WO2022111659A1 - Warning method, apparatus and device, and storage medium - Google Patents
Warning method, apparatus and device, and storage medium Download PDFInfo
- Publication number
- WO2022111659A1 WO2022111659A1 PCT/CN2021/133717 CN2021133717W WO2022111659A1 WO 2022111659 A1 WO2022111659 A1 WO 2022111659A1 CN 2021133717 W CN2021133717 W CN 2021133717W WO 2022111659 A1 WO2022111659 A1 WO 2022111659A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- alarm
- item
- association rule
- frequent
- feature
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 48
- 230000001364 causal effect Effects 0.000 claims description 7
- 238000000605 extraction Methods 0.000 claims description 5
- 230000000295 complement effect Effects 0.000 claims description 3
- 238000012423 maintenance Methods 0.000 description 12
- 238000007726 management method Methods 0.000 description 10
- 230000003287 optical effect Effects 0.000 description 8
- 238000010586 diagram Methods 0.000 description 7
- 238000010276 construction Methods 0.000 description 6
- 238000004891 communication Methods 0.000 description 5
- 230000006870 function Effects 0.000 description 4
- 238000005065 mining Methods 0.000 description 4
- 238000012545 processing Methods 0.000 description 3
- 238000011144 upstream manufacturing Methods 0.000 description 3
- 238000012098 association analyses Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 238000007418 data mining Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000003745 diagnosis Methods 0.000 description 1
- 238000003780 insertion Methods 0.000 description 1
- 230000037431 insertion Effects 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 238000010295 mobile communication Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012216 screening Methods 0.000 description 1
- 239000002699 waste material Substances 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/32—Monitoring with visual or acoustical indication of the functioning of the machine
- G06F11/324—Display of status information
- G06F11/327—Alarm or error message display
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/3003—Monitoring arrangements specially adapted to the computing system or computing system component being monitored
- G06F11/3006—Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/3065—Monitoring arrangements determined by the means or processing involved in reporting the monitored data
- G06F11/3072—Monitoring arrangements determined by the means or processing involved in reporting the monitored data where the reporting involves data filtering, e.g. pattern matching, time or event triggered, adaptive or policy-based reporting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/32—Monitoring with visual or acoustical indication of the functioning of the machine
Definitions
- the present application relates to the technical field of network operation and maintenance, and in particular, to an alarm method, apparatus, device and storage medium.
- EMS Element Management System
- Derivative alarms will affect users to locate fault points and occupy a large amount of network bandwidth.
- the following two methods are often used to deal with the massive alarms related to the relationship: 1) Filter the alarms according to the prior knowledge such as the alarm rule table and the whitelist, and obtain the root alarm that needs to be uploaded; 2) Extract historical alarms as a sample data set to determine credible alarm association rules, and determine root alarms that need to be uploaded through the alarm association rules.
- Embodiments of the present application provide an alarm method, apparatus, device, and storage medium.
- An embodiment of the present application provides an alarm method, including: determining a root alarm in the current alarm according to an alarm type of a current alarm and an association rule corresponding to the alarm type; wherein the association rule is based on a frequent pattern tree It is determined that the frequent pattern tree is obtained by scanning historical alarms.
- An embodiment of the present application provides an alarm device, including: a root alarm determination module configured to determine a root alarm in the current alarm according to an alarm type of the current alarm and an association rule corresponding to the alarm type; wherein, the The association rules are determined according to a frequent pattern tree obtained by scanning historical alarms.
- An embodiment of the present application provides an alarm device, including: one or more processors; a storage device configured to store one or more programs; when the one or more programs are executed by the one or more processors , so that the one or more processors implement the above-mentioned alarm method.
- Embodiments of the present application further provide a storage medium for computer-executable instructions, where the computer-executable instructions are used to execute the above-mentioned alarm method when executed by a computer processor.
- FIG. 1 is a flowchart of an alarm method provided by an embodiment
- FIG. 2 is a flowchart of another alarm method provided by an embodiment
- FIG. 3 is an exemplary flowchart of generating a data set according to a time sequence of historical alarms and feature items extracted from historical alarms provided by an embodiment
- FIG. 4 is an exemplary flowchart of a method for determining a first frequent itemset provided by an embodiment
- FIG. 5 is an exemplary flowchart of a method for constructing a frequent pattern tree provided by an embodiment
- FIG. 6 is an exemplary diagram of a structure of a frequent pattern tree provided by an embodiment
- FIG. 7 is an exemplary flowchart of a method for determining a maximum frequent itemset corresponding to a feature item in an item header table according to an embodiment
- FIG. 8 is an exemplary flowchart of a method for determining a target association rule provided by an embodiment
- FIG. 9 is a schematic structural diagram of an alarm device according to an embodiment.
- FIG. 10 is a schematic structural diagram of an alarm device according to an embodiment.
- the alarm rule table and whitelist generated based on prior knowledge are often used to filter the alarms, or the association rule algorithm APRIORI is used to select the alarms from history.
- the association rules are mined in the alarms to filter the above-mentioned alarms, so as to remove the derivative alarms in the above-mentioned alarms, and then determine the root alarm sent by the faulty communication node, so as to reduce the workload of operation and maintenance.
- the alarm rule table and whitelist depend on the generation of prior knowledge, in the face of complex multi-architecture, diverse device types, and complex alarm types and relationships, the screening rules generated by livable prior knowledge are difficult to deal with, and rely on The rules generated by prior knowledge have narrow coverage and low accuracy, and it is difficult to dynamically adapt to changes according to different application environments; while the APRIORI algorithm is used to determine the association rules, it is necessary to scan the data set generated according to historical alarms for many times, and A huge number of candidate sets will be generated, and the number of candidate sets will increase exponentially with the size of the data set, which will generate a large load and cause a large waste of resources, which will increase the amount of data to be processed for operation and maintenance work.
- the root alarm in the current alarm is determined through the association rule corresponding to the alarm type of the current alarm determined according to the frequent pattern tree, which improves the accuracy of determining the root alarm and reduces the alarm at the same time. Resource requirements and complexity of operations work.
- FIG. 1 is a flowchart of an alarm method provided by an embodiment. As shown in FIG. 1 , the alarm method provided by this embodiment includes step 110 .
- step 110 the root alarm in the current alarm is determined according to the alarm type of the current alarm and the association rule corresponding to the alarm type.
- the association rules are determined according to the frequent pattern tree, and the frequent pattern tree is obtained by scanning historical alarms.
- the current alarm can be understood as multiple pieces of alarm information uploaded by the device to the network element management system EMS, and the current alarm includes the alarm of the faulty node in the communication network, and the upstream and downstream alarms derived from the above-mentioned alarms.
- Correlation alarms wherein the alarms of the faulty node can be understood as the root alarms in the current alarms, and the upstream and downstream associated alarms derived from the root alarms can be understood as the derived alarms in the current alarms.
- the alarm type can be understood as the type of fault in the alarm. In some examples, the alarm type can be signal loss, output optical power exceeding the limit, laser bias current too small, module internal temperature exceeding the limit, input optical power exceeding the limit and tunnel.
- Association rules can be understood as an implication in the form of X ⁇ Y, where X can be called the predecessor (Antecedent or left-hand-side, LHS) of the association rule, and Y can be called the successor (Consequent or right of the association rule).
- LHS predecessor
- Y can be called the successor (Consequent or right of the association rule).
- -hand-side, RHS) the association relationship is used to represent the causal relationship between X and Y, that is, for the association relationship with high support and trust, Y is more likely to appear when X appears.
- Frequent Pattern Tree FP-Tree
- FP-Growth can be understood as a data structure that compresses the database that provides frequent itemsets according to the association analysis algorithm (FP-Growth) and retains the association information between itemsets. The tree consists of a root node (value is null), a frequent item header table and multiple descendant nodes.
- History Alarm can be understood as the alarm that occurred before
- the current alarm containing multiple pieces of alarm information sent by the device at the current moment is obtained, and according to the alarm type corresponding to each alarm information in the current alarm, the association rule corresponding to the alarm type is obtained from the association rule base, and then The alarm type corresponding to the fault scenario in the current alarm is determined through the association rule, and the alarm information with the alarm type is determined as the root alarm in the current alarm.
- the attribute features can be extracted by scanning historical alarms and a data set can be constructed, a frequent pattern tree can be constructed according to the frequent item sets in the data set, and the association rules corresponding to each alarm type can be determined by the correlation information between the sets of the frequent pattern tree. .
- association rules are obtained by mining the association information among the item sets in the frequent pattern tree, thus reducing the generation of association rules. required data load.
- the root alarm in the current alarm is determined through the association rule corresponding to the alarm type of each alarm information in the current alarm, only the determined root alarm is sent to the network element management system EMS via the Northbound Interface (NBI) ) to the Network Management System (NMS), which reduces the data traffic of the northbound interface, enables the NMS to perform more accurate fault diagnosis on the faulty node that generates the alarm, and improves the simplicity of alarm operation and maintenance. and accuracy.
