KR20230030542A - AI-based facility data anomaly detection system and method using random cut forest algorithm - Google Patents

Abstract

Disclosed are an AI-based facility data anomaly detection system using the Random Cut Forest (RCF) algorithm and a method thereof. The present invention is to solve problems including a non-labeled data problem, a data imbalance problem, a detection performance problem, and a computing performance problem, which are features of facility data. Accordingly, the present invention can improve a problem that production is delayed since a facility operation is impossible and time is consumed for collecting broken components when a facility breaks down in a factory operating the facility, detect a facility breakdown in advance when a facility anomaly is detected by collecting facility data, inspect the anomaly in advance to order a component of the breakdown so as to minimize facility stop time, repair the facility, improve productivity, and prevent reduction in quality due to the breakdown, and improve a safety problem of workers and a problem of high costs caused by a severely broken facility when a severe breakdown occurs by not detecting the facility breakdown in advance.

Description

AI-based facility data anomaly detection system and method using random cut forest algorithm {AI-based facility data anomaly detection system and method using random cut forest algorithm}

The present invention detects an AI-based facility data anomaly using a random cut forest algorithm for facility data anomaly detection by utilizing an improved random cut forest algorithm based on spindle load data and robot vibration data collected from cutting facilities. It is about the system and its methods.

In general, artificial intelligence (AI)-based anomaly detection algorithms using facility data have been disclosed.

Specifically, the algorithm that dynamically configures the learning model is the Random Cut Forest Algorithm (RCF), which is used for detecting anomalies in streaming data and is installed as a major algorithm for anomaly detection by Amazon in the United States.

However, the random cut forest algorithm (RCF) is specialized in processing streaming data and goes through insertion and deletion processes to reconstruct the learning model. In this part, the amount of computational computation is large, so it takes a long time to calculate the ideal score, There was a disadvantage in that the capacity of the learning model was heavy because data was stored for each node in the bounding box for each characteristic for reconstruction (e.g. minimum value, maximum value).

On the other hand, anomaly detection for equipment data is also called "anomaly detection", and this means that if you try to apply the anomaly detection of a small amount of abnormal data and a lot of normal data to actual work, there are very few abnormal patterns to be found and most of the normal data is There are many. Therefore, since it is necessary to search through a large amount of data to find a small number of strange pattern data or quickly detect it, the value of the result is very low compared to the cost consumed.

○ [Time series data analysis and anomaly detection]

It would be convenient to think of anomaly detection as a kind of time series or sequence analysis when first grasping the concept from a technical point of view. However, it is important to note that it is not exactly the same as time series and sequence analysis in statistics.

Anomaly detection is to find a strange pattern, and the word pattern means to find something that appears different from the past flow in the time stream or different from multiple data flows, although there are things such as repeated shapes and locations.

Anomaly detection is a field of data mining, and in data mining, it is used regardless of whether it is a statistical technique, a mathematical method, or machine learning.

○ [Anomaly detection of time series data]

In time-series data, it is to find rare patterns, facts, or target entities that deviate from or show signs of departing from the general patterns of other data in the past or at a similar point in time. All common anomaly detections fall under this category.

This is because anomaly detection is important in real-time whether it detects something unusual in the present or a pattern that could create a big risk in the near future.

○ [Anomaly detection of cross section data]

Finding outliers in non-time series is mostly covered by outlier detection. There are cases where outlier detection and anomaly detection are treated the same or not distinguished, because anomaly detection can also be regarded as outlier detection in a broad sense. However, finding outliers is not included in anomaly detection, theoretically speaking.

This is because it does not mean that the outliers are abnormal. Methods for finding outliers are often covered in descriptive statistics in statistics.

○ [Anomaly Detection and Machine Learning]

Among those who are new to anomaly detection, those who have prior knowledge or have been trained in machine learning distinguish whether anomaly detection should be done with machine learning, statistical methods, or other approaches, compared to those who have no knowledge at all. often can't

In conclusion, anomaly detection can use either a machine learning algorithm or a statistical method. In anomaly detection, in fact, the means are not so important and the result is given priority. But in general, so far, supervised machine learning methods have not worked well. As for the anomaly detection technique that is most commonly used to date, statistical techniques used in statistics are used more often, and some deep learning or unsupervised learning are used.

○ [Reason for failure of anomaly detection model through machine learning]

Among those new to the problem of anomaly detection, those with knowledge of machine learning tend to use a supervised learning model for anomaly detection, but this in itself is not a wrong approach. However, in real life, there are several barriers to this approach. To put it simply, we don't try to solve the anomaly detection with this method anymore.

If you need to detect anomalies with supervised machine learning, the following thoughts will often come to your mind first.

[One]. After making the data (training set) tagged as strange and creating a model, try to detect anomalies in the new data with the created model.

[2]. We attempt to detect anomalies after creating a model by creating a learning dataset with a balanced amount of positive and negative by properly mixing previously found abnormal cases and normal data.

[3]. As an algorithm, a discriminant model is created using an algorithm such as regression or SVM, decision tree, or deep learning.

Thinking in [1], [2], and [3] is exactly the same as making classification and prediction models with machine learning techniques.

However, the problem is that there are too few cases of actual abnormal cases, so it is difficult to secure proper training data.

That is, the following problem arises.

[One]. There are very few cases that can be defined as strange. There are very few or no true data in the training set.

[2]. What people refer to as strange is very vague and is not clearly distinguished from other normal things. It is difficult to find a clear variable or feature that can be distinguished.

[3]. Circumstantial (experience), it is judged about a certain situation or data that something strange is correct, but there is no observation data to quantitatively determine it, or it is difficult to make it. It is not possible to obtain data to be used as a variable or feature that can be used when detecting, and it is inevitable to find out as a result after the fact.

From the point of view of people who prefer deep learning, there are few ground-truths, and this is because training data is sorely lacking.

Therefore, it is not realistic if it is not a model that amplifies learning data or automatically collects correct answer data. Due to this problem, algorithms such as Decision Tree, SVM, Regression, and DNN, which are commonly used to solve classification (prediction, classification) problems among supervised machine learning, are known to be difficult to use for anomaly detection.

○ [Anomaly detection through unsupervised learning]

If it is difficult to detect anomalies with supervised learning, you can try to solve the problem with unsupervised learning. The above unsupervised learning is also difficult in fact, but since anomaly detection is a problem of discrimination, it is difficult to separate and accomplish it arbitrarily like unsupervised learning. One way or another, you have to find some things that are defined as strange.

Unsupervised learning is generally unsuitable for solving problems of giving correct answers and finding similar ones. It is not strange, but we will present separately grouped clusters, but it is very difficult to create a model in which only strange groups are gathered among separated clusters.

Still, in unsupervised learning, an algorithm called Random Cut Forest has recently been known, and it is known as the model algorithm that can be used most powerfully for anomaly detection. The actual performance is generally good compared to other algorithms.

