WO2020215505A1 - Multi-dimensional correlation generation method and system for network alarm rules - Google Patents

Publication number
WO2020215505A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2019/096638
Inventor
郑远
匡立伟
华楠
郑小平
Original Assignee
烽火通信科技股份有限公司
Application filed by 烽火通信科技股份有限公司

Classifications

    • G06F16/9024 Graphs; Linked lists
    • G06F16/901 Indexing; Data structures therefor; Storage structures
    • G06F18/00 Pattern recognition
    • G06F18/2415 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on parametric or probabilistic models, e.g. based on likelihood ratio or false acceptance rate versus a false rejection rate
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications

Definitions

  • the invention relates to the field of artificial intelligence and communication technology, in particular to a method and system for generating network alarm rules in a multi-dimensional association.
  • the existing network alarm rule association generation method cannot realize the efficient mining of the alarm rule, which results in the inability to quickly and effectively locate the root cause alarm when a network failure occurs, and is not suitable for the subsequent sorting of the alarm rule association.
  • the purpose of the present invention is to provide a method and system for generating a multi-dimensional association of network alarm rules, which can quickly generate effective association rules.
  • the present invention provides a multi-dimensional association generation method of network alarm rules, which includes the steps:
  • each dimension of AMCM represents an indicator of the correlation strength
  • the sequence of the alarm pair is determined according to the alarm start time, and when the start time is the same, the sequence is determined according to the sequence of alarm collection.
  • the indicators of correlation strength include support and antecedent confidence.
  • Antecedent confidence is the proportion of the alarm pair among the alarm pairs with the same leading alarm.
  • Both the support and the antecedent confidence of the alarm pair are greater than the minimum threshold set for each.
  • the correlation strength indicators also include the subsequent confidence, which is the proportion of the alarm pair among the alarm pairs with the same subsequent alarm;
  • the basis for judging that the subsequent alarm in the alarm pair is derived from the leading alarm is: the antecedent confidence of the alarm pair is greater than its subsequent confidence.
  • the correlation strength indicators also include the antecedent derived strength and the subsequent derived strength. For any alarm pair in a group, if there is another, reverse alarm pair with the same data but in the opposite order:
  • the antecedent derived strength is the ratio of the antecedent confidence of the alarm pair to the antecedent confidence of the reverse alarm pair;
  • the subsequent derivative strength is the ratio of the subsequent confidence of the alarm pair to the subsequent confidence of the reverse alarm pair.
  • the antecedent derivative strength of the alarm pair is greater than 1, and the subsequent derivative strength of the alarm pair is less than 1.
  • collecting historical alarms and performing clustering and grouping includes:
  • attributes include address information and board number, alarm type, alarm start time, alarm end time and alarm serial number;
  • the effective association rules are the alarm pairs whose subsequent alarm is derived from the leading alarm;
  • the root cause alarm and/or derivative alarm of the new alarm are extracted in real time.
  • the present invention also provides a network alarm rule multi-dimensional association generation system for realizing the above method, which includes:
  • Data processing module which is used to collect historical alarms and perform clustering and grouping, and generate an orderly alarm pair including a leading alarm and a subsequent alarm according to the alarms in each group;
  • Modeling module which is used to calculate the correlation strength of each alarm pair and import the multi-dimensional correlation model to construct the alarm multi-dimensional correlation model AMCM; each dimension of AMCM represents an indicator of the correlation strength;
  • the rule mining module is used to extract from the AMCM all the alarm pairs whose subsequent alarm is derived from the leading alarm, add them to the alarm pair database, generate a hierarchical directed acyclic graph based on this, and extract the root cause alarm.
  • the multi-dimensional correlation generation method of network alarm rules of the present invention can accurately and clearly display the correlation strength between each ordered alarm pair through AMCM, and quickly and effectively extract all alarm pairs whose subsequent alarm is derived from the leading alarm, that is, quickly generate effective association rules, then form the alarm pair database, and then generate a hierarchical directed acyclic graph to get the alarm rules of all alarms.
  • the multi-dimensional association generation method of network alarm rules of the present invention can quickly and effectively locate the root cause alarm through the hierarchical directed acyclic graph.
  • FIG. 1 is a flowchart of a method for generating a multi-dimensional association of network alarm rules according to Embodiment 1 of the present invention
  • Fig. 2 is a flowchart of extracting effective association rules according to Embodiment 3 of the present invention.
  • an embodiment of the present invention provides a method for generating a multi-dimensional association of network alarm rules, which includes the following steps:
  • S1. Collect historical alarms and perform clustering and grouping, and generate an orderly alarm pair including pilot alarms and subsequent alarms according to the alarms in each group;
  • each dimension of AMCM represents an indicator of correlation strength
  • the sequence of the ordered alarm pair is determined according to the alarm start time, and when the start time is the same, the sequence is determined according to the sequence of alarm collection.
  • an alarm with an earlier alarm start time in the same group is regarded as a leading alarm a
  • an alarm with a later start time is regarded as a subsequent alarm b, that is, an alarm pair a→b is formed, on the assumption that alarm a derives alarm b.
  • the alarm time can only be accurate to the second, so there will be a large number of alarms generated within the same second.
  • the alarms are arranged according to the order in which they are imported, that is, the first imported alarm is regarded as the leading alarm, and the later imported alarm is regarded as the subsequent alarm.
  • the expression form of the association rule between two alarms in this embodiment is a binary ordered alarm pair X→Y, where alarm X and alarm Y are respectively called the leading alarm and the subsequent alarm of the association rule.
  • if the calculation concludes that alarm X derives alarm Y, the association rule X→Y is a valid association rule; if the conclusion is that alarm X is derived from alarm Y, that is, alarm Y derives alarm X, the association rule X→Y is an invalid association rule. All valid association rules are collectively called alarm rules.
  • the method in this embodiment can effectively extract all the alarm pairs whose subsequent alarm is derived from the leading alarm, that is, quickly generate effective association rules to form an alarm pair database, and then generate a hierarchical directed acyclic graph based on the alarm pair database to get the alarm rules of all alarms.
  • the indicators of the correlation strength include support and antecedent confidence.
  • the support degree is the probability that an alarm pair appears in the alarm group to which it belongs, and is used to measure whether the alarm pair appears frequently.
  • the antecedent confidence is the proportion of an alarm pair in the alarm pairs that have the same leading alarm. The higher the antecedent confidence, the greater the correlation between the two alarms of the alarm pair.
  • the ordered alarm pair a→b generated by the leading alarm a and the subsequent alarm b has the following support:
  • N is the total number of all alarm pairs in the alarm group to which alarm a and alarm b belong
  • N(a→b) is the total number of alarm pairs a→b appearing in the above alarm group.
  • N(a) is the total number of alarm pairs where the pilot alarm in the above alarm group is alarm a.
  • the basis for judging that the subsequent alarm in the alarm pair is derived from the leading alarm is:
  • Both the support and the antecedent confidence of the alarm pair are greater than the minimum threshold set for each.
  • the above-mentioned minimum threshold of support and minimum threshold of confidence are to eliminate alarm pairs with a small number of occurrences and false alarm pairs due to data accuracy, so as to avoid generating too many ordered alarm pairs.
  • the minimum threshold of support needs to be as small as possible within the allowable range of the number of alarm pairs. Assuming that the minimum threshold of support is set to not less than 2%, some alarm pairs related to root alarms may be screened out by the program. Alarm pairs with a minimum confidence threshold of less than 10% are mostly false rules due to data accuracy, so they may not be considered.
  • the ordered alarm pair generated in each group of alarms is an association rule with a chain length of 2
  • chain item 1 is the leading alarm of the ordered alarm pair
  • chain item 2 is the subsequent alarm.
  • the index of correlation strength also includes the subsequent confidence.
  • the subsequent confidence is the ratio of the alarm pair in the alarm pairs with the same subsequent alarm. The higher the subsequent confidence, the greater the correlation between the two alarms of the alarm pair.
  • for the ordered alarm pair a→b generated by the leading alarm a and the subsequent alarm b, the subsequent confidence of the alarm pair a→b is:
  • N(b) is the total number of alarm pairs whose subsequent alarms in the above alarm group are alarm b.
  • the basis for judging that the subsequent alarm in an alarm pair is derived from the leading alarm is: the antecedent confidence of the alarm pair is greater than its subsequent confidence.
  • the ordered alarm pair may be a valid ordered alarm pair; when the antecedent confidence is less than the subsequent confidence, the ordered alarm pair may be an invalid ordered alarm pair.
  • correlation strength indicators also include the antecedent derived strength and the subsequent derived strength. For any alarm pair in a group, if there is another, reverse alarm pair with the same data but in the opposite order:
  • the antecedent derived strength is the ratio of the antecedent confidence of the alarm pair to the antecedent confidence of the inverse alarm pair, and is used to measure the probability of the existence of the alarm pair relative to the inverse alarm pair.
  • the subsequent derivative strength is the ratio of the subsequent confidence of the alarm pair to the subsequent confidence of the reverse alarm pair, and is also used to measure the probability of the alarm pair relative to the reverse alarm pair.
  • the antecedent derived strength of the above alarm pair a→b is:
  • conf(a→b) is the antecedent confidence of the alarm pair a→b
  • conf(b→a) is the antecedent confidence of the alarm pair b→a
  • bconf(a→b) is the subsequent confidence of the alarm pair a→b
  • bconf(b→a) is the subsequent confidence of the alarm pair b→a
  • the basis for judging that the subsequent alarm in the alarm pair is derived from the leading alarm is: the antecedent derived strength of the alarm pair is greater than 1, and the subsequent derived strength of the alarm pair is less than 1.
  • the antecedent derived strength and the subsequent derived strength are based on the assumption that alarms cannot be inferred from each other. That is, if there is an alarm pair a→b, there is no alarm pair b→a. If the antecedent derived strength is greater than 1 and the subsequent derived strength is less than 1, then a→b is considered to be more credible than b→a, that is, alarm b is derived from alarm a.
  • when there is an ordered alarm pair a→b generated by alarm a and alarm b and, because of different services or because alarm a and alarm b occur within the same second, an alarm pair b→a is also generated, that is, when a→b and b→a coexist, it is impossible to accurately distinguish whether alarm b is derived from alarm a or alarm a is derived from alarm b.
  • the indicators of the correlation strength of each alarm pair include support, antecedent confidence, subsequent confidence, antecedent derivation strength, and subsequent derivation strength.
  • the alarm pair correlation strength is completed.
  • Each expansion surface of AMCM is an M × M two-dimensional matrix, where M represents the number of alarm categories.
  • Each dimension of AMCM represents an indicator, and each side represents a measurement of an indicator. From each expanded surface of AMCM, an indicator value of the correlation strength of any alarm pair can be accurately obtained, which can intuitively show the comparison results of the various indicators.
  • collecting historical alarms and performing clustering in step S1 specifically includes:
  • attributes include address information and board number, alarm type, alarm start time, alarm end time and alarm serial number;
  • the alarm start time and end time of each alarm can be quantified into a coordinate vector, so that the alarms in each group can quickly generate an orderly alarm pair according to the time coordinate.
  • a root cause alarm of LINK_LOS type may derive OSPF alarm (OSPF Alarm) or ISIS alarm (ISIS Alarm).
  • On the basis of Embodiment 1, when a new alarm is obtained, clustering of the new alarm is performed to obtain the corresponding ordered alarm pair and its correlation strength. At this time, the above-mentioned new alarm can be either a leading alarm or a subsequent alarm.
  • the root cause alarms and derivative alarms can be clearly displayed, and the root cause alarms and/or derivative alarms of new alarms can be extracted in real time, so that in the existing network, when equipment failure alarms occur, the system can automatically and quickly find the alarm pair associated with the new alarm.
  • an indicator of a specific dimension can be calculated according to actual conditions. Assuming that only the confidence and support need to be calculated to determine the root cause alarm and/or derived alarms of the new alarm, then in order to correlate quickly there is no need to calculate the other correlation strength indicators, so that the generated alarm pair database can be updated quickly.
  • the embodiment of the present invention provides a multi-dimensional association generation system for network alarm rules.
  • the system of this embodiment includes a data processing module, a modeling module, and a rule mining module.
  • the data processing module is used to collect historical alarms and perform clustering and grouping, and generate an orderly alarm pair including a leading alarm and a subsequent alarm according to the alarms in each group.
  • the modeling module is used to calculate the correlation strength of each alarm pair and import the multi-dimensional correlation model to construct the alarm multi-dimensional correlation model AMCM.
  • Each dimension of AMCM represents an indicator of the strength of the association.
  • the indicators of the correlation strength of each alarm pair include the degree of support, the confidence of the antecedent, the confidence of the subsequent, the derivative strength of the antecedent, and the derivative strength of the subsequent.
  • the rule mining module is used to extract from the AMCM all the alarm pairs whose subsequent alarm is derived from the leading alarm, add them to the alarm pair database, generate a hierarchical directed acyclic graph based on this, and extract the root cause alarms.
  • the network alarm rule multi-dimensional association generation system of the embodiment of the present invention is applicable to the above methods, can accurately and clearly display the correlation strength between each ordered alarm pair through AMCM, and effectively extract all the alarm pairs whose subsequent alarm is derived from the leading alarm. An alarm pair database is formed, and a hierarchical directed acyclic graph is generated according to the alarm pair database to obtain the alarm rules for all alarms, and at the same time, the root cause alarm can be located quickly and effectively.
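
The indicators and decision criteria listed above, worked through on one alarm group as an added example (not code from the patent): it orders each alarm couple as in S1, builds the five AMCM surfaces as in S2, applies the stated criteria and layers the resulting graph as in S3. The ratio forms of support, antecedent confidence and subsequent confidence are read from the prose definitions of N, N(a→b), N(a) and N(b). The sample couples, the `OSPF_ALARM` and `ISIS_ALARM` labels, the 1% support threshold and the way the three criteria are combined are assumptions.

```python
from collections import Counter, namedtuple

# seq is the collection (import) order, used only to break same-second ties.
Alarm = namedtuple("Alarm", "type start seq")

def ordered_pair(x, y):
    """S1: the earlier start time leads; equal start times fall back to collection order."""
    lead, succ = sorted((x, y), key=lambda a: (a.start, a.seq))
    return lead.type, succ.type

def build_amcm(pairs):
    """S2: one {(lead, succ): value} surface per correlation-strength indicator."""
    n_pair, n_total = Counter(pairs), len(pairs)
    n_lead = Counter(a for a, _ in pairs)   # N(a): pairs whose leading alarm is a
    n_succ = Counter(b for _, b in pairs)   # N(b): pairs whose subsequent alarm is b
    amcm = {k: {} for k in ("support", "conf", "bconf", "strength", "bstrength")}
    for (a, b), n in n_pair.items():
        amcm["support"][a, b] = n / n_total
        amcm["conf"][a, b] = n / n_lead[a]
        amcm["bconf"][a, b] = n / n_succ[b]
    for a, b in n_pair:
        if (b, a) in n_pair:   # derived strengths exist only when the reverse pair exists
            amcm["strength"][a, b] = amcm["conf"][a, b] / amcm["conf"][b, a]
            amcm["bstrength"][a, b] = amcm["bconf"][a, b] / amcm["bconf"][b, a]
    return amcm

def valid_rules(amcm, min_support=0.01, min_conf=0.10):
    """S3 filter. Assumption: all stated criteria must hold together."""
    rules = []
    for pair, sup in amcm["support"].items():
        conf, bconf = amcm["conf"][pair], amcm["bconf"][pair]
        ok = sup > min_support and conf > min_conf and conf > bconf
        if pair in amcm["strength"]:
            ok = ok and amcm["strength"][pair] > 1 and amcm["bstrength"][pair] < 1
        if ok:
            rules.append(pair)
    return sorted(rules)

def layer_dag(rules):
    """Level 0 holds the root cause alarms; alarm types left out sit on a cycle."""
    nodes = {n for rule in rules for n in rule}
    indeg = {n: 0 for n in nodes}
    for _, b in rules:
        indeg[b] += 1
    level, depth = {}, 0
    frontier = sorted(n for n in nodes if indeg[n] == 0)
    while frontier:
        nxt = []
        for a in frontier:
            level[a] = depth
            for x, b in rules:
                if x == a:
                    indeg[b] -= 1
                    if indeg[b] == 0:
                        nxt.append(b)
        frontier, depth = sorted(nxt), depth + 1
    return level

LOS, OSPF, ISIS = "LINK_LOS", "OSPF_ALARM", "ISIS_ALARM"
# Constructed sample for one alarm group; each couple is listed in arbitrary order.
SAMPLE = (
    [(Alarm(OSPF, 101, 2), Alarm(LOS, 100, 1))] * 6     # LINK_LOS starts first
    + [(Alarm(LOS, 100, 2), Alarm(OSPF, 100, 1))] * 1   # same second, OSPF collected first
    + [(Alarm(ISIS, 102, 3), Alarm(LOS, 100, 1))] * 4
    + [(Alarm(LOS, 100, 2), Alarm(ISIS, 100, 1))] * 1
    + [(Alarm(OSPF, 100, 1), Alarm(ISIS, 100, 2))] * 7  # siblings raised in the same second
    + [(Alarm(OSPF, 100, 2), Alarm(ISIS, 100, 1))] * 7
)

def mine(couples, **thresholds):
    pairs = [ordered_pair(x, y) for x, y in couples]
    amcm = build_amcm(pairs)
    rules = valid_rules(amcm, **thresholds)
    return amcm, rules, layer_dag(rules)

if __name__ == "__main__":
    amcm, rules, levels = mine(SAMPLE)
    for pair in sorted(amcm["support"]):
        row = {k: round(v[pair], 3) for k, v in amcm.items() if pair in v}
        print(pair, row, "VALID" if pair in rules else "rejected")
    print("root cause alarms:", [n for n, d in levels.items() if d == 0])
```

In this sample the OSPF and ISIS alarms precede each other equally often, so their antecedent derived strength is exactly 1 and neither direction becomes a rule, which is the coexisting a→b and b→a case the text describes.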

Abstract

A multi-dimensional correlation generation method and system for network alarm rules, which relate to the field of artificial intelligence and communication, wherein the method comprises: collecting historical alarms and clustering and grouping, and generating an ordered alarm pair comprising a pilot alarm and a subsequent alarm according to the alarms in each group (S1); calculating the correlation strength of each alarm pair, and importing a multi-dimensional correlation model to construct an alarm multi-dimensional correlation model AMCM; each dimension of the AMCM represents one index of the correlation strength (S2); extracting all the alarm pairs, derived from the pilot alarms, of the subsequent alarms from the AMCM, adding them into an alarm pair database to generate a hierarchical directed acyclic graph, and extracting root alarms (S3). The AMCM can accurately and clearly display the correlation strength between each ordered alarm pair, quickly generate effective correlation rules, and then form the alarm pair database, generate the hierarchical directed acyclic graph, and obtain the alarm rules of all the alarms.

Description

Method and system for generating multi-dimensional association of network alarm rules
Technical field
The invention relates to the field of artificial intelligence and communication technology, and in particular to a method and system for multi-dimensional association generation of network alarm rules.
Background
In existing communication networks, as the topology of mobile communication networks grows increasingly complex, every network type generates a large number of alarms during operation, and the alarms refresh quickly in real time. When network equipment generates a large amount of alarm information in an instant, locating the root cause alarm quickly and accurately is a major difficulty. In the current, increasingly complex network environment, existing alarm rule analysis and expert-system-based alarm analysis models are clearly inadequate when handling massive numbers of alarms.
The existing methods for generating network alarm rule associations cannot mine alarm rules efficiently, so the root cause alarm cannot be located quickly and effectively when a network failure occurs, and they are not suitable for the later work of sorting out alarm rule associations.
Summary of the invention
In view of the defects in the prior art, the purpose of the present invention is to provide a method and system for multi-dimensional association generation of network alarm rules that can quickly generate effective association rules.
The present invention provides a method for multi-dimensional association generation of network alarm rules, which includes the steps:
Collecting historical alarms and clustering them into groups, and generating, from the alarms in each group, ordered alarm pairs each comprising a leading alarm and a subsequent alarm;
Calculating the correlation strength of each alarm pair and importing it into a multi-dimensional correlation model to construct the alarm multi-dimensional correlation model AMCM; each dimension of the AMCM represents one indicator of the correlation strength;
Extracting from the AMCM all alarm pairs whose subsequent alarm is derived from the leading alarm, adding them to an alarm pair database, generating a hierarchical directed acyclic graph from it, and extracting the root cause alarms.
On the basis of the above technical solution, the order within an alarm pair is determined by the alarm start time; when the start times are the same, the order is determined by the order in which the alarms were collected.
On the basis of the above technical solution, the indicators of correlation strength include support and antecedent confidence. For any alarm pair in an alarm group:
The support is the probability that the alarm pair appears in the alarm group to which it belongs;
The antecedent confidence is the proportion of the alarm pair among the alarm pairs with the same leading alarm.
On the basis of the above technical solution, the basis for judging that the subsequent alarm in an alarm pair is derived from the leading alarm is:
Both the support and the antecedent confidence of the alarm pair are greater than the minimum threshold set for each.
On the basis of the above technical solution, the indicators of correlation strength also include the subsequent confidence, which is the proportion of the alarm pair among the alarm pairs with the same subsequent alarm;
The basis for judging that the subsequent alarm in an alarm pair is derived from the leading alarm is: the antecedent confidence of the alarm pair is greater than its subsequent confidence.
On the basis of the above technical solution, the indicators of correlation strength also include the antecedent derived strength and the subsequent derived strength. For any alarm pair in a group, if there is another, reverse alarm pair with the same data but in the opposite order:
The antecedent derived strength is the ratio of the antecedent confidence of the alarm pair to the antecedent confidence of the reverse alarm pair;
The subsequent derived strength is the ratio of the subsequent confidence of the alarm pair to the subsequent confidence of the reverse alarm pair.
On the basis of the above technical solution, the basis for judging that the subsequent alarm in an alarm pair is derived from the leading alarm is:
The antecedent derived strength of the alarm pair is greater than 1, and the subsequent derived strength of the alarm pair is less than 1.
On the basis of the above technical solution, collecting historical alarms and clustering them into groups specifically includes:
Recording the attributes of each historical alarm; the attributes include address information and board number, alarm type, alarm start time, alarm end time and alarm serial number;
Clustering the historical alarms according to their attributes to obtain multiple groups.
On the basis of the above technical solution, when a new alarm is obtained, the new alarm is clustered to obtain the corresponding ordered alarm pair and its correlation strength;
The correlation strength of the corresponding alarm pair is imported into the AMCM to update it, the effective association rules already generated are quickly updated, and the alarm pair database and the directed acyclic graph are updated accordingly; an effective association rule is an alarm pair whose subsequent alarm is derived from the leading alarm;
According to the directed acyclic graph, the root cause alarm and/or derived alarms of the new alarm are extracted in real time.
The present invention also provides a system for multi-dimensional association generation of network alarm rules that implements the above method, which includes:
A data processing module, which is used to collect historical alarms and cluster them into groups, and to generate, from the alarms in each group, ordered alarm pairs each comprising a leading alarm and a subsequent alarm;
A modeling module, which is used to calculate the correlation strength of each alarm pair and import it into a multi-dimensional correlation model to construct the alarm multi-dimensional correlation model AMCM; each dimension of the AMCM represents one indicator of the correlation strength;
A rule mining module, which is used to extract from the AMCM all alarm pairs whose subsequent alarm is derived from the leading alarm, add them to the alarm pair database, generate a hierarchical directed acyclic graph from it, and extract the root cause alarms.
Compared with the prior art, the advantages of the present invention are:
(1) The method for multi-dimensional association generation of network alarm rules of the present invention can, through the AMCM, accurately and clearly display the correlation strength between the ordered alarm pairs, and quickly and effectively extract all alarm pairs whose subsequent alarm is derived from the leading alarm, that is, quickly generate effective association rules, then form the alarm pair database, and then generate a hierarchical directed acyclic graph to obtain the alarm rules of all alarms.
(2) The method for multi-dimensional association generation of network alarm rules of the present invention can quickly and effectively locate the root cause alarm through the hierarchical directed acyclic graph.
Description of the drawings
Fig. 1 is a flowchart of the method for multi-dimensional association generation of network alarm rules provided by Embodiment 1 of the present invention;
Fig. 2 is a flow diagram of extracting effective association rules provided by Embodiment 3 of the present invention.
Detailed description
The present invention is described in further detail below with reference to the drawings and embodiments.
Embodiment 1
As shown in Fig. 1, an embodiment of the present invention provides a method for multi-dimensional association generation of network alarm rules, which includes the following steps:
S1. Collect historical alarms and cluster them into groups, and generate, from the alarms in each group, ordered alarm pairs each comprising a leading alarm and a subsequent alarm;
S2. Calculate the correlation strength of each alarm pair and import it into a multi-dimensional correlation model to construct the alarm multi-dimensional correlation model AMCM (Alarm Multi-dimension Correlation Model); each dimension of the AMCM represents one indicator of the correlation strength;
S3. Extract from the AMCM all alarm pairs whose subsequent alarm is derived from the leading alarm, add them to the alarm pair database, generate a hierarchical directed acyclic graph from it, and extract the root cause alarms.
Preferably, the order within an ordered alarm pair is determined by the alarm start time; when the start times are the same, the order is determined by the order in which the alarms were collected.
In the embodiment of the present invention, within the same group an alarm with an earlier start time is regarded as the leading alarm a and an alarm with a later start time is regarded as the subsequent alarm b, which forms the alarm pair a→b on the assumption that alarm a derives alarm b. However, because of the limited precision of network equipment, the alarm time is only accurate to the second, so a large number of alarms are generated within the same second. Within the same second, the alarms are ordered by the order in which they were imported: the alarm imported first is regarded as the leading alarm, and the alarm imported later is regarded as the subsequent alarm.
Therefore, in this embodiment the association rule between two alarms takes the form of a binary ordered alarm pair X→Y, where alarm X and alarm Y are called the leading alarm and the subsequent alarm of the association rule respectively. If the calculation concludes that alarm X derives alarm Y, the association rule X→Y is a valid association rule; if the conclusion is that alarm X is derived from alarm Y, that is, alarm Y derives alarm X, the association rule X→Y is an invalid association rule. All valid association rules are collectively called alarm rules.
The method in this embodiment can effectively extract all alarm pairs whose subsequent alarm is derived from the leading alarm, that is, quickly generate effective association rules, then form the alarm pair database, and then generate a hierarchical directed acyclic graph from the alarm pair database to obtain the alarm rules of all alarms.
Embodiment 2
Building on Embodiment 1, the indicators of correlation strength include support and antecedent confidence. For any alarm pair in an alarm group:
Support is the probability that the alarm pair occurs in the alarm group to which it belongs; it measures whether the alarm pair occurs frequently.
Antecedent confidence is the proportion of the alarm pair among the alarm pairs that have the same leading alarm; the higher the antecedent confidence, the stronger the correlation between the two alarms of the pair.
For example, for the ordered alarm pair a→b generated from leading alarm a and subsequent alarm b, the support is:
Figure PCTCN2019096638-appb-000001
where N is the total number of alarm pairs in the alarm group to which alarm a and alarm b belong, and N(a→b) is the total number of occurrences of the alarm pair a→b in that group.
The antecedent confidence of the alarm pair a→b is:
Figure PCTCN2019096638-appb-000002
where N(a) is the total number of alarm pairs in that group whose leading alarm is alarm a.
In this embodiment, the criterion for judging that the subsequent alarm of an alarm pair is derived from the leading alarm is:
the support and the antecedent confidence of the alarm pair both exceed their respective minimum thresholds.
The minimum support threshold and the minimum confidence threshold serve to eliminate alarm pairs that occur very rarely and erroneous alarm pairs caused by limited data precision, so that not too many ordered alarm pairs are produced.
Observation and analysis of historical alarms shows that, among the alarms in one group, root-cause alarms occur far less often than derived alarms, i.e. one root-cause alarm may cause several identical derived alarms. The minimum support threshold should therefore be chosen as small as the number of alarm pairs allows; if it is set to 2% or more, some alarm pairs related to root-cause alarms may be filtered out by the program. Alarm pairs whose confidence is below 10% are mostly spurious rules caused by limited data precision and can therefore be disregarded.
As the partial examples in Table 1 below show, the ordered alarm pairs generated in each alarm group are association rules of chain length 2; chain item 1 is the leading alarm of the ordered alarm pair and chain item 2 is the subsequent alarm. Experiments show that filtering ordered alarm pairs with the minimum support threshold support-min set to 1% and the minimum confidence threshold confidence-min set to 15% gives good rule-mining results, i.e. reasonable alarm pairs.
Table 1
Figure PCTCN2019096638-appb-000003
Embodiment 3
Building on Embodiment 2, and referring to Figure 2, the indicators of correlation strength further include consequent confidence. For any alarm pair in an alarm group:
Consequent confidence is the proportion of the alarm pair among the alarm pairs that have the same subsequent alarm; the higher the consequent confidence, the stronger the correlation between the two alarms of the pair.
For example, for the ordered alarm pair a→b generated from leading alarm a and subsequent alarm b, the consequent confidence of a→b is:
Figure PCTCN2019096638-appb-000004
where N(b) is the total number of alarm pairs in that group whose subsequent alarm is alarm b.
The criterion for judging that the subsequent alarm of an alarm pair is derived from the leading alarm is: the antecedent confidence of the alarm pair is greater than its consequent confidence.
When the support and the antecedent confidence of an alarm pair both exceed their respective minimum thresholds, the antecedent confidence and the consequent confidence of the pair are then compared. When the antecedent confidence is greater than the consequent confidence, the ordered alarm pair may be a valid ordered alarm pair; when the antecedent confidence is less than the consequent confidence, the ordered alarm pair may be an invalid one.
The indicators of correlation strength further include antecedent derivation strength and consequent derivation strength. For any alarm pair in a group, if there exists a reverse-order alarm pair with the same data in the opposite order:
Antecedent derivation strength is the ratio of the antecedent confidence of the alarm pair to the antecedent confidence of the reverse-order alarm pair; it measures how likely the alarm pair is to hold relative to the reverse-order pair.
Consequent derivation strength is the ratio of the consequent confidence of the alarm pair to the consequent confidence of the reverse-order alarm pair; it likewise measures how likely the alarm pair is to hold relative to the reverse-order pair.
For the ordered alarm pair a→b generated from alarm a and alarm b and its reverse-order alarm pair b→a,
the antecedent derivation strength of the alarm pair a→b is:
Figure PCTCN2019096638-appb-000005
where conf(a→b) is the antecedent confidence of the alarm pair a→b and conf(b→a) is the antecedent confidence of the alarm pair b→a.
The consequent derivation strength of the alarm pair a→b is:
Figure PCTCN2019096638-appb-000006
where bconf(a→b) is the consequent confidence of the alarm pair a→b and bconf(b→a) is the consequent confidence of the alarm pair b→a.
In this embodiment, the criterion for judging that the subsequent alarm of an alarm pair is derived from the leading alarm is: the antecedent derivation strength of the alarm pair is greater than 1 and its consequent derivation strength is less than 1.
Table 2
RULE                SUPPORT   CONF
VP_LOC==>VC_LOC     33.47     80.45
RCONTE==>PK_LOS     13.39     46.59
CONTEX==>PK_LOS     9.89      45.07
PPI_LO==>PK_LOS     8.86      39.63
CES_PK==>PK_LOS     7.93      77
RCONTE==>VC_LOC     6.59      22.94
VC_LOC==>PK_LOS     6.39      13.51
RCONTE==>VP_LOC     5.97      20.79
VP_LOC==>PK_LOS     5.66      13.61
VP_LOC==>RCONTE     5.56      13.37
E1_AIS==>PK_LOS     5.46      33.76
CONTEX==>RCONTE     4.94      22.54
RCONTE==>PPI_LO     4.84      16.85
LINK_L==>PK_LOS     3.91      42.22
PPI_LO==>VC_LOC     3.91      17.51
CONTEX==>PPI_LOC    3.81      17.37
CONTEX==>VC_LOC     3.6       16.43
CONTEX==>VP_LOC     3.6       16.43
E1_AIS==>CONTEX     2.99      18.47
E1_AIS==>RCONTE     2.78      17.2
TEMP_O==>PK_LOS     2.57      46.3
E1_AIS==>VC_LOC     2.37      14.65
E1_AIS==>PPI_LO     2.27      14.01
OOCR==>PK_LOS       1.96      35.85
E1_AIS==>VP_LOC     1.75      10.83
CES_PK==>RCONTE     1.54      15
LINK_L==>RCONTE     1.54      16.67
LINK_L==>VC_LOC     1.54      16.67
LINK_L==>VP_LOC     1.54      16.67
Antecedent derivation strength and consequent derivation strength rest on the assumption that two alarms cannot derive each other: if the alarm pair a→b exists, the alarm pair b→a does not. If the antecedent derivation strength is greater than 1 and the consequent derivation strength is less than 1, a→b is considered more credible than b→a, i.e. alarm a derives alarm b.
As Table 2 above shows, adding the check on antecedent derivation strength and consequent derivation strength when extracting the alarm pairs whose subsequent alarm is derived from the leading alarm greatly reduces cycles in the association rules, and also removes obviously untenable rules such as a→a, yielding an optimized, reduced set of alarm pairs.
Therefore, when a group contains both the ordered alarm pair a→b generated from alarm a and alarm b and the alarm pair b→a, produced because services differ or because alarm a and alarm b coexist within the same second, i.e. when a→b and b→a coexist and it cannot be determined accurately whether alarm a derives alarm b or alarm b derives alarm a, the consequent confidence, antecedent derivation strength and consequent derivation strength are introduced and, together with manual judgment, used to identify the alarm pair in which the leading alarm derives the subsequent alarm and to delete the other, less frequent and unreasonable alarm pair. As Table 3 below shows, the alarm pairs PPI_LO==>PK_LOS and CES_PK==>PK_LOS are valid ordered alarm pairs.
Table 3
Figure PCTCN2019096638-appb-000007
In this embodiment, the correlation strength indicators of each alarm pair are support, antecedent confidence, consequent confidence, antecedent derivation strength and consequent derivation strength. The correlation strength of the alarm pairs is computed from the formulas for these five indicators, and the AMCM is built. Each unfolded face of the AMCM is an M×M two-dimensional matrix, where M is the number of alarm categories. Each dimension of the AMCM represents one indicator and each face holds the measure of one indicator; from each unfolded face, the value of one correlation strength indicator for any alarm pair can be read exactly, so the indicators can be compared directly. The multi-dimensional space of the correlation model is searched along each dimension to extract the valid association rules, i.e. all alarm pairs whose subsequent alarm is derived from the leading alarm, and the correlation strength of each pair is recorded to generate the alarm pair database, which is presented as a hierarchical directed acyclic graph.
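The following Python sketch is an added example, not code from the patent; it carries steps S1 to S3 through for one alarm group using the five indicators as the text defines them. The pair counts are constructed (they are not the Table 2 values), each AMCM face is stored as a sparse dictionary instead of a dense M×M matrix, and applying all of the stated criteria together with a logical AND is this example's assumption.

```python
from collections import Counter
from itertools import combinations

SUPPORT_MIN = 0.01     # support-min = 1%, the value the page reports
CONFIDENCE_MIN = 0.15  # confidence-min = 15%, the value the page reports

# Constructed occurrence counts of ordered pairs in one alarm group (not Table 2 data).
SAMPLE_PAIR_COUNTS = {
    ("RCONTE", "VP_LOC"): 12, ("RCONTE", "VC_LOC"): 8,
    ("VP_LOC", "RCONTE"): 1,  ("VC_LOC", "RCONTE"): 1,
    ("VP_LOC", "VC_LOC"): 25, ("VP_LOC", "VP_LOC"): 29,
    ("VC_LOC", "VC_LOC"): 24,
}

def ordered_pairs(group):
    """S1: alarms are (start_second, import_seq, alarm_type) tuples.
    The earlier start time leads; ties within one second fall back to import order.
    Pairing every earlier alarm with every later one is an assumption of this example."""
    ranked = sorted(group, key=lambda alarm: (alarm[0], alarm[1]))
    return [(x[2], y[2]) for x, y in combinations(ranked, 2)]

def build_amcm(pair_counts):
    """S2: compute the five indicators for every ordered pair of one group.
    Returns {indicator: {(a, b): value}}; each inner dict is one sparse M x M face."""
    n_total = sum(pair_counts.values())          # N
    lead, succ = Counter(), Counter()            # N(a) as leader, N(b) as successor
    for (a, b), n in pair_counts.items():
        lead[a] += n
        succ[b] += n
    names = ("support", "conf", "bconf", "ante_strength", "cons_strength")
    faces = {name: {} for name in names}
    for (a, b), n in pair_counts.items():
        faces["support"][(a, b)] = n / n_total   # N(a->b) / N
        faces["conf"][(a, b)] = n / lead[a]      # antecedent confidence
        faces["bconf"][(a, b)] = n / succ[b]     # consequent confidence
    for (a, b) in pair_counts:
        if (b, a) in pair_counts:                # strengths exist only with a reverse pair
            faces["ante_strength"][(a, b)] = faces["conf"][(a, b)] / faces["conf"][(b, a)]
            faces["cons_strength"][(a, b)] = faces["bconf"][(a, b)] / faces["bconf"][(b, a)]
    return faces

def valid_rules(faces):
    """S3, first half: keep the pairs that pass every criterion stated in the text."""
    rules = []
    for pair, support in faces["support"].items():
        conf, bconf = faces["conf"][pair], faces["bconf"][pair]
        if support <= SUPPORT_MIN or conf <= CONFIDENCE_MIN:
            continue                             # rare pair or precision artefact
        if conf <= bconf:
            continue                             # antecedent confidence must dominate
        if pair in faces["ante_strength"]:
            if not (faces["ante_strength"][pair] > 1 and faces["cons_strength"][pair] < 1):
                continue                         # reverse pair is at least as credible
        rules.append(pair)
    return sorted(rules)

def dag_levels(rules):
    """S3, second half: layer the rule graph; level 0 holds the root-cause alarms."""
    nodes = {node for pair in rules for node in pair}
    parents = {node: {a for a, b in rules if b == node} for node in nodes}
    levels, placed, depth = {}, set(), 0
    while len(placed) < len(nodes):
        layer = sorted(n for n in nodes - placed if parents[n] <= placed)
        if not layer:
            raise ValueError("rule set contains a cycle, so it is not a DAG")
        for node in layer:
            levels[node] = depth
        placed |= set(layer)
        depth += 1
    return levels

def root_alarms(rules):
    """Alarm types that no valid rule derives from another alarm."""
    return sorted(n for n, depth in dag_levels(rules).items() if depth == 0)

if __name__ == "__main__":
    amcm = build_amcm(SAMPLE_PAIR_COUNTS)
    rules = valid_rules(amcm)
    print("valid rules:", rules)
    print("levels:", dag_levels(rules))
    print("root-cause alarms:", root_alarms(rules))
```

On the constructed counts, the self-pair VC_LOC→VC_LOC passes both thresholds and the confidence comparison, and is rejected only because its antecedent derivation strength is exactly 1; that is the a→a case the text says the derivation-strength check removes.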
Embodiment 4
Building on Embodiment 1, collecting historical alarms and clustering them into groups in step S1 specifically includes:
recording the attributes of each historical alarm; the attributes include address information and board number, alarm type, alarm start time, alarm end time and alarm serial number;
clustering according to the attributes of the historical alarms to obtain multiple groups.
In this embodiment of the invention, a large number of network alarms are first obtained from the existing communication network and the attributes of each historical alarm are recorded. Methods such as online analytical processing, information retrieval, machine learning, expert systems and pattern recognition are then used to splice historical files, check validity, remove invalid alarms and encode valid alarms, extracting the valid alarm information. Artificial intelligence techniques such as data mining and big data analysis are used to analyse the correlation of the alarms, and the valid alarms are clustered according to the information-similarity principle to obtain multiple groups of high accuracy.
The start time and end time of each alarm can be quantified as a coordinate vector, so that the alarms in each group can quickly be turned into ordered alarm pairs according to their time coordinates. For example, a root-cause alarm of type LINK_LOS may derive an OSPF alarm (OSPF Alarm) and may also derive an ISIS alarm (ISIS Alarm).
Embodiment 5
Building on Embodiment 1, when a new alarm is acquired, the new alarm is clustered to obtain the corresponding ordered alarm pairs and their correlation strength; the new alarm may be either a leading alarm or a subsequent alarm.
The correlation strength of the corresponding alarm pairs is imported into the AMCM to update it, i.e. the M×M two-dimensional matrix of each unfolded face of the AMCM is updated. This quickly updates the valid association rules already generated; the alarm pair database is updated accordingly, and the hierarchical directed acyclic graph is generated from the alarm pair database. A valid association rule is an alarm pair whose subsequent alarm is derived from the leading alarm.
The directed acyclic graph shows root-cause alarms and derived alarms clearly, and the root-cause alarm and/or derived alarms of a new alarm are extracted from it in real time, so that when a device in the live network raises a fault alarm, the system can automatically and quickly find the alarm pairs associated with the new alarm.
When the new alarm is a root-cause alarm, its derived alarms can be determined quickly; when the new alarm is a derived alarm, its root-cause alarm can be determined quickly, and whether the new alarm itself has derived alarms is shown.
In this embodiment, only the indicators of specific dimensions may be calculated for a new alarm, as the situation requires. If confidence and support alone suffice to determine the root-cause alarm and/or derived alarms of the new alarm, the other correlation strength indicators need not be calculated, so that the correlation is fast and the existing alarm pair database can be updated quickly.
Embodiment 6
This embodiment of the invention provides a system for multi-dimensional correlation generation of network alarm rules. The system comprises a data processing module, a modeling module and a rule mining module.
The data processing module collects historical alarms and clusters them into groups, and from the alarms in each group generates ordered alarm pairs, each consisting of a leading alarm and a subsequent alarm.
The modeling module calculates the correlation strength of each alarm pair and imports it into a multi-dimensional correlation model to build the alarm multi-dimensional correlation model AMCM. Each dimension of the AMCM represents one indicator of correlation strength. The correlation strength indicators of each alarm pair are support, antecedent confidence, consequent confidence, antecedent derivation strength and consequent derivation strength.
The rule mining module extracts from the AMCM all alarm pairs in which the subsequent alarm is derived from the leading alarm, adds them to the alarm pair database, generates a hierarchical directed acyclic graph from that database, and extracts the root-cause alarms.
The system of this embodiment is applicable to each of the methods above. Through the AMCM it shows the correlation strength of the ordered alarm pairs accurately and clearly, effectively extracts all alarm pairs in which the subsequent alarm is derived from the leading alarm to form the alarm pair database, generates a hierarchical directed acyclic graph from the alarm pair database to obtain the alarm rules for all alarms, and locates root-cause alarms quickly and effectively.
The invention is not limited to the embodiments above. A person of ordinary skill in the art can make improvements and refinements without departing from the principle of the invention, and these improvements and refinements are also regarded as falling within the scope of protection of the invention. Content not described in detail in this specification belongs to the prior art known to those skilled in the art.

Claims (10)

  1. A method for multi-dimensional correlation generation of network alarm rules, characterized in that it comprises the steps of:
    collecting historical alarms and clustering them into groups, and generating, from the alarms in each group, ordered alarm pairs each consisting of a leading alarm and a subsequent alarm;
    calculating the correlation strength of each alarm pair and importing it into a multi-dimensional correlation model to build the alarm multi-dimensional correlation model AMCM, each dimension of the AMCM representing one indicator of the correlation strength;
    extracting from the AMCM all alarm pairs in which the subsequent alarm is derived from the leading alarm, adding them to an alarm pair database, generating a hierarchical directed acyclic graph from that database, and extracting the root-cause alarms.
  2. The method for multi-dimensional correlation generation of network alarm rules according to claim 1, characterized in that:
    the order within the alarm pair is determined by alarm start time, and when the start times are equal, the order is determined by the order in which the alarms were collected.
  3. The method for multi-dimensional correlation generation of network alarm rules according to claim 2, characterized in that the indicators of the correlation strength include support and antecedent confidence, and for any alarm pair in an alarm group:
    the support is the probability that the alarm pair occurs in the alarm group to which it belongs;
    the antecedent confidence is the proportion of the alarm pair among the alarm pairs having the same leading alarm.
  4. The method for multi-dimensional correlation generation of network alarm rules according to claim 3, characterized in that the criterion for judging that the subsequent alarm of an alarm pair is derived from the leading alarm is:
    the support and the antecedent confidence of the alarm pair both exceed their respective minimum thresholds.
  5. The method for multi-dimensional correlation generation of network alarm rules according to claim 3, characterized in that the indicators of the correlation strength further include consequent confidence, the consequent confidence being the proportion of the alarm pair among the alarm pairs having the same subsequent alarm;
    the criterion for judging that the subsequent alarm of an alarm pair is derived from the leading alarm is: the antecedent confidence of the alarm pair is greater than its consequent confidence.
  6. The method for multi-dimensional correlation generation of network alarm rules according to claim 5, characterized in that the indicators of the correlation strength further include antecedent derivation strength and consequent derivation strength, and for any alarm pair in a group, if there exists a reverse-order alarm pair with the same data in the opposite order:
    the antecedent derivation strength is the ratio of the antecedent confidence of the alarm pair to the antecedent confidence of the reverse-order alarm pair;
    the consequent derivation strength is the ratio of the consequent confidence of the alarm pair to the consequent confidence of the reverse-order alarm pair.
  7. The method for multi-dimensional correlation generation of network alarm rules according to claim 6, characterized in that the criterion for judging that the subsequent alarm of an alarm pair is derived from the leading alarm is:
    the antecedent derivation strength of the alarm pair is greater than 1, and the consequent derivation strength of the alarm pair is less than 1.
  8. The method for multi-dimensional correlation generation of network alarm rules according to claim 1, characterized in that collecting historical alarms and clustering them into groups specifically comprises:
    recording the attributes of each historical alarm, the attributes including address information and board number, alarm type, alarm start time, alarm end time and alarm serial number;
    clustering according to the attributes of the historical alarms to obtain multiple groups.
  9. The method for multi-dimensional correlation generation of network alarm rules according to claim 1, characterized in that: when a new alarm is acquired, the new alarm is clustered to obtain the corresponding ordered alarm pairs and their correlation strength;
    the correlation strength of the corresponding alarm pairs is imported into the AMCM to update it, the valid association rules already generated are quickly updated, and the alarm pair database and the directed acyclic graph are updated accordingly; a valid association rule is an alarm pair whose subsequent alarm is derived from the leading alarm;
    the root-cause alarm and/or derived alarms of the new alarm are extracted in real time from the directed acyclic graph.
  10. A system for multi-dimensional correlation generation of network alarm rules that implements the method of claim 1, characterized in that it comprises:
    a data processing module, which collects historical alarms and clusters them into groups, and from the alarms in each group generates ordered alarm pairs each consisting of a leading alarm and a subsequent alarm;
    a modeling module, which calculates the correlation strength of each alarm pair and imports it into a multi-dimensional correlation model to build the alarm multi-dimensional correlation model AMCM, each dimension of the AMCM representing one indicator of correlation strength;
    a rule mining module, which extracts from the AMCM all alarm pairs in which the subsequent alarm is derived from the leading alarm, adds them to the alarm pair database, generates a hierarchical directed acyclic graph from that database, and extracts the root-cause alarms.
PCT/CN2019/096638 2019-04-23 2019-07-19 Multi-dimensional correlation generation method and system for network alarm rules WO2020215505A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910330045.8A CN111831857B (en) 2019-04-23 2019-04-23 Network alarm rule multidimensional association generation method and system
CN201910330045.8 2019-04-23

Publications (1)

Publication Number Publication Date
WO2020215505A1 true WO2020215505A1 (en) 2020-10-29

Family

ID=72911957

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/096638 WO2020215505A1 (en) 2019-04-23 2019-07-19 Multi-dimensional correlation generation method and system for network alarm rules

Country Status (2)

Country Link
CN (1) CN111831857B (en)
WO (1) WO2020215505A1 (en)


Also Published As

Publication number Publication date
CN111831857B (en) 2022-11-04
CN111831857A (en) 2020-10-27

Legal Events

Date Code Title Description
121 EP: The EPO has been informed by WIPO that EP was designated in this application
Ref document number: 19926278; Country of ref document: EP; Kind code of ref document: A1

NENP Non-entry into the national phase
Ref country code: DE

122 EP: PCT application non-entry in European phase
Ref document number: 19926278; Country of ref document: EP; Kind code of ref document: A1