KR20190104759A - System and method for intelligent equipment abnormal symptom proactive detection - Google Patents

Abstract

A system for previously detecting abnormalities in network equipment comprises: a graph similarity deriving module normalizing a plurality of resource usages collected from network equipment to generate resource usage graphs and comparing a difference between a reference resource graph selected from the resource usage graphs and the remaining resource graphs to extract at least one associated resource graph associated with the reference resource graph; a failure occurrence information storage module storing failure history information on the graph similarity deriving module and failed network device; and a failure detecting module comparing the associated resource graph with the failure history information to define an abnormality-prone equipment and comparing the resource usage graph and failure history information of the network equipment defined as the abnormality-prone equipment to detect equipment in which an abnormality is highly likely to occur, and detecting the abnormality in advance.

Description

System and method for intelligent equipment abnormal symptom proactive detection

The present invention relates to an intelligent equipment abnormal symptom proactive detection system and method.

Various detection methods have been proposed to detect network overload. In order to detect network overload, if a network device fails, an alarm is issued to the person concerned. The failure alarm is an alarm after a failure, and the service is interrupted because it is a way to solve the problem after the service of the network equipment is stopped.

In addition, network equipment personnel, advanced technicians who need to know knowledge of multiple different network devices, are required for network overload detection. In addition, in order to maintain network equipment in accordance with a changing network system such as new expansion / design, there is a problem in that a large number of high-quality manpower is constantly required.

In addition, there is a limitation that the person concerned with the network equipment can determine the relationship with the occurrence of the failure of the network equipment by checking the current state of the network resources generated from the various equipment types. In addition, there is a problem that can not determine the failure of all network equipment only by grasping the network status.

In addition, in the case of the conventional technology that detects the abnormality of the network equipment, the learning is performed based on the information of the entire resource, so that the learning time is long and the information is handed over to the related parties in a time when it is urgent to solve the abnormality of the network equipment. Have In addition, if the network device is configured in such a way that a threshold value is specified for the usage of the network equipment, and the abnormality of the network equipment is generated when the threshold is exceeded, information cannot be communicated to the related party until the usage of the network equipment exceeds the threshold. There is a problem.

Accordingly, the present invention provides a system and method for proactively detecting abnormal symptoms of intelligent equipment by learning the correlation of changes in network equipment resources.

The system for detecting in advance the abnormal symptoms of the network equipment which is one feature of the present invention for achieving the technical problem of the present invention,

Resource usage graphs are generated by normalizing a plurality of resource usages collected from a network device, and comparing the difference between the reference resource graph selected from the resource usage graphs and the remaining resource graphs and at least one association associated with the reference resource graph. A graph similarity derivation module for extracting a resource graph, a fault occurrence information storage module for storing fault history information on a faulty network device, and a fault-prone device are defined by comparing the related resource graph with the fault history information. And a failure detection module that detects the abnormal symptoms and detects the abnormal symptom by comparing the resource usage graph of the network equipment defined as the possible equipment with the failure history information.

According to the present invention, by analyzing based on the resource associations of the collected network equipment and providing the analyzed contents compared with the existing details on the abnormalities of various network equipment, it is possible to expect an improvement in network quality.

In addition, the detailed learning start time can be detected through the preceding learning method, and the abnormal response time for the network equipment can be shortened using the later learning method.

In addition, human resources can be improved by proactively detecting and providing information on newly designed and installed network equipment to help network equipment managers make decisions.

In addition, by analyzing the collected network equipment resources based on the association, it is possible to provide a system for automatically detecting network equipment abnormality information to network equipment personnel in advance.

1 is an exemplary diagram of an environment to which a prior detection system according to an embodiment of the present invention is applied.
2 is a structural diagram of a pre-detection system according to an embodiment of the present invention.
3 is a flowchart illustrating an intelligent device abnormal symptom pre-detection method according to an embodiment of the present invention.
4 is an exemplary diagram of data normalization for resource usage per device according to an embodiment of the present invention.
5 is an exemplary diagram of a resource usage graph for each device according to an embodiment of the present invention.
6 is another exemplary diagram of graphing resource usage by equipment according to an embodiment of the present invention.
7 is an exemplary diagram illustrating a graph distance based association degree for each resource with traffic according to an embodiment of the present invention.
8 is an exemplary diagram of filtered resource usage-based variation similarity analysis according to an embodiment of the present invention.
9 is an exemplary diagram of a similarity trailing analysis according to an embodiment of the present invention.
10 is an exemplary diagram of information added to an abnormal occurrence history according to an embodiment of the present invention.

