autoencoder described in FIG. 1, and may not be limited to a specific type, and may be a machine learning algorithm module or a deep learning algorithm module other than an auto encoder.

The machine learning algorithm module can recognize the normal pattern of the log output from the mobile communication data processing system 100 by receiving the log sequence matrix from the abnormality diagnosis unit 270 and learning it as learning data. After the learning is completed, the machine learning algorithm module receives the log sequence matrix from the abnormality diagnosis unit 270 and outputs the log (more precisely, the log sequence matrix generated through the series of processes from the log) generated by the mobile communication data processing system 100 Log sequence matrix), the manager can output information that allows the administrator to recognize the anomaly of the received log.

For example, if a log sequence matrix generated from the log output from the mobile communication data processing system 100 is input to the auto-encoder module that has completed learning, a matrix identical to the log sequence matrix input from the module is output, Based on whether the reconstruction error value calculated in the process of reconstructing the matrix through a hidden layer and an output layer implemented in the auto encoder exceeds a threshold value It can be determined that an abnormal log has occurred.

According to an embodiment, the abnormality diagnosis unit 270 may include a machine learning algorithm module, and may further include a function of directly implementing an algorithm for the administrator to determine the abnormality log. In this embodiment, the abnormality diagnosis unit 270 additionally stores a threshold value for comparison with the reconstruction error value, and the threshold value may be changed by the administrator from time to time to diagnose the occurrence of the abnormality logically .

In an alternative embodiment, the abnormality diagnosis unit 270 extracts a representative pattern from a log belonging to a cluster classified by the cluster classification unit 230, and generates a representative pattern in the log sequence generated by the sequence generation unit 250 The weights generated based on the frequency of appearance may be applied to the log sequence matrix. According to the present optional embodiment, the abnormality diagnosis unit 270 applies a weight generated based on the frequency at which the representative pattern appears in the log sequence to the log sequence matrix, thereby obtaining a log sequence matrix different from the above embodiment Can be generated.

More specifically, the abnormality diagnosis unit 270 calculates a weight multiplied by the matrix value of the log sequence matrix through a series of processes, and applies the calculated weight to the log sequence matrix to calculate the log characteristic So that the learning efficiency of the machine learning algorithm module can be maximized.

Hereinafter, the meaning of the representative pattern and the calculation method of the weight will be described.

First, the representative pattern means a log event that occurs at least once in the log sequence. As an example, referring to Table 1, Event 1, Event 2, and Event 3 are possible as representative patterns at the second unit time T 1, but event 4 can not be a representative pattern. In other words, event 4 means information that does not function as a meaningful value in the log sequence for the second unit time T1.

If the representative pattern is determined to be an event in the log sequence, the abnormality diagnosis unit 270 generates a weight based on the frequency at which the representative pattern appears. The weight generated by the above method can be applied only to the representative pattern later.

Equation (4) is an example of a mathematical expression used by the abnormality diagnosis unit 270 to generate a weight. In equation (4), TFIDF denotes a weight, p _i denotes a representative pattern, e _t denotes a log sequence, E denotes a log sequence matrix, TF denotes a word frequency, and IDF denotes a reverse document frequency. In Equation (4), assuming that the representative pattern corresponding to a log event corresponds to one word, the log sequence for the second unit time corresponds to one document.

 Term Frequency (TF) is an index of how often a representative pattern appears in a log sequence. For example, the abnormality diagnosis unit 270 may search the entire log sequence for a specific second unit time, measure whether there is a log event identical to the representative pattern, and compare the measured value with a word frequency (TF) . For example, the word frequency of the representative pattern E3 at time T1 in Table 1 can be 1/4 or 1.

According to the embodiment, the abnormality diagnosis section 270 may use a unique mathematical expression to determine the word frequency.

Equation (5) is stored in advance in the abnormality diagnosis section 270 as an example of a mathematical expression used by the abnormality diagnosis section 270 to determine the word frequency of the representative pattern. In Equation (5), f _pi , e _t means the frequency of the representative pattern p _i in the log sequence e _t .