○ [Anomaly Detection through Semi-Supervised Learning]

It is probably the most powerful method among the methods using machine learning. It is a method of finding something similar using a small amount of correct answer data or expanding the learning data. The problem is that this technique itself is a very difficult technique and it takes too long to create a good model. In addition, there remains a problem of determining to what level the expanded answer data should be recognized as a correct answer.

○ [Anomaly Detection and Statistical Methods]

The reason why statistical methods are mainly used for anomaly detection is that the most basic thing that statistics deals with is to check whether or not it goes against universality. This is because “strange things” in a narrow sense refer to things that deviate from universality. Here, the deviation from universality is called an "outlier." Dealing with the outliers is all about statistics.

In order to detect anomalies through the above statistics, it is common to start from the following branches.

- Outlier detection

- Utilization of time series analysis techniques

- Use a probabilistic model (Bayesian)

The above are too numerous to list here. That is, among the models and algorithms related to the above, there is still no most powerful and good algorithm or method that can solve most of the problems.

Among the above, the best performance is known as the Bayesian model, but there is no special algorithm that stands out.

○ [Classification according to the time of occurrence of the problem of the subject]

Anomaly detection can be divided into two categories based on the time when the problem to be found occurs.

[One]. Detecting if an object's current state is abnormal

[2]. Detecting which objects are likely to cause problems in the future

The above [1] and [2] seem to be almost the same, but the difficulty is very different and the approach is very different. Until now, most of the anomaly detection in reality has dealt with the case of [1], but there are many overlaps with the field of forecasting whether there is a problem in the future mentioned in [2], and it is very difficult to predict the future. am.

The above [1] can be said to be a kind of wide-ranging monitoring, but it does not refer to a generally speaking based on a threshold, but to quickly find a variable threshold or situation different from the previous common pattern.

[2] above can be seen as part of time-series forecasting. Time-series forecasting accurately predicts what will happen in the future, but anomaly detection is much more technically challenging as it predicts whether there is a risk of anomaly in the future or an increased probability of anomaly occurring. In reality, data scientists are often asked for this, and creating such a model is not impossible, but it is actually close to fantasy.

The characteristics of objects that produce strange behavior are as follows.

- Weird pattern, but not clear

- Mixed in common, but relatively few in number

- Patterns with subtle differences that are not a problem now, but are likely to cause problems in the future

The pattern to be found in anomaly detection is often not clear. If the pattern is distinct and easily recognizable, detection can also be achieved using a combination of rule-based methods. However, the obscure or difficult to see must be found first and revealed, which itself is not easy.

○ [Abnormal Pattern]

The pattern mentioned in the anomaly is very broad, and it is ambiguous to define it. In more detail, it is as follows. Virtually all of them mean outliers.

- Things that happened very rarely in the past suddenly happen frequently

- things that cannot logically occur together or must not be represented by a logically coherent combination

- To see things that do not appear in other clusters, groups, groups, etc.

These are in fact not very different from those mentioned above.

Anomaly detection can be seen as finding outliers, but when looking for outliers, the comparison target is the past time or other similar clusters, and in many cases, a combination of these things.

○ [Difference between anomaly detection and outlier detection]

A term often seen alongside anomaly detection is outlier detection (or outlier detection). Simply put, outliers look at the positions of numbers representing objects regardless of time and find things that deviate from common objects. to find other things.

Anomaly detection is related to time series, and outliers are mostly not related to time.

In a narrow sense, it is

- Anomaly detection is to find outliers in time series data

- Outlier detection is to find outliers in cross-sectional data

○ [Approach]

The goal of anomaly detection is detection. The main goal is to find the odd one as quickly as possible.

You need to clarify and start with the following defining steps:

[One]. If you want to notice the strange, you have to define "what isn't strange," i.e. what is normal. It's obvious, but it's hard to do without a proper definition of this.

[2]. Define "unusual" as normal, then define "weird" by comparing it with the universal, and create a model to find it, or find something that matches the abnormal through analysis.

The next step is to select a detection method, which is the most difficult part because there is no set method.

Start by checking the checklist for:

[One]. Is there correct answer data for machine learning? isn't it?

[2]. Is it time series data? is not it?

[3]. Is it univariate? Is it multivariate?

[4]. Should it be a scoring model? Should it be a prediction model?

In the case of [1] above, if there is correct answer data, you can try to solve the problem through supervised learning or semi-supervised learning. It is common to proceed with the following algorithm as a candidate.

- Regression series

- Time-series series

- Decision tree series (mainly Random Forest or Monte Carlo applied series)

- Bayesian Network Series

If there is no or very little correct answer data, it is very difficult to find anomalies with classification-based machine learning algorithms.

The problem in [2] above is to distinguish between outlier detection and anomaly detection, and anomaly detection requires a lot of computation and is more difficult. Anomaly detection is generally time-series data. If it is not time series data, you can find and use various algorithms or well-known models to find outliers.

The problem of [3] above is that univariate and multivariate problems are usually problems in time series, but multivariate is very difficult because it comprehensively judges abnormal conditions by looking at all variables. Currently, there is no well-known dominant algorithm.

The problem in [4] above is whether it is enough to mark “odd” or whether to set the score for “strangeness” and adjust the accuracy and sensitivity of detection with a threshold value later. The latter is also more difficult.

○ [Definition of weirdness]

After all, in most cases, training data cannot be used, so before finding an anomalous object, it is necessary to organize the concept of what is normal and to approach it by distinguishing the normal from the normal. looking for something to get out of Numerically, anything close to the average or close to the majority is usually considered not unusual.

○ [Anomaly detection and data processing]

Algorithms are also important for the problem of anomalies, but they tend to consume a lot of calculations.

The reason why it is difficult to approach anomaly detection with machine learning is that in most cases it is not possible to create a classification model because there is no training set that can detect and define a strange pattern in reality, or it is very insufficient, so unsupervised learning However, statistical and mathematical models are created. At this time, in order to find anomalies, it is often necessary to combine and search large amounts of data in various ways.

○ [Problems with False Alarms]

If an anomaly is detected and the loss caused by the false detection is large, anomaly detection becomes a more difficult problem. All classification and prediction-related machine learning techniques face the same problem, but if the cost of false alarms is high, they require very high accuracy from the detection model, which again makes the problem more difficult.

The person giving the requirements must precisely define how much accuracy is desired and how many false alarms can be accommodated, and if not, the data scientist in charge of the task must make suggestions.

○ [Anomaly detection, fraud detection, and abuse detection]

Anomaly Detection and Fraud Detection are closely related.

However, fraud detection is broader in scope and more demanding than anomaly detection. Scammers always try very hard to stay undetected, because to find them, they have to look for oddities that haven't surfaced yet, very intermittent odd patterns, or very rare but odd patterns.