- the root alarm in the current alarm is determined according to the alarm type of the current alarm and the association rule corresponding to the alarm type; wherein, the association rule is determined according to the frequent pattern tree, and the Frequent pattern trees are obtained by scanning historical alarms.
- the frequent pattern tree is constructed by scanning historical alarms, the association rules corresponding to the alarm types are determined according to the frequent pattern tree structure, and the root alarms in the current alarms are determined according to the association rules corresponding to the alarm types of the current alarms, so that the current alarms Derivative alarms that affect fault location can be filtered, and only the root alarms determined are uploaded.
- FIG. 2 is a flowchart of another alarm method provided by an embodiment. As shown in FIG. 2 , the method includes steps 210 to 260 .
- step 210 historical alarms within a preset time are acquired, and a data set is generated according to the time sequence of the historical alarms and the feature items extracted from the historical alarms.
- the feature item includes attribute features extracted from historical alarms.
- the feature item can be understood as alarm information determined according to the attribute feature extracted from the historical alarm, the attribute feature includes the system ID and the alarm type, and the feature item, the alarm type and the system ID have a corresponding relationship.
- the historical alarms corresponding to the preset time are obtained from the historical alarm database, and the obtained historical alarms are arranged in chronological order. Since there is an association relationship between adjacent historical alarms The possibility is high, so the historical alarms can be grouped according to the time sequence, so that the same group contains only one root alarm and the derivative alarms corresponding to the root alarm as much as possible, and at the same time attribute the historical alarms in each group after the grouping.
- Feature extraction determine the historical alarms with different system IDs and alarm types in each group, and determine the above-mentioned historical alarms with different system IDs and alarm types as the feature items corresponding to the group, and then according to the grouping and the corresponding Feature items generate datasets for association rule determination.
- the number of historical alarms used to generate the frequent pattern tree can be adjusted by adjusting the size of the preset time, and then the complexity of the frequent pattern tree can be adjusted by adjusting the size of the preset time.
- the size may be determined according to the actual situation, which is not limited in this embodiment of the present application.
- FIG. 3 is an exemplary flowchart of generating a data set according to a time sequence of historical alarms and feature items extracted from historical alarms provided by an embodiment, as shown in FIG. 3 , which specifically includes the following steps:
- Step 2101 Divide the historical alarms into at least two alarm sets in a chronological order at a preset time interval.
- an alarm set may be understood as a set of historical alarms within a preset time interval, and each alarm in the same alarm set is likely to have an associated relationship, that is, the same alarm set.
- the acquired historical alarms are arranged in chronological order from first to last, starting from the historical alarm with the first chronological order and backward, grouping the historical alarms at preset time intervals, and grouping the historical alarms belonging to the same It is assumed that the collection of historical alarms within the time interval is determined as an alarm set. In some examples, assuming that the time corresponding to the historical alarm with the first time sequence is 16:31:00 and the preset time interval is one minute, the alarm time is set to be within the range of 16:31:00-16:31:59. The historical alarms are determined as one alarm set, and further, the historical alarms within 16:32:00-16:32:59 are determined as another alarm set.
- the congestion situation of the network in the network element management system EMS and the alarm receiving and processing mechanism of the network element management system EMS can be comprehensively considered, and it can be determined from the triggering of the associated alarm on the device to
- the network element management system EMS receives the processing interval, and determines the above interval as the preset time interval. If it is considered that there is a correlation between the two alarms, the above two alarms should be respectively sent by the device to the network element within the preset time interval.
- the specific set value of the preset time interval is not limited in this embodiment of the present application.
- Step 2102 Perform attribute feature extraction on each alarm set, and determine the feature item corresponding to each alarm set according to the alarm type in the extracted attribute feature.
- attribute feature extraction is performed on the historical alarms in each alarm set to determine the alarm type corresponding to each historical alarm in the alarm set, and then several types of alarms that appear in each alarm set are determined.
- the alarm type determines the corresponding feature item in the alarm set.
- the alarm type may further include system type information. For more concise and intuitive expression, it may be mapped by the alarm key value, and the corresponding feature item in the alarm set may be represented by the alarm key value.
- Table 1 below is an alarm key-value mapping table provided by an embodiment, as shown in Table 1 below:
- the characteristic items and representations corresponding to the alarm set are I2 and I5.
- Step 2103 Generate a data set according to each alarm set and feature items corresponding to each alarm set.
- the alarm set has been determined according to the preset time interval, and it is determined that each alarm set contains corresponding feature items.
- Table 2 below is an example of a data set provided by an embodiment, as shown in Table 2 below:
- Step 220 Scan the data set, and count the occurrences of the feature items in the data set to determine the first frequent item set.
- an itemset can be understood as a set of several items; a frequent itemset can be understood as a set of items whose support is greater than or equal to the minimum support.
- the support degree can be understood as the support degree, and in the association analysis of data mining, it can represent the frequency of the former item and the latter item appearing in a data set at the same time.
- the data set is scanned, and the number of occurrences of each feature item appearing in the data set is counted. Since the same feature item can only appear once in the same alarm set, the frequency of occurrence of each feature item and the alarm set are calculated according to the number of occurrences of each feature item. The number determines the support degree of each feature item in the data set, and the set of feature items whose support degree satisfies the minimum support degree judgment condition is determined as the first frequent item set.
- FIG. 4 is an exemplary flowchart of a method for determining a first frequent itemset provided by an embodiment, as shown in FIG. 4 , which specifically includes the following steps:
- Step 2201 Scan the data set, and count the occurrences of the feature items corresponding to each alarm type.
- the data set shown in Table 2 is scanned, and the number of occurrences of the feature items corresponding to each alarm type is counted. Taking the feature item I2 as an example, the number of occurrences in the data set is 7 times. , then the number of occurrences of the feature item I2 can be recorded as 7.
- Step 2202 Determine the support degree of the feature item corresponding to each alarm type according to the occurrence times and the number of alarm sets.
- the maximum number of times the feature items corresponding to each alarm type appear in the data set is the number of alarm sets.
- the ratio of the number of occurrences of the feature item to the number of alarm sets is determined as the support degree of the feature item corresponding to each alarm type.
- the frequency of the itemset X ⁇ Y in the data set is ⁇ (X ⁇ Y), that is, the number of times X and Y appear simultaneously in the data set is ⁇ (X ⁇ Y), and T is the data set.
- the number of groups, then the support of the itemset X ⁇ Y in the dataset can be expressed as:
- Step 2203 Determine the set of feature items corresponding to the alarm types with each support greater than or equal to the preset support threshold as the first frequent item set.
- the preset support threshold may be set to 20%, which is not limited in this embodiment of the present application.
- the first frequent itemset is determined for the data set shown in Table 2.
- Table 3 below is an example of a first frequent itemset that satisfies the minimum support threshold provided by an embodiment, as shown in the following table 3 shows:
- Step 230 Scan the data set again, and construct a frequent pattern tree according to the item header table generated by the first frequent itemset.
- the item header table can be understood as including all the feature items in the frequent pattern tree, and the feature items in the frequent pattern tree are sorted according to the support degree, and the feature item set of the frequent pattern tree is constructed according to the support degree.
- the feature items are sorted in descending order of support degree to generate an item header table, the data set is scanned again, and the alarm set is sorted according to the features contained in it.
- the sorting of items in the item header table is rearranged again, and the rearranged alarm sets are inserted into the frequent pattern tree with null as the root node in turn to complete the construction of the frequent pattern tree.
- the feature items with high support in the alarm set are preferentially inserted, that is, the feature items with high support are regarded as ancestor nodes, and other feature items are inserted in sequence according to the order of support as descendant node.
- FIG. 5 is an exemplary flowchart of a method for constructing a frequent pattern tree provided by an embodiment, as shown in FIG. 5 , which specifically includes the following steps:
- Step 2301 Arrange the feature items in the first frequent item set in descending order of support to generate an item header table, and delete the feature items in each alarm set that are not included in the first frequent item set to obtain an adjusted alarm set.
- the feature items in the first frequent item set are sorted according to the support degree, and the feature items are put into the list in order of the support degree from high to low to generate the item header table. Since they are not included in the first frequent item The feature items in the set will not be used to generate the frequent pattern tree, so the generated data set is scanned again, and the feature items that are not included in the first frequent item set in each alarm set in the data set are deleted. According to the arrangement order of the feature items in the middle, the alarm set is adjusted and rearranged, so that the alarm set containing the feature items with high support is adjusted to the front position in the arrangement order.
