TWM622216U - Apparatuses for service anomaly detection and alerting - Google Patents

Abstract

An apparatus for service anomaly detection and alerting considers business operating data and system data to perform service anomaly/risk detection and alarm, and based on the operating data (for example, business operations, public information such as community, public news, etc.) and system data (for example, system software and hardware information, log) categorizes a system to be monitored that provide services to a group to determine its service characteristics. Even, in order to further improve the accuracy of detection and alarm, when detecting an abnormal behavior exist in the service, it will further determine whether the detected abnormal behavior of the service occurs in the group of the same service characteristics, and whether it is an abnormal event. Therefore, compared with the prior art, the apparatus has the beneficial technical effects of improving the efficiency of system monitoring and reducing the risk of maintenance and operation.

Description

Device for service anomaly detection and alarm

The new model relates to a detection and alarm device for analyzing whether the service of a monitored system is abnormal, and in particular to an intelligent service abnormality detection and alarm device.

In general enterprises, whether for internal or external online services, there are usually several to dozens of systems and hundreds of software and hardware modules in the server, of which daily (even every minute or second) A large number of system monitoring values or a large number of log files (Log) may be recorded. When a service or system abnormality, information security attack and other events occur, system administrators or maintenance personnel need to monitor the monitoring values and logs, etc. Do interpretation (or detection), find out the abnormal cause and eliminate it. In the maintenance and operation of traditional information technology (IT), system administrators will define the rules of abnormal events based on past experience, but with the popularization and expansion of IT infrastructure and cloud services, system architecture and maintenance As the environment becomes complex, mistakes or complex rules often trigger a large number of false alarms, leaving system administrators overwhelmed and more likely to ignore serious threats due to negligence. In addition, traditional maintenance personnel often deal with problems passively after abnormal events or signals occur.

In recent years, human-based maintenance has not only progressed to automated monitoring, but many maintenance methods, enterprises and services have introduced artificial intelligence (AI) and machine learning into IT infrastructure and maintenance management. For example, using past historical system load monitoring values (such as, but not limited to, central processing unit (CPU) usage or memory load), using machine learning to train normal system load curves and allowable values, and monitoring in real time in the future If the value deviates from the allowable value, a system alarm can be triggered to speed up maintenance and response time.

There are also technical methods that use artificial intelligence to analyze the correlation of abnormal events, analyze historical logs through technologies such as algorithms and text analysis, and group seemingly unrelated events to find out the implicit correlation of events. For example, it is found that seemingly unrelated conditions such as service page outages (recording response codes for hypertext transfer protocol errors), high CPU usage, and low page views often occur at the same time. Root Cause Analysis of incidents will enable early warning in the future to increase IT maintenance and operation efficiency.

One of the methods in the prior art can completely collect three heterogeneous data such as the device health status of the global devices in the unit, the amount of network traffic used by the unit, and various logs (including information security events), and perform correlation analysis, eliminating the need for manual comparison and search. time-consuming and trending algorithms that leverage artificial intelligence. Then, according to the collected historical data of various logs and/or the amount of network traffic used by the unit, it automatically learns to establish a dynamic benchmark, and continuously compares the various logs that come in every minute and/or the amount of data about the amount of network traffic used by the unit. , to instantly detect the number of events (Hit Count), the number of traffic packets or the abnormal sudden increase of the number of bytes (Byte), the source Internet Protocol (IP) address (usually the attack side) and the destination IP address (usually the attacked end). This method does not need to manually set the thresholds one by one, so it makes maintenance, operation and information security protection easier.

Another method in the prior art is to use machine learning algorithms to sort out events with similar behaviors after comparing each abnormal event, and automatically detect whether the latency of system services suddenly increases, whether the system error rate increases, and even Check whether the public cloud vendor's network is abnormal. This approach allows users to not need to set alarm trigger conditions, and the system will automatically monitor the platform for abnormal performance events.

The above artificial intelligence detection only collects system monitoring data of a single company or service, etc. The relevant domain knowledge of such artificial intelligence maintenance cannot be connected with the actual business operation, and it does not consider that different service systems have the same or different characteristics , so the monitoring accuracy still has room for improvement.

According to the purpose of the present invention, an embodiment of the present invention provides a device for serving abnormality detection and alarm, which includes a plurality of electrically connected hardware circuits, the hardware circuits are configured into a plurality of units, and the units Used to: receive the operation data and system data of one of the monitored systems corresponding to a service, and perform data preprocessing on the operation data and the system data of the monitored system to obtain the monitored system Multiple status parameters of the system; group each of the status parameters of the monitored system to obtain a cluster label corresponding to each of the status parameters of the monitored system; according to the status parameters of the monitored system The cluster tags group the monitored system to obtain a group number corresponding to the monitored system; detect whether the monitored system has an abnormal behavior according to at least one of the state parameters of the monitored system; and When detecting that the monitored system has the abnormal behavior, determine whether there are more than a certain number of the monitored systems in a group corresponding to the group number of the monitored system also have abnormal behavior, if the group number If the monitored systems corresponding to the group that do not exceed the specific number also behave abnormally, an alarm is generated.

The novel embodiment also provides a service anomaly detection and alarm method, which is similar to the aforementioned service anomaly detection and alarm method, but a plurality of monitored systems are grouped in advance without a related grouping step.

The novel embodiment also provides a device for detecting anomalies and issuing an alarm, which is configured with a plurality of units to execute the above-mentioned service anomaly/risk detection and alarm method, and the novel embodiment further provides a storage medium, which is used for Stores a plurality of code codes associated with the above-mentioned service abnormality detection and alarm method.

The novel embodiment also provides a plurality of computer software programs for determining the occurrence of an abnormal event in the monitored system and generating an abnormal alarm for the abnormal event.

To sum up, the service abnormality/risk detection and alarm method, the cloud device using the method, and the storage medium storing the method can accurately detect the service abnormality/risk.

In order to further understand the technology, means and effects of the present invention, reference may be made to the following detailed description and accompanying drawings, so that the purpose, features and concepts of the present invention can be fully and specifically understood. However, the following detailed description and accompanying drawings are only used to refer to and illustrate the implementation of the present invention, and are not intended to limit the present invention.

Reference will now be made in detail to exemplary embodiments of the present invention, exemplary embodiments of which are illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used in the drawings and the description to refer to the same or like parts. In addition, the practice of the exemplary embodiment is only one implementation of the design concept of the present invention, and the following examples are not intended to limit the present invention.

The prior art using artificial intelligence to detect service anomalies probably has the following technical problems: (1) It is impossible to connect with the real business operation. For example, the traffic of news websites often surges during the daily lunch break, but this surge is normal. , if managers and AI alarms regard the CPU usage and system load increase during this period as abnormal, they may issue false alarms; (2) Generally, IT monitoring values or historical logs are mostly based on a single system or a single enterprise. Facility maintenance data, different service systems have different characteristics, even similar systems may have different response monitoring records or logs for enterprises in different industries. If there is no machine for different business or service characteristics For the establishment of learning models, the correctness of preventive alarms is often insufficient; and (3) traditional AI requires a large amount of data to train models, but abnormal service conditions do not often occur, so only infrastructure and environmental data will enable machine learning If there is not enough abnormal data and labels to train the model, even if the curve of the normal service state is trained, a conservative alarm trigger threshold should be set to cope with unexpected risks.

In order to solve the above-mentioned technical problems, the novel embodiment provides a service abnormality detection and alarm method and a device and system using the method to perform service abnormality detection and alarm by considering operational data and system data, and based on operational data (for example, business operations face, public information (such as community, public news, etc.) and system data (such as system software and hardware information, operation logs) to group the monitored systems that provide services to determine their service characteristics, in order to further improve detection and alarming When an abnormality is detected, it will further determine whether the detected abnormal behavior also occurs frequently in the same service feature group, or it is a common behavior rather than a real abnormality, that is, Determine whether the detected abnormal behavior is the same or similar to the common behavior that occurs more frequently or the abnormal behavior that occurs less frequently in the same service characteristic group. Therefore, compared with the prior art, the service abnormality detection and alarm method provided by the novel embodiment and the device and system using the method have beneficial technical effects of improving system monitoring efficiency and reducing maintenance and operation risks.

