WO2019019429A1 - 一种虚拟机异常检测方法、装置、设备及存储介质 - Google Patents
一种虚拟机异常检测方法、装置、设备及存储介质 Download PDFInfo
- Publication number
- WO2019019429A1 WO2019019429A1 PCT/CN2017/106655 CN2017106655W WO2019019429A1 WO 2019019429 A1 WO2019019429 A1 WO 2019019429A1 CN 2017106655 W CN2017106655 W CN 2017106655W WO 2019019429 A1 WO2019019429 A1 WO 2019019429A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- gaussian
- virtual machine
- data
- time series
- component
- Prior art date
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 37
- 238000000034 method Methods 0.000 claims abstract description 27
- 206010000117 Abnormal behaviour Diseases 0.000 claims abstract description 19
- 238000000513 principal component analysis Methods 0.000 claims description 75
- 230000005856 abnormality Effects 0.000 claims description 23
- 238000010197 meta-analysis Methods 0.000 claims description 16
- 230000001186 cumulative effect Effects 0.000 claims description 15
- 238000011084 recovery Methods 0.000 claims description 8
- 238000000354 decomposition reaction Methods 0.000 claims description 6
- 238000012880 independent component analysis Methods 0.000 abstract description 37
- 238000005516 engineering process Methods 0.000 abstract description 5
- 238000004891 communication Methods 0.000 abstract description 2
- 239000000306 component Substances 0.000 description 59
- 238000004422 calculation algorithm Methods 0.000 description 46
- 230000002159 abnormal effect Effects 0.000 description 30
- 238000012545 processing Methods 0.000 description 17
- 238000012360 testing method Methods 0.000 description 16
- 238000010586 diagram Methods 0.000 description 12
- 238000012549 training Methods 0.000 description 9
- 238000004458 analytical method Methods 0.000 description 4
- 238000004364 calculation method Methods 0.000 description 4
- 239000000284 extract Substances 0.000 description 4
- 238000012544 monitoring process Methods 0.000 description 4
- 239000000523 sample Substances 0.000 description 4
- 230000008569 process Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000009897 systematic effect Effects 0.000 description 2
- 238000012896 Statistical algorithm Methods 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 238000007796 conventional method Methods 0.000 description 1
- 239000008358 core component Substances 0.000 description 1
- 238000013480 data collection Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000003745 diagnosis Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000002349 favourable effect Effects 0.000 description 1
- 239000012634 fragment Substances 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 239000011159 matrix material Substances 0.000 description 1
- 238000005259 measurement Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000007619 statistical method Methods 0.000 description 1
- 230000009885 systemic effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/0703—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
- G06F11/0706—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment
- G06F11/0712—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment in a virtual computing platform, e.g. logically partitioned systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/0703—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
- G06F11/0751—Error or fault detection not based on redundancy
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
- G06F18/213—Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods
- G06F18/2134—Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods based on separation criteria, e.g. independent component analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
- G06F18/213—Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods
- G06F18/2135—Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods based on approximation criteria, e.g. principal component analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45591—Monitoring or debugging support
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2201/00—Indexing scheme relating to error detection, to error correction, and to monitoring
- G06F2201/815—Virtual
Definitions
- the present disclosure relates to the field of computer performance index monitoring and anomaly detection of Information and Communication Technologies (ICT), and particularly relates to a virtual machine anomaly detection method, device, device and storage medium.
- ICT Information and Communication Technologies
- Cloud computing integrates related hardware resources through virtualization and other technologies to form a shared resource pool, enabling business systems to acquire computing, storage, and network resources on demand, effectively solving the problems of traditional IT infrastructure.
- the virtual machine is the core component of the cloud platform and is responsible for providing computing and storage resources for the business system to ensure the normal operation of the business system.
- the existence of virtual machine anomalies not only causes the business system to fail to operate properly, but also causes various incalculable losses; it also causes enterprises to worry about cloud computing and hinder the development and application of cloud computing. Therefore, you need to introduce virtual machine anomaly detection technology to discover the abnormal behavior of the virtual machine in time to remind the administrator to take necessary measures to ensure the normal operation of the virtual machine.
- PCA Principal Component Analysis
- SPE Squared Prediction Error
- T 2 reflects systemic changes
- SPE reflects non-systematic changes
- SPE based on residual space can more accurately reflect abnormal features.