DETAILED DESCRIPTION Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art may easily implement the present invention. As those skilled in the art would realize, the described embodiments may be modified in various different ways, all without departing from the spirit or scope of the present invention. In the drawings, parts irrelevant to the description are omitted in order to clearly describe the present invention, and like reference numerals designate like parts throughout the specification.

Throughout the specification, when a part is said to "include" a certain component, it means that it can further include other components, without excluding other components unless specifically stated otherwise.

In the present specification, a terminal is a mobile station (MS), a mobile terminal (MT), a subscriber station (SS), a portable subscriber station (PSS), a user device (User). It may also refer to an Equipment (UE), an Access Terminal (AT), or the like, and may include all or some functions of a mobile terminal, a subscriber station, a portable subscriber station, a user device, and the like.

Hereinafter, a system and method for detecting abnormal symptoms of intelligent equipment according to an embodiment of the present invention in advance will be described in detail.

1 is an exemplary diagram of an environment to which a prior detection system according to an embodiment of the present invention is applied.

As shown in FIG. 1, an intelligent equipment abnormality pre-detection system (hereinafter, referred to as a "pre-detection system" for convenience of description) 100 in conjunction with a plurality of network equipments 200-1 to 200-n. Collects resource usage information used in each of the network devices 200-1 to 200-n.

After analyzing the collected resource usage information, it analyzes the resource history of the sudden change in the resource history. The preliminary detection system 100 detects the possibility of a problem occurring in the network devices 200-1 to 200-n by using the information of the resource analysis previously analyzed and the resource information in which an abnormality has occurred in the existing network equipment. The preliminary detection system 100 that detects the possibility of a problem transmits information on a problem occurrence possibility to the terminal 300 possessed by a network equipment official.

The advance detection system 100 subdivides and detects the time point of occurrence of the abnormal phenomenon. And, based on the network equipment resource history that detects the similarity to the abnormal occurrence of a certain level or more, the user learns all the resources from the starting point of the rapidly changing resource change that performed the previous learning, and compares them with the existing network equipment history where the abnormality has occurred. Proactively detect network anomalies based on automated learning and similarity.

Here, the structure of the pre-detection system 100 for collecting the resource usage information used in the network devices (200-1 ~ 200-n) to analyze the resource history of the rapidly changing usage, and detect the possibility of problems It demonstrates with reference to 2.

2 is a structural diagram of a pre-detection system according to an embodiment of the present invention.

As shown in FIG. 2, the proactive detection system 100 controlled and operated by at least one processor includes a resource collection module 110, a graph similarity derivation module 120, a failure detection module 130, and an expression module ( 140, the failure occurrence information storage module 150.

The resource collection module 110 collects resource usage used by each network device from the plurality of network devices 200-1 to 200-n. The resource usage includes identification information of each network device, time information at which resource usage is collected, and various resource usages used by each network device.

In the embodiment of the present invention, the resource usage used by the network equipment includes resource usage used by the CPU, memory, and disk, which are components constituting the network equipment, resource usage used to process traffic by the network equipment, and temperature of the network equipment. A description will be given by taking an example in which a plurality of resource usages are collected due to resource usage by the server. However, it is not necessarily limited to this.

The graph similarity derivation module 120 normalizes and quantifies the resource usage collected by the resource collection module 110 to generate resource usage information. The reason for normalizing the resource usage is to represent the resource usage collected from different kinds of components as a unified number. Since the method of normalizing the resource usage by the graph similarity derivation module 120 can be performed in various ways, In the embodiment of the present invention, detailed description is omitted.

The graph similarity derivation module 120 generates a resource usage graph of the 2D plane based on the quantized resource usage information. Resource usage graphs generated for any network device include CPU graphs, memory graphs, disk I / O graphs, traffic graphs, and temperature graphs. Since the graph similarity derivation module 120 may generate the resource usage information as the resource usage graph, various descriptions are omitted in the exemplary embodiment of the present invention.

The graph similarity derivation module 120 identifies a distance difference between the traffic volume graph as a reference graph and other graphs (CPU graph, memory graph, disk I / O graph, and temperature graph) in a resource usage graph including a plurality of graphs. . In the embodiment of the present invention, a traffic graph is used as a reference graph, but is not limited thereto.