In several embodiments of the present invention, the service generally refers to a digitalized service composed of software and hardware of information equipment, which includes an online business system, an enterprise operation system, etc., or the service can generally refer to a digitalized information interaction system. , such as online purchase transactions of physical or virtual goods, financial transactions, information exchange and release, uploading, browsing and downloading of audio, video, graphics, and texts. The service can be identified and reflected by the actual workload, and the data related to the service can be structured or unstructured data, wherein the data related to the service can refer to various data related to the operation or system of the service, such as Input, output, and operation data processed by the service or system, or the setting, operation, and monitoring data of the service or system itself, or data derived from the aforementioned data, etc. In several embodiments of the present invention, the collected service-related data includes operation data and system data, wherein the operation data includes the number of real-time orders (Gross Merchandise Volume, GMV for short), turnover, number of online users, and number of page views. (Page View, referred to as PV), repeat visitors (referred to as RV), number of visits (Unique Visitor, referred to as UV), number of IP addresses, traffic sources, regions, devices used, user browsing events, services At least one of website or application operation behavior and customer service call records, and system data including at least one of system log files (Log), infrastructure operation data and system indicators. Infrastructure may refer to IT equipment, its software and hardware, or the environment or structure of its software and hardware. Infrastructure operation data may refer to the energy consumption data, flow data, data of other resources of the used infrastructure, or data of the performance of the used infrastructure that the system needs to use when providing these services. . System metrics may refer to the data or performance data of the resources used by the monitored system that provides these services, such as CPU usage, memory usage, I/O counts (Read/Write PS), network outflow/inflow , Packet outflow/incoming volume, Number of machines/clusters enabled elastically, Number of swaps (Swap), Number of queries per second (Queries Per Second, QPS), Responses Per Second (RPS), database connection At least one of the number of lines and the response time of the machine, but the new model is not limited by the types of the above-mentioned operation data and system data.

First, please refer to FIG. 1 . FIG. 1 is a block diagram of an abnormality alarm system using a service abnormality detection and alarm method according to a new embodiment of the present invention. The present invention can also be applied to an on-premises system or a hybrid system of on-premises and cloud; for example, the cloud device 11 in FIG. 1 can be replaced by an on-premises system or a hybrid cloud device. The abnormality alarm system 1 of this novel embodiment includes a cloud device 11 , and a plurality of monitored systems 121 - 12N are connected to the cloud device 11 in communication, for example, directly or indirectly through wired or wireless connection. The monitored systems 121-12N may include at least one of the following: services provided by the system, workloads carried by the system, servers providing services, networks, network-related devices such as switches, gateways, etc., firewalls or storage devices Such equipment, components of such equipment such as CPU, memory, I/O ports, etc., virtual machines, containers, virtual private clouds, databases, software programs, etc. running on such equipment. The monitored systems 121-12N may include cloud equipment, ground equipment, terminal equipment, and the like. The monitored systems 121-12N may belong to a plurality of different service providers, or may belong to the same service provider, or a part of the monitored systems 121-12N may belong to one of the service providers, and the monitored systems 121-12N may belong to one of the service providers. Another part of 12N belongs to another service provider.

The monitored systems 121-12N are used to provide the above-mentioned various services, wherein the service characteristics of multiple services may not all be the same as each other. For example, the monitored systems involved in online shopping services are labeled as the same group, and the monitored systems involved in online consulting services are labeled as another same group), or interpreted through other supervised machine learning grouping methods. The service characteristics of the service can also not be known in advance, but after the data is collected, the state parameters are found through the collected data and the unsupervised machine learning grouping method is used to interpret, among which a number of state parameters include CPU usage, number of online users, and turnover. , operational data such as page views, memory usage and the number of input/output and system data. After unsupervised machine learning clustering, each cluster can be labeled, and each label can represent the service characteristics of different clusters. Labels can be automatically marked by order variables, type or category variables, index values, unique values, numbers, etc. For example, labels can be automatically obtained by stylized methods of clustering models. Labels can also have label descriptions attached. For example, clusters can be tagged or described as "live broadcast", "portal", "e-commerce platform", "forum", etc. depending on the commercial nature of the service, or as "heavy evenings", "weekends" depending on load or traffic trends Active", "Winter Period", "Office Worker Mode", etc., or flagged or described by technology type or monitoring parameters such as I/O trends, connection frequency, etc., or by characteristics of abnormal problems that have occurred in the cluster Flags or descriptions such as overload, underload, overclock, timeout, spike, etc. Multiple services marked with the same service characteristics through manual labeling in advance may also belong to groups with different service characteristics after being grouped according to data. may also belong to the same service feature group. The cloud device 11 is used to accept the operation data and system data provided by the monitored systems 121-12N, and thereby monitor whether the monitored systems 121-12N have service abnormalities, so as to achieve the purpose of service abnormality detection and alarm, wherein the operation data and the system The information can be described above, so it is not repeated here.

Please refer to FIG. 2 , which is a block diagram of a cloud device using a service abnormality detection and alarm method according to a new embodiment of the present invention. As shown in FIG. 2 , the cloud device 11 includes a data preprocessing unit 111 , a state parameter grouping unit 112 , an individual grouping unit 113 , a group comparison unit 114 and a detection unit 115 , which can be executed through hardware circuits and software programs. to realize the above-mentioned multiple functional units 111-115, but the present invention is not limited by the implementation manner of the functional units 111-115. The data preprocessing unit 111 is connected to the state parameter grouping unit 112 and the detection unit 115 by the signal, the state parameter grouping unit 112 is connected to the individual grouping unit 113 by the signal, and the individual grouping unit 113 is connected to the group comparison unit 114 by the signal. The cloud device 11 may further include an alarm unit 116 signally connected to the peer comparison unit 114 .

The data preprocessing unit 111 receives the aforementioned operational data and system data of the monitored systems 121 to 12N, and performs data preprocessing on the operational data and the system data. For example, the pre-processing is to perform text analysis on the system log file, and establish the keyword frequency at different time points, such as the access log file (Access.log) or the error log file (Error. log), there will be different keywords such as "emerg", "alert", "err", "warning" (the keywords may be different for different monitored systems), and TF-IDF (Term Frequency–Inverse Document Frequency ) to obtain the word frequency, and the obtained word frequency will be used as different status parameters later, for example, by parsing the error log file to know the memory overflow frequency or quantity. Pre-processing can also be recording infrastructure operation indicators, such as CPU usage, memory usage, and I/O numbers, or anonymizing business operation data output by customer service. The purpose of pre-processing is to obtain a plurality of state parameters of each monitored system 121-12N from operational data and system data (state parameters can be used to represent quantitative indicators of the resource usage or performance of the monitored system), so as to be used later. Perform grouping of service characteristics. In some embodiments, 1000 state parameters are to be observed, and seven days a week is used as an observation period, and each state parameter collects its parameter value in units of one minute, then each state parameter will have 7*24* 60=10080 data points (each data point has a parameter value).

The state parameter grouping unit 112 receives a plurality of state parameters of each monitored system 121-12N, and groups each state parameter (parameter value) based on the grouping model, and can assign relevant grouping labels. For example, the CPU usage of the monitored system 121 can be grouped based on the clustering model, and can be marked with corresponding cluster labels of various types. From the analysis of the clustering results, the corresponding cluster labels may represent those that are busy at night, busy in the morning, or busy at noon. Service characteristics for different CPU usage patterns. In several embodiments of the present invention, the clustering model can be periodically updated and trained according to real-time data, or it can be used after pre-training, and the training or updating of the clustering model can be performed by means of unsupervised machine learning (without pre-training). Know the type and labeling) to achieve. For example, periodically obtain the CPU usage of each monitored system 121-12N, and establish a clustering model according to K-means (K-means), Hierarchical Agglomerative Clustering (HAC) or Density-Based Clustering (DBSCAN), The CPU usage is grouped into clusters, and cluster labels can be given according to the clustering results. Training or updating a clustering model can also be implemented using supervised learning clustering algorithms (labeling known classes) such as Support Vector Machines (SVM), K-Nearest Neighbors (KNN), Decision Trees ) or Random Forests.