Next, the document frequency (DF) is determined by how much the representative pattern p _i appears uniformly in the log sequence matrix E, not the log sequence e _t . As an example, the abnormality diagnosis unit 270 may divide the log sequence matrix into a plurality of log sequences, measure whether the representative pattern appears completely in each log sequence, and determine the measured value as the document frequency of the representative pattern . For example, if the representative pattern is E4 in the log sequence matrix E as in Equation (3), the abnormality diagnosis unit 270 can determine the document frequency of the representative pattern E4 appearing in the third log sequence to be 1 or 1/3 .

Inverse Document Frequency (IDF) is an indicator of how uniformly a particular word appears in an e-mail. Unlike the document frequency, the larger the value, the less representative pattern appears in the log sequence matrix. As an example, the inverse document frequency can be calculated by dividing the number of log sequences constituting the log sequence matrix E by the number of log sequences including the representative pattern, and taking a log of the log sequence.

In the same context as the word frequency, depending on the embodiment, the abnormality diagnosis section 270 may use a unique mathematical expression to determine the frequency of the inverse document.

는 로그 이벤트 p_i가 출현하는 로그시퀀스의 개수를 의미한다.Equation (6) is stored in advance in the abnormality diagnosis section 270 as an example of an equation used by the abnormality diagnosis section 270 to determine the frequency of the inverse document of the representative pattern. In Equation (6), | E | denotes an absolute value of the number of log sequences included in the log sequence matrix. For example, according to Equation (3), 3 | In Equation 6,

Denotes the number of log sequences in which the log event p _i appears.

In this optional embodiment, when the word frequency TF and the inverse document frequency IDF are determined through Equations (5) and (6) as described above, by multiplying the two values, the weight the weight can be calculated. Since the weight TFIDF is a value corresponding to the representative pattern, in the case of the log sequence matrix as in Equation (3), the weight TFIDF is calculated as eight as the number of representative patterns (the number of non-zero log events included in the log sequence matrix) do. The calculated weight value TFIDF may be applied to each matrix component of the log sequence matrix, and a new log sequence matrix to which the weight value TFIDF is applied becomes the input data of the machine learning algorithm module, 100) of the log of the abnormality can be utilized.

According to another preferred embodiment of the present invention, if there is information on the temporal order of the logs generated during the second unit time, the mobile communication data processing system 100, through the LSTM-Encoder Decoder module, May be detected. When the machine learning algorithm module is set as an auto-encoder module, it is possible to detect an abnormality of a log by using the log sequence matrix as input data as it is. However, if the memory encoder decoder module is set as a machine learning algorithm module, Is required.

First, the sequence generation unit 250 generates a sequence from the logs for the third unit time, which is a positive integer multiple of the second unit time, based on the temporal order in which the logs are collected and the cluster classified by the grouping unit 230 , And generates a log sequence for the third unit time.

Third unit time The log sequence for the third unit time The third unit time log sequence vector NEW_T1 [[E1, E1, E2, E3], [E1, E3, E2, E3] [[2, 1, 1, 0], [1, 1, 2, 0]] NEW_T2 [[E1, E3, E2, E3], [E1, E4, E4, E4] [[1, 1, 2, 0], [1, 0, 0, 3]]

Table 2 shows that the sequence generation unit 250 generates a log sequence for the third unit time based on the temporal order in which the logs for the first unit time are collected and the clusters classified by the grouping unit 230 It is a table to explain the process. Hereinafter, for convenience of explanation, Table 2 is a log sequence and a loss sequence vector generated based on Table 1, and it is assumed that 8 seconds, which is twice the second unit time, is adopted as the third unit time.

The sequence generator 250 first determines the third unit time, which is a positive integral multiple of 4 seconds, in order to generate the input sequence of the short-term memory encoder decoder module after first obtaining the information according to Table 1 do. In the table 2, the third unit time is determined to be 8 seconds which is twice the second unit time. However, according to the embodiment, the sequence generation unit 250 may calculate the third unit time as a positive integer May be arbitrarily determined.