- the problem with PCA is that it is an analysis method based on the second-order statistical properties of the signal, and it is generally assumed that the process variable obeys a Gaussian distribution.
- the abnormal alarm detection system using the PCA algorithm is shown in FIG. 1.
- the PCA algorithm service receives time series source data (ie, time series data), and after processing, outputs the detected abnormal time point and serves as an input of the alarm service, thereby generating an abnormal alarm. .
- ICA Independent Component Analysis
- the problem with ICA is that its assumption is that the independent component needs to have a non-Gaussian distribution, otherwise the hybrid matrix will not be determined.
- the abnormal alarm detection system using the ICA algorithm is shown in FIG. 2.
- the ICA algorithm service receives the time series source data, and after processing, outputs the detected abnormal time point and serves as an input of the alarm service, thereby generating an abnormal alarm.
- the method, device, device and storage medium for detecting an abnormality of a virtual machine provided by the embodiment of the present disclosure solve the problem that the related technology cannot accurately detect the time point at which the abnormal behavior of the virtual machine occurs.
- a residual acquisition module configured to obtain non-Gaussian residual data of the virtual machine
- the abnormality determining module is configured to perform independent meta-analysis on the non-Gaussian residual data to determine a time point at which the virtual machine experiences an abnormal behavior.
- a processor configured to acquire non-Gaussian residual data of the virtual machine, and perform independent meta-analysis on the non-Gaussian residual data to determine a time point at which the virtual machine has an abnormal behavior
- a memory arranged to store a program for execution by the processor.
- a storage medium is stored thereon with a program executable by a processor, which causes the processor to perform the following steps:
- the embodiment of the present disclosure extracts non-Gaussian independent elements in the PCA residual space by using ICA, and the obtained detection result is more accurate and effective;
- the embodiment of the present disclosure preserves non-Gaussian information to a certain extent by the residual space processed by the PCA, and can more completely capture the abnormal information.
- FIG. 1 is a block diagram of an abnormal alarm detection system using a PCA algorithm
- FIG. 2 is a block diagram of an abnormal alarm detection system using an ICA algorithm
- FIG. 3 is a flowchart of a virtual machine anomaly detection method according to an embodiment of the present disclosure
- FIG. 4 is a schematic diagram of actual operation of a virtual machine anomaly detection system according to an embodiment of the present disclosure
- FIG. 5 is a flow chart of the PCA algorithm service processing of Figure 4.
- FIG. 6 is a flowchart of the ICA algorithm service processing of FIG. 5;
- FIG. 7 is a block diagram of a virtual machine anomaly detecting apparatus according to an embodiment of the present disclosure.
- FIG. 8 is a set of data diagrams processed by an embodiment of the present disclosure, including data of six dimensions, such as CPU, disk read and write, network I/O, and memory, with a training set on the left and a test set on the right;
- FIG. 9 is a processing result diagram of the conventional PCA method for the data of FIG. 8, the left side is for the training set data, and the right side is for the test set data;
- FIG. 10 is a processing result diagram of the ICA algorithm based on the PCA residual for the data of FIG. 8, the left side is for the training set data, and the right side is for the test set data;
- 11 is another set of data maps processed by the embodiment of the present disclosure, which also includes data of six dimensions such as CPU, disk read and write, network I/O, and memory.
- the left side is a training set, and the right side is a test set;
- FIG. 12 is a processing result diagram of the conventional PCA method for the data of FIG. 11, the left side is for the training set data, and the right side is for the test set data;
- FIG. 13 is a processing result diagram of the ICA algorithm based on the PCA residual for the data of FIG. 11, the left side is for the training set data, and the right side is for the test set data.
- the embodiment of the present disclosure is applicable to detecting abnormal behavior of a virtual machine.
- the non-Gaussian residual data of the virtual machine obtained by processing the time series data of the virtual machine is subjected to independent meta-analysis to obtain an abnormality of the virtual machine. The point in time of the act.
- FIG. 3 is a flowchart of a method for detecting an abnormality of a virtual machine according to an embodiment of the present disclosure. As shown in FIG. 3, the steps include:
- Step S10 Acquire non-Gaussian residual data of the virtual machine.
- the step S10 includes:
- Step S101 Perform principal component analysis on the time series data of the virtual machine to obtain a strong Gaussian principal element of the time series data.