The graph similarity derivation module 120 checks the difference between the distances between the graphs and determines whether there is a graph exceeding a preset threshold distance. If there is a graph exceeding the threshold distance, only the graphs drawn at the previous time point (the first time point) and the subsequent time point (the second time point) with respect to the time point determined to exceed the threshold distance (hereinafter, referred to as a 'reference time point') To generate a distance difference graph. Here, the distance difference graph is a graph of a distance difference between the reference graph and other graphs, and is generated as a graph only from the first time point to the reference time point to the second time point.

In the distance difference graph, the graph similarity derivation module 120 checks only the graphs in which the absolute difference between each time point is smaller than a predetermined threshold value. Then, identify the components of the network equipment that collected the resource usage generated by the graph smaller than the threshold. The graph similarity derivation module 120 defines the resource usage collected by the identified network equipment components as 'associated resource' and generates an associated resource graph.

The failure detection module 130 detects the similarity by comparing the failure history graph stored in the failure occurrence information storage module 150 with the associated resource graph generated by the similarity derivation module 120. Here, the failure history graph refers to a graph generated by resource usage for a network device which has already occurred.

When the failure detection module 130 compares two graphs and detects similarity, if the distance difference between the graphs is smaller than a preset similarity threshold distance, the similarity is detected as high, but is not necessarily limited thereto. In addition, in the embodiment of the present invention, for convenience of description, it will be referred to as the 'disability detection module 130', but may be described as a concept of learning.

When the detected similarity is greater than or equal to a preset first similarity threshold, the failure detection module 130 may be configured to generate network equipment for which resource usage is collected. Equipment). In addition, the failure detection module 130 collects from the first time point Δt-1, which is a previous time point, to the second time point Δt-2, which is a later time point, based on the reference time point Δt in the equipment capable of abnormality. The resource usage graph for the total used resource usage is compared with the fault history graph.

If the graph similarity analysis of the resource usage graph and the failure graph from the first point of view is similar to the preset second similarity threshold or higher, the network equipment that is likely to cause an abnormality as a result of the subsequent analysis is described below. For convenience, it is referred to as 'anomalous potent equipment'). Here, the first similarity threshold and the second similarity threshold may or may not be the same, and are not limited to any one numerical value.

The failure detection module 130 finally compares the resource usage data of the abnormal occurrence potential equipment with the actual equipment abnormality information having the actual failure history once more. Here, the actual equipment failure information may be stored in the failure occurrence information module 150 or may be managed in a separate database.

When the resource usage graph generated by the resource usage used by the trouble-bearing power equipment coincides with the graph representing resource usage included in the fault information of the actual equipment where the actual fault occurred, the information of the network equipment corresponding to the fault-prone power equipment is matched. The collected resource usage and the graph are temporarily stored in the failure information module 150.

The expression module 140 transmits the information on the abnormal occurrence potency equipment analyzed by the failure detection module 130 and the history of the occurrence of the existing network failure, which has a high similarity, to the terminal 300 possessed by the network equipment official. In addition, the terminal 300 receives information indicating whether the warning information has developed beyond the actual network equipment.

If the warning information has developed into an abnormality of the actual network equipment, the information on the network equipment that may have an abnormality is stored in the failure occurrence information storage module 150 as a failure occurrence history.

A method of detecting in advance an abnormal symptom of an intelligent network device using the pre-detection system 100 described above will be described with reference to FIGS. 3 to 10.

3 is a flowchart illustrating an intelligent device abnormal symptom pre-detection method according to an embodiment of the present invention.

As shown in FIG. 3, the proactive detection system 100 collects resource usage used by each network device from the plurality of network devices 200-1 to 200-n. The collected resource usage is normalized and digitized (S100). Here, an example of data normalizing and quantifying resource usage of any network device among a plurality of network devices will be described with reference to FIG. 4.

4 is an exemplary diagram of data normalization for resource usage per device according to an embodiment of the present invention.

As shown in (a) of FIG. 4, resource usage, including components constituting arbitrary network equipment, resource usage for processing traffic generated from the network equipment, temperature of the network equipment, and the like, are collected over time. . In the embodiment of the present invention, the resource usage used by the CPU, the resource usage used in the memory, the resource usage used for the input / output of the disk, the traffic volume in the network equipment and the temperature of the network equipment as the resource usage will be described as an example. .

Here, the CPU, memory, disk I / O, and traffic volume are collected as a percentage of the amount of traffic used by each component in the total resource usage used by the network equipment. For example, the resource usage used by the CPU at the first time point? T-1 is 17%. The temperature of the network equipment at the first time point is 20 degrees.