- Table 4 is an example of an item header table provided by an embodiment, as shown in Table 4 below:
- Table 5 below is an example of an adjusted alarm set provided by an embodiment, as shown in Table 5 below:
- the order of the alarm set including the feature item I2 is adjusted to the first position.
- Step 2302 Construct a frequent pattern tree according to the feature items in the adjusted alarm set and the item header table.
- the feature items in the same alarm set are located in the same branch in the frequent pattern tree, and the feature items in the same alarm set are inserted into the frequent pattern tree in descending order of support.
- the count of the corresponding common superior node is incremented by one, and after insertion, if a new node appears, the corresponding node will be linked to the new node through the node linked list according to the item header table, until After all feature items in the alarm set are inserted into the frequent pattern tree, the construction of the frequent pattern tree is considered complete.
- FIG. 6 is an example diagram of a structure of a frequent pattern tree provided by an embodiment.
- Step 240 Determine the conditional pattern base corresponding to the feature item in the item header table according to the frequent pattern tree, and determine the maximum frequent item set corresponding to the feature item according to the conditional pattern base.
- conditional pattern base can be understood as a set of paths in the frequent pattern tree ending with the search item, that is, all content between the search item and the root node of the frequent pattern tree.
- the maximum frequent itemset can be understood as the frequent itemsets that meet the condition of no superset in multiple frequent itemsets, that is, the frequent itemsets that contain the most qualified feature items.
- a superset can be understood as if every element in a set S2 is in the set S1, and the combination S1 may contain elements that are not in S2, then S1 is a superset of S2.
- the bottom items of the item header table are dug up sequentially, that is, starting from the feature item located at the bottom of the item header table, each feature item in the item header table is sequentially used as the search item to determine the conditional pattern base.
- each feature item in the item header table is sequentially used as the search item to determine the conditional pattern base.
- reconstruct the data set corresponding to the search item and determine a plurality of frequent item sets ending with the search item according to the data set, and select each frequent item set.
- the frequent itemset containing the most feature items is used as the maximum frequent itemset corresponding to the search item, and in the same way, the maximum frequent itemset corresponding to each feature item in the item header table can be obtained.
- FIG. 7 is an exemplary flowchart of a method for determining a maximum frequent itemset corresponding to a feature item in an item header table provided by an embodiment. As shown in FIG. 7 , the method specifically includes the following steps:
- Step 2401 Determine the node chain in the frequent pattern tree that ends with the feature item in the item header table.
- Step 2402 Determine the support degree of each node in the node chain, update the support degree of the feature item corresponding to each node, and determine the combination of the feature item corresponding to the node chain as the conditional pattern base corresponding to the feature item in the item header table. .
- conditional pattern base of the corresponding I5 node is ⁇ (I2:1), (I1:1), (I3: 1),(I5:1)> and ⁇ (I2:1),(I1:1),(I5:1)>.
- Step 2403 Generate a second data set according to the conditional pattern base, and determine the maximum frequent item set corresponding to the feature item in the item header table according to the support degree of each feature item in the second data set.
- each conditional pattern base corresponding to I5 is used as a new alarm set to generate a second data set, that is, each row in the second data set stores a feature item corresponding to an I5 conditional pattern base, and then generates a second data set corresponding to the conditional pattern base of I5.
- the frequent itemsets are (I5:2), (I1, I5:2), (I2, I5:2), (I1, I2, I5:2), since the itemsets (I1, I2, I5:2) are All frequent itemsets meet the frequent itemsets without superset condition, so the itemsets (I1, I2, I5:2) are determined as the maximum frequent itemsets corresponding to the feature item I5.
- the frequent pattern subtree corresponding to the feature item I5 is single-branched, there is no need to recurse the subtree, and the set of feature items corresponding to the I5 conditional pattern base can be directly determined as the maximum frequent item set corresponding to the feature item I5.
- Step 250 Determine the target association rule corresponding to the feature item according to the maximum frequent item set, the data set and the preset reliability threshold, and store the target association rule in the association rule base.
- the confidence level can be understood as the degree of credibility of the association relationship, that is, the probability of the occurrence of event Y based on the occurrence of event X, indicating the strength of the association or the reliability of the rule, that is, both X and Y are included. % of transactions that contain X. Assuming that the frequency of the itemset X ⁇ Y in the data set is ⁇ (X ⁇ Y), and the frequency of the itemset X in the data set is ⁇ (X), then the confidence that the itemset X ⁇ Y occurs on the basis of the itemset X is Degree can be expressed as:
- recursive splitting is performed on the maximum frequent itemset, multiple association rules are generated, the confidence level of each association rule in the data set is determined, and the confidence level is compared with the preset confidence level threshold, and the confidence level is considered as the confidence level.
- the association rules greater than the preset reliability threshold are credible, that is, strong association rules, the determined association rules are determined as the target association rules corresponding to the feature items, and the target association rules are stored in the association rule database for Provides root alert determination.
- FIG. 8 is an exemplary flowchart of a method for determining a target association rule provided by an embodiment, as shown in FIG. 8 , which specifically includes the following steps:
- Step 2501 Recursively split the maximum frequent itemset to obtain a first itemset and a second itemset, where the second itemset is the complement of the first itemset to the maximum frequent itemset.
- the first item set and the second item set are obtained by recursively splitting the largest frequent item set, in order to determine the causal relationship between the corresponding feature items in the first item set and the second item set, that is,
- the relationship between the feature items in the first item set and the feature items in the second item set can be called the relationship between the feature items in the first item set and the feature items in the second item set. connection relation.
- the association rules that can be split out may include: (I2, I1, I5 ⁇ ), ( I2,I1 ⁇ I5), (I1 ⁇ I2,I5), (I2,I5 ⁇ I1), (I2 ⁇ I1,I5), (I1,I5 ⁇ I2), and (I5 ⁇ I2,I1).
- the correlation can be expressed as I2 and I1 will appear when I5 appears, that is, there is a causal relationship between I5 and I2 and I1, and I2 and I1 are derived alarms of I5.
- Step 2502 According to the maximum frequent itemset, the first item set and the data set, determine the first number of times that the maximum frequent itemset belongs to the same alarm set in the data set, and the second time that the first item set belongs to the same alarm set in the data set. frequency.
- the first number of times can be understood as the number of times that the alarms corresponding to the feature items in the maximum frequent item set occur simultaneously in one alarm set, that is, there are several alarm sets in the data set that have feature items in the maximum frequent item set at the same time.
- the second number of times can be understood as the number of times that the alarms corresponding to the feature items in the first item set appear simultaneously in an alarm set, that is, there are several alarm sets in the data set that have the feature items in the first item set at the same time.
- the first number of times corresponding to the association rule (I5 ⁇ I2, I1) is the number of times the feature item combinations I1, I2 and I5 appear in the dataset, and also That is, the first time is 2, and the second time is the number of times the feature item I5 appears in the data set, that is, the second time is 2.
- Step 2503 When the ratio of the first time to the second time is greater than or equal to the preset reliability threshold, determine the causal relationship between the feature item corresponding to the first item set and the feature item corresponding to the second item set. is the target association rule of the corresponding feature item in the first item set.
- the ratio of the first count to the second count can be understood as the confidence level of the association rule formed by the first item set and the second item set.
- the above confidence level is greater than or equal to the preset confidence threshold , it can be considered that the causal relationship corresponding to the above-mentioned association rules is strong, and belongs to strong association rules, which can be stored and applied as the target association rules of the corresponding feature items in the first item set.
- the corresponding first time is the number of times the feature item combination I1, I2 and I5 appear in the data set, that is, the first time is 2, and the second time is the feature item.
- the target association rule into the association rule base when storing the target association rule into the association rule base, it includes:
- the target association rule is stored in the association rule base.
- the target association rule is included in the association rule base and is a subset of the association rule to be updated in the association rule base, the target association rule is not stored in the association rule base.
- the target association rule is included in the association rule base and is a superset of the association rule to be updated in the association rule base
- the to-be-updated association rule is replaced with the target association rule
- the association rule to be updated is an association rule corresponding to the target association rule in the association rule base.
- the target association rule is (I5 ⁇ I2, I1), and the association rule to be updated corresponding to the target association rule in the association rule base is (I5 ⁇ I2), the target association rule is considered to be the association rule to be updated At this time, the target association rule is not stored in the association rule base; and when the association rule to be updated is (I5 ⁇ I2, I1, I3), the target association rule is considered to be the superset of the association rule to be updated. At this time, the target association rule to be updated is replaced by the association rule to be updated, and stored in the association rule base.
- Step 260 Determine the root alarm in the current alarm according to the alarm type of the current alarm and the association rule corresponding to the alarm type.
- the data set generated by the historical alarms is scanned twice, and the alarm sets divided according to preset time intervals in the data set are compressed and stored in the frequent pattern tree in descending order according to the support degree.