The individual grouping unit 113 groups the monitored systems 121 to 12N to give the monitored systems 121 to 12N corresponding group numbers (or labels, order variables, type variables, index values, unique values, etc.) The manner of grouping the monitoring systems 121-12N may be based on a grouping model and performing grouping according to a plurality of cluster labels of a plurality of state parameters of each of the monitored systems 121-12N. In some embodiments, the monitored system can be regarded as the services it provides or the workloads it carries, and the individual grouping unit 113 can be said to group these services or workloads; the monitored system can also be regarded as all Persons, customers, users, enterprises, users, service objects, etc., the individual grouping unit 113 can be said to group such owners, customers, users, enterprises, users, or service objects. For example, when a single monitored system represents a single user, the grouping of monitored systems can be regarded as a grouping of users; when a single monitored system represents a single service, the grouping of monitored systems can be regarded as a grouping of services; a single monitored system represents a single In the case of equipment or software programs, the grouping of monitored systems can be regarded as the grouping of equipment or software programs. For example, based on the clustering model, the monitored systems 121 to 12N are determined based on the cluster labels of the CPU usage, the cluster labels of the number of people online, the cluster labels of the turnover, and the cluster labels of the network outflow/inflow of the monitored systems 121 to 12N. Which groups the provided services belong to, each group can represent that the services grouped into each group have certain same or similar service characteristics, and can be given related group numbers, variables, or labels. Likewise, the models used for clustering can likewise be trained and updated with unsupervised machine learning or supervised machine learning. Without specifying service characteristics, the cluster labels of multiple state parameters can be used for unsupervised learning model training (such as K-means, HAC or DBSCAN), or, service labels for some known characteristics in advance, such as electricity. For commercial services, enterprise resource planning systems (ERP) systems, transaction systems, live broadcast systems, etc., the cluster labels of multiple state parameters of the labelled services are subjected to supervised learning model training (such as SVM, KNN, decision tree or randomization). Forest), after which there are unknown services, which can be used to group groups and summarize the service characteristics of services.

The detection unit 115 performs modeling according to a plurality of state parameters of the monitored systems 121-12N based on the model, so as to detect whether the monitored systems 121-12N are abnormal (for example, predicting that the future or current state parameters exceed the thresholds) value, or, there may be specific abnormal events in the future), where the model here can be a time series model, a historical data model and/or a risk prediction model. The historical data model of each monitored system 121-12N can be applied to multiple state parameters collected in the past using machine learning algorithms to establish a time series model under normal conditions. The algorithm used can be differential integration moving average autoregressive calculus ARIMA, Long Short Term Memory (LSTM) or Random Cut Forests (RCF). For example, a time series model of the CPU usage rate of the monitored system 121 can be established, and through the prediction of the time series model, it can be known whether the CPU usage rate is abnormal at present or may be abnormal in the future. In some embodiments, if it is known that some abnormal conditions such as system problems, information security events, and attacks have occurred that have occurred, the parameter values of multiple state parameters of the monitored system can be combined to carry out risk value annotation, so as to train the The risk prediction model of each monitored system 121-12N at a single time point, wherein the algorithm for training the risk prediction model may be random forest or extreme gradient boosting algorithm (XGBoost). For example, in the risk prediction model of the monitored system 121, the risk value of a single data can be marked according to the actual abnormal situation (the parameter observation value of this data may be CPU usage = 0.5, memory usage = 15GB) , the number of input/output = 2500, etc.), so by labeling the risk of each data in the historical data set and fitting the data set to train the risk prediction model, the monitored system can be predicted for the new data Whether 121 suffers from anomalies. A risk value sequence can be formed for these risk values, and a time series model can be trained for the risk value sequence, whereby the risk value at the next time point can be predicted. As will be explained below, by comparing the risk values predicted by the risk prediction model and the time series model, and by the determination of the cohort comparison unit 114, it can be determined whether an abnormality is encountered.

In some embodiments, for the service provided by the monitored system, for a service of a certain service characteristic, the abnormal behavior detected by the detection unit 115 may not be really abnormal, and may be in the same service characteristic group, This detected abnormal behavior will actually be judged as normal behavior within the group. Therefore, the group comparison unit 114 determines whether the detected abnormal behavior is abnormal behavior or normal behavior in the monitored system of the group with the same service characteristic (eg, the same group number). For example, the monitored systems 121, 122, 129 and 12N all provide online shopping services, and during the Mother's Day period, the number of online users of the monitored system 121 was detected as a sudden increase, so it was first judged as abnormal behavior, and Through the peer comparison unit 114, it is found that the monitored systems 122, 129 and 12N also detected a sudden increase in the number of online users. Therefore, the peer comparison unit 114 determines that the detected abnormal increase in the number of online users of the monitored system 121 is abnormal. The behavior belongs to the normal behavior in the group, so it is determined that the monitored system 121 is not abnormal. For another example, the monitored systems 123, 126 and 129 are all accounting systems, and during the tax filing period, the traffic sources of the monitored system 123 increase rapidly, and the risk prediction model is used to detect that there is a risk of being attacked, but the same group is more likely to be at risk of being attacked. The pairing unit 114 detects that the traffic sources of the monitored systems 126 and 129 also increase rapidly, so the cohort comparison unit 114 does not regard the risk of detecting a rapid increase in the traffic sources of the monitored system 121 as an abnormal event, that is, it does not. The monitored system 121 would be considered at risk of being attacked. The cloud device 11 can be signally connected to an alarm unit 116, and the alarm unit 116 can generate an abnormal alarm according to the abnormal event determined above, and can send the abnormal alarm to a terminal device (not shown) that is signally connected to the cloud device 11. , so that the terminal device displays the abnormal alarm. In this way, the cloud device 11 can avoid erroneously alerting the system administrator, making the service provider more efficient in operation.

Please refer to FIG. 3 . FIG. 3 is a flowchart of the service abnormality detection and alarm method according to the new embodiment of the present invention operating in the interpretation mode. The service abnormality detection and alarm method can be executed by the above-mentioned cloud device 11 . After training or updating each model, the cloud device 11 can operate in the interpretation mode, and perform the following steps in the interpretation mode. First, in step S31, the operation data and system data corresponding to each monitored system are received, and data preprocessing is performed to generate a plurality of state parameters of each monitored system. Then, in step S32, each state parameter of each monitored system is grouped based on the model used to group the category of each state parameter to give each state parameter of each monitored system a cluster label. Then, in step S33, based on the model for grouping the service characteristics of each service, each monitored system is grouped according to a plurality of cluster labels corresponding to a plurality of state parameters of each monitored system to give each monitored system a Group number (or another set of cluster labels).

In step S34 , based on a plurality of historical data models and/or a plurality of risk prediction models of each monitored system, whether each monitored system has abnormal behavior is detected according to a plurality of state parameters of each monitored system. If no abnormal behavior is detected, no alarm is required, and if abnormal behavior is detected, step S35 is performed. In step S35, it is determined whether the detected abnormal behavior of each monitored system is abnormal behavior or normal behavior in the group of its group number, that is, whether it is abnormal. At least a specific number of the multiple monitored systems of the number are also detected to have this abnormal behavior, where the specific number can be half, all, one quarter or half of the multiple monitored systems of the same group number. Other values, such as "1" (one monitored system in the group), "2" (two monitored systems in the group), etc. Simply put, as long as more than a certain number of monitored systems in the same group number group have the same or similar abnormal behavior detected, the detected abnormal behavior is not the real abnormal behavior in the group. It should be a normal behavior, so there is no need to alert. If the group of the same group number does not exceed the specified number of monitored systems all have the same abnormal behavior detected, then go to step S36. In step S36, an abnormal alarm is sent to a terminal device electrically connected to the cloud device 11, and the terminal device is caused to display the abnormal alarm, so as to alert the corresponding system administrator or maintenance personnel.

Next, please refer to FIG. 4 . FIG. 4 is a flowchart of the service abnormality detection and alarm method according to the novel embodiment operating in the modeling mode. The model in the interpretation mode is created by the cloud device 11 in the modeling mode, and the steps in the modeling mode are as follows. In step S41, operation data and system data corresponding to a plurality of monitored systems are received, and data preprocessing is performed to generate a plurality of state parameters of each of the plurality of monitored systems. Next, in step S42, for each state parameter, a model for grouping state parameters is established according to a plurality of the same state parameters of a plurality of monitored systems. Afterwards, in step S43, for each monitored system, each state parameter of the monitored system is grouped to give each state parameter a cluster label. Then, in step S44, a clustering model for service characteristics of the monitored systems is established according to the cluster labels of the plurality of state parameters of the plurality of monitored systems. Next, in step S45, for each state parameter of each monitored system, a model for detecting anomalies is established according to the numerical sequence of each state parameter over a period of time.

The novel embodiment also provides a storage medium, which is a non-volatile storage medium, such as a flash memory, an optical disk, or a hard disk, which stores a plurality of code codes, and the code codes can be used by a computer device read, so as to allow the computer device that reads these codes to perform the steps of the service abnormality detection and alarm method as shown in FIG. 3 and FIG. 4 .