The sequence generator 250 determines a third unit time, and then generates a log sequence for the third unit time. Since the third unit time is determined to be 8 seconds, the length of the log sequence for the third unit time is twice the length of the log sequence for the second unit time in Table 1, and the length of the log sequence for the input sequence Depending on the characteristics, there are log events overlapping in the log sequence for each third unit time. As an example, the log event located at the rear of the log sequence for the first third unit time (New_T1) and the log event located at the beginning of the log sequence for the second unit time (New_T2) are both E1 and E3 , E2, and E3. In Table 2, the third unit time is set to twice the second unit time for convenience of explanation, but it may be any positive integer other than 2 according to the embodiment as described above. The sequence generator 250 may further process the log sequence for the third unit time as a log sequence vector.

Then, the abnormality diagnosis unit 270 generates a log sequence matrix by accumulating the log sequence (vector) for the third unit time, and outputs the generated log sequence matrix to the module for performing the machine learning algorithm by the short-term memory encoder decoder method Thereby diagnosing an abnormality in the mobile communication data processing system 100.

Equation (7) shows an example of a log sequence matrix generated by accumulating log sequence vectors for the third unit time by the abnormality diagnosis unit 270. [ In Equation (7), E ₃ denotes a log sequence matrix for the third unit time. More specifically, E ₃ denotes a log sequence matrix for 16 seconds obtained by accumulating the second unit time of 8 seconds twice in Table 2 . After generating the log sequence matrix as shown in Equation (7), the abnormality diagnostic unit 270 further calculates the weights of the TF and IDF and applies the calculated weights to the E ₃ , and then inputs the weighted values to the input unit of the short- and long-term memory encoder decoder module It is possible.

As an alternative embodiment, the abnormality diagnosis unit 270 may be configured to apply the log sequence matrix for the third unit time, to which the weights of TF and IDF are applied, to both the auto encoder and the short-term memory encoder decoder module The abnormal log of the mobile communication data processing system 100 may be diagnosed. This optional embodiment corresponds to an embodiment in which both an auto encoder and a short-term memory encoder decoder have a common point of learning a potential representation of data using an encoder and decoder network as an unsupervised model .

The encoder included in both models compresses the existing data and extracts the characteristics. In this process, the extracted characteristics are inputted to the decoder network existing in the hidden layer and output layer, and learned to reproduce the input data that was input to the model for the first time If the learned data and other abnormal data are input as described above, relatively high reconstruction error values are calculated in the process of reconstructing the output data in the decoder network. The abnormality diagnosis unit 270 can diagnose that the anomaly log is output from the mobile communication data processing system 100 based on whether the reconstruction error value exceeds a preset threshold value.

In this optional embodiment, the log sequence matrix for the third unit time is applied as input data to the auto encoder and short and long term memory encoder decoder modules, but in another embodiment, the log sequence matrix for the second unit time is applied to the auto encoder The abnormality diagnosis unit 270 diagnoses the occurrence of an anomaly in the mobile communication data processing system 100 through a result obtained by inputting the log sequence matrix for the third unit time as input data and the input data of the auto encoder respectively It is possible. Since the specific procedure is the same as the above-mentioned method, the following description will be omitted.

As described above, according to the present invention, in order to analyze a raw log periodically output from a mobile communication data processing system 100 for processing large-scale large-scale data using a deep learning technique, It is possible to diagnose an abnormal occurrence of the mobile communication data processing system 100 without an artificial log analysis of the manager when an abnormality occurs in the mobile communication data processing system 100. [

FIG. 6 is a flowchart illustrating an example of a method for diagnosing abnormal log generation in the mobile communication data processing system according to the present invention.

6 can be implemented by the system 200 for diagnosing abnormal log generation in the mobile communication data processing system 100 according to FIG. 2, and will be described below with reference to FIG. 2, The description overlapping with that described in FIG. 5 will be omitted.