- performing principal component decomposition on the time series data to obtain a principal element of the time series data extracting a strong Gaussian component from the principal elements of the time series data, and by the strong Gaussian property
- the components constitute a strong Gaussian principal of the time series data.
- the extracting the strong Gaussian component from the principal elements of the time series data includes: calculating a statistical value (ie, a JB value) of each component of the principal element of the time series data that characterizes the Gaussian strength; Statistical value of component Sum; sorting each component according to the statistical value from small to large, and calculating the cumulative sum of the statistical values of each of the components in the sequence and the pre-sorted components; The cumulative sum of the statistical values, the sum of the statistical values of all the components, the Gaussian component ratio is calculated, and the component of the strong Gaussian is determined according to the proportion of the Gaussian component.
- a statistical value ie, a JB value
- the step S10 further includes:
- Step S102 Obtain non-Gaussian residual data according to the strong Gaussian principal element and the time series data.
- data recovery is performed to obtain strong Gaussian time series recovery data; and the non-Gaussian residual is obtained according to the time series data and the time series recovery data. data.
- Step S20 Perform independent element analysis on the non-Gaussian residual data to determine a time point at which the virtual machine experiences abnormal behavior, that is, an abnormal time point of the time series data.
- the step S20 includes:
- Step S201 performing independent meta-analysis on the non-Gaussian residual data, obtaining a statistical value (ie, I 2 ) for measuring the amount of information included in the independent meta-model, and using the independent meta-model for measuring The statistical value of the amount of information described (ie SPE).
- Step S202 Determine, according to the I 2 and the SPE, a time point at which the virtual machine experiences an abnormal behavior.
- the abnormal time point extracted by the I 2 and the abnormal time point extracted by the SPE are combined as an abnormal time point of the virtual machine.
- step S10 to step S20 are included.
- the present disclosure may further provide a storage medium having stored thereon a computer program, the program being executed by the processor to at least implement the following steps: acquiring non-Gaussian residual data of the virtual machine; The non-Gaussian residual data is subjected to independent meta-analysis to determine the time point at which the virtual machine experiences abnormal behavior.
- the storage medium may include a ROM/RAM, a magnetic disk, an optical disk, and a USB flash drive.
- Figure 4 is a diagram of the actual operation of the virtual machine system.
- the time series data source is first input into the PCA algorithm service module as input, and the PCA residual data is extracted, and then the residual data is flowed into the ICA algorithm service module to output I 2 and SPE statistics.
- the abnormal time point detected by the quantity flows into the alarm service module to generate an alarm.
- the processing flow of the PCA algorithm service module is shown in FIG. 4, and the processing flow of the ICA algorithm service module is shown in FIG. 5.
- FIG. 4 is a schematic diagram of actual operation of a virtual machine anomaly detection system according to an embodiment of the present disclosure, as shown in FIG. 4.
- An exemplary scenario is as follows:
- Step 1 The PCA algorithm service in the system receives time series data (ie, raw data) from the data source as input.
- time series data ie, raw data
- Step 2 Suppose the original data X ⁇ R n*m , where n is the number of samples, m is the number of variables or the number of dimensions), and the PCA algorithm is executed on X to obtain the principal element X_T ⁇ R n*p , where p is the number of the main component.
- Step 3 Further extracting a Gaussian component from the principal element X_T.
- An exemplary approach is as follows:
- Step 3.1 Calculate the value of the JB (Jarque-Bera) statistic for each component of the pivot.
- JB Jarque-Bera
- n is the number of sample points
- S is the sample skewness
- K is the sample kurtosis. The larger the JB value, the stronger the non-Gaussian property and the weaker the Gaussian property.
- Step 3.3 Calculate the above sorted JB sequence values: cumulative sum / sum, ie calculate: [JB1/sum(JB), (JB1+JB2)/sum(JB), ..., (JB1+...+JBp)/ Sum(JB)], obtain a score sequence of a value size range (0, 1), set a Gaussian component ratio threshold, retain a value less than the threshold in the score sequence, and extract the principal component corresponding to the sequence value Form a new principal X_Tnew.
- an embodiment of the present disclosure implements an improved algorithm for PCA residuals.
- the residual data of the obtained PCA is a residual that is further calculated after the PCA principal element is further filtered by Gaussian to form a new principal element. Poor, so the residual calculated by the traditional PCA algorithm directly after extracting the principal element by the energy size is different.