Based on the above, a practical example is used below to illustrate. In some embodiments, if the CPU usage rate of the monitored system is greater than 80% for more than 5 minutes, the alarm will be raised, or if the same external IP connection exceeds 50 times in 1 minute, the alarm will be raised, but the threshold value often needs to be consistent with the actual system. The running business and service are related, and as the business runs, the alarm threshold value also needs to be adjusted according to different time periods, not necessarily a fixed value. In addition, as time passes and rules continue to be added, it is difficult for system administrators to clarify the relationship or logic between different rules, and system differences between systems of different services are likely to cause noise or false positives.

Therefore, the service abnormality detection and alarm method used by the system or device of the present novel embodiment can solve the above-mentioned technical problems. First of all, taking the status parameter "number of people online" as an example, the number of people online in a system that operates a certain type of e-commerce is usually large between 20 and 24 o'clock, while a certain type of news website system has a peak online number of people. Usually from 7 to 9, 12 to 13 and 18 to 21. In the stage of grouping state parameters, the grouping method of unsupervised learning can be used for each state parameter. What type of online population patterns belong to, and give corresponding cluster labels (such as order variable labels of 1, 2, 3...). Similarly, what kind of CPU usage rate of each monitored system belongs to can also be obtained by using the above-mentioned grouping method. After each cluster label of each state parameter of each monitored system is obtained, each monitored system can be grouped. In the following Tables 1 to 3, examples of the status parameter grouping and the monitored system grouping are clearly given.

Table 1: Examples of cluster labels after online population grouping time point 1 time point 2 time point 3 time point 4 time point 5 time point 6 … time point N Cluster labels for people online Monitored System #1 100 people 2 people 4 people 5-people 111 people 121 people … 4 people 1 Monitored System #2 101 people 6 people 3 people 5-people 100 people 151 people … 4 people 1 Monitored System #3 0 people 55 people 55 people 55 people 0 people 0 people … 7 people 6 Monitored System #4 21 people 22 people 19 people 18 people 20 people 23 people … 21 people 7 … … … … … … … … … … Monitored System#N 80 people 77 people 75 people 4 people 3 people 0 people … 0 people 3

Table 2: Example of cluster labels after CPU usage clustering time point 1 time point 2 time point 3 time point 4 time point 5 time point 6 … time point N Cluster label for CPU usage Monitored System #1 55% 3% 6% 50% 9% 54% … 51% 9 Monitored System #2 50% 3% 4% 57% 9% 51% … 45% 9 Monitored System #3 3% 3% 3% 20% 40% 80% … 88% 2 Monitored System #4 20% twenty two% twenty one% twenty two% twenty one% twenty one% … twenty two% 1 … … … … … … … … … … Monitored System#N 50% 49% 49% 3% 1% 1% … 1% 3

Table 3: Examples of each monitored system grouping Cluster labels for people online Cluster label for CPU usage … Cluster labels for page views Cluster labels for turnover group number Monitored System #1 1 9 … 4 5 1 Monitored System #2 1 9 … 4 6 1 Monitored System #3 6 2 … 1 1 4 Monitored System #4 7 1 … 2 2 5 … … … … … … Monitored System#N 3 3 … 2 2 3

As an example in the above table, the cluster labels of the state parameters of the monitored system #1 and the monitored system #2 are similar, so they are given the same group number to indicate that they are classified into groups with the same service characteristics. Next, the observed values of the online population and CPU usage of the monitored system #1 in the future can be compared with the predicted values of the historical data model and/or the risk prediction model of the online population and CPU usage to detect the online population and CPU usage. Whether the usage is behaving abnormally. If any state parameter has abnormal behavior, compare the number of online users or CPU usage of each monitored system in the group with group number 1 (ie, other monitored systems in the group) to see if abnormal behavior is also detected. , if not, it means that the detected abnormal behavior of the number of people online or the CPU usage of the monitored system #1 is an abnormal event in the group, and the system administrator or maintenance personnel of the monitored system #1 needs to be alerted . Furthermore, when the detected abnormal behavior of the number of people online or the CPU usage rate of the monitored system #1 is regarded as an abnormal event, the abnormal data or the historical data before the abnormal occurrence can be used to train another historical data. A model or risk prediction model to allow the same group of monitored systems to use this historical data model or risk prediction model to detect anomalies.

Based on the above, in some embodiments, the operational data and system data corresponding to the plurality of monitored systems are still received and subjected to data preprocessing to generate a plurality of state parameters for each of the plurality of monitored systems. However, multiple monitored systems are pre-grouped manually, or grouped by unsupervised learning grouping methods. For each monitored system, a risk value is marked on the parameter value combination of multiple state parameters of the monitored system according to whether or not actual abnormal behaviors occurred in the past (eg, hacking, service interruption, system downtime, etc.). In one embodiment, it is known that the CPU usage of a monitored system is 0.6 when hacked, its memory usage is 20 GB, and its input/output quantity is 3000, then the data can be Label the risk value as 1. For other data without abnormal occurrence, the risk value is marked as 0. Next, a machine learning algorithm (eg XGBoost) is used to establish (train) a risk prediction model of the monitored system according to the data marked with the risk value, and the risk prediction model can predict the risk value at a future time point. Incidentally, the risk prediction model of the monitored system may be cyclical, or change after a long period of time, or after specific events (such as system software and hardware version updates, new modules added to the system, business model changes). , changes in market demand, etc.) will change. For example, the new model can use the time series analysis such as seasonality and periodicity to determine the risk trend from the time series graph learned from historical data, so as to find the change trend of the risk value, thereby retraining the model or adjusting the model hyperparameters etc. to get a model for the new cycle. After the risk prediction model corresponding to the monitored system is established, after obtaining new multiple state parameters (parameter values) of the monitored system, the predicted risk can be calculated based on the risk prediction model according to the new multiple state parameters (parameter values). value, which can range from 0 to 1. If the predicted risk value is greater than a certain value, such as 0.5, it is equivalent to detecting abnormal behavior. At this time, according to whether there are other monitored systems in the same group that exceed a certain number, the predicted risk value is greater than a certain value. If not, The detected abnormal behavior is regarded as abnormal (abnormal event), otherwise, it is regarded as non-abnormal (non-abnormal event). In this practical example, the result of predicting the risk value may come from the influence of many parameters, and the relationship between the parameters is too complicated to be understood by manual rules, but the implicit relationship between the parameters and the time series relationship can be determined by the model training to obtain.

Incidentally, if the monitored system #1 has an abnormal behavior detected in status parameters such as the number of online users or CPU usage, the reason is the launch of a specific event (for example, the monitored system #1 provides an online shopping service such as an anniversary event). Celebrating a specific online activity) or a specific event (such as adjusting the CPU usage policy), etc., the number of people online and the CPU usage of other monitored systems with group number 1 have not been detected abnormal behavior, so although this The service abnormality detection and alarm method provided by the new embodiment and the device and system using the method will recognize the detected abnormal behavior of the number of people online or the CPU usage rate of the monitored system #1 as abnormal. In the real-time learning method, after the system administrator or maintenance personnel of the monitored system 1 confirms that the actual cause of the detected abnormality can be determined, the number of online users and the CPU number of the next detected monitored system #1 can be determined. Abnormal usage rate can be comprehensively judged with the specific activity. In addition, the historical data model or risk prediction model can also be revised, updated or retrained by adjusting the risk value, so that the specific activity will not be predicted as abnormal behavior. .