○ [Use field]

Anomaly detection is widely used in system operation, security-related systems, and process data management such as manufacturing, and can also be used for user behavior. Other than that, it can be used for most businesses. It can be said to be very broad. This is because there are many anomalies and outliers that match the values that are sought in data mining.

○ [Business Analysis]

Anomaly detection in business analytics is mostly similar to data mining problems. If you try to find problems related to anomaly detection in related realities, there are infinitely many.

○ [Sales channels with lower sales than before]

Find out whether a particular sales channel of a company that sells a certain retail product has increased or decreased in sales compared to the past or other sales channels. Once found, it can be used to determine what the problem is and take action. However, selling to consumers is not easy because there are problems with seasonal components and external components.

○ [Customers whose order volume has increased compared to before]

It can be asked if this is not an anomaly detection, but a management analysis using BI (Business Intelligence). However, it is not easy to find a customer who has not exceeded the standard but whose order volume is increasing compared to the past. Although the order volume has not increased very significantly, you will have to find out why the business of the customer is really booming. And if the number of customers with signs of further growth has increased, you will have to increase product production in advance for sales.

○ [Items whose purchase volume has increased or decreased compared to the previous time]

In a case similar to the above, although the purchase volume decreased slightly compared to the previous one, it did not fall significantly.

In addition, as application areas, [customers of shopping malls or services that show signs of leaving to other competitors], [products that are not problematic by themselves but are affected by the sale of other products], [vehicles with unusual spatial movement patterns or a mobile device user] and the like.

○ [Computer System Management]

Computer system management is one of the fields in which anomaly detection has been best applied and has developed a lot. In particular, failures of servers, storage, and network equipment are directly related to failures, and failures are often directly related to sales and operating expenses.

○ [System with increased resource usage (memory/disk IO/network IO) compared to before]

Increase in system access from IP addresses that have never been accessed (symptom of DDOS)

Systems or clusters of systems that are fine now, but will undoubtedly go down at this rate.

○ [Online Service Management]

Sign-in failure record increased compared to before

Records of previously non-occurring error codes or records that have become more frequent

Users who show movement or access patterns different from other users

○ [Process Management]

Processes that show signs of increasing defective products

There is no difference in the current defect rate, but a product line that is likely to be recalled due to the large number of defective products

equipment likely to fail

○ [Security]

Employees who relatively increased the number of handouts of confidential documents

Increased security access failures within a range that does not exceed the threshold

Slightly higher traffic than before in areas with little human access

○ [Related Algorithms and Methods]

Many people are looking for an anomaly detection algorithm, but the number of algorithms defined as anomaly detection is smaller than expected. The ones introduced below are relatively well-known algorithms, and there are many others that are used for utilization. Algorithms or methods corresponding to outliers were excluded.

○ [Twitter Anomaly Detection]

It is called Twitter Anomaly Detection, and there is an anomaly detection algorithm announced by Twitter. The official name of the algorithm is S-H-ESD, a very complicated-looking name. However, it is more commonly referred to as "Twitter Anomaly Detection Algorithm" than its official name.

○ [Statistical anomaly detection]

This cannot be called an algorithm name, but it is about anomaly detection using statistical methods used by eBay.

It is known as the prototype of the Twitter algorithm. The Twitter Anomaly Detection Algorithm is an improvement on this algorithm.

○ [Holly Twins Filter]

It is a Hol Twin Winters filter that is widely used for anomaly detection. Elastic promotes X-pack's anomaly detection algorithm, claiming that X-pack's anomaly detection performs better when compared to this algorithm (benchmark).

○ [Elastic X pack abnormality detection]

It would be more appropriate to call it an engine rather than an algorithm. It is known that various methods are mixed, and the source code is said to be open, but I can't actually find it.

○ [Robust Random Cut Forest]

The one known to perform best in unsupervised learning is the Robust Random Cut Forest, an algorithm created by Amazon. It uses the concept of the famous Ensemble Decision Tree algorithm, Random Forest.

It has many good features and has good performance, but it has the disadvantage of slow model generation. That is, learning is very slow and uses a lot of computing resources.

In other words, although the above AI-based anomaly detection algorithms apply and utilize various AI algorithms to detect anomalies in factories and facilities, there are problems in applying AI due to the characteristics of facility data as follows.

First, as data that is not labeled, a lot of data can be obtained by installing sensors such as current, vibration, and temperature in facilities and facilities, but it is very difficult to apply AI because the data is not labeled.

Second, as a data imbalance phenomenon, since most facilities and facilities are in a normal state, it is difficult to obtain abnormal data and it is difficult to create an anomaly detection learning model, resulting in data imbalance with poor detection performance.

Third, as a problem of facility data, a lot of data can be obtained by collecting data by installing sensors such as current, vibration, and temperature in facilities and facilities. However, since this data is automatically collected from sensors, normal and abnormal It is difficult to collect by labeling, and since most of the equipment and facilities are in a normal state, an imbalance of data (many normal states) occurs. When a model was created by learning with imbalanced data, it was difficult to detect abnormalities and the detection performance was poor.

Fourth, as a problem of detection performance, most companies and facility operators aim to automatically control facilities and facilities through AI abnormality detection, but when facilities and facilities are stopped due to misjudgment, productivity decreases and actual utilization occurs. it becomes difficult Therefore, errors should not occur.

Fifth, as a problem of computing performance, factories and facilities operating organizations are operating numerous facilities and facilities. Currently, a model is created to detect an anomaly of one type of equipment, and an anomaly is detected based on the model.

Registered Patent Publication No. 10-0579083 (Announcement Date 2006.05.12.) Publication No. 10-2008-0070543 (published on July 30, 2008) Registered Patent Publication No. 10-1611299 (Announcement Date 2016.04.11.) Registered Patent Publication No. 10-1776956 (Public date 2017.09.19.)

The present invention is proposed to solve the above problems, AI-based equipment using a random cut forest algorithm to solve the problem of unlabeled data, data imbalance problem, detection performance problem, and computing performance problem, which are characteristics of facility data. It is intended to provide a data anomaly detection system and its method.

The random cut forest algorithm (IRCF) applied in the embodiment of the present invention is a probability-based calculation method (optimization calculation of CoDISP) that predicts how many abnormal scores will come out when new data is inserted into the learning model instead of a method of inserting and deleting new data. ), it is possible to inherit the advantage of anomaly detection by using a dynamic model, and the advantage of significantly reducing the amount of computation by using a method of calculating only anomaly scores based on probability instead of adding and deleting nodes that consume a lot of association. It is intended to provide an AI-based equipment data anomaly detection system and method using a random cut forest algorithm with

The Ramdon Cut Forest Algorithm (IRCF) according to an embodiment of the present invention has the advantage that the learned model is relatively light because it does not have a dynamic tree, while improving detection accuracy through the future sampling method (Feature sampling method), and the same It is intended to provide an AI-based equipment data anomaly detection system and method using a random cut forest algorithm that can expect the effect of improving other problems (Deterministic anomaly score) when anomaly scores are measured with data.