- Step 5 The ICA algorithm service in the system receives the output X_Res data from the PCA algorithm service, performs an ICA algorithm on X_Res, performs independent meta-decomposition, and calculates I 2 and SPE statistics.
- the detection threshold is set for the I 2 and SPE statistic, and the abnormal time points are respectively extracted, and then the abnormal detection results of I 2 and SPE are combined to be the output of the ICA algorithm service.
- the PCA service does not directly output the abnormal time point, but only outputs the residual data of the PCA.
- the input of the ICA algorithm service is not the original data, but the residual data of the PCA.
- the final detection result comes from the ICA data processing of the PCA residual data.
- Step 6 The alarm service in the system receives the output from the ICA algorithm service, that is, the abnormal time point, and generates a corresponding alarm.
- FIG. 5 is a flowchart of the PCA algorithm service processing of FIG. 4, as shown in FIG. 5, including: first performing a PCA algorithm on the original data X ⁇ R n*m , extracting the principal element X_T; and then further extracting the Gaussian property from the principal element X_T The strong component forms a new principal X_Tnew; finally, the new principal X_Tnew is restored to the original data space, and the residual X_Res ⁇ R n*m is calculated and output.
- FIG 6 is a flowchart of processing service ICA algorithm of FIG. 5, 6, comprising: a first residual X_Res ⁇ R n * m ICA algorithm execution, independent component decomposed; I 2, and then calculating SPE statistics were extracted Abnormal; finally merge the abnormal detection results of I 2 and SPE and output.
- the residual data obtained by the PCA decomposition in the original data is more favorable for reflecting the abnormal features than the principal element space, and therefore the embodiment of the present disclosure considers the residual space of the PCA as the basis for the continuous analysis.
- the residual of the traditional PCA algorithm is not directly obtained, but the PCA principal element is further extracted according to the Gaussian property.
- the PCA residual is calculated, and then the independent element is extracted by the ICA in the PCA residual space, and the I 2 and SPE statistics are calculated to detect the abnormality, and finally the detection result is combined.
- FIG. 7 is a block diagram of a virtual machine anomaly detecting apparatus according to an embodiment of the present disclosure. As shown in FIG. 7, the method includes a residual acquiring module and an abnormality determining module.
- the residual acquisition module is configured to acquire non-Gaussian residual data of the virtual machine.
- the residual obtaining module includes, in an embodiment, a principal component computing submodule and a residual computing submodule, wherein the principal component computing submodule is configured to perform principal component analysis on the time series data of the virtual machine, to obtain A strong Gaussian principal element of the time series data; the residual calculation submodule is configured to obtain non-Gaussian residual data based on the strong Gaussian principal element and the time series data.
- the abnormality determining module is configured to perform independent meta-analysis on the non-Gaussian residual data, and determine a time point at which the virtual machine generates an abnormal behavior, that is, an abnormal time point of the time series data.
- the working process of the device includes: a principal component calculation sub-module performing principal component decomposition on the time series data, obtaining a principal component of the time series data, and extracting a strong Gaussian component from a principal component of the time series data And consisting of the strong Gaussian component of the strong Gaussian principal component of the time series data.
- the residual calculation sub-module uses the strong Gaussian principal element to perform data recovery, obtains strong Gaussian time series recovery data, and recovers data according to the time series data and the time series to obtain a non-Gaussian residual. Poor data.
- the abnormality determining module performs independent meta-analysis on the non-Gaussian residual data to obtain I 2 and SPE statistics, and determines an abnormal time point of the time series data.
- the principal component calculation sub-module calculates a sum of a JB value of each component of the principal elements of the time series data and a JB value of all components, and sorts each component according to a JB value in a small to large order, and calculates a cumulative sum of each of said components in the sequence and the JB values of the prior components, and then Gauss is calculated based on the sum of the JB values of the preceding components and the sum of the JB values of all the components.
- the sex component is proportioned, and the component of the strong Gaussian property is determined according to the proportion of the Gaussian component.
- This embodiment provides a virtual machine abnormality detecting device, including:
- a processor configured to acquire non-Gaussian residual data of the virtual machine, and perform independent meta-analysis on the non-Gaussian residual data to determine a time point at which the virtual machine has an abnormal behavior
- a memory is arranged to store a program for execution by the processor, which can be coupled to the processor.