In some embodiments, the present invention can be implemented by a computer software program for determining the occurrence of an abnormal event in a monitored system and generating an abnormal alarm for the abnormal event, which program can be loaded into a computer device such as a server. The computer software program can perform the following steps after being loaded into the computer device: receiving a plurality of first monitoring data sets, each of the first monitoring data sets including a plurality of monitoring data, and the monitoring data including the first monitoring data parameters and second monitoring parameters, the first monitoring parameters and the second monitoring parameters respectively include a plurality of monitoring data points, each of the data points includes a monitoring parameter value, and the first monitoring data sets respectively include different monitoring data points The monitoring data of the monitored system, the plurality of monitoring data of each of the first monitoring data sets include operation data and system data; the monitoring parameters of the first monitoring parameters of the first monitoring data sets using the first clustering model The values are grouped and a plurality of first cluster labels are generated, so that each of the first monitoring data sets corresponds to one of the corresponding first cluster labels, and the first clustering model is used to classify the first monitoring data sets. The monitoring parameter values of the second monitoring parameter are grouped and a plurality of second cluster labels are generated, so that each of the first monitoring data sets corresponds to one of the second cluster labels; The first cluster label and the second cluster label of the first monitoring data set are grouped to generate a plurality of third cluster labels, so that each of the first monitoring data sets corresponds to one of the third cluster labels, and the At least a plurality of the first monitoring data sets are corresponding to one of the third cluster labels to form a first monitoring group, and the first monitoring group includes a plurality of corresponding first monitoring data sets corresponding to the first monitoring data set. a plurality of monitored systems, the plurality of monitored systems in the first monitoring group include a first monitored system; a plurality of second monitoring data sets are received from the first monitoring group, the second monitoring data sets are respectively received from a plurality of monitored systems in the first monitoring group, each of the second monitoring data sets includes the first monitoring parameter and the second monitoring parameter; based on the second monitoring data sets, Using a time series algorithm to predict a plurality of first monitoring parameter predicted values and a plurality of second monitoring parameter predicted values respectively corresponding to the first monitoring parameter and the second monitoring parameter of the first monitoring group, so that the first monitoring parameter Each of the plurality of monitored systems in the monitoring group corresponds to its first monitoring parameter predicted value and the second monitoring parameter predicted value; the first monitoring parameter is received from the plurality of monitored systems in the first monitoring group The plurality of first monitoring parameter observed values, the first monitoring parameter observed values are respectively corresponding to the first monitoring parameter predicted value; The observed value of the first monitoring parameter and the predicted value of the first monitoring parameter are compared, and it is determined that the observed value of the first monitoring parameter corresponding to the first monitored system does not conform to its corresponding predicted value of the first monitoring parameter, and it is determined that the first monitoring parameter The number of monitored systems whose observed values of the first monitoring parameter corresponding to the other monitored systems other than the first monitored system in the group do not meet the predicted value of the corresponding first monitored parameter is lower than a number of monitored systems Threshold value, thereby judging that an abnormal event occurs in the first monitored system, wherein the number of the monitored system The threshold is less than the number of monitored systems in the first monitoring group; and an abnormal alarm is generated according to the judgment of the abnormal event.

In some embodiments, the steps performed by the aforementioned computer software program may include the following implementations. A monitoring data set can be received directly or indirectly from a monitored system; the monitoring data set can be a historical data set, such as the data set that has occurred in the monitored system or has been collected by monitoring. The monitoring data set can be received at different time periods or time points, for example, the first monitoring data set can be received at the first time point, and the second monitoring data set can be received at the second time point. The first monitoring data set and the second monitoring data set may contain monitoring data of the same feature dimension. For example, the first monitoring data set and the second monitoring data set may contain the same monitoring parameters. When there are twenty-five monitoring parameters such as CPU usage, the second monitoring data set also includes the same twenty-five monitoring parameters. The first monitoring parameter and the second monitoring parameter may be different monitoring parameters of the monitored system, for example, the first monitoring parameter may be the number of people online, and the second monitoring parameter may be CPU usage. The monitoring parameters may be parameters related to the operation of the monitored system or system-related parameters of the monitored system. Data preprocessing may be performed on the monitoring data set to form a plurality of monitoring parameters and/or monitoring data points. Monitoring data may refer to data generated by the monitoring of a monitored system, and such data may include those exemplified in this disclosure. The monitoring parameters included in the monitoring data may include operational data parameters and/or system data parameters, and the monitoring data may also include status values indicating the status of these parameters. A monitoring data may refer to a data containing monitoring parameters received from a monitored system. If the data is processed in tabular form, the monitoring data can be in the form of "row" as its data form. Monitoring data points may refer to different time points, and a plurality of monitoring data points may include a time series pattern. The monitoring data points can be the time points in Table 1, and the monitoring parameter values can be the corresponding parameter values of the monitored system at each time point. The first monitoring data set and the second monitoring data set may contain monitoring data of different time periods or time points, for example, each monitoring data set contains a time value, and the time value can be used as the time point or a time in the concerned time period point. The first monitoring data set may include monitoring data of a first period, and the second monitoring data set may include monitoring data of a second period. The first clustering model and the second clustering model can use the same clustering algorithm. The first clustering model and the second clustering model may include different hyperparameters, eg, may include different numbers of clusters. The distinction between the first clustering model and the second clustering model may only be made according to the different stages of clustering performed. The relationship between monitoring data sets and cluster labels may be many-to-one, that is, one or more monitoring data sets may correspond to one cluster label. When the monitoring data set has a one-to-one relationship with the monitored system, the monitored system and the cluster label therefore have a many-to-one relationship, that is, a cluster label can be assigned or correspond to one or more monitored systems. Through the grouping method of the present disclosure, a plurality of monitoring groups can be generated, and each monitoring group corresponds to or is assigned a cluster label, such as one of the third cluster labels. Groups can be distinguished from each other, that is, similar monitored systems can be grouped into the same group, so that each monitored group can contain one or more monitored systems. The time series algorithm can adopt ARIMA, LSTM, RCF and other algorithms that can be applied to time series type data. The second monitoring data set can be input into a model established by a time series algorithm, thereby producing a forecast value predicted based on the second monitoring data set. For example, the second monitoring data set may be the data points of the previous week of the data points to be predicted. If every minute is one data point, for a single monitoring parameter, the second monitoring data set may include 10080 data points. The time series model can be modeled through historical data training. For example, the historical data of each monitoring parameter of each monitored system is used to establish the time series model of each monitored system, so the time series model corresponding to each monitored system is generated. . When the second monitoring data set includes twenty-five monitoring parameters such as the number of people online, CPU usage, etc., the historical data may include the same twenty-five monitoring parameters as the second monitoring data set. A confidence interval can be set so that the predicted value of the monitoring parameter includes a value within a range, for example, the confidence interval can be set to 95%. For different monitoring parameters, confidence intervals of different values can be set. Confidence intervals can be automatically calculated and set by using a time series module or library. The observed value of the monitoring parameter can correspond to the predicted value of the monitoring parameter at the same time point. For example, for a certain monitoring parameter, the predicted value of the monitoring parameter of the next data point of a monitored system can be predicted, and the monitored value of the monitored system can be obtained. Monitoring parameter observations for the same data point. When comparing the observed value of the monitoring parameter with the predicted value of the monitoring parameter, the observed value of the monitoring parameter can be compared with the confidence interval of the predicted value of the monitoring parameter. If the observed value of the monitoring parameter is not within the confidence interval, it can be judged that the observed value of the monitoring parameter does not meet the Monitor parameter predictions. The observation value of the monitoring parameter that is not in the confidence interval may refer to the observation value exceeding the confidence interval, for example, the observation value being larger or smaller than the upper limit value or the lower limit value of the confidence interval. The comparison between the observed value of the monitoring parameter and the predicted value of the monitoring parameter may include calculating or receiving multiple values at multiple time points and then performing an overall comparison. One monitoring parameter observation value time series, each time series contains the monitoring parameter predicted value or monitoring parameter observation value corresponding to multiple time points in the period, and compare the two time series, if the judgment between the two time series is There is a set of observed values that do not match the predicted values, there are arrays of observed values that do not match the predicted values, there are arrays of observed values that do not match the predicted values continuously, and there is a continuous set of observed and predicted values. If it does not match, or there is an array of observed values that do not match the predicted values continuously and then a group of observed values does not match the predicted values, it can be judged that the observed values of the monitoring parameters do not match the predicted values of the monitoring parameters. Or, after a set of observed values and predicted values have occurred, there is no inconsistency between the continuous array of observed values and predicted values, it can be judged that no observed values of monitoring parameters do not meet the predicted values of monitoring parameters. The threshold for the number of monitored systems can be set according to the number of monitored systems in the monitoring group. The threshold for the number of monitored systems can be set to "2", so that in the group, except for the monitored system concerned (such as the first monitored system) that determines that the observed value of the monitored parameter does not meet the predicted value of the monitored parameter, there are only Another monitored system also judges that there is a situation where the observed value of the monitoring parameter does not conform to the predicted value of the monitoring parameter, or when no other monitored system judges that the observed value of the monitoring parameter does not meet the predicted value of the monitoring parameter, it can determine that an abnormal event occurs; If the criterion for judging abnormal events is to be set looser, in other words, to reduce the sensitivity of abnormal detection, the threshold can be set to a higher value, such as "3", etc.; if a stricter criterion is to be adopted, the threshold It can be set to "1", so that when only the monitored system in the group determines that the observed value of the monitoring parameter does not meet the predicted value of the monitoring parameter, it can determine that an abnormal event occurs. The threshold for the number of monitored systems can also be set to a percentage, such as 10%. In addition, if the observed values in other monitored systems in the group other than the monitored system of interest do not meet the predicted values, it can be judged that an abnormal event has occurred, that is, it is judged that the judgment in the other monitored system An abnormal event occurs for each of the observed values that do not meet the predicted value, thereby issuing an alarm for each abnormal event; in this case, it can be judged that the number of monitored systems in the group that have abnormal events is less than that of the same group The number of monitored systems in the group that are not judged to have abnormal events, and the proportion of the number can be set by a method similar to the threshold value set in the present disclosure. According to the principle of judging abnormal events in a group of the present disclosure, the present invention also includes the opposite judgment method according to the same principle, for example, it can judge all the other monitored systems in the first monitoring group except the first monitored system. The number of monitored systems whose observed value of the first monitoring parameter corresponds to the predicted value of the corresponding first monitoring parameter is higher than a threshold for the number of monitored systems, thereby determining that an abnormal event occurs in the first monitored system, and setting the threshold to a higher value. Higher numbers reflect stricter standards, etc. Anomaly alerts can include messages, notifications, flags, labels, audio, etc. The abnormal alarm may include information related to the monitored system to be concerned (such as the first monitored system), for example, indicating that the abnormal person is the monitored system to be concerned about, so that the abnormal alarm and/or the monitored system can be Carry out follow-up processing such as recording, statistics, and reflection.