An AI-based equipment data abnormality detection system using a random cut forest algorithm, which is a means for solving the problems of the present invention, diagnoses equipment failure, and includes an AI-based failure diagnosis smart sensor; a facility fault diagnosis monitoring unit that monitors a result diagnosed by the AI-based fault diagnosis smart sensor; And, a manager analysis processing unit having an improved random cut forest (IRCF) algorithm to which a probability-based calculation method is applied to analyze the result monitored by the equipment failure diagnosis monitoring unit; is to include

In addition, the AI-based fault diagnosis smart sensor and the facility fault diagnosis monitoring unit are communicatively connected through a cloud server.

In addition, a divided database and a big database are connected to the cloud server.

According to another aspect, an AI-based facility data anomaly detection method using a random cut forest algorithm, which is a problem solving means of the present invention, includes generating a learning model for anomaly detection; and an ideal score prediction and operation step of predicting an ideal score from the learning model generated in the generating step. is to include

In addition, the generating of the learning model may include pre-processing data collected from an AI-based fault diagnosis smart sensor installed in a facility; Storing preprocessed data from the preprocessing step; generating a learning model based on normal data by constructing a random tree from the preprocessed data stored from the storing step; and storing the learning model generated from the generating step. is to include

In addition, the abnormal score prediction and operation step may include pre-processing by collecting data from an AI-based fault diagnosis smart sensor installed in the facility; Calculating an ideal score (Optimize calculation of CoDISP) as data to be measured using a random cut forest algorithm (IRCF) based on the learning model stored from the storing step; and generating a facility alarm when the ideal score calculated from the calculating step is high. is to include

In addition, the random cut forest algorithm (IRCF) applies a probability-based calculation method that predicts an abnormal score using a dynamic learning model without having a dynamic tree.

- (1) 이고, 상기 학습 데이터(X) 집합에서 n(≤N)을 무작위 선택하면,

- (2) 이며, 상기 X1을 기반으로 RRC Tree를 생성하는 트리 생성 단계; According to another aspect, an AI-based facility data abnormality detection method using a random cut forest algorithm, which is a problem solving means of the present invention, normal learning data (X)

- (1), if n (≤ N) is randomly selected from the set of learning data (X),

- (2), a tree creation step of generating an RRC Tree based on the X1;

tree creation step; adding data and creating a transformation tree; removing data after calculating an outlier score (CoDISP); and obtaining an ideal score by repeating the above process to obtain a new ideal score based on the average of the ideal scores (CoDISP). is to include

The step of creating the tree is to reduce the size and speed of the tree and increase the anomaly detection effect of small-scale data, while introducing feature sampling along with data sampling when the tree is created.

Also, in the transformation tree generation step, by adding the transformed tree without generating it, only the abnormal score (CoDISP) of the data is calculated so that a high speed can be expected.

In addition, in the step of obtaining the ideal score, since the ideal score CoDISP is a value obtained probabilistically, in order to fix the value of the ideal score CoDISP, which changes each time, a probabilistic expected value of the ideal score CoDISP is used as a result value. will be used as

As such, the present invention provides a random cut forest algorithm method and system for detecting anomalies in AI-based facility data that solves the problem of unlabeled data, data imbalance, detection performance, and computing performance, which are characteristics of facility data. while improving the problem of production delays due to the time-consuming sourcing of faulty parts and failing to operate the facility if the facility breaks down in the factory that operates the facility, and collects facility data to detect facility failure in advance. It can detect abnormalities in advance, order faulty parts in advance, minimize equipment downtime, improve productivity by repairing equipment, prevent quality deterioration due to failures, and prevent equipment failures from being detected in advance. When a breakdown occurs, worker stability problems also occur, and the effect of improving the problem that the repair cost is very high due to a large failure of the facility can be expected.

The present invention has the advantage of detecting anomalies using a dynamic model by applying a probability-based calculation method (Optimize calculation of CoDISP) that predicts how many anomalies will be obtained when new data is inserted and deleted instead of inserting and deleting new data in the learning model. can be inherited as it is, and instead of adding nodes and deleting nodes that consume a lot of association, it provides an effect of significantly reducing the amount of calculation by using a method of calculating only anomaly scores based on probability.

The present invention also has the advantage that the learned model is relatively light because it does not have a dynamic tree, the detection accuracy is improved through the future sampling method (Feature sampling method), and when the abnormal score is measured with the same data, the score is It is to provide the effect of improving other problems (Deterministic anomaly score).

The effects of the present invention are not limited to the effects mentioned above, and other effects not mentioned will be clearly understood by those skilled in the art from the description of the claims.

1 is a schematic configuration diagram showing an AI-based equipment data anomaly detection system using a random cut forest algorithm as an embodiment of the present invention.
2 is a schematic configuration diagram showing a state in which a cloud server is connected to an AI-based equipment data anomaly detection system using a random cut forest algorithm according to an embodiment of the present invention.
3 is a flow chart of generating a learning model in an AI-based facility data anomaly detection method using a random cut forest algorithm according to an embodiment of the present invention.
4 is a flow chart of prediction and operation of anomaly scores in an AI-based facility data anomaly detection method using a random cut forest algorithm according to an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings.

1 is a schematic configuration diagram showing an AI-based facility data anomaly detection system using a random cut forest algorithm as an embodiment of the present invention, and FIG. 2 is an AI-based facility using a random cut forest algorithm as an embodiment of the present invention. It shows a schematic configuration diagram showing a state in which the cloud server is connected to the data anomaly detection system.

Referring to FIGS. 1 and 2, the AI-based facility data anomaly detection system using the random cut forest algorithm according to an embodiment of the present invention includes an AI-based fault diagnosis smart sensor 10, a facility fault diagnosis monitoring unit (20), the manager analysis processing unit 30 is included.

The AI-based fault diagnosis smart sensor 10 diagnoses faults in facilities.

The facility fault diagnosis monitoring unit 20 monitors a result diagnosed by the AI-based fault diagnosis smart sensor 10 .

The manager analysis processing unit 30 analyzes the result monitored by the equipment failure diagnosis monitoring unit 20 .

Here, the AI-based fault diagnosis smart sensor 10 and the facility fault diagnosis monitoring unit 20 may be connected through communication through a cloud server 40, and the cloud server 40 includes a divided database 41 And the big data base 42 can be connected.