- the method for evaluating the algorithm of the embodiment of the present disclosure is improved according to the traditional algorithm, that is, setting the same training set and test set, wherein the test set is the time period corresponding to the abnormality of the feedback according to the data collection site, and the detection statistic is set to be the same.
- the threshold judgment criterion is to investigate whether the algorithm of the embodiment of the present disclosure can detect more abnormal data points on the known abnormal time period.
- the data collected in Figure 8 includes the time period 2016.10.1 ⁇ 2016.11.11, and the on-site feedback is between 18:00 on November 7 and 12:00 on the next day.
- the business has experienced many abnormalities.
- the abnormality detection result using the traditional PCA algorithm is shown in Fig. 9.
- the PCA principal component energy ratio is set to 85%
- the detection statistics T 2 and SPE are estimated by the kernel density method
- the probability density distribution is taken according to the cumulative probability distribution value.
- a threshold of 99.7% was extracted abnormally. The results showed that in the test set, PCA T 2 did not detect an abnormality, and PCA SPE detected an abnormality for a period of time.
- the abnormality detection result of the ICA algorithm based on the PCA residual is shown in Fig. 10.
- the PCA principal component energy ratio threshold is also set to 85%, and four principal component X_T[0], X_T[1], X_T are obtained. 2], X_T[3], calculate the JB values of the four principal components, first sort from small to large, and then calculate the cumulative sum / sum, as shown in Table 1.
- the main element Gaussian component is set to account for 85% of the threshold value, and the actual extracted principal elements are X_T[0], X_T[2], X_T[3], and X_T[1] is eliminated because it is non-Gaussian.
- the new principal space formed by X_T[0], X_T[2], and X_T[3] is returned to the original data space to calculate the PCA residual.
- the detection statistic takes a threshold value of a cumulative probability distribution value of 99.7%.
- the results showed that in the test set, ICA I 2 and SPE each detected an abnormality for a period of time, and the detection result of I 2 was consistent with the time period detected by PCA SPE.
- the number of abnormal points detected by the method of the embodiment of the present disclosure is more than that of the conventional PCA method, and from the original data, the system resources do have a large change in the time period of the PCA missed detection.
- the data collected in Figure 11 includes the time period 2017.1.1 ⁇ 2017.2.28, and the on-site feedback is between February 8th and 8:00-12:00.
- the service experience is abnormal.
- the 2017.2.25 8:00 ⁇ 2017.2.25 12:00 time period is set as the test set, and the remaining data is set as the training set after the data is removed.
- the abnormality detection result using the traditional PCA algorithm is shown in Fig. 12, wherein the PCA principal component energy ratio threshold is set to 85%, the detection statistics T 2 and SPE are estimated by the kernel density method, and the cumulative probability distribution value is used. Take 99.7% of the threshold to extract the anomaly. The results showed that in the test set, neither PCA T 2 nor PCA SPE detected an abnormality, which was completely inconsistent with the business experience.
- the abnormality detection result of the ICA algorithm based on PCA residual is shown in Fig. 13.
- the PCA principal component energy ratio is also set to 85%, and four principal component X_T[0], X_T[1], X_T[2 are obtained. ], X_T[3], calculate the JB values of the four principal components, first sort from small to large, and then calculate the cumulative sum / sum, as shown in Table 2.
- the main element Gaussian component is set to account for 85% of the threshold value, and the actual extracted principal elements are X_T[0], X_T[2], X_T[3], and X_T[1] is eliminated because it is non-Gaussian.
- the new principal space formed by X_T[0], X_T[2], and X_T[3] is returned to the original data space to calculate the PCA residual.
- the detection statistic takes a threshold value of 99.7% of the cumulative probability distribution value.
- the results show that in the test set, ICA SPE detected a more intensive period of abnormality.
- the method of the present disclosure detects more abnormal points than the traditional PCA method, and from the original data, the system resources do have relatively severe abnormal fluctuations during the time period in which the test set is located.
- the embodiments of the present disclosure are based on the improvement of the conventional PCA and ICA anomaly detection methods. Compared with the conventional methods, the embodiments of the present disclosure have the following technical effects:
- the traditional PCA algorithm only considers the energy size factor when extracting the principal element, and does not consider the data distribution.
- the algorithm of the embodiment of the present disclosure further extracts the principal component extracted by the traditional PCA according to the Gaussian property, that is, retains the PCA.