- the division of the alarm set can be dynamically adjusted according to the preset time interval, the alarm density and the alarm intensity in the alarm set can be adjusted.
- the number of alarm sets is adjusted to control the flourishing degree of frequent pattern tree generation, optimize the mining efficiency of association rules, and better adapt to performance problems in systems with large data volumes.
- association rule When mining association rules, only the largest frequent itemset corresponding to the feature item is considered, and the number of words corresponding to the feature item is no longer recursively traversed, which improves the efficiency of association rule determination.
- the generated association rule is used to determine the root alarm of the current alarm, which improves the reliability of the determination of the root alarm and reduces the complexity of alarm operation and maintenance.
- FIG. 9 is a schematic structural diagram of an alarm device according to an embodiment. As shown in FIG. 9 , the alarm device includes: a root alarm determination module 310 .
- the root alarm determining module 310 is configured to determine the root alarm in the current alarm according to the alarm type of the current alarm and the association rule corresponding to the alarm type;
- association rule is determined according to a frequent pattern tree, and the frequent pattern tree is obtained by scanning historical alarms.
- a frequent pattern tree is constructed by scanning historical alarms, an association rule corresponding to an alarm type is determined according to the frequent pattern tree structure, and a root alarm in the current alarm is detected according to the association rule corresponding to the alarm type of the current alarm.
- it also includes:
- the association rule determination module is configured to generate a frequent pattern tree according to historical alarms, and determine an association rule according to the frequent pattern tree.
- the association rule determination module includes:
- a data set generating unit configured to obtain historical alarms within a preset time, and generate a data set according to the time sequence of the historical alarms and the feature items extracted from the historical alarms; wherein the feature items include the Attribute features extracted from historical alarms.
- the first frequent itemset determining unit is configured to scan the data set and count the occurrences of the feature items in the data set to determine the first frequent itemset.
- the frequent pattern tree construction unit is configured to scan the data set again, and construct a frequent pattern tree according to the item header table generated by the first frequent item set.
- the maximum frequent itemset determining unit is configured to determine the conditional pattern base corresponding to the feature item in the item header table according to the frequent pattern tree, and determine the maximum frequent itemset corresponding to the feature item according to the conditional pattern base.
- An association rule determination unit configured to determine a target association rule corresponding to the feature item according to the maximum frequent item set, the data set and a preset reliability threshold, and store the target association rule into an association rule in the library.
- the data set generating unit is specifically configured to divide the historical alarms into at least two alarm sets in chronological order and at preset time intervals; perform attribute feature extraction on each of the alarm sets, and extract the alarm set according to the extracted data.
- the alarm type in the attribute feature of the attribute determines the feature item corresponding to each alarm set; a data set is generated according to each alarm set and the feature item corresponding to each alarm set.
- the alarm types include at least two types.
- the first frequent item set determining unit is specifically configured to scan the data set, and count the occurrences of the feature items corresponding to each of the alarm types; The number of sets determines the support degree of the feature item corresponding to each alarm type; the set of feature items corresponding to each alarm type whose support degree is greater than or equal to the preset support degree threshold is determined as the first frequent item set.
- the frequent pattern tree construction unit is specifically configured to arrange the feature items in the first frequent item set in descending order of support to generate an item header table, and not include each of the alarm sets in the first frequent item set.
- the feature items in the frequent item set are deleted to obtain an adjusted alarm set;
- a frequent pattern tree is constructed according to the feature items in the adjusted alarm set and the item header table; wherein, the feature items in the same alarm set are located in the frequent The same branch in the pattern tree, and the feature items in the same alarm set are inserted into the frequent pattern tree in descending order of support, and the feature item with the highest support is the ancestor node.
- the maximum frequent itemset determination unit is specifically set to determine the node chain in the frequent pattern tree that ends with the feature item in the item header table; determine the support degree of each node in the node chain, and update the support degree of the feature items corresponding to each of the nodes, and determine the combination of the feature items corresponding to the node chain as the conditional pattern base corresponding to the feature item in the item header table; according to the conditional pattern base A second data set is generated, and the maximum frequent itemset corresponding to the feature items in the item header table is determined according to the support degree of each feature item in the second data set.
- the association rule determination unit is specifically set to recursively split the maximum frequent itemset to obtain a first itemset and a second itemset, and the second itemset is the first itemset With respect to the complement of the maximum frequent itemset; according to the maximum frequent itemset, the first item set and the data set, determine that the maximum frequent itemset belongs to the first item of the same alarm set in the data set.
- the causal relationship between the feature item corresponding to the first item set and the feature item corresponding to the second item set is determined as the target association rule of the feature item corresponding to the first item set.
- the target association rule is not included in the association rule base, store the target association rule in the association rule base; if the target association rule is included in the association rule base, and is the In the case of a subset of the association rules to be updated in the association rule base, the target association rules are not stored in the association rule base; in the case where the target association rules are included in the association rule base, and are all In the case of a superset of the association rules to be updated in the association rule base, the association rules to be updated are replaced with the target association rules; wherein the association rules to be updated are the association rules in the association rule base that are the same as the target association rules.
- the association rule corresponding to the association rule is the association rule base that are the same as the target association rules.
- the alarm device proposed in this embodiment and the alarm method proposed in the above-mentioned embodiments belong to the same inventive concept.
- FIG. 10 is a schematic structural diagram of an alarm device provided by an embodiment.
- the alarm device includes a processor 410, a storage device 420, an input device 430, and an output device 440; the number of processors 410 in the alarm device There may be one or more, and one processor 410 is taken as an example in FIG. 10; the processor 410, the storage device 420, the input device 430, and the output device 440 in the alarm device can be connected by a bus or in other ways. Take bus connection as an example.
- the storage device 420 may be used to store software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the alarm method in the embodiments of the present application.
- the processor 410 executes various functional applications and data processing of the alarm device by running the software programs, instructions and modules stored in the storage device 420 , that is, to implement the above-mentioned alarm method.
- the storage device 420 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Additionally, storage device 420 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some examples, storage device 420 may further include memory located remotely from processor 410, which may be connected to the device through a network. Examples of such networks include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.
- the input device 430 can be used to receive input numerical or character information, and generate signal input related to user settings and function control of the device, and can include a touch screen, a keyboard, a mouse, and the like.
- the output device 440 may include a display device such as a display screen.
- Embodiments of the present application further provide a storage medium containing computer-executable instructions, where the computer-executable instructions are used to execute an alarm method when executed by a computer processor.
- the root alarm in the current alarm is determined according to the alarm type of the current alarm and the association rule corresponding to the alarm type; wherein, the association rule is determined according to the frequent pattern tree, and the frequent pattern tree passes Scan history alarms are obtained.
- a frequent pattern tree is constructed by scanning historical alarms, the association rules corresponding to the alarm types are determined according to the frequent pattern tree structure, and the root alarms in the current alarms are determined according to the association rules corresponding to the alarm types of the current alarms, so that the current alarms Derivative alarms that affect fault location can be filtered, and only the root alarms determined are uploaded.
- the present application can be implemented by means of software and general hardware, and can also be implemented by hardware. Based on this understanding, the technical solution of the present application can be embodied in the form of a software product, and the computer software product can be stored in a computer-readable storage medium, such as a floppy disk of a computer, a read-only memory (Read-Only Memory, ROM), Random access memory (Random Access Memory, RAM), flash memory (FLASH), hard disk or optical disk, etc., including multiple instructions to enable a computer device (which may be a personal computer, server, or network device, etc.) to execute any methods described in the examples.
- a computer-readable storage medium such as a floppy disk of a computer, a read-only memory (Read-Only Memory, ROM), Random access memory (Random Access Memory, RAM), flash memory (FLASH), hard disk or optical disk, etc.
- the block diagrams of any logic flow in the figures of the present application may represent program steps, or may represent interconnected logic circuits, modules and functions, or may represent a combination of program steps and logic circuits, modules and functions.
- Computer programs can be stored on memory.
- the memory may be of any type suitable for the local technical environment and may be implemented using any suitable data storage technology, such as but not limited to read only memory (ROM), random access memory (RAM), optical memory devices and systems (Digital Versatile Discs). DVD or CD disc) etc.
- Computer-readable media may include non-transitory storage media.
- the data processor may be of any type suitable for the local technical environment, such as, but not limited to, a general purpose computer, special purpose computer, microprocessor, digital signal processor (DSP), application specific integrated circuit (ASIC), programmable logic device (FGPA) and processors based on multi-core processor architectures.
- DSP digital signal processor
- ASIC application specific integrated circuit
- FGPA programmable logic device
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Quality & Reliability (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Mathematical Physics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A warning method, apparatus and device, and a storage medium. The method comprises: determining a root warning in the current warning according to a warning type of the current warning and an association rule corresponding to the warning type (110), wherein the association rule is determined according to a frequent pattern tree, and the frequent pattern tree is obtained by scanning historical warnings.
