WO2011157012A1 - Method for generating alarm association graph and device thereof, and method for determining association alarm and device thereof

Info

Publication number
WO2011157012A1
Authority
WO
WIPO (PCT)
Prior art keywords
alarm
association
alarms
type
relationship
Prior art date
Application number
PCT/CN2010/077229
Other languages
French (fr)
Chinese (zh)
Inventor
林伟
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2011157012A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06: Management of faults, events, alarms or notifications
    • H04L41/0631: Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/065: Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis involving logical or physical relationship, e.g. grouping and hierarchies

Definitions

  • The present invention relates to the field of network management technologies, and in particular to an alarm association graph generation method, an alarm association graph generation device, an associated alarm determination method, and an associated alarm determination device.
  • Background technique
  • With the rapid development of communication network technology, communication services are becoming more and more abundant, from the initial telegraph and telephone services to Internet Protocol (IP) and multimedia services. The diversification of communication services is accompanied by a diversification of the types of devices in the communication network, which makes it increasingly difficult to manage and maintain the communication network.
  • In a communication network, there is an association between network devices.
  • When a network device fails, an alarm is reported, and the network devices that have a relationship with the failed network device also report related alarms. The correlation between alarms is therefore particularly important for the management of the entire network. For example, a simple application of alarm correlation is to find the root cause alarm among massive numbers of alarms, that is, to find the root cause of the fault.
  • The existing alarm correlation analysis technology mainly analyzes alarm association by rules, but the rules need to be predefined. If an alarm can cause a chain reaction of associated alarms, multiple rules need to be established correspondingly, and determining the association relationship between different alarms is highly complex and poorly intuitive. As the network scale expands continuously, the number of rules is bound to increase correspondingly, and the network becomes difficult to maintain.
  • Summary of the invention
  • the invention provides a method for generating an alarm association graph, which is used for simply and directly reflecting the association relationship between alarms, and is not limited to the network scale, and is easy to expand.
  • the method includes:
  • the alarms that have an association relationship are classified according to the alarm attribute, forming an alarm set for each alarm type;
  • when the calculated probability of occurrence of the association between the alarm set of the first alarm type and the alarm set of the second alarm type exceeds the first preset probability value, the alarm set of the first alarm type is determined to be associated with the alarm set of the second alarm type, and the association relationship is displayed on the alarm association graph.
  • the present invention also provides a method for determining an association alarm by applying an alarm association graph, which is used to simply and directly reflect the association relationship between alarms, and is not limited to the network scale, and is easy to expand.
  • the method includes:
  • alarm sets of other alarm types associated with the alarm set of the same alarm type as the alarm are searched for in the generated alarm association graph, where the alarm association graph includes the association relationships between the alarm sets of the alarm types.
  • an alarm associated with the alarm is determined.
  • the present invention also provides an alarm correlation graph generating device for simply and directly reflecting the association relationship between the alarms, and is not limited to the network scale and is easy to expand.
  • the device includes:
  • a first determining unit configured to sequentially determine, according to the topology diagram of the network device, two topology nodes that have physical connections;
  • An acquiring unit configured to separately obtain all the alarms currently existing by the two topology nodes, and search for an alarm having an association relationship therein;
  • a classification unit configured to classify alarms having an association relationship according to an alarm attribute, and form an alarm set of each alarm type
  • a display unit configured to determine, when the calculated probability of occurrence of the association between the alarm set of the first alarm type and the alarm set of the second alarm type exceeds the first preset probability value, that the alarm set of the first alarm type and the alarm set of the second alarm type have an association relationship, and to display the association relationship on the alarm association graph.
  • the present invention also provides an apparatus for applying an alarm correlation map generating device to perform an associated alarm determination, which is used to simply and directly reflect the association relationship between alarms, and is not limited to the network scale and is easy to expand.
  • the device includes:
  • a second determining unit configured to determine an alarm type of the alarm when an alarm occurs on the network device
  • a search unit configured to search, in the generated alarm association diagram, an alarm set of other alarm types associated with the alarm set of the alarm type of the alarm, where the alarm association diagram includes an association relationship between alarm sets of each alarm type ;
  • a third determining unit configured to determine, in the alarm included in the alarm set of the associated alarm type, an alarm associated with the alarm.
  • the alarm association diagram includes an association relationship between alarm sets of each alarm type, and an alarm associated with the alarm is determined in an alarm included in the associated alarm set of each alarm type.
  • the association alarm determination method provided by the embodiment of the present invention determines the other alarms associated with the generated alarms by using the alarm association graph.
  • By using the characteristics of graphical display, the alarm association graph can directly and effectively reflect the association relationships between the alarm sets of different alarm types.
  • After an alarm is received, the alarm association graph is consulted directly, without analyzing the alarm association through predefined rules. This simply and effectively reflects the association relationships between alarms and determines the other alarms associated with the received alarm, which reduces the complexity of determining the association between alarms.
  • Because the alarm association graph does not depend on the NE and is not hard coded by the internal program of the NE, it can be modified according to the actual situation. Therefore, when the network is expanded or reduced, the graph can be modified according to the increase or decrease of network devices in the network. It is not limited by the network scale and is easy to expand.
  • The alarm association graph can find the source fault more accurately and quickly.
  • FIG. 1 is a flowchart of a method for determining an associated alarm according to an embodiment of the present invention
  • FIG. 3 is a flowchart of a method for generating an alarm association graph in a method for determining an associated alarm according to an embodiment of the present invention
  • FIG. 4 is a connection diagram of an alarm management system according to an embodiment of the present invention.
  • FIG. 5 is a flowchart of a method for generating an alarm association graph according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of a first associated alarm determining apparatus according to an embodiment of the present invention
  • FIG. 7 is a schematic structural diagram of a second associated alarm determining apparatus according to an embodiment of the present invention
  • FIG. 9 is a schematic structural diagram of a fourth associated alarm determining apparatus according to an embodiment of the present invention
  • FIG. 10 is a schematic structural diagram of a first alarm correlation graph generating apparatus according to an embodiment of the present invention.
  • FIG. 11 is a schematic structural diagram of a second alarm correlation graph generating apparatus according to an embodiment of the present invention.
  • Detailed description
  • The alarm correlation analysis technology mentioned in the prior art analyzes the alarm association by using predefined rules.
  • Determining the association relationship between different alarms is highly complex, difficult to implement, and poorly intuitive. If the number of rules increases, the network becomes difficult to maintain.
  • The embodiment of the present invention provides an associated alarm determination method, which uses the alarm association graph to determine the other alarms associated with a generated alarm. The alarm association graph can simply and effectively reflect the relationships between alarms, is not limited by the network scale, is easy to expand, and can find the source fault more accurately and quickly.
  • The specific processing flow of the associated alarm determination method provided by the embodiment of the present invention is shown in FIG. 1 and includes the following steps:
  • Step 101: When an alarm occurs on the network device, determine the alarm type of the alarm.
  • Step 102: Search the generated alarm association graph for alarm sets of other alarm types associated with the alarm set of the same alarm type as the alarm, where the alarm association graph includes the association relationships between the alarm sets of each alarm type.
  • Step 103: Determine, among the alarms included in the alarm sets of the associated alarm types, the alarms associated with the alarm.
  • An alarm has multiple alarm attributes, such as alarm code, alarm level, alarm occurrence time, and alarm recovery time, according to which alarms can be classified into different alarm types. Each alarm has its own alarm type. In step 101, when the network device generates an alarm, the alarm type of the alarm is determined first, for example, a critical alarm or a reminder alarm. The specific alarm type depends on the actual situation.
  • The generated alarm association graph is searched for alarm sets of other alarm types associated with the alarm set of the same alarm type as the alarm; the alarm association graph includes the association relationships between the alarm sets of the alarm types.
  • FIG. 2 shows the association between alarms of different alarm types, that is, the case where there is only one alarm in each alarm set.
  • There are alarms of the alarm types 0, A, B, C, D, and E, and there is a topology relationship between the network devices to which the 0, A, B, C, D, and E alarms belong.
  • The alarm association graph may be generated by a variety of methods, for example, according to the binary tree principle, according to different alarm severity levels, or by using other principles.
  • A method for generating an alarm association graph is provided. The specific processing flow is shown in FIG. 3 and includes the following steps:
  • Step 301: Determine, according to the topology diagram of the network device, two topology nodes that have a physical connection.
  • Step 302: Obtain all the alarms that the two topology nodes currently have, and find the alarms that have an association relationship.
  • Step 303: Classify the alarms that have an association relationship according to the alarm code and/or the alarm level, and identify them as different alarm types.
  • Step 304: When the calculated probability of occurrence of the association between the alarm set of the first alarm type and the alarm set of the second alarm type exceeds the first preset probability value, determine that the alarm set of the first alarm type and the alarm set of the second alarm type have an association relationship, and display it on the alarm association graph.
  • The alarms of a network device usually comprise two parts: processed alarms, which are usually stored in the historical alarm database, and alarms that have not been processed, which are usually stored in the current alarm cache. In the figure, the data in the historical alarm database and in the current alarm cache are analyzed.
  • Step 302, obtaining all the alarms that the two topology nodes currently have and finding the alarms that have an association relationship, includes: acquiring all the alarms that the two topology nodes currently have, and analyzing the association in time between the alarms of the first topology node and the alarms of the second topology node to find the alarms that have an association relationship.
  • The alarm occurrence time difference is the difference between the occurrence time of the second alarm and the occurrence time of the first alarm, and the alarm recovery time difference is the difference between the recovery time of the second alarm and the recovery time of the first alarm.
  • The probability of occurrence of the association between the alarm set of one alarm type and the alarm set of another alarm type is calculated as follows: the number of alarms in the alarm set of the one alarm type is used as the denominator, and the number of those alarms that have an association relationship with the alarm set of the other alarm type is used as the numerator; the resulting value is the calculated probability.
  • The calculated probability of occurrence of the association between the alarm sets of two alarm types may deviate from the second preset probability value (usually the actual probability). If the calculated probability of occurrence of the association between the alarm set of the first alarm type and the alarm set of the second alarm type does not match the second preset probability value, the calculated probability is adjusted according to the second preset probability value. For example, if the second preset probability value is less than the calculated probability, the calculated probability is lowered; similarly, if the second preset probability value is greater than the calculated probability, the calculated probability is increased.
  • To make the association relationships obtained from the alarm association graph more accurate, the alarm association graph needs to be updated periodically. The update period may be one hour, one day, or one month, depending on the specific situation; a one-day cycle usually meets the accuracy requirements.
  • The updated alarm association graph is used to search for alarm sets of other alarm types associated with the alarm set of the same alarm type as the new alarm; among the alarms included in the alarm sets of the associated alarm types, the alarms associated with the new alarm are determined.
  • The associated alarm determination method may be used to create an alarm management system that includes the following parts: a network device, a current alarm cache, a historical alarm database, an alarm association graph, an alarm correlation analysis engine, an alarm analysis engine, and a user interface. Refer to FIG. 4 for the specific connection relationship. The functions of each part are as follows:
  • Network device: a managed device in the system. When a fault occurs during operation of the network device, an alarm is generated and reported to the network management system.
  • Historical alarm database: saves all historical alarm data generated by the network device.
  • Alarm correlation analysis engine: analyzes the data in the historical alarm database and the current alarm cache to obtain the alarm association relationships.
  • Network device topology: a location relationship diagram based on the physical location of the network devices.
  • Alarm association graph: used to save the alarm association relationships obtained by the analysis.
  • Current alarm cache: saves the current alarms generated by the network device. A current alarm is an alarm that has not been processed, that is, the device fault corresponding to the current alarm has not been eliminated.
  • Alarm analysis engine: analyzes and processes the alarm data in the current alarm cache according to the alarm association graph to find the root alarm.
  • User interface: an alarm interface that is displayed to the user. The alarm association graph and the root alarm are displayed on the interface so that network maintenance personnel can view them, analyze the association relationships on the association graph, and locate the fault.
  • Step 1: Use the current alarm cache and the historical alarm database to collect the alarm data generated by network devices.
  • Step 2: Analyze and mine the alarm data, and find the association relationships between the alarm data based on the network device topology map.
  • Step 3: Generate an alarm association graph by using the association relationships between the alarm data.
  • Step 4: Use the generated alarm association graph to analyze and process the current alarms on the network to find the root alarm and quickly locate the fault.
  • Step 5: Mine and analyze the newly generated current alarms and historical alarms, repeating the second step and the third step to obtain the association relationships, continuously correct the alarm association graph, and thereby realize the automatic learning function to improve accuracy.
  • The network devices to which the A, B, C, D, E, and 0 types of alarms belong have a topology association. Following the direction of the arrows, the probability that the pointed-to alarm accompanies the occurrence of the alarm pointing to it is greater than the first preset probability value. For example, when a type A alarm occurs, the probability that a type D alarm also occurs is 98%.
  • The embodiment of the present invention further provides a method for generating an alarm association graph.
  • The specific processing flow is shown in FIG. 5 and includes the following steps:
  • Step 501: Determine, according to the topology diagram of the network device, two topology nodes that have a physical connection.
  • Step 502: Obtain all the alarms that the two topology nodes currently have, and find the alarms that have an association relationship.
  • Step 503: Classify the alarms that have an association relationship according to the alarm code and/or the alarm level, and identify them as different alarm types.
  • Step 504: When the calculated probability of occurrence of the association between the alarm set of the first alarm type and the alarm set of the second alarm type exceeds the first preset probability value, determine that the alarm set of the first alarm type and the alarm set of the second alarm type have an association relationship, and display it on the alarm association graph.
  • All the alarms that the two topology nodes currently have are obtained respectively, and the alarms that have an association relationship are found.
  • The specific processing flow is as follows: calculate the alarm occurrence time difference and the alarm recovery time difference between the first alarm of the first topology node and the second alarm of the second topology node.
  • The alarm occurrence time difference is the difference between the occurrence time of the second alarm and the occurrence time of the first alarm, and the alarm recovery time difference is the difference between the recovery time of the second alarm and the recovery time of the first alarm.
  • The calculated probability of occurrence of the association between the alarm sets of two alarm types may differ from the second preset probability value (usually the actual probability). In that case, the calculated probability of occurrence of the association between the alarm set of one alarm type and the alarm set of another alarm type is adjusted according to the second preset probability value. For example, if the second preset probability value is less than the calculated probability, the calculated probability is lowered; similarly, if the second preset probability value is greater than the calculated probability, the calculated probability is increased.
  • An embodiment of the present invention further provides an associated alarm determining apparatus.
  • The specific structure is shown in FIG. 6 and includes:
  • a second determining unit 601, configured to determine the alarm type of the alarm when an alarm occurs on the network device;
  • a searching unit 602, configured to search the generated alarm association graph for alarm sets of other alarm types associated with the alarm set of the same alarm type as the alarm, where the alarm association graph includes the association relationships between the alarm sets of the alarm types;
  • a third determining unit 603, configured to determine, among the alarms included in the alarm sets of the associated alarm types, the alarms associated with the alarm.
  • The searching unit 602 may include:
  • a first determining subunit 701, configured to sequentially determine, according to the network device topology, two topology nodes that have physical connections;
  • an obtaining subunit 702, configured to separately obtain all the alarms that the two topology nodes currently have, and find the alarms that have an association relationship;
  • an identifier subunit 703, configured to classify the alarms that have an association relationship according to the alarm code and/or the alarm level, and identify them as the alarm sets of the alarm types;
  • a display subunit 704, configured to determine, when the calculated probability of occurrence of the association between the alarm set of the first alarm type and the alarm set of the second alarm type exceeds the first preset probability value, that the alarm set of the first alarm type and the alarm set of the second alarm type have an association relationship, and to display it on the alarm association graph.
  • The obtaining subunit 702 specifically includes:
  • a calculating module 801, configured to calculate the alarm occurrence time difference and the alarm recovery time difference between a first alarm of the first topology node and a second alarm of the second topology node, where the alarm occurrence time difference is the difference between the occurrence time of the second alarm and the occurrence time of the first alarm, and the alarm recovery time difference is the difference between the recovery time of the second alarm and the recovery time of the first alarm;
  • a determining module 802, configured to determine that the first alarm and the second alarm have an association relationship when the alarm occurrence time difference is greater than 0 and less than the preset time difference, the alarm recovery time difference is greater than 0 and less than the preset recovery time difference, and the alarm level of the first alarm is not less than the alarm level of the second alarm.
  • The display subunit 704 is further configured to: when the calculated probability of occurrence of the association between the alarm set of one alarm type and the alarm set of another alarm type does not match the second preset probability value, adjust the calculated probability of occurrence of the association relationship according to the second preset probability value.
  • the associated alarm determining apparatus may further include: an updating unit 901, configured to periodically update the alarm association map.
  • the searching unit 602 is further configured to: when the network device generates a new alarm, use the updated alarm association map to search for an alarm set of other alarm types associated with the alarm set of the same alarm type as the new alarm.
  • the third determining unit 603 is further configured to: determine an alarm associated with the new alarm in the alarm included in the associated alarm set of each alarm type.
  • The embodiment of the present invention further provides an alarm association graph generating device.
  • The specific structure is shown in FIG. 10 and includes:
  • a first determining unit 1001, configured to sequentially determine, according to the network device topology, two topology nodes that have physical connections;
  • an obtaining unit 1002, configured to separately obtain all the alarms that the two topology nodes currently have, and search for the alarms that have an association relationship;
  • a classification unit 1003, configured to classify the alarms that have an association relationship according to the alarm attribute, identify them as different alarm types, and form an alarm set for each alarm type;
  • a display unit 1004, configured to determine, when the calculated probability of occurrence of the association between the alarm set of the first alarm type and the alarm set of the second alarm type exceeds the first preset probability value, that the alarm set of the first alarm type and the alarm set of the second alarm type have an association relationship, and to display it on the alarm association graph.
  • The classification unit 1003 is specifically configured to classify the alarms that have an association relationship according to the alarm code and/or the alarm level.
  • The obtaining unit 1002 is specifically configured to obtain all the alarms that the two topology nodes currently have, and analyze the association in time between the alarms of the first topology node and the alarms of the second topology node to find the alarms that have an association relationship.
  • The obtaining unit 1002 specifically includes:
  • a calculation subunit 1101, configured to calculate the alarm occurrence time difference and the alarm recovery time difference between a first alarm of the first topology node and a second alarm of the second topology node, where the alarm occurrence time difference is the difference between the occurrence time of the second alarm and the occurrence time of the first alarm, and the alarm recovery time difference is the difference between the recovery time of the second alarm and the recovery time of the first alarm;
  • a second determining subunit 1102, configured to determine that the first alarm and the second alarm have an association relationship when the alarm occurrence time difference is greater than 0 and less than the preset time difference, the alarm recovery time difference is greater than 0 and less than the preset recovery time difference, and the alarm level of the first alarm is not less than the alarm level of the second alarm.
  • The display unit 1004 is further configured to: when the calculated probability of occurrence of the association between the alarm set of the first alarm type and the alarm set of the second alarm type does not match the second preset probability value, adjust the calculated probability of occurrence of the association relationship according to the second preset probability value.
  • The alarm type of the alarm is determined; alarm sets of other alarm types associated with the alarm set of the same alarm type as the alarm are found in the generated alarm association graph, which includes the association relationships between the alarm sets of each alarm type; and the alarms associated with the alarm are determined among the alarms included in the alarm sets of the associated alarm types.
  • the association alarm determination method provided by the embodiment of the present invention determines the other alarms associated with the generated alarms by using the alarm association graph.
  • By using the characteristics of graphical display, the alarm association graph can directly and effectively reflect the association relationships between the alarm sets of different alarm types.
  • After an alarm is received, the alarm association graph is consulted directly, without analyzing the alarm association through predefined rules. This simply and effectively reflects the association relationships between alarms and determines the other alarms associated with the received alarm, which reduces the complexity of determining the association between alarms.
  • Because the alarm association graph does not depend on the network element and is not hard coded by the internal program of the network element, it can be modified according to the actual situation. Therefore, when the network is expanded or reduced, the graph can be modified according to the increase or decrease of network devices in the network. It is not limited by the network scale and is easy to expand.
  • The alarm association graph can be used to find the source fault more accurately and quickly.
  • the alarm association graph is periodically updated.
  • The alarm association graph is generated by analyzing and synthesizing the existing alarm data, and the association relationships it contains can intuitively provide a decision basis for the user, for example, for finding the root cause alarm.
  • The alarm association graph provides maintenance personnel with intuitive association relationships, which can be corrected dynamically. Because the graph is generated through the topology relationship of the network devices, association relationships can be searched and located more effectively, and the root cause alarm is determined with lower computational complexity.
  • The alarm association graph can learn automatically from the latest alarm data, so that the association relationships are more accurate and root cause alarm search and analysis are more accurate.
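The graph generation steps (301 to 304) and the lookup steps (101 to 103) described above, as an added Python example that is not code from the patent. It assumes the alarm code is the alarm type, a larger level number means a more severe alarm, the denominator counts all historical alarms of the first type, and the node names, thresholds and alarm records are constructed; `root_types` is this example's own heuristic for picking root alarm types from the graph.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    alarm_id: int
    node: str       # topology node that reported the alarm
    code: str       # alarm code; used here as the alarm type (assumption)
    level: int      # assumption: larger number = more severe
    raised: float   # occurrence time, seconds
    cleared: float  # recovery time, seconds


def associated(first, second, max_raise_gap, max_clear_gap):
    """Pairwise rule: the second alarm is raised and cleared shortly after
    the first, and the first is at least as severe as the second."""
    d_raise = second.raised - first.raised
    d_clear = second.cleared - first.cleared
    return (0 < d_raise < max_raise_gap
            and 0 < d_clear < max_clear_gap
            and first.level >= second.level)


def build_graph(links, alarms, max_raise_gap=30, max_clear_gap=60, min_prob=0.75):
    """Return {first_type: {second_type: probability}} for every pair of types
    whose association probability exceeds min_prob (first preset probability)."""
    by_node, totals = defaultdict(list), defaultdict(int)
    for a in alarms:
        by_node[a.node].append(a)
        totals[a.code] += 1
    # hits[(X, Y)]: ids of type-X alarms with an associated type-Y alarm
    # on a physically connected node.
    hits = defaultdict(set)
    for n1, n2 in links:
        for src, dst in ((n1, n2), (n2, n1)):
            for first in by_node[src]:
                for second in by_node[dst]:
                    if associated(first, second, max_raise_gap, max_clear_gap):
                        hits[(first.code, second.code)].add(first.alarm_id)
    graph = defaultdict(dict)
    for (x, y), ids in hits.items():
        prob = len(ids) / totals[x]
        if prob > min_prob:
            graph[x][y] = prob
    return dict(graph)


def related_alarms(graph, new_alarm, current_alarms):
    """Steps 101 to 103: take the new alarm's type, find the types linked to it
    in the graph, and return the current alarms of those types."""
    kind = new_alarm.code
    linked = set(graph.get(kind, {}))
    linked |= {src for src, dsts in graph.items() if kind in dsts}
    return [a for a in current_alarms
            if a.code in linked and a.alarm_id != new_alarm.alarm_id]


def root_types(graph, current_alarms):
    """Active types that point to other types but are not pointed to by any
    other active type (heuristic of this example)."""
    active = {a.code for a in current_alarms}
    caused = {dst for src in active for dst in graph.get(src, {})}
    return sorted(c for c in active if c in graph and c not in caused)


# Constructed topology: core <-> agg <-> acc
LINKS = [("core", "agg"), ("agg", "acc")]


def sample_history():
    """Constructed historical alarms: five fault episodes plus noise."""
    alarms = []

    def add(node, code, level, raised, cleared):
        alarms.append(Alarm(len(alarms), node, code, level, raised, cleared))

    for k in range(5):
        t = 1000.0 * k
        add("core", "LINK_DOWN", 4, t, t + 300)
        add("agg", "UPLINK_LOSS", 3, t + 5, t + 310)
        if k < 4:   # follows in 4 of 5 episodes
            add("acc", "SERVICE_DEGRADED", 2, t + 12, t + 320)
        if k == 0:  # one-off coincidence, falls below the threshold
            add("agg", "TEMP_WARN", 1, t + 8, t + 305)
        if k < 2:   # unrelated noise, far away in time
            add("acc", "FAN_FAIL", 1, t + 500, t + 600)
    return alarms


def sample_current():
    """Constructed current alarm cache; faults not yet recovered."""
    inf = float("inf")
    return [Alarm(100, "core", "LINK_DOWN", 4, 9000.0, inf),
            Alarm(101, "agg", "UPLINK_LOSS", 3, 9005.0, inf),
            Alarm(102, "acc", "SERVICE_DEGRADED", 2, 9012.0, inf),
            Alarm(103, "acc", "FAN_FAIL", 1, 9400.0, inf)]


if __name__ == "__main__":
    g = build_graph(LINKS, sample_history())
    cache = sample_current()
    print("graph:", g)
    print("related to UPLINK_LOSS:", [a.code for a in related_alarms(g, cache[1], cache)])
    print("root types:", root_types(g, cache))
```
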

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method and device for generating an alarm association graph, and a method and device for determining associated alarms, are disclosed. The method for generating an alarm association graph includes the following steps: successively determining two physically connected topology nodes according to a network equipment topology graph; acquiring all the alarms that each of the two topology nodes currently has, and searching them for alarms that have association relationships; classifying the alarms that have association relationships according to alarm properties, and generating an alarm collection for each alarm type; and, when the calculated probability of occurrence of the association relationship between the alarm collection of a first alarm type and the alarm collection of a second alarm type exceeds a first preset probability value, determining that an association relationship exists between the two alarm collections and displaying the association relationship on the alarm association graph. The method reflects the association relationships between alarms simply and directly, is not restricted by network size, and is easy to extend.

Description

Alarm association graph generation method and device, and associated alarm determination method and device
Technical field
The present invention relates to the field of network management technologies, and in particular to an alarm association graph generation method, an alarm association graph generation device, an associated alarm determination method, and an associated alarm determination device.
Background
With the rapid development of communication network technology, communication services have become increasingly rich, growing from the original telegraph and telephone services to Internet Protocol (IP) and multimedia services. The diversification of communication services brings a diversification of the types of devices in the communication network, which makes the subsequent management and maintenance of the network increasingly difficult.
In a communication network, association relationships exist between the network devices. When one network device fails, it reports an alarm, and the network devices that have an association relationship with the failed device also report related alarms. The association between alarms is therefore particularly important for managing the whole network. For example, one simple application of alarm association is to find the root cause alarm among a massive number of alarms, that is, to find the root cause of the fault.
Existing alarm association analysis technology mainly analyzes alarm association through rules, but the rules must be predefined. If one alarm can trigger a chain reaction of associated alarms, multiple rules must be established accordingly. Determining the association relationships between different alarms is therefore complex and unintuitive, and as the network scale keeps expanding, the number of rules inevitably grows, which makes the network difficult to maintain.
Summary of the invention
The present invention provides an alarm association graph generation method that reflects the association relationships between alarms simply and directly, is not limited by the network scale, and is easy to extend. The method includes:
determining in turn, according to a network device topology graph, two topology nodes that are physically connected;
acquiring all the alarms that each of the two topology nodes currently has, and searching them for alarms that have an association relationship;
classifying the alarms that have an association relationship according to alarm attributes, to form an alarm set for each alarm type;
when the calculated probability of occurrence of the association relationship between the alarm set of a first alarm type and the alarm set of a second alarm type exceeds a first preset probability value, determining that the alarm set of the first alarm type and the alarm set of the second alarm type have an association relationship, and displaying the association relationship on the alarm association graph.
The present invention also provides a method for determining associated alarms by applying the alarm association graph, which reflects the association relationships between alarms simply and directly, is not limited by the network scale, and is easy to extend. The method includes:
when an alarm occurs on a network device, determining the alarm type of the alarm;
searching the generated alarm association graph for the alarm sets of other alarm types that are associated with the alarm set whose alarm type is the same as that of the alarm, where the alarm association graph includes the association relationships between the alarm sets of the alarm types;
determining, among the alarms contained in the alarm sets of the associated alarm types, the alarms associated with the alarm.
The present invention also provides an alarm association graph generation device that reflects the association relationships between alarms simply and directly, is not limited by the network scale, and is easy to extend. The device includes:
a first determining unit, configured to determine in turn, according to a network device topology graph, two topology nodes that are physically connected;
an acquiring unit, configured to acquire all the alarms that each of the two topology nodes currently has, and to search them for alarms that have an association relationship;
a classification unit, configured to classify the alarms that have an association relationship according to alarm attributes, to form an alarm set for each alarm type;
a display unit, configured to determine, when the calculated probability of occurrence of the association relationship between the alarm set of a first alarm type and the alarm set of a second alarm type exceeds a first preset probability value, that the alarm set of the first alarm type and the alarm set of the second alarm type have an association relationship, and to display the association relationship on the alarm association graph.
The present invention also provides a device for determining associated alarms by applying the alarm association graph generation device, which reflects the association relationships between alarms simply and directly, is not limited by the network scale, and is easy to extend. The device includes:
a second determining unit, configured to determine the alarm type of an alarm when the alarm occurs on a network device;
a search unit, configured to search the generated alarm association graph for the alarm sets of other alarm types that are associated with the alarm set whose alarm type is the same as that of the alarm, where the alarm association graph includes the association relationships between the alarm sets of the alarm types;
a third determining unit, configured to determine, among the alarms contained in the alarm sets of the associated alarm types, the alarms associated with the alarm.
According to the method provided by the present invention, when an alarm occurs on a network device, the alarm type of the alarm is determined, and the generated alarm association graph is searched for the alarm sets of other alarm types that are associated with the alarm set whose alarm type is the same as that of the alarm. The alarm association graph includes the association relationships between the alarm sets of the alarm types. Among the alarms contained in the alarm set of each associated alarm type, the alarms associated with the alarm are determined. The associated alarm determination method provided by the embodiment of the present invention uses the alarm association graph to determine the other alarms associated with the alarm that occurred. Because it is displayed as an image, the alarm association graph reflects the association relationships between the alarm sets of different alarm types plainly and effectively. After an alarm is received, the alarm association graph is consulted directly, with no need to analyze alarm association through predefined rules. The graph thus reflects the association relationships between alarms simply and effectively, determines the other alarms associated with the received alarm, and reduces the complexity of determining association relationships between alarms. The alarm association graph does not depend on the network element: it is not hard-coded in the network element's internal program and can be modified according to the actual situation. Therefore, when the network is expanded or reduced, the graph can be modified as network devices are added to or removed from the network. It is not limited by the network scale and is easy to extend, and with the alarm association graph the source fault can be found more accurately and quickly.
Brief description of the drawings
FIG. 1 is a flowchart of an associated alarm determination method according to an embodiment of the present invention;
FIG. 2 is an alarm association graph according to an embodiment of the present invention;
FIG. 3 is a flowchart of the method for generating the alarm association graph in the associated alarm determination method according to an embodiment of the present invention;
FIG. 4 is a connection diagram of an alarm management system according to an embodiment of the present invention;
FIG. 5 is a flowchart of an alarm association graph generation method according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a first associated alarm determining apparatus according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a second associated alarm determining apparatus according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of a third associated alarm determining apparatus according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a fourth associated alarm determining apparatus according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of a first alarm association graph generating apparatus according to an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of a second alarm association graph generating apparatus according to an embodiment of the present invention.
Detailed description
The alarm association analysis technology mentioned in the prior art analyzes alarm association through predefined rules. When there are many rules, determining the association relationships between different alarms is complex, hard to implement, and unintuitive, and a growing number of rules makes the network harder to maintain. To solve these technical problems of the existing alarm association analysis technology, an embodiment of the present invention provides an associated alarm determination method that uses an alarm association graph to determine the other alarms associated with an alarm that has occurred. The alarm association graph reflects the association relationships between alarms simply and effectively, is not limited by the network scale, is easy to extend, and makes it possible to find the source fault more accurately and quickly.
The specific processing flow of the associated alarm determination method provided by the embodiment of the present invention is shown in FIG. 1 and includes the following steps:
Step 101: When an alarm occurs on a network device, determine the alarm type of the alarm.
Step 102: Search the generated alarm association graph for the alarm sets of other alarm types that are associated with the alarm set whose alarm type is the same as that of the alarm. The alarm association graph includes the association relationships between the alarm sets of the alarm types.
Step 103: Among the alarms contained in the alarm sets of the associated alarm types, determine the alarms associated with the alarm.
In implementation, an alarm has multiple alarm attributes. For example, alarms can be divided into different alarm types according to several alarm attribute parameters such as alarm code, alarm level, alarm occurrence time, and alarm recovery time. Every alarm has its own alarm type. When step 101 is implemented and an alarm occurs on a network device, the alarm type of the alarm is determined first, for example whether it is a critical alarm or a reminder alarm. The specific alarm type depends on the actual situation.
When step 102 is implemented, the generated alarm association graph is searched for the alarm sets of other alarm types that are associated with the alarm set whose alarm type is the same as that of the alarm. The alarm association graph includes the association relationships between the alarm sets of the alarm types. To describe the alarm association graph more vividly and plainly, see FIG. 2. FIG. 2 reflects the association relationships between alarms of different alarm types, that is, each alarm set contains only one alarm. Specifically, this example includes alarms of six alarm types, 0, A, B, C, D and E, and a topology relationship exists between the network devices to which the type 0, A, B, C, D and E alarms belong. In a specific implementation, an alarm set may contain one alarm or multiple alarms, or no alarm of that type may exist, depending on the actual situation.
With FIG. 2 there is no need to analyze alarm association through predefined rules; the association relationships between the alarms can be read plainly from the image. When different network devices in the network raise multiple alarms, the association relationships between the different alarms can be learned directly, which reduces the complexity of determining association relationships between alarms.
In implementation, there are many ways to generate the alarm association graph. For example, the graph can be generated according to the binary tree principle, according to the alarm levels of different alarms, or using other principles. The embodiment of the present invention provides a preferred method for generating the alarm association graph. Its processing flow is shown in FIG. 3 and includes the following steps:
Step 301: Determine in turn, according to the network device topology graph, two topology nodes that are physically connected.
Step 302: Acquire all the alarms that each of the two topology nodes currently has, and search them for alarms that have an association relationship.
Step 303: Classify the alarms that have an association relationship according to alarm code and/or alarm level, label them as different alarm types, and form an alarm set for each alarm type.
Step 304: When the calculated probability of occurrence of the association relationship between the alarm set of the first alarm type and the alarm set of the second alarm type exceeds the first preset probability value, determine that the alarm set of the first alarm type and the alarm set of the second alarm type have an association relationship, and display it on the alarm association graph.
In implementation, the alarms that a network device has usually fall into two parts. One part is the alarms that have already been processed, which are usually stored in the historical alarm database. The other part is the alarms that have not yet been processed, which are usually stored in the current alarm cache. When the alarm association graph is generated, the data in both the historical alarm database and the current alarm cache is analyzed.
In one embodiment, when step 302 is implemented, acquiring all the alarms that each of the two topology nodes currently has and searching them for alarms that have an association relationship specifically includes: acquiring all the alarms that the two topology nodes currently have, analyzing the accompanying relationship in time between the alarms of the first topology node and the alarms of the second topology node, and finding the alarms that have an association relationship.
In implementation, the accompanying relationship in time between the alarms of the first topology node and the alarms of the second topology node is analyzed to find the alarms that have an association relationship. The specific processing flow is as follows:
Calculate the alarm occurrence time difference and the alarm recovery time difference between a first alarm of the first topology node and a second alarm of the second topology node. The alarm occurrence time difference is the occurrence time of the second alarm minus the occurrence time of the first alarm, and the alarm recovery time difference is the recovery time of the second alarm minus the recovery time of the first alarm.
When the alarm occurrence time difference is greater than 0 and less than the preset occurrence time difference, the alarm recovery time difference is greater than 0 and less than the preset recovery time difference, and the alarm level of the first alarm is not less than the alarm level of the second alarm, determine that the first alarm and the second alarm have an association relationship.
The generation of the alarm association graph is now described with a specific example:
Assume the current topology node is A and it has alarm a, with alarm occurrence time Ta, alarm recovery time Ta2, and alarm level Sa. Suppose topology node B, which is associated with topology node A, has alarm b, with alarm occurrence time Tb, alarm recovery time Tb2, and alarm level Sb. If 0 < Tb - Ta < m and 0 < Tb2 - Ta2 < n (m is the preset occurrence time difference, n is the preset recovery time difference), and Sa >= Sb, then alarm a and alarm b are considered associated: alarm b is raised when alarm a is raised and recovers when alarm a recovers.
Apply the above method to all the alarms of node A and all the alarms of node B to find the alarms that have an association relationship, and extract the classes TA and TB. Then calculate the probability of occurrence of the association relationship according to the classification conditions. If the probability is greater than r (r is the first preset probability value, assumed here to be 90%, although other values are possible), alarms of type TA and alarms of type TB are considered to have an association relationship.
When step 302 is implemented, the probability of occurrence of the association relationship between the alarm set of one alarm type and the alarm set of another alarm type is calculated as follows: the number of alarms that fall in the alarm set of the one alarm type is the denominator, and the number of alarms in that set that have an association relationship with the alarm set of the other alarm type is the numerator. The resulting value is the calculated probability.
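The pairwise timing test, the probability calculation, and the lookup of steps 101 to 103 can be put together as follows. This is an added example, not code from the patent: the `Alarm` fields, the function names, the use of the alarm code as the alarm type, the reading of the denominator as every alarm of the first type on the source node, and the sample history are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    node: str       # topology node that raised the alarm
    code: str       # alarm code, used here as the alarm type (assumption)
    level: int      # alarm level S; larger means more severe (assumption)
    raised: float   # occurrence time T, in seconds
    cleared: float  # recovery time T2, in seconds


def accompanies(a, b, m, n):
    """True when b accompanies a: 0 < Tb-Ta < m, 0 < Tb2-Ta2 < n, Sa >= Sb."""
    return (0 < b.raised - a.raised < m
            and 0 < b.cleared - a.cleared < n
            and a.level >= b.level)


def build_graph(links, alarms, m, n, r):
    """Return {type_a: {type_b: probability}} for pairs whose probability exceeds r."""
    by_node = defaultdict(list)
    for alarm in alarms:
        by_node[alarm.node].append(alarm)
    total = defaultdict(int)  # denominator: type_a alarms examined (assumed reading)
    hits = defaultdict(int)   # numerator: those accompanied by a type_b alarm
    for x, y in links:                     # physically connected node pairs
        for src, dst in ((x, y), (y, x)):  # an association may run either way
            for a in by_node[src]:
                total[a.code] += 1
                for type_b in {b.code for b in by_node[dst] if accompanies(a, b, m, n)}:
                    hits[(a.code, type_b)] += 1
    graph = defaultdict(dict)
    for (type_a, type_b), count in hits.items():
        probability = count / total[type_a]
        if probability > r:                # r is the first preset probability value
            graph[type_a][type_b] = probability
    return dict(graph)


def associated_alarms(graph, alarm, current):
    """Steps 101-103: current alarms whose type is linked to the type of `alarm`."""
    linked = set(graph.get(alarm.code, {}))                         # types it leads to
    linked |= {t for t, out in graph.items() if alarm.code in out}  # types leading to it
    return [c for c in current if c != alarm and c.code in linked]


def sample_history():
    """Constructed history for two linked nodes NE1 and NE2 (not real data)."""
    history = []
    for i in range(10):  # every LINK_DOWN on NE1 is followed by LOS on NE2
        t = 1000.0 * i
        history.append(Alarm("NE1", "LINK_DOWN", 3, t, t + 60))
        history.append(Alarm("NE2", "LOS", 2, t + 5, t + 65))
    for i in range(4):   # only 2 of 4 FAN_FAIL alarms are followed by TEMP_HIGH
        t = 1000.0 * i + 500
        history.append(Alarm("NE1", "FAN_FAIL", 2, t, t + 100))
        if i < 2:
            history.append(Alarm("NE2", "TEMP_HIGH", 1, t + 10, t + 110))
    return history


if __name__ == "__main__":
    graph = build_graph([("NE1", "NE2")], sample_history(), m=30, n=30, r=0.9)
    print(graph)
    pending = float("inf")  # recovery time of an alarm that has not recovered yet
    cache = [Alarm("NE1", "LINK_DOWN", 3, 20000, pending),
             Alarm("NE1", "FAN_FAIL", 2, 19000, pending),
             Alarm("NE2", "LOS", 2, 20005, pending)]
    print(associated_alarms(graph, cache[2], cache))
```

With r = 0.9 only the LINK_DOWN to LOS edge survives, so a new LOS alarm is tied to the pending LINK_DOWN and not to the unrelated FAN_FAIL.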
In one embodiment, the calculated probability of the association relationship between the alarm sets of two alarm types may deviate from a second preset probability value (usually the actual probability). When the calculated probability of occurrence of the association relationship between the alarm set of the first alarm type and the alarm set of the second alarm type does not match the second preset probability value, the calculated probability is adjusted according to the second preset probability value. For example, if the second preset probability value is less than the calculated probability, the calculated probability is lowered; likewise, if the second preset probability value is greater than the calculated probability, the calculated probability is raised.
In the embodiment of the present invention, to make the association relationships obtained from the alarm association graph more accurate, the alarm association graph needs to be updated periodically. The update period may be one hour, one day, or one month, depending on the specific situation. A period of one day is usually used to meet the accuracy requirement.
After the alarm association graph is updated, when a new alarm occurs on a network device, the updated alarm association graph is used to find the alarm sets of other alarm types that are associated with the alarm set whose alarm type is the same as that of the new alarm. Among the alarms contained in the alarm set of each associated alarm type, the alarms associated with the new alarm are determined.
In implementation, an alarm management system can be built by applying the associated alarm determination method provided by the embodiment of the present invention. It includes the following parts: network device, current alarm cache, historical alarm database, alarm association graph, alarm association relationship analysis engine, alarm analysis engine, and user interface. See FIG. 4 for the specific connection relationships. The functions of the parts are as follows:
Network device: In this system the network device is the managed device. When a network device fails during operation, it generates an alarm, and the alarm is reported to the network management system.
Historical alarm database: Stores all the historical alarm data that the network devices have generated.
Alarm association relationship analysis engine: Analyzes the data in the historical alarm database and the current alarm cache to obtain the alarm association relationships.
Network device topology graph: A positional relationship diagram built from the physical location relationships of the network devices.
Alarm association graph: Stores the alarm association relationships obtained from the analysis.
Current alarm cache: Stores the current alarms generated by the network devices. A current alarm is an alarm that has not yet been processed, and the device fault corresponding to it has not yet been eliminated.
Alarm analysis engine: Analyzes and processes the alarm data in the current alarm cache according to the alarm association graph to find the root cause alarm.
User interface: The alarm interface presented to the user. It displays the alarm association graph and the root cause alarm so that network maintenance personnel can view and analyze the association relationships on the graph and locate faults.
When the alarm management system shown in FIG. 4 is used, the specific flow of the associated alarm determination method is as follows:
Step 1: Use the current alarm cache and the historical alarm database to collect the alarm data generated by the network devices.
Step 2: Analyze and mine the alarm data and, based on the network device topology graph, find the association relationships between the alarm data.
Step 3: Use the association relationships between the alarm data to generate the alarm association graph.
Step 4: Use the generated alarm association graph to analyze and process the current alarms in the network, find the root cause alarm, and quickly locate the cause of the fault.
Step 5: Mine and analyze the newly generated current alarms and historical alarms, repeat steps 2 and 3 to obtain association relationships, and keep correcting the alarm association graph. This implements an automatic learning function that improves accuracy.
釆用本发明实施例提供的关联告警确定方法, 现以一具体实施说明如 何确定关联告警, 参见图 2, A、 B、 C、 D、 E、 0类告警所属网络设备存在 拓朴关联, 根据箭头指向方向, 被指向的告警伴随着指向它的告警的发生 而发生的机率大于第一预设机率值, 比如 A类型告警发生, D类型告警必 然发生的概率是 98%。 基于同一发明构思, 本发明实施例还提供了一种告警关联图生成方法, 具体处理流程如图 5所示, 包括以下步骤: Using the associated alarm determination method provided by the embodiment of the present invention, how to determine the associated alarm is described in a specific implementation. Referring to FIG. 2, the network devices belonging to the A, B, C, D, E, and 0 types of alarms have a topology association, according to The arrow points in the direction, and the probability that the pointed alarm is accompanied by the occurrence of the alarm pointing to it is greater than the first preset probability value. For example, the type A alarm occurs, and the probability that the type D alarm must occur is 98%. Based on the same inventive concept, the embodiment of the present invention further provides a method for generating an alarm association graph. The specific processing flow is as shown in FIG. 5, and includes the following steps:
步骤 501、 根据网络设备拓朴图依次确定存在物理连接的两个拓朴节 点。  Step 501: Determine two top nodes of the physical connection according to the topology diagram of the network device.
步骤 502、分别获取两个拓朴节点当前具有的所有告警, 查找其中具有 关联关系的告警。  Step 502: Obtain all the alarms currently existing by the two topology nodes, and find an alarm with an association relationship.
步骤 503、 根据告警码和 /或告警级别对具有关联关系的告警进行分类, 并标识为不同的告警类型, 组成各告警类型的告警集合。  Step 503: Classify the alarms with the associated relationship according to the alarm code and/or the alarm level, and identify the alarm types as different alarm types.
步骤 504、当计算出的第一告警类型的告警集合与第二告警类型的告警 集合间的关联关系出现的机率超出第一预设机率值时, 确定第一告警类型 的告警集合与第二告警类型的告警集合存在关联关系, 并将其显示在告警 关联图上。  Step 504: Determine an alarm set and a second alarm of the first alarm type when the calculated probability of occurrence of the association between the alarm set of the first alarm type and the alarm set of the second alarm type exceeds the first preset probability value The type of alarm set has an association relationship and is displayed on the alarm association graph.
In one embodiment, when step 503 is implemented, all the alarms that the two topology nodes currently have are obtained and the alarms among them that have an association relationship are found. The specific processing flow is as follows:
Calculate the alarm occurrence time difference and the alarm recovery time difference between a first alarm of the first topology node and a second alarm of the second topology node. The alarm occurrence time difference is the occurrence time of the second alarm minus the occurrence time of the first alarm, and the alarm recovery time difference is the recovery time of the second alarm minus the recovery time of the first alarm.
When the alarm occurrence time difference is greater than 0 and less than the preset occurrence time difference, the alarm recovery time difference is greater than 0 and less than the preset recovery time difference, and the alarm level of the first alarm is not less than the alarm level of the second alarm, determine that the first alarm and the second alarm have an association relationship.
In one embodiment, the calculated probability of the association between the alarm sets of two alarm types may deviate somewhat from the second preset probability value (usually the actual probability). When the calculated probability that the association between the alarm set of this alarm type and the alarm set of another alarm type occurs does not match the second preset probability value, the calculated probability is adjusted according to the second preset probability value. For example, if the second preset probability value is less than the calculated probability, the calculated probability is lowered; likewise, if the second preset probability value is greater than the calculated probability, the calculated probability is raised.
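Steps 501 to 504 and the time-difference test above, together with the chain traversal toward a root alarm that the description mentions later, as an added Python example (not code from the patent). Assumptions: a larger level number means a higher alarm level, both orderings of each physical link are tested, and the probability of an association is taken as the fraction of first-type alarms that have at least one associated second-type alarm on a neighbouring node; all names and the sample alarms are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    node: str       # topology node that raised the alarm
    code: str       # alarm code
    level: int      # alarm level; assumption: larger number = higher level
    raised: float   # occurrence time (seconds)
    cleared: float  # recovery time (seconds)


def alarm_type(alarm):
    """Step 503: classify an alarm by alarm code and alarm level."""
    return (alarm.code, alarm.level)


def associated(first, second, max_raise_gap, max_clear_gap):
    """Step 502 test: second follows first on both occurrence and recovery,
    within the preset differences, and first's level is not lower."""
    raise_gap = second.raised - first.raised
    clear_gap = second.cleared - first.cleared
    return (0 < raise_gap < max_raise_gap
            and 0 < clear_gap < max_clear_gap
            and first.level >= second.level)


def build_graph(links, alarms, threshold, max_raise_gap, max_clear_gap):
    """Steps 501-504: return {first_type: {second_type: probability}}."""
    neighbours = defaultdict(set)
    for u, v in links:                      # step 501: physically connected pairs
        neighbours[u].add(v)
        neighbours[v].add(u)
    by_node = defaultdict(list)
    for alarm in alarms:
        by_node[alarm.node].append(alarm)

    seen = defaultdict(int)   # type -> number of alarms of that type on linked nodes
    hits = defaultdict(int)   # (t1, t2) -> t1 alarms with an associated t2 alarm
    for node, nbrs in neighbours.items():
        for first in by_node.get(node, []):
            t1 = alarm_type(first)
            seen[t1] += 1
            followers = {alarm_type(second)
                         for nbr in nbrs
                         for second in by_node.get(nbr, [])
                         if associated(first, second, max_raise_gap, max_clear_gap)}
            for t2 in followers:
                hits[(t1, t2)] += 1

    graph = defaultdict(dict)
    for (t1, t2), count in hits.items():
        probability = count / seen[t1]
        if probability > threshold:         # step 504: keep edges above the preset value
            graph[t1][t2] = probability
    return dict(graph)


def root_cause_types(graph, start):
    """Walk association edges backwards from `start` and return the alarm
    types that nothing else points to (candidate root alarms)."""
    predecessors = defaultdict(set)
    for t1, targets in graph.items():
        for t2 in targets:
            predecessors[t2].add(t1)
    roots, visited, stack = set(), {start}, [start]
    while stack:
        current = stack.pop()
        if not predecessors.get(current):
            roots.add(current)
        for prev in predecessors.get(current, ()):
            if prev not in visited:
                visited.add(prev)
                stack.append(prev)
    return roots


# Constructed sample: N1 - N2 - N3 in a line; N1 and N3 are not linked,
# so A and E never form an edge even though their timing would match.
LINKS = [("N1", "N2"), ("N2", "N3")]
ALARMS = [Alarm("N1", "A", 3, t, t + 60) for t in (0, 1000, 2000, 3000)]
ALARMS += [Alarm("N2", "D", 2, t + 5, t + 64) for t in (0, 1000, 2000)]
ALARMS += [Alarm("N3", "E", 1, t + 8, t + 66) for t in (0, 1000, 2000)]
ALARMS.append(Alarm("N2", "X", 2, 3030, 3500))   # unrelated alarm, outside both gaps

if __name__ == "__main__":
    g = build_graph(LINKS, ALARMS, threshold=0.7, max_raise_gap=10, max_clear_gap=10)
    for t1, targets in g.items():
        for t2, p in targets.items():
            print(t1, "->", t2, p)
    print("root of E:", root_cause_types(g, ("E", 1)))
```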
Based on the same inventive concept, an embodiment of the present invention further provides an associated-alarm determination apparatus. The specific structure is shown in FIG. 6 and includes the following steps:
A second determining unit 601, configured to determine the alarm type of an alarm when the alarm occurs on a network device;
A searching unit 602, configured to search the generated alarm association graph for the alarm sets of other alarm types that are associated with the alarm set of the same alarm type as the alarm, where the alarm association graph includes the association relationships between the alarm sets of the alarm types;
A third determining unit 603, configured to determine, among the alarms contained in the alarm sets of the associated alarm types, the alarms associated with the alarm.
In one embodiment, as shown in FIG. 7, the searching unit 602 may include:
A first determining subunit 701, configured to determine in turn, according to the network device topology graph, two topology nodes that have a physical connection.
An obtaining subunit 702, configured to obtain all the alarms that each of the two topology nodes currently has, and find the alarms among them that have an association relationship.
An identifying subunit 703, configured to classify the alarms that have an association relationship according to alarm code and/or alarm level, label them as different alarm types, and form an alarm set for each alarm type.
A display subunit 704, configured to determine, when the calculated probability that the association between the alarm set of a first alarm type and the alarm set of a second alarm type occurs exceeds the first preset probability value, that the alarm set of the first alarm type and the alarm set of the second alarm type are associated, and to display the association on the alarm association graph.
In one embodiment, as shown in FIG. 8, the obtaining subunit 702 specifically includes:
A calculating module 801, configured to calculate the alarm occurrence time difference and the alarm recovery time difference between a first alarm of the first topology node and a second alarm of the second topology node. The alarm occurrence time difference is the occurrence time of the second alarm minus the occurrence time of the first alarm, and the alarm recovery time difference is the recovery time of the second alarm minus the recovery time of the first alarm.
A determining module 802, configured to determine that the first alarm and the second alarm have an association relationship when the alarm occurrence time difference is greater than 0 and less than the preset occurrence time difference, the alarm recovery time difference is greater than 0 and less than the preset recovery time difference, and the alarm level of the first alarm is not less than the alarm level of the second alarm.
In one embodiment, in the apparatus shown in FIG. 7, the display subunit 704 may further be configured to: when the calculated probability that the association between the alarm set of this alarm type and the alarm set of another alarm type occurs does not match the second preset probability value, adjust the calculated probability of the association according to the second preset probability value.
In one embodiment, as shown in FIG. 9, the associated-alarm determination apparatus may further include: an updating unit 901, configured to periodically update the alarm association graph.
The searching unit 602 is further configured to: when a new alarm occurs on a network device, use the updated alarm association graph to search for the alarm sets of other alarm types that are associated with the alarm set of the same alarm type as the new alarm.
The third determining unit 603 is further configured to: determine, among the alarms contained in the alarm set of each associated alarm type, the alarms associated with the new alarm.
Based on the same inventive concept, an embodiment of the present invention further provides an alarm association graph generation apparatus. The specific structure is shown in FIG. 10 and includes:
A first determining unit 1001, configured to determine in turn, according to the network device topology graph, two topology nodes that have a physical connection.
An obtaining unit 1002, configured to obtain all the alarms that each of the two topology nodes currently has, and find the alarms among them that have an association relationship.
A classifying unit 1003, configured to classify the alarms that have an association relationship according to alarm attributes, label them as different alarm types, and form an alarm set for each alarm type.
A display unit 1004, configured to determine, when the calculated probability that the association between the alarm set of a first alarm type and the alarm set of a second alarm type occurs exceeds the first preset probability value, that the alarm set of the first alarm type and the alarm set of the second alarm type are associated, and to display the association on the alarm association graph.
In one embodiment, the classifying unit 1003 is specifically configured to: classify the alarms that have an association relationship according to alarm code and/or alarm level.
In one embodiment, the obtaining unit 1002 is specifically configured to: obtain all the alarms that the two topology nodes currently have, analyze the temporal accompanying relationship between the alarms of the first topology node and the alarms of the second topology node, and find the alarms among them that have an association relationship.
In one embodiment, as shown in FIG. 11, the obtaining unit 1002 specifically includes:
A calculating subunit 1101, configured to calculate the alarm occurrence time difference and the alarm recovery time difference between a first alarm of the first topology node and a second alarm of the second topology node. The alarm occurrence time difference is the occurrence time of the second alarm minus the occurrence time of the first alarm, and the alarm recovery time difference is the recovery time of the second alarm minus the recovery time of the first alarm.
A second determining subunit 1102, configured to determine that the first alarm and the second alarm have an association relationship when the alarm occurrence time difference is greater than 0 and less than the preset occurrence time difference, the alarm recovery time difference is greater than 0 and less than the preset recovery time difference, and the alarm level of the first alarm is not less than the alarm level of the second alarm.
In one embodiment, in the apparatus shown in FIG. 10, the display unit 1004 may further be configured to: when the calculated probability that the association between the alarm set of the first alarm type and the alarm set of the second alarm type occurs does not match the second preset probability value, adjust the calculated probability of the association according to the second preset probability value.
According to the method provided by the embodiment of the present invention, when an alarm occurs on a network device, the alarm type of the alarm is determined; the generated alarm association graph is searched for the alarm sets of other alarm types that are associated with the alarm set of the same alarm type as the alarm, where the alarm association graph includes the association relationships between the alarm sets of the alarm types; and the alarms associated with the alarm are determined among the alarms contained in the alarm set of each associated alarm type. The associated-alarm determination method provided by the embodiment of the present invention uses the alarm association graph to determine the other alarms associated with an alarm that has occurred. Because it is displayed graphically, the alarm association graph reflects the association relationships between the alarm sets of different alarm types plainly and effectively. After an alarm is received, the alarm association graph is consulted directly, and alarm associations do not need to be analyzed through predefined rules; the association relationships between alarms are reflected simply and effectively, the other alarms associated with the received alarm are determined, and the complexity of determining the association relationships between alarms is reduced. Because the alarm association graph does not depend on network elements and is not hard-coded in a network element's internal program, but can be modified according to the actual situation, it can be modified as network devices are added or removed when the network expands or shrinks. It is not limited by network scale and is easy to extend, and the alarm association graph can be used to find the source fault more accurately and quickly.
Further, to ensure the accuracy of the association relationships obtained from the alarm association graph, the alarm association graph is periodically updated in the embodiment of the present invention.
Further, the alarm association graph is generated by analyzing and mining existing alarm data, and the association relationships it contains give users an intuitive basis for decisions, for example for finding the root alarm. The alarm association graph gives maintenance personnel an intuitive view of the association relationships, and the association relationships can be corrected dynamically as needed. Because the alarm association graph is generated from the topology relationships of the network devices, searching for and locating association relationships is more effective. By traversing the chain of association relationships, the root alarm can be determined with low computational complexity. The alarm association graph can keep learning automatically from the latest alarm data, which makes the association relationships more accurate, and the search for and analysis of root alarms more accurate as well. The spirit and scope of the invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these modifications and variations.

Claims

1. A method for generating an alarm association graph, characterized in that the method comprises:
determining in turn, according to a network device topology graph, two topology nodes that have a physical connection;
obtaining all the alarms that each of the two topology nodes currently has, and finding the alarms among them that have an association relationship;
classifying the alarms that have an association relationship according to alarm attributes, to form an alarm set for each alarm type;
when the calculated probability that the association between the alarm set of a first alarm type and the alarm set of a second alarm type occurs exceeds a first preset probability value, determining that the alarm set of the first alarm type and the alarm set of the second alarm type are associated, and displaying the association on the alarm association graph.
2. The method according to claim 1, characterized in that classifying the alarms that have an association relationship according to alarm attributes comprises:
classifying the alarms that have an association relationship according to alarm code and/or alarm level.
3. The method according to claim 1, characterized in that obtaining all the alarms that each of the two topology nodes currently has, and finding the alarms among them that have an association relationship, comprises:
obtaining all the alarms that the two topology nodes currently have, analyzing the temporal accompanying relationship between the alarms of the first topology node and the alarms of the second topology node, and finding the alarms among them that have an association relationship.
4. The method according to claim 3, characterized in that finding the alarms that have an association relationship comprises:
calculating the alarm occurrence time difference and the alarm recovery time difference between a first alarm of the first topology node and a second alarm of the second topology node, where the alarm occurrence time difference is the occurrence time of the second alarm minus the occurrence time of the first alarm, and the alarm recovery time difference is the recovery time of the second alarm minus the recovery time of the first alarm;
when the alarm occurrence time difference is greater than 0 and less than a preset occurrence time difference, the alarm recovery time difference is greater than 0 and less than a preset recovery time difference, and the alarm level of the first alarm is not less than the alarm level of the second alarm, determining that the first alarm and the second alarm have an association relationship.
5. The method according to claim 1, characterized in that, after determining that the alarm set of the first alarm type and the alarm set of the second alarm type are associated and before displaying the association on the alarm association graph, the method further comprises:
when the calculated probability that the association between the alarm set of the first alarm type and the alarm set of the second alarm type occurs does not match a second preset probability value, adjusting the calculated probability of the association according to the second preset probability value.
6. A method for determining associated alarms, characterized in that the method comprises:
when an alarm occurs on a network device, determining the alarm type of the alarm;
searching a generated alarm association graph for the alarm sets of other alarm types that are associated with the alarm set of the same alarm type as the alarm, where the alarm association graph includes the association relationships between the alarm sets of the alarm types;
determining, among the alarms contained in the alarm sets of the associated alarm types, the alarms associated with the alarm.
7. An apparatus for generating an alarm association graph, characterized in that the apparatus comprises:
a first determining unit, configured to determine in turn, according to a network device topology graph, two topology nodes that have a physical connection;
an obtaining unit, configured to obtain all the alarms that each of the two topology nodes currently has, and find the alarms among them that have an association relationship;
a classifying unit, configured to classify the alarms that have an association relationship according to alarm attributes, to form an alarm set for each alarm type;
a display unit, configured to determine, when the calculated probability that the association between the alarm set of a first alarm type and the alarm set of a second alarm type occurs exceeds a first preset probability value, that the alarm set of the first alarm type and the alarm set of the second alarm type are associated, and to display the association on the alarm association graph.
8. The apparatus according to claim 7, characterized in that the classifying unit is further configured to classify the alarms that have an association relationship according to alarm code and/or alarm level.
9. The apparatus according to claim 7, characterized in that the obtaining unit is further configured to obtain all the alarms that the two topology nodes currently have, analyze the temporal accompanying relationship between the alarms of the first topology node and the alarms of the second topology node, and find the alarms among them that have an association relationship.
10. The apparatus according to claim 9, characterized in that the obtaining unit further comprises:
a calculating subunit, configured to calculate the alarm occurrence time difference and the alarm recovery time difference between a first alarm of the first topology node and a second alarm of the second topology node, where the alarm occurrence time difference is the occurrence time of the second alarm minus the occurrence time of the first alarm, and the alarm recovery time difference is the recovery time of the second alarm minus the recovery time of the first alarm;
a second determining subunit, configured to determine that the first alarm and the second alarm have an association relationship when the alarm occurrence time difference is greater than 0 and less than a preset occurrence time difference, the alarm recovery time difference is greater than 0 and less than a preset recovery time difference, and the alarm level of the first alarm is not less than the alarm level of the second alarm.
11. The apparatus according to claim 7, characterized in that the display unit is further configured to adjust, when the calculated probability that the association between the alarm set of the first alarm type and the alarm set of the second alarm type occurs does not match a second preset probability value, the calculated probability of the association according to the second preset probability value.
12. An apparatus for determining associated alarms, characterized in that the apparatus comprises:
a second determining unit, configured to determine the alarm type of an alarm when the alarm occurs on a network device;
a searching unit, configured to search a generated alarm association graph for the alarm sets of other alarm types that are associated with the alarm set of the same alarm type as the alarm, where the alarm association graph includes the association relationships between the alarm sets of the alarm types;
a third determining unit, configured to determine, among the alarms contained in the alarm sets of the associated alarm types, the alarms associated with the alarm.
PCT/CN2010/077229 2010-06-18 2010-09-21 Method for generating alarm association graph and device thereof, and method for determining association alarm and device thereof WO2011157012A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010211808.6 2010-06-18
CN2010102118086A CN102291247A (en) 2010-06-18 2010-06-18 Alarm association diagram generation method and device and association alarm determination method and device

Publications (1)

Publication Number Publication Date
WO2011157012A1 true WO2011157012A1 (en) 2011-12-22

Family

ID=45337371

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/077229 WO2011157012A1 (en) 2010-06-18 2010-09-21 Method for generating alarm association graph and device thereof, and method for determining association alarm and device thereof

Country Status (2)

Country Link
CN (1) CN102291247A (en)
WO (1) WO2011157012A1 (en)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 10853121; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
122 Ep: pct application non-entry in european phase. Ref document number: 10853121; Country of ref document: EP; Kind code of ref document: A1