In some embodiments, the present invention can use a computer software program that generates abnormal alarms, and after the program is loaded through a computer, the steps include the following: receiving the first set of monitoring data of each of the plurality of monitored systems, Each of the first set of monitoring data includes the monitored operation data and system data of the corresponding monitored system, and the operation data and system data are classified by a plurality of state parameters; the state of the first set of monitoring data is used. The parameters are grouped to the monitored systems to generate a plurality of state parameter cluster labels, so that each of the monitored systems corresponds to one of the state parameter cluster labels; the state parameter clusters of the state parameters are used The labels group the monitored systems to generate a plurality of monitored system cluster labels, so that each of the monitored systems corresponds to one of the monitored system cluster labels, and the monitored systems form a plurality of monitored system cluster labels. Monitoring system clusters, the monitored system clusters correspond to the monitored system cluster labels respectively, the monitored system clusters include the first monitored system cluster, and the first monitored system cluster includes corresponding to the same monitored system cluster a plurality of monitored systems of the tag; for each of the state parameters, receiving a monitoring observation for each of the plurality of monitored systems of the first monitored system cluster, and for each of the first monitored system cluster Each of the plurality of monitored systems generates a monitoring data time series corresponding to each of the corresponding state parameters, and generates a monitoring forecast value according to each monitoring data time series, and the monitoring forecast value corresponds to the monitoring data on a time axis Observation value; determine whether the monitoring observed value of each of the plurality of monitored systems in the first monitored system cluster conforms to its corresponding monitoring predicted value, if not, it is determined that an abnormal behavior has occurred in the corresponding monitored system, And when the number of monitored systems that are determined to have abnormal behavior in the first monitored system cluster is greater than one and less than or equal to an abnormal threshold, it is determined that an abnormal event occurs in the at least one monitored system that has abnormal behavior, and the abnormal threshold is less than the number of all monitored systems in the first monitored system cluster; and when it is determined that the abnormal event occurs, an abnormal alarm is generated, and the abnormal alarm indicates that the abnormal event is the at least one monitored system.

In some embodiments, the aforementioned steps can be implemented in the following manner. The so-called abnormal behavior may refer to or represent the judgment result that the parameter value does not match, and does not necessarily refer to the abnormal event based on which the abnormal alarm is generated. Abnormal behavior can be regarded as the preliminary result or the relay result of abnormal judgment, and the final result is judged after the comprehensive judgment of multiple abnormal behaviors, such as judging the number of monitored systems that have abnormal behavior, etc., for example, the final result is judged as abnormal Events, with abnormal events as the basis for generating abnormal alarms. Abnormal behavior can be used as the abnormal judgment result of a single monitored system. Since the new model can perform the overall judgment of multiple monitored systems in a group, multiple abnormal behaviors in a group can be regarded as a single monitored system as a whole as a result of whether an abnormal event occurs. Judgments based. For example, when the first monitored system cluster includes 15 monitored systems, the abnormality threshold can be set to 50%, and when it is judged that at least one and no more than seven monitored systems in the cluster have abnormal behaviors, it can be judged that these abnormal behaviors have occurred. An abnormal event occurs in the monitored system of the behavior, according to which an abnormal alarm can be generated, and the generated abnormal alarm can indicate that an abnormal event occurs in the at least one and no more than seven monitored systems. In addition, if it is determined that more than seven monitored systems have abnormal behaviors, an abnormal alarm can be generated for the monitored systems that do not have abnormal behaviors in the cluster. It is to judge a monitored system that does not have abnormal behavior as an abnormal event. In this way, a small number of people whose behavior is different from other monitored systems in the cluster can be judged to have an abnormal event. Accordingly, this method can be implemented by the following steps: judging whether the monitoring observed value of each of the plurality of monitored systems in the first monitored system cluster conforms to its corresponding monitoring predicted value, and if not, determining that the An abnormal behavior occurs in the corresponding monitored system, and when the number of monitored systems that are judged to have abnormal behavior in the first monitored system cluster is greater than the number of monitored systems that are not judged to have abnormal behavior in the cluster, the The at least one monitored system that is not determined to have an abnormal behavior determines that an abnormal event has occurred, and when it is determined that the at least one abnormal event occurs, an abnormal alarm is generated, and the abnormal alarm indicates the at least one monitored system where the abnormal event occurred. . Of course, in this way, the number judgment in the cluster (such as majority/minority judgment, or distinguishing two sub-clusters in the cluster by judging abnormal behavior) can be regarded as equivalent to setting a threshold, or can be controlled by setting a threshold this judgment method. For example, for a specific monitored system cluster including multiple monitored systems, the method for judging abnormal behavior of the present disclosure is used to establish a first abnormal event judgment condition, that is, when less than half of the monitored systems in the cluster have abnormal behavior, It is judged that an abnormal event occurs in less than half of the monitored systems; in addition, a second abnormal event judgment condition can be established, that is, when more than half of the monitored systems in the cluster have abnormal behavior, it is judged that the remaining and not judged as occurrences An abnormal event occurs in the monitored system with abnormal behavior, and the second abnormal event judgment condition can be used independently as the judgment of the abnormal event in the cluster, or used together with the first abnormal event judgment condition. In addition, this method can be simultaneously implemented by using other threshold methods of the present disclosure to establish judgment conditions in different situations, and the present invention can set a plurality of threshold values to alert different abnormal event judgment methods. For example, different or hierarchical numerical thresholds can be set to represent abnormal events of different levels. For example, the first type of abnormality threshold can be set to "2" and the second type of moderate abnormality threshold can be set to "5". When the abnormal behavior of the monitored system is regarded as the first type of abnormal event, the abnormal alarm can indicate the occurrence of the first type of abnormal event, and the abnormal behavior of the monitored system of more than three to less than five is regarded as the second type of abnormal event. , the abnormal alarm may indicate the occurrence of a second type of abnormal event, etc.; different types of abnormal events may represent different abnormal degrees, etc. For each cluster of monitored systems, the method of alarming anomalies within the cluster disclosed in the present disclosure can be adopted, thereby ensuring that each monitored system can be monitored in its own cluster and generate an alarm when an abnormal event occurs.