Description
相关申请的交叉引用CROSS-REFERENCE TO RELATED APPLICATIONS
本申请基于申请号为202011384572.6、申请日为2020年11月30日的中国专利申请提出,并要求该中国专利申请的优先权,该中国专利申请的全部内容在此引入本申请作为参考。This application is based on the Chinese patent application with the application number of 202011384572.6 and the filing date of November 30, 2020, and claims the priority of the Chinese patent application. The entire content of the Chinese patent application is incorporated herein by reference.
本申请涉及网络运维技术领域,具体涉及一种告警方法、装置、设备及存储介质。The present application relates to the technical field of network operation and maintenance, and in particular, to an alarm method, apparatus, device and storage medium.
在通讯网络中,如果一个通信节点出现告警,往往能衍生出上下游的关联告警,而设备会将所有告警均上报至网元管理系统(Element Management System,EMS)。衍生告警会影响用户定位故障点,同时占用大量网络带宽。目前在网元管理系统中,针对有关联关系的海量告警的处理常采用以下两种方式:1)依据告警规则表、白名单等先验知识对告警进行过滤,得到需要进行上传的根告警;2)抽取历史告警作为样本数据集确定可信的告警关联规则,并通过告警关联规则确定需要进行上传的根告警。然而告警规则表和白名单等先验知识需要精通相关业务和技术的专家根据普遍知识和经验归纳得到,在面对多体系结构复杂、设备类型多样,告警类型和关系复杂的情况时,很难形成覆盖范围完整、准确性高以及动态适应性好的先验规则;而通过作为样本数据集的历史告警形成告警关联规则时,需要对样本数据集进行多次扫描,造成很大的输入/输出(Input/Output)负载,同时可能产生庞大的候选集,且候选集的数量是呈指数级增长的,严重影响了告警关联规则的生成效率。In a communication network, if an alarm occurs on a communication node, the associated alarms of upstream and downstream can often be derived, and the device will report all alarms to the Element Management System (EMS). Derivative alarms will affect users to locate fault points and occupy a large amount of network bandwidth. At present, in the network element management system, the following two methods are often used to deal with the massive alarms related to the relationship: 1) Filter the alarms according to the prior knowledge such as the alarm rule table and the whitelist, and obtain the root alarm that needs to be uploaded; 2) Extract historical alarms as a sample data set to determine credible alarm association rules, and determine root alarms that need to be uploaded through the alarm association rules. However, prior knowledge such as alarm rule table and whitelist needs to be obtained by experts who are proficient in related services and technologies based on general knowledge and experience. In the face of complex multi-architecture, various device types, and complex alarm types and relationships, it is difficult to Form a priori rules with complete coverage, high accuracy and good dynamic adaptability; while forming alarm correlation rules through historical alarms as sample data sets, it is necessary to scan the sample data sets multiple times, resulting in a large input/output (Input/Output) load, and may generate huge candidate sets at the same time, and the number of candidate sets increases exponentially, which seriously affects the generation efficiency of alarm association rules.
发明内容SUMMARY OF THE INVENTION
本申请实施例提供一种告警方法、装置、设备及存储介质。Embodiments of the present application provide an alarm method, apparatus, device, and storage medium.
本申请实施例提供了一种告警方法,包括:根据当前告警的告警类型和与所述告警类型对应的关联规则,确定所述当前告警中的根告警;其中,所述关联规则根据频繁模式树确定,所述频繁模式树通过扫描历史告警得到。An embodiment of the present application provides an alarm method, including: determining a root alarm in the current alarm according to an alarm type of a current alarm and an association rule corresponding to the alarm type; wherein the association rule is based on a frequent pattern tree It is determined that the frequent pattern tree is obtained by scanning historical alarms.
本申请实施例提供了一种告警装置,包括:根告警确定模块,设置为根据当前告警的告警类型和与所述告警类型对应的关联规则,确定所述当前告警中的根告警;其中,所述关联规则根据频繁模式树确定,所述频繁模式树通过扫描历史告警得到。An embodiment of the present application provides an alarm device, including: a root alarm determination module configured to determine a root alarm in the current alarm according to an alarm type of the current alarm and an association rule corresponding to the alarm type; wherein, the The association rules are determined according to a frequent pattern tree obtained by scanning historical alarms.
本申请实施例提供了一种告警设备,包括:一个或多个处理器;存储装置,设置为存储一个或多个程序;当所述一个或多个程序被所述一个或多个处理器执行,使得所述一个或多个处理器实现上述告警方法。An embodiment of the present application provides an alarm device, including: one or more processors; a storage device configured to store one or more programs; when the one or more programs are executed by the one or more processors , so that the one or more processors implement the above-mentioned alarm method.
本申请实施例还提供了一种计算机可执行指令的存储介质,所述计算机可执行指令在由计算机处理器执行时用于执行上述告警方法。Embodiments of the present application further provide a storage medium for computer-executable instructions, where the computer-executable instructions are used to execute the above-mentioned alarm method when executed by a computer processor.
关于本申请的以上实施例和其他方面以及其实现方式,在附图说明、具体实施方式和权利要求中提供更多说明。With regard to the above embodiments and other aspects of the present application, as well as implementations thereof, further explanation is provided in the Brief Description of the Drawings, the Detailed Description and the Claims.
图1为一实施例提供的一种告警方法的流程图;FIG. 1 is a flowchart of an alarm method provided by an embodiment;
图2为一实施例提供的另一种告警方法的流程图;FIG. 2 is a flowchart of another alarm method provided by an embodiment;
图3为一实施例提供的根据历史告警的时间顺序,以及根据历史告警提取出的特征项生成数据集的流程示例图;3 is an exemplary flowchart of generating a data set according to a time sequence of historical alarms and feature items extracted from historical alarms provided by an embodiment;
图4为一实施例提供的一种第一频繁项集的确定方法的流程示例图;4 is an exemplary flowchart of a method for determining a first frequent itemset provided by an embodiment;
图5为一实施例提供的一种频繁模式树的构造方法的流程示例图;5 is an exemplary flowchart of a method for constructing a frequent pattern tree provided by an embodiment;
图6为一实施例提供的一种频繁模式树的结构示例图;6 is an exemplary diagram of a structure of a frequent pattern tree provided by an embodiment;
图7为一实施例提供的一种项头表中特征项对应的最大频繁项集的确定方法的流程示例图;7 is an exemplary flowchart of a method for determining a maximum frequent itemset corresponding to a feature item in an item header table according to an embodiment;
图8为一实施例提供的一种目标关联规则的确定方法的流程示例图;8 is an exemplary flowchart of a method for determining a target association rule provided by an embodiment;
图9为一实施例提供的一种告警装置的结构示意图;FIG. 9 is a schematic structural diagram of an alarm device according to an embodiment;
图10为一实施例提供的一种告警设备的结构示意图。FIG. 10 is a schematic structural diagram of an alarm device according to an embodiment.
下面结合附图和实施例对本申请进行说明。可以理解的是,此处所描述的具体实施例仅仅用于解释本申请,而非对本申请的限定。需要说明的是,在不冲突的情况下,本申请中的实施例中的特征可以相互任意组合。另外还需要说明的是,为了便于描述,附图中仅示出了与本申请相关的部分而非全部结构。The present application will be described below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are only used to explain the present application, but not to limit the present application. It should be noted that, in the case of no conflict, the features in the embodiments of the present application may be combined with each other arbitrarily. In addition, it should be noted that, for the convenience of description, the drawings only show some but not all the structures related to the present application.