The similarity derivation module 120 normalizes and quantizes the resource usage collected in FIG. 4A as shown in FIG. 4B. Since the similarity derivation module 120 normalizes and quantifies resource usage, various methods may be performed, and thus detailed descriptions thereof will be omitted.

On the other hand, as shown in Figure 3, the prior detection system 100 generates a resource usage graph using the resource usage for the plurality of network equipment (200-1 to 200-n) digitized in step S100 ( S101). An example of generating a resource usage graph with the quantified resource usage will be described with reference to FIG. 5.

5 is an exemplary diagram of a resource usage graph for each device according to an embodiment of the present invention.

FIG. 5A is a table in which resource usage is normalized and digitized. As shown in FIG. 5B, the graph similarity derivation module 120 generates a resource usage graph based on a normalized and calculated value. Here, the X axis is a time axis and the Y axis represents a normalized and calculated value.

It can be seen that the network equipment used 17pt of resources in the CPU, 26pt of resources for the traffic volume at any time Δt, and 9pt of resources were used for disk I / O. In addition, it can be seen that one network device generates a resource usage graph including a plurality of graphs.

On the other hand, as shown in Figure 3, when the resource usage graph is generated in step S101, the pre-detection system 100 compares the distance between the reference graph and the remaining graph in the resource usage graph including a plurality of graphs ( S102). In the embodiment of the present invention, a traffic graph is taken as a reference graph.

The pre-detection system 100 checks whether there is a graph in which the difference in the distance between the traffic volume graph and the other graphs exceeds the threshold at each time point at which resource usage is collected (S103). If there is no graph exceeding the threshold distance, the method continues from step S100.

However, if there is a graph exceeding the threshold distance among the plurality of graphs, the preliminary detection system 100 sets a time point exceeding the threshold distance as a reference time point, and is a time point immediately after the reference time point from the first time point immediately before the reference time point. A distance difference graph for the second time point is extracted. In addition, the associated resource graph is generated based on the distance difference graph (S104). This will be described with reference to FIGS. 6 and 7.

6 is another exemplary diagram of graphing resource usage by equipment according to an exemplary embodiment of the present invention, and FIG. 7 is an exemplary diagram illustrating a graph distance-based association diagram according to resources with traffic according to an exemplary embodiment of the present invention.

As shown in FIG. 6, the distance difference between the traffic graph and the CPU graph as the reference graph is 3pt, and the distance difference between the traffic graph and the disk in / out graph is 17pt. In the embodiment of the present invention, assuming that the threshold distance is set to 5pt, it can be seen that the distance difference between the traffic volume disk and the disk graph occurs at 5pt or more, which is the threshold distance at an arbitrary time Δt.

However, it can be seen that the distance difference between the traffic graph and the CPU graph at that point is 3pt shorter than the threshold distance. In this case, it is assumed that any time point at which the distance difference between graphs is greater than or equal to the threshold distance 5pt is Δt, and the time point Δt is the reference time point.

In this case, when the distance difference between the graphs is smaller than the threshold distance, it means that the components of the pre-detection system 100 are also changed according to the change in the traffic volume generated by the reference graph. And the distance difference between the graphs appear wider than the threshold distance means that the components of the preliminary detection system 100 are changed or not, regardless of the change in the traffic volume.

Based on the reference time point, a distance difference graph between the previous time point Δt-1 and the reference time point Δt and the distance difference between the reference time point Δt and the next time point Δt + 1 are extracted. do. Referring to FIG. 7 for a distance difference graph, FIG. 7A illustrates a distance difference between a traffic volume graph, which is a reference graph, and other graphs. And (b) of FIG. 7 is a graph of the calculated distance difference.

In the extracted graph as shown in (b) of FIG. 7, the distance difference between the traffic volume-CPU graph and the traffic volume-disk graph is smaller than the distance between the time points of the traffic volume-memory graph and the traffic volume-temperature graph. It can be seen.

For example, referring to the distance difference graph of the traffic volume-CPU graph, the first distance difference between the previous time point Δt-1 and the reference time point Δt is 1pt (8pt-9pt) and the reference time point Δ It can be seen that the second distance difference between the next time point Δt + 1 at t) is also 1pt (9pt-8pt). Assuming that the threshold distance is 1pt, it can be seen that the distance difference between the time points between the first distance difference and the second distance difference in the traffic volume-CPU graph is 0pt (1pt-1pt), which is narrower than the threshold distance.