- the Gaussian component of the principal element is the actual PCA principal.
- the residual space obtained by the traditional PCA algorithm only reflects the energy characteristics.
- the obtained non-Gaussian residual space is also enhanced, which has two advantages.
- the PCA residual is not Systematic changes, it is easier to detect anomalies than the principal elements; secondly, the anomalies often have sudden, small non-Gaussian characteristics, so non-Gaussian enhancements indicate that the residual space capture anomalies will be more comprehensive, in non-Gaussian It is better to detect anomalies in a strong PCA residual space.
- the traditional ICA algorithm is suitable for the processing of non-Gaussian source signals. Therefore, the PCA residual data with strong non-Gaussian obtained by the embodiment of the present disclosure is more suitable for the processing of the ICA algorithm than the direct input of the original signal, thus obtaining The test results will be more accurate and effective.
- the virtual machine anomaly detection method provided by the embodiment of the present disclosure extracts non-Gaussian independent elements in the PCA residual space by using ICA, and the obtained detection result is more accurate and effective; the non-Gauss information is processed to a certain extent by the PCA processed residual space.
- the reservation can capture exception information more comprehensively.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Software Systems (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Data Mining & Analysis (AREA)
- Quality & Reliability (AREA)
- Life Sciences & Earth Sciences (AREA)
- Artificial Intelligence (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Bioinformatics & Computational Biology (AREA)
- Evolutionary Biology (AREA)
- Evolutionary Computation (AREA)
- Mathematical Physics (AREA)
- Debugging And Monitoring (AREA)
Abstract
Description
主元分量 | JB | 累计和/总和 |
X_T[3] | 4.745843e+02 | 9.973862e-08 |
X_T[0] | 4.537954e+06 | 9.537958e-04 |
X_T[2] | 1.088366e+07 | 3.241106e-03 |
X_T[1] | 4.742859e+09 | 1.000000e+00 |
主元分量 | JB | 累计和/总和 |
X_T[2] | 1.316693e+04 | 0.000001 |
X_T[3] | 3.613565e+04 | 0.000004 |
X_T[0] | 9.596462e+05 | 0.000088 |
X_T[1] | 1.152558e+10 | 1.000000 |
Claims (10)
- 一种虚拟机异常检测方法,包括:获取虚拟机的非高斯性的残差数据;对所述非高斯性的残差数据进行独立元分析,确定所述虚拟机发生异常行为的时间点。
- 根据权利要求1所述的方法,所述获取虚拟机的非高斯性的残差数据包括:对所述虚拟机的时间序列数据进行主元分析,得到所述时间序列数据的强高斯性的主元;根据所述强高斯性的主元和所述时间序列数据,得到非高斯性的残差数据。
- 根据权利要求2所述的方法,所述对所述虚拟机的时间序列数据进行主元分析,得到所述时间序列数据的强高斯性的主元包括:对所述时间序列数据进行主元分解,得到所述时间序列数据的主元;从所述时间序列数据的主元中提取强高斯性的分量,并由所述强高斯性的分量构成所述时间序列数据的强高斯性的主元。
- 根据权利要求3所述的方法,所述从所述时间序列数据的主元中提取强高斯性的分量包括:计算所述时间序列数据的主元的每个分量的表征高斯性强弱的统计值;根据所述每个分量的统计值,确定所述时间序列数据的主元中的强高斯性的分量。
- 根据权利要求4所述的方法,所述根据所述每个分量的统计值,确定所述时间序列数据的主元中的强高斯性的分量包括:计算所有分量的统计值的总和;按照统计值由小至大的顺序对每个分量进行排序,并计算序列中每个所述分量与排序在前分量的统计值的累计和;根据每个所述分量与排序在前分量的统计值的累计和、所述所有分量的统计值的总和,计算高斯性成分占比,并根据所述高斯性成分占比,确定强高斯性的分量。
- 根据权利要求2所述的方法,所述根据所述强高斯性的主元和所述时间序列数据,得到非高斯性的残差数据包括:利用所述强高斯性的主元,进行数据恢复,得到强高斯性的时间序列恢复数据;根据所述时间序列数据和所述时间序列恢复数据,得到非高斯性的残差数据。