现有通信网络的运维工作中,针对设备需要上报至网元管理系统EMS的告警,常通过根据先验知识生成的告警规则表和白名单等筛选规则,或通过采用关联规则算法APRIORI由历史告警中挖掘关联规则对上述告警进行筛选,以除去上述告警中的衍生告警,进而确定出由故障的通信节点发出的根告警,以减少运维工作量。但由于告警规则表和白名单依赖于先验知识生成,在面对多体系结构复杂、设备类型多样、告警类型和关系错综复杂的情况时,宜居先验知识生成的筛选规则难以应对,且依赖于先验知识生成的规则覆盖范围狭窄,准确性低,难以根据应用环境的不同进行动态适应变化;而通过APRIORI算法确定关联规则时又需对根据历史告警生成的数据集进行多次扫描,并会产生庞大的候选集,候选集的数目随数据集的规模增大而成指数倍增长,会产生很大的负载并造成较大的资源浪费,使得运维工作所需处理数据量增大,难以降低告警运维工作的复杂度。本实施例的告警方法,通过根据频繁模式树确定的,与当前告警的告警类型对应的关联规则,对当前告警中的根告警进行确定,提升了确定根告警的准确度的同时,降低了告警运维工作的资源需求和复杂度。In the operation and maintenance work of the existing communication network, for the alarms that need to be reported to the network element management system EMS, the alarm rule table and whitelist generated based on prior knowledge are often used to filter the alarms, or the association rule algorithm APRIORI is used to select the alarms from history. The association rules are mined in the alarms to filter the above-mentioned alarms, so as to remove the derivative alarms in the above-mentioned alarms, and then determine the root alarm sent by the faulty communication node, so as to reduce the workload of operation and maintenance. However, since the alarm rule table and whitelist depend on the generation of prior knowledge, in the face of complex multi-architecture, diverse device types, and complex alarm types and relationships, the screening rules generated by livable prior knowledge are difficult to deal with, and rely on The rules generated by prior knowledge have narrow coverage and low accuracy, and it is difficult to dynamically adapt to changes according to different application environments; while the APRIORI algorithm is used to determine the association rules, it is necessary to scan the data set generated according to historical alarms for many times, and A huge number of candidate sets will be generated, and the number of candidate sets will increase exponentially with the size of the data set, which will generate a large load and cause a large waste of resources, which will increase the amount of data to be processed for operation and maintenance work. It is difficult to reduce the complexity of alarm operation and maintenance. In the alarm method of this embodiment, the root alarm in the current alarm is determined through the association rule corresponding to the alarm type of the current alarm determined according to the frequent pattern tree, which improves the accuracy of determining the root alarm and reduces the alarm at the same time. Resource requirements and complexity of operations work.
图1为一实施例提供的一种告警方法的流程图,如图1所示,本实施例提供的告警方法包括步骤110。FIG. 1 is a flowchart of an alarm method provided by an embodiment. As shown in FIG. 1 , the alarm method provided by this embodiment includes step 110 .
在步骤110中,根据当前告警的告警类型和与告警类型对应的关联规则,确定当前告警中的根告警。In step 110, the root alarm in the current alarm is determined according to the alarm type of the current alarm and the association rule corresponding to the alarm type.
其中,关联规则根据频繁模式树确定,频繁模式树通过扫描历史告警得到。The association rules are determined according to the frequent pattern tree, and the frequent pattern tree is obtained by scanning historical alarms.
在一实施例中,当前告警可理解为由设备上传至网元管理系统EMS的多条告警信息,当前告警中包括通讯网络中发生故障节点出现的告警,以及根据上述告警衍生出的上下游的关 联告警,其中,发生故障节点出现的告警可理解为当前告警中的根告警,而由根告警衍生出的上下游的关联告警可理解为当前告警中的衍生告警。告警类型可理解为告警中出现故障的种类,在一些示例中,告警类型可为信号丢失、输出光功率越限、激光器偏置电流过小、模块内部温度超限、输入光功率越限和隧道维护点连通性丢失等。关联规则可理解为一种形如X→Y的蕴含式,其中,X可称为关联规则的先导(Antecedent或left-hand-side,LHS),Y可称为关联规则的后继(Consequent或right-hand-side,RHS),关联关系用以表征X与Y间的因果关系,也即对于支持度和信任度较高的关联关系,在X出现时有较大的可能性出现Y。频繁模式树(Frequent Pattern Tree,FP-Tree)可理解为一种根据关联分析算法(FP-Growth)将提供频繁项集的数据库进行压缩,并保留项集间关联信息的数据结构,该频繁模式树由一个根节点(值为null)、一个频繁项头表和多个子孙节点构成。历史告警(History Alarm)可理解为发生在当前告警前的告警,历史告警可被保存于历史告警数据库以供统计查询。In one embodiment, the current alarm can be understood as multiple pieces of alarm information uploaded by the device to the network element management system EMS, and the current alarm includes the alarm of the faulty node in the communication network, and the upstream and downstream alarms derived from the above-mentioned alarms. Correlation alarms, wherein the alarms of the faulty node can be understood as the root alarms in the current alarms, and the upstream and downstream associated alarms derived from the root alarms can be understood as the derived alarms in the current alarms. The alarm type can be understood as the type of fault in the alarm. In some examples, the alarm type can be signal loss, output optical power exceeding the limit, laser bias current too small, module internal temperature exceeding the limit, input optical power exceeding the limit and tunnel. Maintenance point connectivity loss, etc. Association rules can be understood as an implication in the form of X→Y, where X can be called the predecessor (Antecedent or left-hand-side, LHS) of the association rule, and Y can be called the successor (Consequent or right of the association rule). -hand-side, RHS), the association relationship is used to represent the causal relationship between X and Y, that is, for the association relationship with high support and trust, Y is more likely to appear when X appears. Frequent Pattern Tree (FP-Tree) can be understood as a data structure that compresses the database that provides frequent itemsets according to the association analysis algorithm (FP-Growth) and retains the association information between itemsets. The tree consists of a root node (value is null), a frequent item header table and multiple descendant nodes. History Alarm can be understood as the alarm that occurred before the current alarm, and the historical alarm can be saved in the historical alarm database for statistical query.
本实施例中,获取当前时刻由设备发送的包含多条告警信息的当前告警,根据当前告警中各告警信息所对应的告警类型,由关联规则库中获取与告警类型相对应的关联规则,进而通过关联规则确定当前告警中故障场景对应的告警类型,并将具有该告警类型的告警信息确定为当前告警中的根告警。其中,可通过对历史告警进行扫描提取属性特征并构建数据集,根据数据集中的频繁项集构建频繁模式树,并通过频繁模式树各项集间的关联信息确定各告警类型所对应的关联规则。In this embodiment, the current alarm containing multiple pieces of alarm information sent by the device at the current moment is obtained, and according to the alarm type corresponding to each alarm information in the current alarm, the association rule corresponding to the alarm type is obtained from the association rule base, and then The alarm type corresponding to the fault scenario in the current alarm is determined through the association rule, and the alarm information with the alarm type is determined as the root alarm in the current alarm. Among them, the attribute features can be extracted by scanning historical alarms and a data set can be constructed, a frequent pattern tree can be constructed according to the frequent item sets in the data set, and the association rules corresponding to each alarm type can be determined by the correlation information between the sets of the frequent pattern tree. .
在本申请实施例中,由于采用对频繁模式树中各项集间的关联信息进行挖掘进而得到关联规则,在构建频繁模式树时仅需对历史告警进行两次扫描,因此降低了关联规则生成所需的数据负载。同时由于通过与当前告警中各告警信息的告警类型相对应的关联规则,对当前告警中的根告警进行确定,仅将确定出的根告警由网元管理系统EMS经北向接口(Northbound Interface,NBI)发送至网络管理系统(Network Management System,NMS),减少了北向接口的数据流量,使得网络管理系统NMS可对生成告警的故障节点进行更准确的故障诊断,提升了告警运维工作的简便性和准确性。In the embodiment of the present application, since the association rules are obtained by mining the association information among the item sets in the frequent pattern tree, only two scans of historical alarms are required when constructing the frequent pattern tree, thus reducing the generation of association rules. required data load. At the same time, since the root alarm in the current alarm is determined through the association rule corresponding to the alarm type of each alarm information in the current alarm, only the determined root alarm is sent to the network element management system EMS via the Northbound Interface (NBI) ) to the Network Management System (NMS), which reduces the data traffic of the northbound interface, enables the NMS to perform more accurate fault diagnosis on the faulty node that generates the alarm, and improves the simplicity of alarm operation and maintenance. and accuracy.
本实施例提供的告警方法,通过根据当前告警的告警类型和与所述告警类型对应的关联规则,确定所述当前告警中的根告警;其中,所述关联规则根据频繁模式树确定,所述频繁模式树通过扫描历史告警得到。通过扫描历史告警构建频繁模式树,根据频繁模式树结构确定对应告警类型的关联规则,并根据与当前告警的告警类型相对应的关联规则,对当前告警中的根告警进行确定,使得当前告警中影响故障点定位的衍生告警可被过滤,仅对确定出的根告警进行上传。同时解决了告警关联规则的构建依赖于先验知识,需要多次扫描历史告警的问题,提升了生成的用于确定当期告警中根告警关联规则的关联规则的准确性,可信度和动态适应性,降低了关联规则生成所需的数据量,降低了告警运维工作的复杂度。In the alarm method provided by this embodiment, the root alarm in the current alarm is determined according to the alarm type of the current alarm and the association rule corresponding to the alarm type; wherein, the association rule is determined according to the frequent pattern tree, and the Frequent pattern trees are obtained by scanning historical alarms. The frequent pattern tree is constructed by scanning historical alarms, the association rules corresponding to the alarm types are determined according to the frequent pattern tree structure, and the root alarms in the current alarms are determined according to the association rules corresponding to the alarm types of the current alarms, so that the current alarms Derivative alarms that affect fault location can be filtered, and only the root alarms determined are uploaded. At the same time, it solves the problem that the construction of alarm correlation rules depends on prior knowledge and requires multiple scanning of historical alarms, and improves the accuracy, reliability and dynamic adaptability of the generated correlation rules for determining the root alarm correlation rules in current alarms , which reduces the amount of data required to generate association rules and reduces the complexity of alarm operation and maintenance.