On the other hand, the anomaly detection method implemented by the AI-based facility data anomaly detection system using the random cut forest algorithm as described above is a learning model generation step, and anomaly score prediction and operation steps, as shown in the attached FIGS. 3 and 4 that can include

As shown in the attached FIG. 3, the learning model creation step is the step of pre-processing the data collected from the AI-based fault diagnosis smart sensor 10 installed in the facility, and the pre-processed data from the pre-processing step is transferred to the cloud server 40. Storing in the database 41 and / or big data base 42 of ), constructing a random tree from the preprocessed data stored from the storing step to generate a learning model based on normal data, and generating the A step of storing the learning model generated from the step in the database 41 and/or the big data base 42 may be included.

In addition, the abnormal score prediction and operation step is, as shown in the attached FIG. 4, when data is collected from the AI-based fault diagnosis smart sensor 10 installed in the facility, it is provided through the cloud server 40 and pre-processed. , Random cut forest algorithm (IRCF ;

Product defect detection and machine abnormality detection in the production manufacturing process are performed in real time. In addition, since it is difficult to secure a lot of defective data due to the nature of sensor data collected in actual factories, it is necessary to be able to detect defects by learning only with normal data in reality. Therefore, the present invention is capable of real-time processing and aims to develop a One class classification (hereinafter OCC, or Novelty detection) anomaly detection algorithm that learns only with normal data and solves the problem with the goal of mathematical improvement.

The start of the present invention is a tree-based anomaly detection model called Isolation Forest, which is loaded in Scikit-learn and has superior performance compared to existing classical anomaly detection models.

This model utilizes a random tree and is fast and has strengths in outlier detection. However, it is difficult to apply the present invention to the intended purpose because the efficiency of detecting defects is low when learning with only normal data (Isolation forest shows high performance for outlier detection problems).

In addition, this is a Robust Random Cut Forest (Robust Random Cut Forest, introduced in ICML in 2016) that has been recently researched to overcome the masking problem, which is a problem in which a given bad sample is mistakenly judged as normal due to a colluder that makes it look normal. Hereinafter referred to as 'RRCF') was applied.

The biggest feature of the RRCF is that it has a dynamic tree structure, unlike the isolation forest. That is, the tree structure can be sequentially changed for new input even in the tree structure after learning has been completed. Due to these characteristics, it can be used for an anomaly detection problem for real-time streaming data.

In addition, unlike the anomaly detection scoring method based on the depth of the isolation forest, a scoring method called Collusive Displacement (CoDISP) is used, which plays an important role in solving the masking problem.

The present inventors confirmed that the RRCF algorithm is very effective for the sensor data OCC problem through prior research. That is, high accuracy and high AUROC values were obtained from various benchmark data including CNC current and production robot vibration data.

However, there were problems in that the speed was so slow that it was difficult to apply RRCF to real-time anomaly detection and the size of the model was large. A lot of computational cost is required to have a dynamic tree structure. That is, a relatively large amount of time is consumed in the prediction process even when learning has already been completed.

Second, the size of the model is large. In order to have a dynamic tree structure, each node of the tree must have bounding box information, which causes the size of the model to increase. In fact, to reduce the size of the model, it is also possible to consider a method of excluding bounding box information from the model and inserting training data in the inference process.

However, this method increases the computational cost because the bounding box must be recalculated at every inference step. In other words, model size has a trade off relationship with speed.

The present invention optimizes the RRCF algorithm to a level that can be used in the actual industry, studies the appropriate hyperparameters of the improved RRCF, compares and analyzes it with the existing anomaly detection algorithm, and finally the scoring method used in RRCF (Collusive Displacement) The mathematical meaning of is summarized.

RRCF is a powerful random cut forest-based anomaly detection in streams. It was introduced in Proceedings of the 33rd ICML, New York (2016), and it is a method designed to fit the isolation forest algorithm introduced in 2008 to detection of anomalies in streaming data. A common feature of isolation forest and RRCF is a random tree-based bagging ensemble model, which uses multiple (default = 100) random trees to learn and detect anomalies.

Isolation forest shows a high AUROC index for the outlier detection problem compared to conventional anomaly detection models. It also shows faster speed compared to the existing distance-based and density-based anomaly detection algorithms.

Since it uses a random sampling method, it can be effectively applied even to very large data, and has the advantage of being relatively unaffected even if there are unnecessary dimensions for actual anomaly detection. RRCF has the following differences from IF (Isolation forest).

IF (Isolation forest) is selected on a uniform distribution when selecting a feature for each binary tree branch, as shown in the attached FIG.

로서(단, E(h(x))는 모든 i당 관측치에 대한 평균 길이, c(n)은 iTree의 평균 경로 길이).That is, after selecting column (q) with a random value, the split point is designated randomly uniformly among the column (q) range (min-max), and scoring is

as (where E(h(x)) is the average length over all observations per i, and c(n) is the average path length of the iTree).

when E(h(x))→c(n), s→0.5

when E(h(x))→0, s→1

when E(h(x))→n-1, s→0

That is, referring to FIGS. 5 and 6, IF (Isolation forest) measures the anomaly score based on the depth (distance from the root node) of the sample, but in the RRCF (for the purpose of mitigating the masking problem), CoDISP Anomaly score is measured.

Isolation Forest detects defects by fixing the previously created tree and burning it to the existing tree when a new sample (test set) comes in, but RRCF detects defects in streaming data by transforming the tree with Insertion and Deletion methods.

에 있어, 상기 St로 만들어진 T(St)에서 Xt-255)를 삭제하고, Xt+1를 추가하여 새로운 판단 트리를 생성할 수 있는 것이다.For example, 256 data

, it is possible to create a new decision tree by deleting Xt-255) from T(St) made of St and adding Xt+1.

Here, T(St+1) is to create a new tree from scratch, and T'(St+1) is an addition/deletion operation performed on the St tree, and the T(St+1) and T'(St+1) The probability of 1) is different, and the T (St + 1) needs to recreate the tree every moment. The Random Cut Forest Algorithm (IRCF) is used.

16 and FIG. 16 and FIG. 17 is illustrated.

Here, the calculation of the ideal score in the calculating step uses the random cut forest algorithm (IRCF) to which a probability-based calculation method for predicting the ideal score using a dynamic learning model without having a dynamic tree is applied.

That is, in the embodiment of the present invention, in many cases, only normal data is secured and stored in the database 41 and the big database 42 through the cloud server 40, and there is no abnormal data or only a small part of the facility data is collected. . Therefore, even if abnormal data is received, there is a high possibility that the manager analysis processing unit 30 will not judge it as abnormal from the data monitored by the facility failure diagnosis and monitoring unit 20, and there may be many cases in which normal data is judged to be abnormal.

Therefore, the random cut forest algorithm of the manager analysis processing unit 30 dynamically changes the learned model by inserting abnormal data in order to detect abnormalities even when it is learned with only normal data, and detects anomalies in abnormal data to be verified When you want to do this, you insert abnormal data into the learning model to reconstruct the model and verify the abnormal data so that you can predict very high abnormal scores.