In some embodiments, the present invention can be implemented by a computer software program that generates abnormal alarms. After the program is loaded through a computer, the following steps can be performed: grouping a plurality of state parameters of a plurality of monitored systems and generating a plurality of first cluster label sets each including a plurality of first cluster labels, causing each of the monitored systems to be assigned a first cluster label in each of the first cluster label sets, the The first cluster label sets are respectively corresponding to the corresponding state parameters, and the plurality of state parameters include the operation data of the monitored systems and the state parameters of the system data; a plurality of first clusters of the first cluster label sets are used The tags group the monitored systems and generate a second cluster tag set comprising a plurality of second cluster tags, such that each of the monitored systems is assigned a second cluster tag in the second cluster tag set, wherein , a plurality of monitored systems in these monitored systems form a first monitored system group, so that all monitored systems in the first monitored system group are assigned the same second cluster label, and the first monitored system group is assigned the same second cluster label. The monitoring system group includes a target monitored system; for the first monitored system group, a training data set for each monitored system in the group is formed, and each of the training data sets includes the state parameters and It further includes an abnormal value parameter, the abnormal value parameter indicates an abnormal state of the corresponding monitored system; establishes a first abnormal prediction corresponding to each monitored system in the first monitored system group based on the training data sets models, each of the first anomaly prediction models is used to predict the predicted value of the first outlier parameter of the corresponding monitored system; an outlier parameter is formed from the outlier parameter in each of the training data sets time series, establishing a second anomaly prediction model corresponding to each monitored system in the first monitored system group based on the outlier parameter time series, each of the second anomaly prediction models is used to predict the corresponding The predicted value of the second abnormal value parameter of the monitored system; for each monitored system in the first monitored system group, the first abnormal value predicted at a target time point using the corresponding one of the first abnormal prediction models Parameter prediction value, using the second outlier parameter prediction value predicted at the target time point corresponding to the second anomaly prediction models, when the first outlier parameter prediction value does not match the second outlier parameter prediction value When the corresponding monitored system is judged to have abnormal behavior, the target monitored system is judged to have abnormal behavior according to the aforementioned abnormal behavior judgment method, and the target monitored system is judged according to the aforementioned abnormal behavior judgment method. Abnormal behavior occurs in other monitored systems outside the system below a specific number, the number being lower than the number of monitored systems in the first monitored system group; and an abnormal alarm associated with the target monitored system is generated.

In some embodiments, the outlier parameter of the aforementioned training data set represents an outlier or risk value, such as the risk value described in this disclosure. The outlier parameter can include outliers at multiple time points or a time series, and these outliers can be marked with or without abnormality or risk. If there is an abnormality, it is marked as "1", and if there is no abnormality, it is marked as "0"; for For this outlier parameter, the data marked with "1" in the training data set can represent that the abnormal state of the monitored system is abnormal, and the data marked with "0" can represent that the abnormal state of the monitored system is not abnormal. The training data set may contain historical data, such as data containing outliers or values at risk. Each piece of data in the training data set may include data at a specific time point, and accordingly, the abnormal value parameter reflects the abnormal state of the monitored system at the specific time point. Using the training data set, a first anomaly prediction model can be trained, and the algorithm used for this model can include a suitable supervised machine learning algorithm. In other words, the abnormal value parameter is the data for marking the state parameter union, so that all state parameters can be monitored as a whole without monitoring individual state parameters, and the first abnormal prediction model can be used accordingly. to predict anomalies. In addition, outliers at each time point can be formed into a time series, and the formed outlier parameter time series can be used to train a second anomaly prediction model formed by using an LSTM algorithm or the like. For example, for a monitored system, every minute is a data point, and each data point is marked with an outlier parameter. If there is data marked for a week, there are 10080 outlier parameters. The parameter values (or the outlier parameters include the data points of the week), these parameter values can form an outlier parameter time series and used to build a time series model. For a new piece of data, such as a new observation value, the new data may include state parameters but not outlier parameters, and the first and second anomaly prediction models can be used to predict the predicted values of each model respectively. When there is a difference, it can be judged that there is abnormal behavior. For example, when the second anomaly prediction model is used as the benchmark model, the predicted value of the second outlier parameter can be used as the prediction benchmark value. If the predicted value of the first outlier parameter does not conform to the predicted value of the second outlier parameter or exceeds its confidence interval , the lower limit value, the abnormal behavior can be judged.

To sum up the above, the service abnormality detection and alarm method and the device and system using the method provided by the new embodiment of the present invention can include the following advantages compared with the prior art: (1) It can avoid data such as IT maintenance and operation only. Use logs to monitor or judge abnormal events, increase the chance of early warning, and reduce the possibility of false positives; (2) Judging or training with data from the same type of service or company to avoid insufficient data and improve model accuracy; Based on the data and modeling of the same type of service or company, the comparison and alarming efficiency of abnormal conditions can be improved; (4) The abnormality can be predicted in advance without obvious characteristics or combination of characteristics, and no artificial definition logic is required; ( 5) The periodicity, seasonality of events, and the impact of long-term and short-term data can be considered; and (6) preventive alarms that integrate time series trends, and risk value assessment methods, to avoid the subjective bias of traditional risk prediction methods, and to deal with A situation where the efficiency and accuracy of a large amount of data are too low. In addition, the service anomaly detection and alarm method and the device and system using the method provided by this novel embodiment can be applied to various AI-related products and services, such as anomaly detection in e-commerce, game industry, and anomaly detection in manufacturing industry. , Financial Statement Insurance System (FSI) fraud detection in the financial and insurance industry, and automated maintenance of Management Service Providers (MSP), etc.

It should be understood that the examples and embodiments described herein are for illustrative purposes only, and the disclosed embodiments and technical features may be combined in various ways within the spirit of the present invention, and various modifications or changes in view thereof will be suggested to the present invention. those skilled in the art and are to be included within the spirit and scope of this application and the scope of the appended claims.

1: Abnormal alarm system 11: Cloud Devices 121～12N: Monitored system 111: Data preprocessing unit 112: Individual parameter clustering unit 113: Individual grouping unit 114: Cohort alignment unit 115: Detection unit 116: Alarm unit S31～S45: Steps

The accompanying drawings are provided to enable those having ordinary skill in the art to which the present invention pertains to further understand the present invention, and are incorporated in and constitute a part of the description of the present invention. The drawings illustrate exemplary embodiments of the invention, and together with the description of the invention serve to explain the principles of the invention.

FIG. 1 is a block diagram of an abnormality alarm system using a service abnormality detection and alarm method according to a new embodiment of the present invention.

FIG. 2 is a block diagram of a cloud device using a service abnormality detection and alarm method according to a new embodiment of the present invention.

FIG. 3 is a flowchart of the service abnormality detection and alarm method operating in the interpretation mode according to the new embodiment of the present invention.

FIG. 4 is a flowchart of the service abnormality detection and alarm method operating in the modeling mode according to the novel embodiment.

11: Cloud Devices

111: Data preprocessing unit

112: Individual parameter clustering unit

113: Individual grouping unit

114: Cohort alignment unit

115: Detection unit

116: Alarm unit

Claims (10)