The second log generator 210 accumulates logs collected every first unit time to generate logs for the second unit time (S610).

The cluster classifier 230 classifies the logs of the second unit time into at least one cluster based on the degree of similarity (S620).

The sequence generator 250 generates a log sequence for the second unit time based on the collected temporal order and the cluster (S630).

The abnormality diagnosis unit 270 accumulates the log sequence according to a preset method to generate a log sequence matrix (S640).

The abnormality diagnostic unit 270 applies the calculated weight to the log sequence matrix based on the log event (S650). Step S650 may be omitted depending on the embodiment.

The abnormality diagnosis unit 270 applies the log sequence matrix to the machine learning algorithm module (S660). If step S650 is not omitted, it has already been described that the weighted log sequence matrix is applied to the machine learning algorithm module in step S660, and that the machine learning algorithm module can be an auto-encoder module or a short-term memory encoder decoder module.

The abnormality diagnosis unit 270 determines whether learning of the machine learning algorithm module for the input data is completed (S670). If the learning is completed, the abnormality diagnosis unit 270 processes the new log collected every first unit time in the new section into a log sequence matrix , Inputs it to the learned machine learning algorithm module, determines whether the reconstruction error value output from the machine learning algorithm module exceeds a threshold value, and outputs the error log from the mobile communication data processing system Is output (S680). The step of processing the new log collected every first unit time in step S680 into a log sequence matrix follows steps S610 to S650 described above.

The embodiments of the present invention described above can be embodied in the form of a computer program that can be executed on various components on a computer, and the computer program can be recorded on a computer-readable medium. At this time, the medium may be a magnetic medium such as a hard disk, a floppy disk and a magnetic tape, an optical recording medium such as CD-ROM and DVD, a magneto-optical medium such as a floptical disk, , A RAM, a flash memory, and the like, which are specifically configured to store and execute program instructions.

Meanwhile, the computer program may be designed and configured specifically for the present invention or may be known and used by those skilled in the computer software field. Examples of computer programs may include machine language code such as those produced by a compiler, as well as high-level language code that may be executed by a computer using an interpreter or the like.

The specific acts described in the present invention are, by way of example, not intended to limit the scope of the invention in any way. For brevity of description, descriptions of conventional electronic configurations, control systems, software, and other functional aspects of such systems may be omitted. Also, the connections or connecting members of the lines between the components shown in the figures are illustrative of functional connections and / or physical or circuit connections, which may be replaced or additionally provided by a variety of functional connections, physical Connection, or circuit connections. Also, unless explicitly mentioned, such as &quot; essential &quot;, &quot; importantly &quot;, etc., it may not be a necessary component for application of the present invention.

The use of the terms &quot; above &quot; and similar indication words in the specification of the present invention (particularly in the claims) may refer to both singular and plural. In addition, in the present invention, when a range is described, it includes the invention to which the individual values belonging to the above range are applied (unless there is contradiction thereto), and each individual value constituting the above range is described in the detailed description of the invention The same. Finally, the steps may be performed in any suitable order, unless explicitly stated or contrary to the description of the steps constituting the method according to the invention. The present invention is not necessarily limited to the order of description of the above steps. The use of all examples or exemplary language (e.g., etc.) in this invention is for the purpose of describing the present invention only in detail and is not to be limited by the scope of the claims, It is not. It will also be appreciated by those skilled in the art that various modifications, combinations, and alterations may be made depending on design criteria and factors within the scope of the appended claims or equivalents thereof.