Similarly, when looking at the distance difference graph of the traffic volume-disc graph, the first distance difference between the previous time point Δt-1 and the reference time point Δt is 4pt (13pt-17pt) and the reference time point Δt It can be seen that the second distance difference between the next time point (Δt + 1) is also 4pt (17pt-13pt). Since the threshold distance is assumed to be 1pt, it can be seen that the distance difference between the time points between the first distance difference and the second distance difference of the traffic volume-disk graph is 0pt (4pt-4pt), which is narrower than the threshold distance.

On the other hand, looking at the distance difference graph of the traffic volume-memory graph, the first distance difference between the previous time point Δt-1 and the reference time point Δt is 7pt (7pt-14pt) and the reference time point Δt It can be seen that the second distance difference between the next time point Δt + 1 at is 5pt (9pt-8pt). Since the threshold distance is assumed to be 1pt, it can be seen that the distance difference between the time points between the first distance difference and the second distance difference in the traffic volume-memory graph is 2pt (7pt-5pt), which is wider than the threshold distance.

In the distance difference graph of the traffic volume-temperature graph, the first distance difference between the previous time point Δt-1 and the reference time point Δt is 3pt (2pt-5pt) and the reference time point Δt It can be seen that the second distance difference between the next time Δt + 1 at is 5pt (5pt-0pt). Since the threshold distance is assumed to be 1pt, it can be seen that the distance difference between the time points between the first distance difference and the second distance difference in the traffic volume-memory graph is 2pt (3pt-5pt), which is wider than the threshold distance.

As such, the resource usage used in the component in which graphs in which the distance difference between viewpoints is smaller than the threshold distance is drawn is defined as the associated resource. In addition, the prior detection system 100 generates a related resource graph shown by ① in FIG.

On the other hand, as shown in Figure 3, the prior detection system 100 compares the failure history graph previously stored with the associated resource graph generated in step S104, the degree of similarity indicating how similar the associated resource graph with the failure history graph Is detected (S105). If the detected similarity is greater than the preset first similarity threshold (S106), and if the detected similarity is less than the preset first similarity threshold, the procedure after step S105 is repeated.

However, if the detected threshold is greater than the first similarity threshold set in advance, the preliminary detection system 100 defines the corresponding network equipment as an abnormally possible equipment (S107). This will be described first with reference to FIG. 8.

8 is an exemplary diagram of filtered resource usage-based variation similarity analysis according to an embodiment of the present invention.

As shown in FIG. 8, the preliminary detection system 100 compares a pre-stored fault history graph of the related resource graph generated with the related resource, and checks whether there is a fault history graph having a similar shape of the related resource graph to detect similarity. . In the exemplary embodiment of the present invention, the traffic, CPU, and disk are used as examples of related resources, but the present invention is not limited thereto.

 If the detected similarity is above a certain level, that is, comparing the failure history graph and the associated resource graph called based on the existing category, and displaying a similar type of graph, the network equipment is regarded as an abnormal occurrence that may cause an abnormality. define. Here, the category refers to a traffic amount, a CPU, and a disk detected as an associated resource, respectively.

At this time, in the embodiment of the present invention, the image of the associated resource graph is vectorized and the image of the failure history graph is also vectorized, thereby comparing the two vectors to detect similarity. However, it is not necessarily limited to this.

In FIG. 8, it can be seen that the resource usage pattern is generated in an arbitrary network device similarly to the resource usage pattern of the network device, which has occurred due to a DDoS attack, as a result of analyzing the associated resource as the filtered resource. Therefore, the preliminary detection system 100 is defined as a device in which a corresponding network device is exposed to a DDoS attack and thus a failure may occur.

Meanwhile, referring to FIG. 3, when an abnormally possible device is defined in step S107, the preliminary detection system 100 uses the total resource usage from the first time point to the second time point for the network equipment defined as the abnormally possible device. The resource usage graph for is compared with a failure history graph stored in advance (S108).

The pre-detection system 100 checks whether the similarity detected by comparing in step S108 is greater than a preset second similarity threshold value (S109). If less than the preset second similarity threshold value, the procedure after step S108 is repeated. However, if the detected threshold is greater than the second similarity threshold, the pre-detection system 100 defines the network equipment as an abnormal occurrence potent equipment (S110). This will be described first with reference to FIG. 9.

9 is an exemplary diagram of a similarity trailing analysis according to an embodiment of the present invention.