图2为一实施例提供的另一种告警方法的流程图,如图2所示,该方法包括步骤210至步骤260。FIG. 2 is a flowchart of another alarm method provided by an embodiment. As shown in FIG. 2 , the method includes steps 210 to 260 .
在步骤210中,获取预设时间内的历史告警,根据历史告警的时间顺序,以及根据历史告警提取出的特征项生成数据集。In step 210, historical alarms within a preset time are acquired, and a data set is generated according to the time sequence of the historical alarms and the feature items extracted from the historical alarms.
其中,特征项中包含历史告警提取出的属性特征。The feature item includes attribute features extracted from historical alarms.
在一实施例中,特征项可理解为根据历史告警提取出的属性特征确定出的告警信息,属性特征中包含系统ID和告警类型,特征项与告警类型与系统ID存在对应关系。In one embodiment, the feature item can be understood as alarm information determined according to the attribute feature extracted from the historical alarm, the attribute feature includes the system ID and the alarm type, and the feature item, the alarm type and the system ID have a corresponding relationship.
本实施例中,在生成关联规则时,由历史告警数据库中获取预设时间内对应的历史告警,将获取到的历史告警按照时间顺序进行排列,由于相邻近的历史告警间存在关联关系的可能性较大,故可根据时间顺序对历史告警进行分组,使得同一分组内尽可能只包含一个根告警以及与该根告警相对应的衍生告警,同时对分组后各组内的历史告警进行属性特征提取,确定出各组内具有不同系统ID和告警类型的历史告警,并将上述具有不同系统ID和告警类型的历史告警确定为对应于该分组的特征项,进而根据分组以及各分组对应的特征项生成用于进行关联规则确定的数据集。In this embodiment, when the association rule is generated, the historical alarms corresponding to the preset time are obtained from the historical alarm database, and the obtained historical alarms are arranged in chronological order. Since there is an association relationship between adjacent historical alarms The possibility is high, so the historical alarms can be grouped according to the time sequence, so that the same group contains only one root alarm and the derivative alarms corresponding to the root alarm as much as possible, and at the same time attribute the historical alarms in each group after the grouping. Feature extraction, determine the historical alarms with different system IDs and alarm types in each group, and determine the above-mentioned historical alarms with different system IDs and alarm types as the feature items corresponding to the group, and then according to the grouping and the corresponding Feature items generate datasets for association rule determination.
在一实施例中,可通过调整预设时间的大小调整用于生成频繁模式树的历史告警的多少,进而可通过调整预设时间的大小调整频繁模式树的复杂度,本申请中预设时间的大小可根据实际情况进行确定,本申请实施例对此不进行限制。In one embodiment, the number of historical alarms used to generate the frequent pattern tree can be adjusted by adjusting the size of the preset time, and then the complexity of the frequent pattern tree can be adjusted by adjusting the size of the preset time. The size may be determined according to the actual situation, which is not limited in this embodiment of the present application.
图3为一实施例提供的一种根据历史告警的时间顺序,以及根据历史告警提取出的特征项生成数据集的流程示例图,如图3所示,具体包括如下步骤:FIG. 3 is an exemplary flowchart of generating a data set according to a time sequence of historical alarms and feature items extracted from historical alarms provided by an embodiment, as shown in FIG. 3 , which specifically includes the following steps:
步骤2101、将历史告警按照时间顺序以预设时间间隔分为至少两个告警集。Step 2101: Divide the historical alarms into at least two alarm sets in a chronological order at a preset time interval.
在一实施例中,告警集可理解为预设时间间隔内的历史告警的集合,同一告警集中各告警间有较大可能性具有关联关系,也即同一告警集中。In one embodiment, an alarm set may be understood as a set of historical alarms within a preset time interval, and each alarm in the same alarm set is likely to have an associated relationship, that is, the same alarm set.
本实施例中,将获取到的历史告警按照时间顺序由先至后进行排列,由时间顺序最先的历史告警开始依次向后,以预设时间间隔对历史告警进行分组,并将属于同一预设时间间隔内的历史告警的集合确定为一个告警集。在一些示例中,假设时间顺序最先的历史告警所对应的时间为16:31:00,预设时间间隔为一分钟,则将告警时间处于16:31:00-16:31:59内的历史告警确定为一个告警集,进而将16:32:00-16:32:59内的历史告警确定为另一告警集。In this embodiment, the acquired historical alarms are arranged in chronological order from first to last, starting from the historical alarm with the first chronological order and backward, grouping the historical alarms at preset time intervals, and grouping the historical alarms belonging to the same It is assumed that the collection of historical alarms within the time interval is determined as an alarm set. In some examples, assuming that the time corresponding to the historical alarm with the first time sequence is 16:31:00 and the preset time interval is one minute, the alarm time is set to be within the range of 16:31:00-16:31:59. The historical alarms are determined as one alarm set, and further, the historical alarms within 16:32:00-16:32:59 are determined as another alarm set.
在一些示例中,在确定预设时间间隔时,可综合考虑网元管理系统EMS中网络的拥堵情况,以及网元管理系统EMS的告警接收和处理机制,确定出从设备上的关联告警触发到网元管理系统EMS接收处理的间隔时间,并将上述间隔时间确定为预设时间间隔,若认为两告警间存在关联关系,则上述两告警应在预设时间间隔内分别由设备发送至网元管理系统EMS中。预设时间间隔具体设置值,本申请实施例对此不进行限制。In some examples, when determining the preset time interval, the congestion situation of the network in the network element management system EMS and the alarm receiving and processing mechanism of the network element management system EMS can be comprehensively considered, and it can be determined from the triggering of the associated alarm on the device to The network element management system EMS receives the processing interval, and determines the above interval as the preset time interval. If it is considered that there is a correlation between the two alarms, the above two alarms should be respectively sent by the device to the network element within the preset time interval. In the management system EMS. The specific set value of the preset time interval is not limited in this embodiment of the present application.
步骤2102、对各告警集进行属性特征提取,并根据提取到的属性特征中的告警类型确定各告警集对应的特征项。Step 2102: Perform attribute feature extraction on each alarm set, and determine the feature item corresponding to each alarm set according to the alarm type in the extracted attribute feature.
本实施例中,对每个告警集中的历史告警进行属性特征提取,确定出告警集中各历史告警所对应的告警类型,进而确定出每个告警集中共出现几种告警类型,并根据上述出现的告警类型确定告警集中对应的特征项。In this embodiment, attribute feature extraction is performed on the historical alarms in each alarm set to determine the alarm type corresponding to each historical alarm in the alarm set, and then several types of alarms that appear in each alarm set are determined. The alarm type determines the corresponding feature item in the alarm set.
在一些示例中,告警类型中还可包括系统类型信息,为进行更简洁、直观的表达,可通过告警键值对其进行映射,并通过告警键值表征告警集中对应的特征项。下表1为一实施例提供的一种告警键值映射表,如下表1所示:In some examples, the alarm type may further include system type information. For more concise and intuitive expression, it may be mapped by the alarm key value, and the corresponding feature item in the alarm set may be represented by the alarm key value. Table 1 below is an alarm key-value mapping table provided by an embodiment, as shown in Table 1 below:
表1Table 1
系统类型system type | 告警类型Alert Type | 告警键值(Item)Alarm key value (Item) |
OTNOTN | 信号丢失signal loss | I1I1 |
OTNOTN | 输出光功率越限The output optical power exceeds the limit | I2I2 |
OTNOTN | 激光器偏置电流过小Laser bias current is too small | I3I3 |
OTNOTN | 模块内部温度超限The internal temperature of the module exceeds the limit | I4I4 |
OTNOTN | 输入光功率超限The input optical power exceeds the limit | I5I5 |
PTNPTN | 隧道维护点连通性丢失Tunnel maintenance point connectivity lost | I6I6 |
也即,若一个告警集中出现输入光功率超限和输出光功率超限两种告警类型,则该告警集所对应的特征项和表征为I2和I5。That is, if there are two alarm types of input optical power exceeding limit and output optical power exceeding limit in an alarm set, the characteristic items and representations corresponding to the alarm set are I2 and I5.
步骤2103、根据各告警集以及各告警集对应的特征项生成数据集。Step 2103: Generate a data set according to each alarm set and feature items corresponding to each alarm set.