- 根据权利要求1所述的方法,所述对所述非高斯性的残差数据进行独立元分析,确定所述虚拟机发生异常行为的时间点包括:对所述非高斯性的残差数据进行独立元分析,得到用于衡量包含在独立元模型中的信息量的统计值和用于衡量不能被所述独立元模型描述的信息量的统计值;根据所述用于衡量包含在独立元模型中的信息量的统计值和所述用于衡量不能被所述独立元模型描述的信息量的统计值,确定所述虚拟机发生异常行为的时间点。
- 一种虚拟机异常检测装置,包括:残差获取模块,设置为获取虚拟机的非高斯性的残差数据;异常确定模块,设置为对所述非高斯性的残差数据进行独立元分析,确定所述虚拟机发生异常行为的时间点。
- 一种虚拟机异常检测设备,包括:处理器,设置为获取虚拟机的非高斯性的残差数据,并对所述非高斯性的残差数据进行独立元分析,确定所述虚拟机发生异常行为的时间点;存储器,设置为存储供所述处理器执行的程序。
- 一种存储介质,其上存储有处理器可执行的程序,该程序使处理器执行以下步骤:获取虚拟机的非高斯性的残差数据;对所述非高斯性的残差数据进行独立元分析,确定所述虚拟机发生异常行为的时间点。
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710627200.3A CN109308225B (zh) | 2017-07-28 | 2017-07-28 | 一种虚拟机异常检测方法、装置、设备及存储介质 |
CN201710627200.3 | 2017-07-28 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019019429A1 true WO2019019429A1 (zh) | 2019-01-31 |
Family
ID=65039486
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2017/106655 WO2019019429A1 (zh) | 2017-07-28 | 2017-10-18 | 一种虚拟机异常检测方法、装置、设备及存储介质 |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN109308225B (zh) |
WO (1) | WO2019019429A1 (zh) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11060885B2 (en) | 2019-09-30 | 2021-07-13 | Oracle International Corporation | Univariate anomaly detection in a sensor network |
US11216247B2 (en) | 2020-03-02 | 2022-01-04 | Oracle International Corporation | Automatic asset anomaly detection in a multi-sensor network |
CN114844796A (zh) * | 2022-04-29 | 2022-08-02 | 济南浪潮数据技术有限公司 | 一种对时序kpi的异常检测的方法、装置及介质 |
US20220253652A1 (en) | 2021-02-05 | 2022-08-11 | Oracle International Corporation | Adaptive Pattern Recognition for a Sensor Network |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115147203B (zh) * | 2022-06-08 | 2024-03-15 | 阿尔法时刻科技(深圳)有限公司 | 基于大数据的金融风险分析方法 |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070211836A1 (en) * | 2006-03-09 | 2007-09-13 | Interdigital Technology Corporation | Wireless communication method and apparatus for performing knowledge-based and blind interference cancellation |
CN101158693A (zh) * | 2007-09-26 | 2008-04-09 | 东北大学 | 基于多核独立元分析的批量生产过程故障检测方法 |
CN101403923A (zh) * | 2008-10-31 | 2009-04-08 | 浙江大学 | 基于非高斯成分提取和支持向量描述的过程监控方法 |
CN103428026A (zh) * | 2012-05-14 | 2013-12-04 | 国际商业机器公司 | 用于共享动态云中的问题确定和诊断的方法和系统 |
CN106778533A (zh) * | 2016-11-28 | 2017-05-31 | 国网上海市电力公司 | 基于核函数的pca‑ksica储能系统典型工况识别方法 |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8255100B2 (en) * | 2008-02-27 | 2012-08-28 | The Boeing Company | Data-driven anomaly detection to anticipate flight deck effects |
CN104656635B (zh) * | 2014-12-31 | 2017-10-13 | 重庆科技学院 | 非高斯动态高含硫天然气净化过程异常检测与诊断方法 |
CN106483847B (zh) * | 2016-09-20 | 2019-06-14 | 北京工业大学 | 一种基于自适应ica的冷水机组故障检测方法 |
-
2017
- 2017-07-28 CN CN201710627200.3A patent/CN109308225B/zh active Active
- 2017-10-18 WO PCT/CN2017/106655 patent/WO2019019429A1/zh active Application Filing
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070211836A1 (en) * | 2006-03-09 | 2007-09-13 | Interdigital Technology Corporation | Wireless communication method and apparatus for performing knowledge-based and blind interference cancellation |
CN101158693A (zh) * | 2007-09-26 | 2008-04-09 | 东北大学 | 基于多核独立元分析的批量生产过程故障检测方法 |