That is, the normal learning data (X) is,

; X의 내부데이터x로부터 xn번째까지 - (1)로서,

; From the internal data x of X to the xnth - (1),

If n (≤N) is randomly selected from the set of learning data (X),

- (2)이고,

- (2),

If the RRC Tree is created based on the X1, the tasks (1) and (2) above can be performed sufficiently.

Here, the number of RRC Trees, which is the result of performing (1) and (2), is called number of trees, and the collection of RRC Trees is called RRC Forest.

Therefore, the RRCF is,

로서,

as,

The point used to generate the RRC Tree is that the abnormal score (CoDISP) can be measured in a manner related to the amount of change in total depth.

Meanwhile, a modified tree may be created by adding the data P to be determined whether it is normal or not and the new data P to the tree described above by an insertion algorithm.

{T1', T2', ... ,T'}

Here, the T1' is {x ₁₍₁₎ ,... ,x _1(n) , P}, and P is used in all transformed trees.

Therefore, it is possible to calculate the outlier score (CoDISP) of P in all transformed trees and define the outlier score of P as the average value of these calculated values.

Also, P points are removed from all transformed trees, returning them to the collection of original trees.

At this time, if the process of tree creation → data addition and transformation tree creation → data removal after calculating the outlier score (CoDISP) is repeated, a new anomaly score can be obtained as the average of the outlier scores (CoDISP).

That is, while introducing feature sampling along with data sampling when creating a tree, it is possible to reduce the tree size and improve speed, and to increase the anomaly detection effect of small-scale data.

In addition, by adding the deformed tree without generating it, high speed can be expected by calculating only the outlier score (CoDISP) of the data.

In addition, since the ideal score CoDISP is a value obtained probabilistically, a probabilistic expected value of the ideal score CoDISP is used as a result value in order to fix the value of the ideal score CoDISP, which changes each time.

(1) Isolation forest.

The reasons for the slow speed and large model capacity of RRCF are as follows.

First, unlike the isolation forest, it takes time to calculate because the range of all features must be calculated every time the tree branches during training (Isolation forest randomly selects features). Also, when performing the insertion algorithm that transforms the tree by adding new samples to the existing tree, the range information (bounding box) of the feature must be stored in all internal nodes.

In other words, RRCF is an algorithm that takes a long time to train a model of data and increases the size of the model when the dimension is high.

[Equation 1]

일 때, That is, referring to the attached FIG. 14, the column selection probability

when,

이고,

ego,

After selection, the split point is designated randomly and uniformly among the column (q) range (min-max).

In addition, as shown in the attached FIG. 15, in the scoring method called Displacement (DISP), the abnormal data in Displacement (Real Time) has a large effect on the tree, and when T(s)-{x}, the sample depth of the sister node ( depth) can represent the total amount of change.

Here, the Real Time Streaming is determined by modifying the tree according to the data changing in real time. (A large number of training data can be avoided by sampling method). To solve this problem, the present invention proposes the following method.

(2) Optimize calculation of CoDISP

First, the Insertion and Deletion methods are methods of reforming a tree by adding a new sample or subtracting an existing sample, as shown in FIG. 7 . The purpose of creating a tree in this way is to process streaming data. The method of inserting the latest newly measured data and deleting the most recent data is a key method for detecting anomalies in time-series streaming data by dynamically transforming the tree.

In order to process streaming time series data, a transformed tree is needed for processing the next time series data. An important part of this tree creation process is that a different tree can be created each time as a random process in the insertion process. However, if a fixed sample is inserted and deleted, it naturally returns to the initial tree. Based on these observations, we propose a model optimization method through a method of scoring only without tree generation.

The problem is to determine whether a new incoming sample is normal or bad in a situation where normal data is obtained. The RRCF method combines the process of transforming the tree for new samples and the process of scoring. However, if the tree transformation process is not essential, the process of inserting a new sample, scoring, and then deleting can be simplified. That is, in the OCC problem, it is not necessary to change the tree into a dynamic structure and store it. Therefore, the present inventors propose a method of calculating only the CoDISP abnormality score without a tree generation process.

The insertion method transforms the existing tree by probabilistically determining whether a new sample will branch as it descends the internal node of the given tree. The present inventors optimized with an algorithm that calculates only the score of the sample in consideration of the case where the tree is branched without transforming.

(3) Feature sampling method

Feature sampling is a method of generating a tree using only those features by uniformly randomly selecting a fixed number of features (parameters) instead of using all features when creating an RRCTree as training data. For example, if the parameter is 1, one of the features is randomly selected and an RRCTree is created with only that one feature. When creating a RRCTree, features are selected randomly considering the range of features in the internal node. It has the advantage of being able to reduce the influence of small-scale features, but on the contrary, it is highly unlikely to be selected when anomaly detection must be performed on such features. Therefore, it is difficult to detect the singular value of a feature with a small scale as an anomaly. On the other hand, if the feature sampling method is used, the probability of selecting a feature with a small scale can be increased because the feature is selected uniformly random regardless of the range before tree generation.

Figure 8 compares the results of models with and without feature sampling for outliers that occur in small-scale features. Also, as described above, all internal nodes of the RRCTree store range information of each dimension, but the model size can be reduced because the number of features of the data constituting the tree is small through feature sampling. The size decreases linearly with the number of features sampled. Of course, since the size of the data matrix is reduced, speed improvement can also be expected. In addition, a few features to be selected were tested with various data and the default value was presented.

This feature sampling method can also be interpreted in other ways. In the tree generation of the IF method, each feature is regarded as independent, and the feature and cut value are determined at each node with uniform randomness. On the other hand, in the case of RRCF, features are selected considering the maximum-minimum range, which can be seen as giving different weights to each feature according to each scale.

Through the feature sampling method, the IF method and the RRCF method can be parametrized and an appropriate middle point can be found and used. For example, if the feature sampling parameter is set to 1, the tree construction method of RRCF is the same as that of IF. As the parameter is increased, RRCF follows the tree generation method considering the scale for a larger number of features.

(4) Deterministic anomaly score

Unlike IF, RRCF gives different scoring results each time for a fixed test sample. It occurs because of the random process that exists in the process of scoring after learning is complete. It is proposed to replace the random process with a deterministic process in order to give a fixed score for a fixed test sample.

When calculating an anomaly score for a new sample, an insertion algorithm is used without creating a tree. The method presented above randomly determines whether a new sample diverges at each internal node with an insertion algorithm, and calculates CoDISP when it diverges, so a different value is derived each time the anomaly score of the same data is executed.

However, the Disp has a problem in masking in which abnormal data are grouped to appear normal, as shown in FIG. 18.