A device for serving abnormality detection and alarm, comprising a plurality of electrically connected hardware circuits, the hardware circuits are configured into a plurality of units, and the units are used for: Receive the operational data and system data of one of the monitored systems corresponding to a service, and perform data preprocessing on the operational data and the system data of the monitored system to obtain multiple data of the monitored system. a state parameter; Grouping each of the state parameters of the monitored system to obtain a cluster label corresponding to each of the state parameters of the monitored system; Group the monitored system according to the cluster labels of the state parameters of the monitored system to obtain a group number corresponding to the monitored system; Detecting whether the monitored system has an abnormal behavior according to at least one of the status parameters of the monitored system; and When detecting that the monitored system has the abnormal behavior, determine whether there are more than a certain number of the monitored systems in a group corresponding to the group number of the monitored system also have abnormal behavior, if the group If the monitored systems of the group corresponding to the group number that do not exceed the specified number also behave abnormally, an alarm is generated. The apparatus for serving anomaly detection and alerting as claimed in claim 1, wherein the units are used to group each of the state parameters of the monitored system based on a model, and the model is based on the monitored systems The state parameters corresponding to each of them are obtained by training. The apparatus for service anomaly detection and alerting as claimed in claim 1, wherein the units are used to group the monitored system according to the cluster labels of the state parameters of the monitored system based on a model, and the The model is obtained by training on the cluster labels of the state parameters of the monitored systems. The device for serving abnormality detection and alarming as described in claim 1, wherein the units are configured to determine whether the monitored system has the abnormal behavior according to at least one of the state parameters of the monitored system based on at least one model, At least one of the models includes a risk prediction model. The device for serving abnormality detection and alarming as described in claim 4, wherein the units are used to mark the state parameters corresponding to the monitored system when abnormality occurred in the past with a risk value of 1, and the monitored system When no abnormality has occurred in the system in the past, the corresponding state parameters are marked with a risk value of 0, and the risk prediction model is established according to the risk value. The apparatus for service anomaly detection and alarm as described in claim 5, wherein the units are configured to calculate whether a predicted risk value exceeds a specific value based on the risk prediction model according to the current state parameters of the monitored system, to detect whether the monitored system has the abnormal behavior. A device for detecting anomalies and issuing alarms, including: A data preprocessing unit, receiving operation data and system data of a monitored device corresponding to a service, and performing data preprocessing on the operation data and system data of the monitored device to obtain multiple states of the monitored device parameter; a state parameter grouping unit for grouping each state parameter of the monitored device to obtain a cluster label corresponding to each state parameter of the monitored device; a grouping unit, which groups the monitored equipment according to the cluster labels of the state parameters of the monitored equipment to obtain a group number corresponding to the monitored equipment; a detection unit for detecting whether the monitored device has an abnormal behavior according to at least one of the state parameters of the monitored device; and A group comparison unit, when detecting that the monitored equipment has the abnormal behavior, determines whether there are a plurality of monitored equipments exceeding a certain number in a group corresponding to the group number of the monitored equipment. The abnormal behavior is detected. If the group corresponding to the group number does not exceed the specified number of the monitored devices that also have the abnormal behavior, it is determined that the abnormal behavior of the monitored device is detected as: an unusual event; and An alarm unit generates an abnormal alarm according to the abnormal event. A device for judging the occurrence of an abnormal event in a monitored system and generating an abnormal alarm for the abnormal event, which includes a plurality of electrically connected hardware circuits, the hardware circuits are configured into a plurality of units, and the units Used for: Receive a plurality of first monitoring data sets, each of the first monitoring data sets includes a plurality of monitoring data, the monitoring data includes a first monitoring parameter and a second monitoring parameter, the first monitoring parameter and the second monitoring The parameters respectively include a plurality of monitoring data points, each of the data points includes a monitoring parameter value, the first monitoring data sets respectively include monitoring data of different monitored systems, and each of the first monitoring data sets The plurality of monitoring data include operational data and system data; A first clustering model is used to group the monitoring parameter values of the first monitoring parameters of the first monitoring data sets and generate a plurality of first cluster labels, so that each of the first monitoring data sets corresponds to the first one of the cluster labels, and using the first clustering model to group the monitoring parameter values of the second monitoring parameters of the first monitoring data sets to generate a plurality of second cluster labels, so that each of the first monitoring data sets is One corresponds to one of the labels that should wait for the second cluster; The first cluster label and the second cluster label of the first monitoring data sets are grouped by the second clustering model to generate a plurality of third cluster labels, so that each of the first monitoring data sets corresponds to the rank One of the three cluster labels, at least plural ones of the first monitoring data sets correspond to one of the third cluster labels to form a first monitoring group, and the first monitoring group is based on the corresponding pluralities a first monitoring data set includes a corresponding plurality of monitored systems, and the plurality of monitored systems in the first monitoring group includes a first monitored system; A plurality of second monitoring data sets are received from the first monitoring group, the second monitoring data sets are respectively received from a plurality of monitored systems in the first monitoring group, and each of the second monitoring data sets is which includes the first monitoring parameter and the second monitoring parameter; Based on the second monitoring data sets, a time series algorithm is used to predict a plurality of first monitoring parameter predicted values and a plurality of second monitoring parameters respectively corresponding to the first monitoring parameter and the second monitoring parameter of the first monitoring group monitoring the predicted value of the parameter, so that each of the plurality of monitored systems in the first monitoring group corresponds to the predicted value of the first monitoring parameter and the predicted value of the second monitoring parameter; A plurality of first monitoring parameter observed values for the first monitoring parameter are received from a plurality of monitored systems in the first monitoring group, and the first monitoring parameter observed values are respectively corresponding to the corresponding first monitoring parameter predicted values ; Compare the observed value of the first monitoring parameter and the predicted value of the first monitoring parameter corresponding to each of the plurality of monitored systems in the first monitoring group, and determine the first monitoring parameter corresponding to the first monitored system The observed value does not conform to its corresponding predicted value of the first monitoring parameter, and it is determined that the observed value of the first monitoring parameter corresponding to the other monitored systems in the first monitoring group except the first monitored system does not conform to the corresponding predicted value. The number of monitored systems corresponding to the predicted value of the first monitoring parameter is lower than a threshold of the number of monitored systems, thereby determining that an abnormal event occurs in the first monitored system, wherein the threshold of the number of monitored systems is smaller than the first monitoring group the number of monitored systems for the group; and An abnormal alarm is generated according to the judgment of the abnormal event. A device for generating an abnormal alarm, which includes a plurality of electrically connected hardware circuits, the hardware circuits are configured into a plurality of units, and the units are used for: Receive the first set of monitoring data of each of the plurality of monitored systems, each of the first set of monitoring data includes the monitored operational data and system data of the corresponding monitored system, and the operational data and system data are Plural state parameter classification; grouping the monitored systems using the state parameters of the first set of monitoring data to generate a plurality of state parameter cluster labels, so that each of the monitored systems corresponds to one of the corresponding state parameter cluster labels; The monitored systems are grouped using the state parameter cluster labels of the state parameters to generate a plurality of monitored system cluster labels such that each of the monitored systems corresponds to one of the monitored system cluster labels or, the monitored systems form a plurality of monitored system clusters, the monitored system clusters are respectively corresponding to the monitored system cluster labels, and the monitored system clusters include a first monitored system cluster, the first monitored system cluster The monitoring system cluster includes a plurality of monitored systems corresponding to the same monitored system cluster label; For each of the state parameters, receive a monitoring observation for each of the plurality of monitored systems of the first cluster of monitored systems, and for each of the plurality of monitored systems of the first cluster of monitored systems generating a monitoring data time series corresponding to each of the equivalent state parameters, and generating a monitoring forecast value according to each monitoring data time series, and the monitoring forecast value corresponds to the monitoring observation value on a time axis; Determine whether the monitoring observed value of each of the plurality of monitored systems in the first monitored system cluster conforms to its corresponding monitoring predicted value, if not, it is determined that an abnormal behavior has occurred in the corresponding monitored system, and when the When the number of monitored systems that are determined to have abnormal behaviors in the first monitored system cluster is greater than one and less than or equal to an abnormality threshold, it is determined that at least one monitored system with abnormal behaviors has an abnormal event, and the abnormality threshold is less than the number of all monitored systems in the first monitored system cluster; and Based on the at least one abnormal event, an abnormal alarm is generated, and the abnormal alarm indicates the at least one monitored system in which the abnormal event occurred. A device for generating an abnormal alarm, which includes a plurality of electrically connected hardware circuits, the hardware circuits are configured into a plurality of units, and the units are used for: grouping a plurality of state parameters of a plurality of monitored systems and generating a plurality of first cluster label sets each including a plurality of first cluster labels such that each of the monitored systems is assigned the first cluster a first cluster label in each of the label sets, the first cluster label sets are respectively corresponding to the corresponding state parameters, the plurality of state parameters include the operation data of the monitored systems and the state parameters of the system data; clustering the monitored systems with a plurality of first cluster labels of the first cluster label sets and generating a second cluster label set including a plurality of second cluster labels such that each of the monitored systems is assigned A second cluster label in the second cluster label set, wherein a plurality of monitored systems in the monitored systems form a first monitored system group, so that all monitored systems in the first monitored system group are assigned the same second cluster label, the first monitored system group includes a target monitored system; For the first monitored system group, a training data set for each monitored system in the group is formed, each of the training data sets includes the state parameters and further includes an outlier parameter, the outlier parameter It indicates an abnormal state of the corresponding monitored system; A first anomaly prediction model corresponding to each monitored system in the first monitored system group is established based on the training data sets, and each of the first anomaly prediction models is used to predict the first anomaly of the corresponding monitored system an outlier parameter prediction value; An outlier parameter time series is formed from the outlier parameters in each of the training data sets, and a second anomaly prediction corresponding to each monitored system in the first monitored system group is established based on the outlier parameter time series a model, each of the second anomaly prediction models is used to predict the predicted value of the second anomaly parameter of the corresponding monitored system; For each monitored system in the first monitored system group, the predicted value of the first anomaly parameter predicted at a target time point by the corresponding one of the first anomaly prediction models is used, and the second anomaly prediction model is used The predicted value of the second outlier parameter at the target time point corresponding to the one in According to the aforementioned abnormal behavior judgment method, it is judged that the target monitored system has abnormal behavior, and according to the aforementioned abnormal behavior judgment method, it is judged that there are less than a certain number of other monitored systems in the first monitored system group except the target monitored system. An abnormal behavior occurs in the monitoring system, and the number is lower than the number of monitored systems in the first monitored system group; and Generate an exception alarm associated with the target monitored system.

Images