As shown in FIG. 9, the proactive detection system 100 compares the resource usage graph generated based on all resource usage of the network equipment collected before and after the reference time point with the failure history graph detected by the similarity preceding analysis. Similarity is detected whether the shape of the graph is similar to the detected disability history graph. When the detected similarity is above a certain level, the network equipment is defined as an error generating high-potential equipment that is likely to have an abnormality.

On the other hand, referring to Figure 3, after defining the error-prone potent equipment in step S110, the pre-detection system 100 is the actual out of all the actual network equipment stored in the failure information storage module 150 or an external database The similarity is confirmed by comparing the actual equipment failure information of the failure with the resource usage graph of the faulty potential network equipment once more (S111 and S112). If the compared similarity is higher than a preset threshold, the preliminary detection system 100 temporarily stores identification information, resource usage, and graphs of abnormally occurring potent equipment, and then provides an abnormal history list to the manager terminal 300. (S113, S114).

However, if the similarity is lower than the threshold value, the abnormal history list is directly provided to the manager terminal 300 without temporarily storing the data (S114). If the administrator provides a separate feedback based on the abnormal history list provided to the manager terminal 300 in step S114, the pre-detection system 100 temporarily stored information or feedback content in step S113 with the received feedback content Only the failure occurrence information storage module 150 is stored as a failure history (S115). This will be described with reference to FIG. 10.

10 is an exemplary diagram of information added to an abnormal occurrence history according to an embodiment of the present invention.

FIG. 10A illustrates an example of adding information to an abnormal occurrence history by comparing the actual equipment abnormality information with information of the potential occurrence equipment, and FIG. 10B includes feedback input from an administrator. This is an example of adding information.

If the network equipment result that is likely to cause an abnormality matches the result of the actual device abnormality, the proactive detection system 100 transmits information, resource usage, graph information, etc., of the network device that is likely to cause an error to the failure information storage module 150. Add. Based on this, it is used as reference information for detecting the failure of new network equipment later.

In addition, the information fed back from the terminal 300 of the administrator who manages the network equipment is also stored along with the information of the network equipment, resource usage, and graph information, and is used as reference information to detect the failure of the new network equipment in advance. Here, the information fed back includes information indicating whether an abnormality has occurred in the actual network equipment or whether the abnormality has not occurred.

Although the embodiments of the present invention have been described in detail above, the scope of the present invention is not limited thereto, and various modifications and improvements of those skilled in the art using the basic concepts of the present invention defined in the following claims are also provided. It belongs to the scope of rights.

Claims (4)

As a system for detecting abnormality of network equipment in advance,
Resource usage graphs are generated by normalizing a plurality of resource usages collected from a network device, and comparing the difference between the reference resource graph selected from the resource usage graphs and the remaining resource graphs and at least one association associated with the reference resource graph. Graph similarity derivation module for extracting resource graphs,
A failure information storage module for storing failure history information on a failed network device, and
An abnormal symptom is defined by comparing the associated resource graph and the failure history information, and a problem symptom is detected by comparing a resource usage graph of the network equipment defined as the abnormal capable device and the failure history information. Fault detection module to detect errors in advance
Abnormal symptoms proactive detection system comprising a. The method of claim 1,
Fault detection module,
Comparing the association resource graph with the failure history information to detect a similarity between the association resource graph and the failure history information, and when the detected similarity is higher than a preset first similarity threshold value, the network device is defined as an abnormal occurrence device. ,
Comparing the resource usage graph with the failure history information to detect a similarity between the resource usage graph and the failure history information, and when the detected similarity is higher than a second preset similarity threshold, the network equipment defined as the abnormality occurrence equipment. Anomaly detection system defined as anomalous potent equipment. The method of claim 1,
The graph similarity derivation module,
A distance difference graph includes at least one resource graph between a reference time point at which a difference between the reference resource graph and the remaining resource graphs exceeds a threshold difference and a second time point immediately after a first time point immediately after the reference time point and a second time point immediately after the reference time point. Extracted with
The abnormal symptom pre-detection system extracts an absolute distance difference from a first time point to a reference time point and an absolute distance difference from a reference time point to a second time point in the distance difference graph to the associated resource graph. The method of claim 1,
A resource collection module for collecting a plurality of resource usages for a plurality of device components constituting a network device; and
An expression module for providing information on the abnormal occurrence potent equipment detected by the failure detection module to a terminal of an administrator managing the network equipment.
Abnormal symptoms proactive detection system further comprising.

Images