On the other hand, the scoring method called Collusive Displacement (CoDISP) according to an embodiment of the present invention is calculated as shown in FIG. 19,

로서, 이상 데이터의 집합 c를 모두 제거하였을 때의 총 변화량 최대값이고, 이는 상기 x의 조상들을 마스킹을 야기하는 colluder로 간주하여 계산하기 때문이다.(x의 자매 노드에 있는 데이터 개수/1, x의 부모 노드의 자매 노드에 있는 데이터 개수/부모 노드의 크기)

, which is the maximum value of the total change when all sets of abnormal data c are removed, because it is calculated by considering the ancestors of x as colluders that cause masking. (The number of data in sister nodes of x / 1, The number of data in the sister nodes of the parent node of x/size of the parent node)

[Equation 2]

Given a tree T(S) of samples S and a point (p), it is possible to efficiently compute a random tree of T(S∪{p}), so intuitively the simultaneous distribution containing the points differs significantly from the distribution excluding them. In this case, we will label point p as abnormal, since we will be able to sketch the simultaneous distribution containing point p efficiently.

Instead of measuring the influence of the sampled data point on point p to determine the label (as measured by concepts such as expected depth), we measure the influence of p on the sampled point.

In addition, assuming that bit 0 is assigned to the left branch and bit 1 to the right branch in the tree of the random cut forest for movement quantification, one has to consider the bit specifying the point p (stores the attribute value of the point itself). except for the bits required to do so).

Thus, the number of bits required to represent a point corresponds to the depth of the tree, so given a set of points Z and a point y ∈ Z, we define f(y, Z, T) to be the depth of y in the tree T, and x Considering the tree generated by deleting T(Z-{x}), given T and x tree T(Z-{x}) is uniquely determined to be 1.

If the depth of y in T(Z-{x}) is f(y, Z-{x},T), as in the attached FIG. 20, considering the point y in subtree c, at T The bit representation represents the model complexity denoted by q0,...,qr, 0, 0,...|M(T)|. Therefore, the number of bits required to write the description of every point y intree T is |M(T)|=y∈Z f (y, Z, T ), and removing x, the new model complexity is:

where T'= T(Z-{x}) is a tree over Z-{x}, taking into account the expected change in model complexity for any model. However, since there is a many-to-one mapping from T(Z) to T(Z-{x}), we can express the second sum over T(Z) instead of T = T(Z) (T'=T(Z-{x}). }).

We define the bit displacement or displacement of point x as the increase in the model complexity of all other points. That is, we define to capture the externality introduced by x on the set Z, as T = T(Z - {x}),

The total change in model complexity is DISP(x, Z )+g(x, Z ), where g(x, Z )=T Pr [T] f (x, Z, T ) is the expected depth. Point x in any model. If we focus on larger values of DISP() instead of assuming that the anomaly corresponds to large g(), the name displacement may become clearer based on the following lemma:

However, while pointing to possible definitions of anomalies, the stated definitions are not robust against overlap or near-overlap. Considering one dense cluster and a point p far from the cluster, the displacement of p will be large. However, if there is a point q that is very close to p, the displacement of q is small when p is present. This phenomenon is called outlier masking, and since duplication and near duplication are natural, the semantics of all anomaly detection algorithms must accommodate it.

For example, in redundancy elasticity, given the notion that Waldo has a few friends who help him hide, these friends could be conspirators, in which case removing all the conspirators would change the description significantly. Specifically, instead of eliminating the point x, we eliminate the set C using x ∈ C.

where DISP(C, Z) is the concept of displacement extended to the subset denoted by T" = T(Z-C),

Without domain knowledge, it appears that the displacement should be equally attributed to all points in C. So the natural choice to determine C is max DISP(C, Z)/|C | It is subject to x ∈ C ⊆ Z, but this causes two problems.

First, there are too many subsets of C, and second, there is a high probability of using samples S ⊂ Z in the streaming setup. Therefore, assuming natural selection does not extend to samples, and to avoid both of the above problems, we must allow different C selections for different samples S, in effect allowing Waldo to collude with other members in different tests, This can motivate you to:

The collusive displacement of x denoted by CoDISP(x, Z, |S|) of point x is defined by the formula below.

CoDISP(x, Z, |S|) can be estimated efficiently.

CoDISP(x, Z, |S|) depends on |S|, but the dependency is minor. The largest sample size permitted by resource constraints can be used, and outliers can correspond to large CoDISP().

Therefore, in the method of dynamically maintaining Robust Random Cut Tree (RRCT), if RRCF(S) is the distribution for the tree by executing Definition 1 in S, the distribution RRC F(S) and p ∈ extracted from S Given T, yields T extracted from RRC F(S ∪{p}), and given T extracted from the distribution RRC F(S) and p ∈ S, yields T extracted from RRC F(S-{p}). It can be considered that T is generated.

As an example, the separation of point sets S and p using an axis-parallel cut is possible only if the minimum axis-aligned bounding box B(S) and p can be separated using an axis-parallel cut.

It also provides structural properties for the RRCF tree, which, given a particular tree, (i) new points to be deleted (respective insertions) do not separate into the first cut, and (ii) new points are deleted (respectively inserted). Inset) is separated by the first cut, noting that there are two exhaustive cases.

Then, the problem can be solved for a collection of trees (not just one tree) satisfying the above (i) and (ii), respectively, where there is a minimum bounding box B(S) whose axis is parallel to the given point p. A set S can be given as:

(i) Using the weighted isolation forest algorithm for any dimension i, the probability of choosing an axis-parallel cut in dimension i that divides S is exactly equal to the conditional probability of choosing an axis-parallel cut that divides S, ∪{p} It is conditional on not separating p at every point of S in dimension i.

(ii) Given a random tree of RRCF(S ∪{p}) and the fact that the first cut separates p at every point in S, the rest of the tree is a random tree of RRCF(S).

1. Find a node v in a tree where p is separated by T, and let u be a sibling of v.

2. Remove the parent of v (and u) and replace the parent with u (i.e. short-circuit the root path from u).

3. Updates all bounding boxes from the (new) parent upwards, this state is not necessary for deletes, but can be useful for inserts.

4. Return the modified tree T'.

Therefore, if the T is extracted from the distribution RRCF(S), the algorithm can generate a tree T randomly extracted from the probability distribution RRC F(S -{p}), and the deletion operation takes O(d) time If you delete an arbitrary point from the tree, the running time of the deletion operation is O(d) times the expected depth of the point. Likewise, deleting points that are shallower than most points in the tree can improve execution time.

The present inventors have found and suggested a method in which the same score is obtained each time it is executed in order to obtain a reliable ideal score from the user's point of view. In the insertion algorithm, the expected value is obtained using the probability that the sample diverges and CoDISP calculated when it diverges, and this decisive value is defined as expected CoDISP.

(5) Test results

In order to confirm the degree of improvement in the RRCF speed and model size, a test was conducted in the environment shown in FIG. 9 .