Claims (15)

A method for diagnosing abnormal log generation in a mobile communication data processing system,
A second log generation step of accumulating logs collected every first unit time and collecting logs of a second unit time;
A grouping step of classifying the logs of the second unit time into at least one cluster based on the similarity between logs;
A sequence generation step of generating a log sequence for a second unit time based on the temporal order in which the logs are collected and the classified clusters; And
An error diagnosis step of accumulating the log sequence to generate a log sequence matrix and diagnosing an abnormality of the mobile communication data processing system by applying the generated log sequence matrix to a module for performing a machine learning algorithm; How to diagnose abnormal log generation of communication data processing system The method according to claim 1,
Wherein the log collected every first unit time includes a fixed value and a variable value,
The community classification step may include:
And classifying the logs of the second unit time into at least one or more clusters based on the similarity between the logs in which the variable value is replaced with a specific value. How to. The method according to claim 1,
The community classification step may include:
A method for diagnosing abnormal log generation in a mobile communication data processing system, the method comprising: sorting logarithm of logs classified into the cluster based on a Smith-Waterman algorithm. The method according to claim 1,
In the abnormality diagnosis step,
Extracting a representative pattern from a log belonging to the classified group and applying a weight generated based on the frequency of appearance of the extracted representative pattern in the generated log sequence to the generated log sequence matrix. A method for diagnosing abnormal log generation in a mobile data processing system. 5. The method of claim 4,
The frequency of occurrence
Wherein the first threshold value is a value calculated based on a word frequency (TF) and an inverse document frequency (IDF). The method according to claim 1,
Wherein the second unit time is a positive integral multiple of the first unit time. The method according to claim 1,
Wherein the sequence generation step comprises:
Generating a log sequence for the third unit time from logs for a third unit time that is a positive integer multiple of the second unit time based on the temporal order in which the logs are collected and the grouped clusters,
In the abnormality diagnosis step,
A log sequence matrix is generated by accumulating the log sequence for the third unit time, and the generated log sequence matrix is applied to a module for performing a machine learning algorithm in a long-short term memory (LSTM) And diagnosing an abnormal occurrence of the mobile communication data processing system. A computer-readable recording medium storing a program for executing the method according to any one of claims 1 to 7. A system for diagnosing abnormal log generation in a mobile communication data processing system,
A second log generation unit for accumulating logs collected every first unit time to generate logs for a second unit time;
A cluster classifier for classifying the logs of the second unit time into at least one cluster based on the similarity between logs;
A sequence generator for generating a log sequence for a second unit time based on the temporal order in which the logs are collected and the classified clusters; And
And an abnormality diagnosis unit for generating a log sequence matrix by accumulating the log sequences and diagnosing an abnormality of the mobile communication data processing system by applying the generated log sequence matrix to a module for performing a machine learning algorithm, A system for diagnosing abnormal log generation in a communication data processing system. 10. The method of claim 9,
Wherein the log collected every first unit time includes a fixed value and a variable value,
Wherein,
And classifying the logs of the second unit time into at least one or more clusters based on the similarity between the logs in which the variable value is replaced with a specific value. System. 10. The method of claim 9,
Wherein,
And sorting the strings of the logs classified into the cluster based on a Smith-Waterman algorithm. 10. The method of claim 9,
The abnormality diagnosis unit,
Extracting a representative pattern from a log belonging to the classified group and applying a weight generated based on the frequency of appearance of the extracted representative pattern in the generated log sequence to the generated log sequence matrix. A system for diagnosing abnormal log generation in a mobile communication data processing system. 13. The method of claim 12,
The frequency of occurrence
(TF) and an inverse document frequency (IDF) of the mobile communication data processing system. The system for diagnosing abnormal log generation in a mobile communication data processing system according to claim 1, 10. The method of claim 9,
Wherein the second unit time is a positive integral multiple of the first unit time. 10. The method of claim 9,
Wherein the sequence generator comprises:
Generating a log sequence for the third unit time from logs for a third unit time that is a positive integer multiple of the second unit time based on the temporal order in which the logs are collected and the grouped clusters,
The abnormality diagnosis unit,
A log sequence matrix is generated by accumulating the log sequence for the third unit time, and the generated log sequence matrix is applied to a module for performing a machine learning algorithm in a long-short term memory (LSTM) Wherein the mobile communication data processing system diagnoses an abnormal occurrence of the mobile communication data processing system.

Images