CN101403923A (zh) * | 2008-10-31 | 2009-04-08 | 浙江大学 | 基于非高斯成分提取和支持向量描述的过程监控方法 |
CN103428026A (zh) * | 2012-05-14 | 2013-12-04 | 国际商业机器公司 | 用于共享动态云中的问题确定和诊断的方法和系统 |
CN106778533A (zh) * | 2016-11-28 | 2017-05-31 | 国网上海市电力公司 | 基于核函数的pca‑ksica储能系统典型工况识别方法 |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11060885B2 (en) | 2019-09-30 | 2021-07-13 | Oracle International Corporation | Univariate anomaly detection in a sensor network |
US11216247B2 (en) | 2020-03-02 | 2022-01-04 | Oracle International Corporation | Automatic asset anomaly detection in a multi-sensor network |
US20220253652A1 (en) | 2021-02-05 | 2022-08-11 | Oracle International Corporation | Adaptive Pattern Recognition for a Sensor Network |
US11762956B2 (en) | 2021-02-05 | 2023-09-19 | Oracle International Corporation | Adaptive pattern recognition for a sensor network |
CN114844796A (zh) * | 2022-04-29 | 2022-08-02 | 济南浪潮数据技术有限公司 | 一种对时序kpi的异常检测的方法、装置及介质 |
Also Published As
Publication number | Publication date |
---|---|
CN109308225B (zh) | 2024-04-16 |
CN109308225A (zh) | 2019-02-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2019019429A1 (zh) | 一种虚拟机异常检测方法、装置、设备及存储介质 | |
US10805151B2 (en) | Method, apparatus, and storage medium for diagnosing failure based on a service monitoring indicator of a server by clustering servers with similar degrees of abnormal fluctuation | |
US10069900B2 (en) | Systems and methods for adaptive thresholding using maximum concentration intervals | |
CN107992410B (zh) | 软件质量监测方法、装置、计算机设备和存储介质 | |
CN108921424B (zh) | 一种电力数据异常检测方法、装置、设备及可读存储介质 | |
CN116049146B (zh) | 一种数据库故障处理方法、装置、设备及存储介质 | |
Dhanalaxmi et al. | A review on software fault detection and prevention mechanism in software development activities | |
CN116414717A (zh) | 基于流量回放的自动测试方法、装置、设备、介质及产品 | |
CN115375039A (zh) | 一种工业设备故障预测方法、装置、电子设备及存储介质 | |
CN111752833A (zh) | 一种软件质量体系准出方法、装置、服务器及存储介质 | |
CN117372424B (zh) | 一种缺陷检测方法、装置、设备及存储介质 | |
CN117035563B (zh) | 产品质量安全风险监测方法、设备、监测系统及介质 | |
CN115114124A (zh) | 主机风险的评估方法及评估装置 | |
CN117236275A (zh) | 一种芯片优化方法、装置、设备及存储介质 | |
CN116954624A (zh) | 基于软件开发包的编译方法、软件开发系统及服务器 | |
KR100987124B1 (ko) | 메트릭을 이용한 소프트웨어 결함 예측 계산 장치 및 계산 방법 | |
CN115936266A (zh) | 轨道交通设备的可靠度预测方法、系统、设备和介质 | |
CN114881112A (zh) | 一种系统异常检测方法、装置、设备及介质 | |
CN112612882B (zh) | 检阅报告生成方法、装置、设备和存储介质 | |
Zhu et al. | A Performance Fault Diagnosis Method for SaaS Software Based on GBDT Algorithm. | |
CN114579519A (zh) | 文件系统的异常检测方法及装置、存储介质及电子设备 | |
CN114741291A (zh) | 一种漏洞信息自动提交的方法、装置、设备及介质 | |
CN106547690A (zh) | 基于新拟合判定标准下的软件可靠性建模方法及装置 | |
CN117909717B (zh) | 一种基于深度学习和数据挖掘的工程量辅助验收结算方法 | |
CN114443398B (zh) | 内存故障预测模型的生成方法、检测方法、装置及设备 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 17918984 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 17918984 Country of ref document: EP Kind code of ref document: A1 |
|
32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established |
Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 26.06.2020) |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 17918984 Country of ref document: EP Kind code of ref document: A1 |