Speed improvement: The data is 10k vibration data collected during the production process, and the number of training data is 128. The number of random trees was also tested in various ways, such as 128, 256, and 512. As a result, the improved model is about 7.5 times faster than the previous one. If additional feature sampling is applied, it is expected to decrease more (linearly) due to the smaller data size.

Model size improvement: The data is CNC 512-dimensional current data, and the number of training data is 128. When a tree is created by applying feature sampling, as described above, the number of data to be stored in the internal node is reduced by the reduced feature. It can be seen in FIG. 10 that the model using all 512 features and the model using only 64 features decrease linearly by about 8 times.

(6) Effect on Feature sampling

The results of improving the RRCF speed and model size were introduced above, and below, we will introduce the results of improving the accuracy with the feature sampling presented in the present invention.

When creating a tree in RRCF, features are selected in proportion to the min-max range, so it is difficult to detect anomalies that exist in small scale areas. Using the feature sampling method with virtual data can confirm that this problem is solved. . Normal label data follows the following distribution with 100 dimensions.

(Expression).... (Unif (0, 10) Х 95, Unif (0, 1) Х 5)

And the bad label data follow the following distribution.

(Formula).... (Unif (0, 10) Х 95, Unif (1, 2) Х 5)

The characteristic of the data is that the min-max range of the first 95 dimensions is 10, which is larger than that of the next 5 dimensions. And the difference between normal and defective occurs later in a dimension with a small scale. Since the RRCF model using all dimensions selects only the 95th dimension before the min-max range is large, defects occurring in the 5th dimension at the end cannot be detected. The result of applying this virtual data without feature sampling (left) and four features is as follows.

(7) RRCF performance

The score comparison between the existing RRCF and the improved RRCF algorithm and the OCC problem performance comparison between the improved RRCF and IF are attached as attached codes.

compare robust random cut forest (original RRCF and abnormal score comparison)

plot robust random_cut forest (Isolation forest and OCC problem performance comparison)

(8) Reference

[1] S. Guha, N. Mishra, G. Roy, & O. Schrijvers, Robust random cut forest based anomaly detection on streams, in Proceedings of the 33rd International conference on machine learning, New York, NY, 2016 (pp. 2712-2721).

[2] Liu, Fei Tony, Ting, Kai Ming, and Zhou, Zhi-Hua. Isolation-based anomaly detection, ACM Trans. Knowl. Discov. Data, 6(1):3:1-3:39, March 2012.

[3] Liu, F. T., Ting, K. M., and Zhou, Z.-H. 2008a. Isolation Forest. In ICDM '08: Proceedings of the 2008 Eighth IEEE International Conference on Data Mining. IEEE Computer Society, 413-422.

In the above, the AI-based equipment data anomaly detection system using the random cut forest algorithm of the present invention and the technical idea of the method have been described together with the accompanying drawings, but this is an illustrative example of the most preferred embodiment of the present invention. does not limit

The present invention is not limited to the specific embodiments described above, and various modifications can be implemented by anyone having ordinary knowledge in the art to which the present invention belongs without departing from the gist of the present invention claimed in the claims. and such changes are within the scope of the claims.

10; AI-based fault diagnosis smart sensor
20; Facility fault diagnosis monitoring department
30; manager analysis processing unit
40; cloud server
41; database
42; big data base

Claims (11)

AI-based fault diagnosis smart sensor for diagnosing faults in facilities;
a facility fault diagnosis monitoring unit that monitors a result diagnosed by the AI-based fault diagnosis smart sensor; and,
a manager analysis processing unit having a random cut forest algorithm (IRCF; Improve Random Cut Forest) to which a probability-based calculation method is applied to analyze the result monitored by the equipment failure diagnosis monitoring unit; An AI-based facility data anomaly detection system using a random cut forest algorithm, characterized in that it comprises a. According to claim 1,
AI-based facility data anomaly detection system using a random cut forest algorithm, characterized in that the AI-based fault diagnosis smart sensor and the facility fault diagnosis monitoring unit are communicatively connected through a cloud server. According to claim 2,
An AI-based facility data anomaly detection system using a random cut forest algorithm, characterized in that the divided database and the big data base are connected to the cloud server. generating a learning model for anomaly detection; and,
an anomaly score prediction and operation step of predicting an ideal score from the learning model generated in the generating step; AI-based facility data anomaly detection method using a random cut forest algorithm, characterized in that it comprises a. According to claim 4,
The step of generating the learning model is,
Pre-processing the data collected from the AI-based fault diagnosis smart sensor installed in the facility;
Storing preprocessed data from the preprocessing step;
generating a learning model based on normal data by constructing a random tree from the preprocessed data stored in the storing step; and,
storing the learning model generated from the generating step; AI-based facility data anomaly detection method using a random cut forest algorithm, characterized in that it comprises a. According to claim 5,
The ideal score prediction and operation step,
Collecting and pre-processing data from AI-based fault diagnosis smart sensors installed in facilities;
Calculating an ideal score (Optimize calculation of CoDISP) as data to be measured using a random cut forest algorithm (IRCF) based on the learning model stored from the storing step; and,
generating a facility alarm when the ideal score calculated from the calculating step is high; AI-based facility data anomaly detection method using a random cut forest algorithm, characterized in that it comprises a. According to claim 6,
The random cut forest algorithm (IRCF) is an AI-based facility using a random cut forest algorithm, characterized in that a probability-based calculation method for predicting anomaly scores using a dynamic learning model without having a dynamic tree is applied. How to detect data anomalies. Normal training data (X)

- (1) is,
If n (≤N) is randomly selected from the set of learning data (X),

- is (2),
A tree creation step of generating an RRC Tree based on the X1;
adding data and creating a transformation tree;
removing data after calculating an outlier score (CoDISP); and
Obtaining an ideal score by repeating the above process to obtain a new ideal score based on the average of the ideal scores (CoDISP); AI-based facility data anomaly detection method using a random cut forest algorithm, characterized in that it comprises a. According to claim 8,
The tree generation step introduces feature sampling along with data sampling during tree generation, reducing the size and speed of the tree, and increasing the anomaly detection effect of small-scale data. An AI-based equipment data anomaly detection method using a random cut forest algorithm. According to claim 8,
In the transformation tree generation step, AI-based equipment data anomalies using a random cut forest algorithm, characterized in that by adding a deformed tree without generating it, only the outlier score (CoDISP) of the data is calculated so that a high speed can be expected. detection method. According to claim 8,
In the step of obtaining the ideal score, since the ideal score CoDISP is a value obtained probabilistically, a stochastic expected value of the ideal score CoDISP is used as a result value to fix the value of the ideal score CoDISP, which changes each time. An AI-based facility data anomaly detection method using a random cut forest algorithm, characterized in that.

Images