在一些示例中,若获取的历史告警处于16:31:00-18:15:59之间,预设时间间隔为一分钟,已根据预设时间间隔确定告警集,并确定出各告警集所对应的特征项。下表2为一实施例提供的一种数据集的示例,如下表2所示:In some examples, if the acquired historical alarm is between 16:31:00-18:15:59, the preset time interval is one minute, the alarm set has been determined according to the preset time interval, and it is determined that each alarm set contains corresponding feature items. Table 2 below is an example of a data set provided by an embodiment, as shown in Table 2 below:
表2Table 2
Tid | TimeTime | ItemsItems | |
11 | 16:31:00-16:31:5916:31:00-16:31:59 |
I1,I2,I5I1,I2, |
|
22 | 16:32:00-16:32:5916:32:00-16:32:59 | I2,I4I2,I4 | |
33 | 16:33:00-16:33:5916:33:00-16:33:59 |
I2,I3I2, |
|
44 | 16:34:00-16:34:5916:34:00-16:34:59 | I1,I2,I4I1,I2,I4 | |
55 | 16:35:00-16:35:5916:35:00-16:35:59 | I1,I3I1,I3 | |
66 | 16:36:00-16:36:5916:36:00-16:36:59 |
I2,I3I2, |
|
77 | 16:37:00-16:37:5916:37:00-16:37:59 | I1,I3I1,I3 | |
88 | 16:38:00-16:38:5916:38:00-16:38:59 | I1,I2,I3,I5I1,I2,I3,I5 | |
99 | 16:39:00-16:39:5916:39:00-16:39:59 | I1,I2,I3I1,I2,I3 | |
1010 | 18:14:00-18:14:5918:14:00-18:14:59 | I6I6 |
步骤220、扫描数据集,并对数据集中特征项的出现次数进行计数,确定第一频繁项集。Step 220: Scan the data set, and count the occurrences of the feature items in the data set to determine the first frequent item set.
在一实施例中,项集可理解为若干个项的集合;频繁项集可理解为支持度大于或等于最小支持度的项的集合。支持度可理解为支持度程度,在数据挖掘的关联分析中可表示前项与后项在一个数据集中同时出现的频率。In one embodiment, an itemset can be understood as a set of several items; a frequent itemset can be understood as a set of items whose support is greater than or equal to the minimum support. The support degree can be understood as the support degree, and in the association analysis of data mining, it can represent the frequency of the former item and the latter item appearing in a data set at the same time.
本实施例中,对数据集进行扫描,分别对数据集中出现的各特征项的出现次数进行计数,由于同一特征项在同一告警集中仅能出现一次,故根据各特征项的出现次数与告警集个数确定各特征项在数据集中的支持度,并将支持度满足最小支持度判断条件的特征项的集合确定为第一频繁项集。In this embodiment, the data set is scanned, and the number of occurrences of each feature item appearing in the data set is counted. Since the same feature item can only appear once in the same alarm set, the frequency of occurrence of each feature item and the alarm set are calculated according to the number of occurrences of each feature item. The number determines the support degree of each feature item in the data set, and the set of feature items whose support degree satisfies the minimum support degree judgment condition is determined as the first frequent item set.
图4为一实施例提供的一种第一频繁项集的确定方法的流程示例图,如图4所示,具体包括如下步骤:FIG. 4 is an exemplary flowchart of a method for determining a first frequent itemset provided by an embodiment, as shown in FIG. 4 , which specifically includes the following steps:
步骤2201、扫描数据集,并对各告警类型对应的特征项的出现次数进行计数。Step 2201: Scan the data set, and count the occurrences of the feature items corresponding to each alarm type.
在一些示例中,对如表2所示的数据集进行扫描,对其中各告警类型对应的特征项的出现次数进行计数,则以特征项I2为例,其在数据集中出现的次数为7次,则可记特征项I2出现次数为7。In some examples, the data set shown in Table 2 is scanned, and the number of occurrences of the feature items corresponding to each alarm type is counted. Taking the feature item I2 as an example, the number of occurrences in the data set is 7 times. , then the number of occurrences of the feature item I2 can be recorded as 7.
步骤2202、根据各出现次数和告警集的个数确定各告警类型对应的特征项的支持度。Step 2202: Determine the support degree of the feature item corresponding to each alarm type according to the occurrence times and the number of alarm sets.
本实施例中,由于同一告警类型对应的特征项在同一告警集中仅出现一次,因此各告警 类型对应的特征项在数据集中出现的最大次数为告警集的个数,因此将各告警类型对应的特征项的出现次数与告警集个数的比值确定为各告警类型对应的特征项的支持度。In this embodiment, since the feature items corresponding to the same alarm type appear only once in the same alarm set, the maximum number of times the feature items corresponding to each alarm type appear in the data set is the number of alarm sets. The ratio of the number of occurrences of the feature item to the number of alarm sets is determined as the support degree of the feature item corresponding to each alarm type.
在一实施例中,假设项集X∪Y在数据集中出现的频次为σ(X∪Y),也即X与Y在数据集中同时出现的次数为σ(X∪Y),T为数据集中分组的个数,则项集X∪Y在数据集中的支持度可表示为:In one embodiment, it is assumed that the frequency of the itemset X∪Y in the data set is σ(X∪Y), that is, the number of times X and Y appear simultaneously in the data set is σ(X∪Y), and T is the data set. The number of groups, then the support of the itemset X∪Y in the dataset can be expressed as:
Support(X→Y)=σ(X∪Y)/TSupport(X→Y)=σ(X∪Y)/T
在一些示例中,以如表2所示的数据集为例,其中特征项I2的出现次数为7,告警集个数为10,则特征项I2的支持度可表示为Support(I2)=7/10=70%。In some examples, taking the data set shown in Table 2 as an example, where the number of occurrences of the feature item I2 is 7 and the number of alarm sets is 10, the support degree of the feature item I2 can be expressed as Support(I2)=7 /10=70%.
步骤2203、将各支持度大于或等于预设支持度阈值的告警类型对应的特征项的集合确定为第一频繁项集。Step 2203: Determine the set of feature items corresponding to the alarm types with each support greater than or equal to the preset support threshold as the first frequent item set.
本实施例中,在告警类型对应的特征项的支持度大于或等于预设支持度阈值的情况下,可认为该特征项在所有告警集中出现该告警类型的概率较高,属于频繁出现的项,存在关联关系的可能性较大。确定出各告警类型对应的特征项中,所有支持度大于或等于预设支持度阈值的特征项,并将上述特征项的集合确定为第一频繁项集,该第一频繁项集中的各特征项间可认为存在关联关系,可利用其构建频繁模式树对其中的关联关系进行挖掘。在一些示例中,预设支持度阈值可设为20%,本申请实施例对此不进行限制。In this embodiment, when the support degree of the characteristic item corresponding to the alarm type is greater than or equal to the preset support degree threshold, it can be considered that the characteristic item has a high probability of the alarm type appearing in all alarm sets, and belongs to the frequently-occurring item , there is a high possibility of an association relationship. Determine all the feature items with the support degree greater than or equal to the preset support degree threshold among the feature items corresponding to each alarm type, and determine the set of the above-mentioned feature items as the first frequent item set, and each feature in the first frequent item set It can be considered that there is an association relationship between items, and it can be used to build a frequent pattern tree to mine the association relationship. In some examples, the preset support threshold may be set to 20%, which is not limited in this embodiment of the present application.
在一些示例中,对如表2所示的数据集进行第一频繁项集的确定,下表3为一实施例提供的一种满足最小支持度阈值的第一频繁项集的示例,如下表3所示:In some examples, the first frequent itemset is determined for the data set shown in Table 2. Table 3 below is an example of a first frequent itemset that satisfies the minimum support threshold provided by an embodiment, as shown in the following table 3 shows:
表3table 3
I1I1 | I2I2 | I3I3 | I4I4 | I5I5 |
66 | 77 | 66 | 22 | 22 |
步骤230、再次扫描数据集,根据第一频繁项集生成的项头表构造频繁模式树。Step 230: Scan the data set again, and construct a frequent pattern tree according to the item header table generated by the first frequent itemset.
在一实施例中,项头表可理解为包含频繁模式树中所有特征项,根据支持度对其中各特征项进行排序的,根据支持度排序构建频繁模式树的特征项集合。In one embodiment, the item header table can be understood as including all the feature items in the frequent pattern tree, and the feature items in the frequent pattern tree are sorted according to the support degree, and the feature item set of the frequent pattern tree is constructed according to the support degree.
本实施例中,根据第一频繁项集中的各特征项所对应的支持度,将各特征项按照支持度降序进行排序生成项头表,再次对数据集进行扫描,将告警集按照其中包含特征项在项头表中的排序再次进行重排,并将重排后的各告警集依次插入至以nu l l为根节点的频繁模式树中,完成对频繁模式树的构建。其中,在各告警集插入频繁模式树的过程中,将告警集中支持度高的特征项优先进行插入,也即将支持度高的特征项作为祖先节点,其他特征项依据支持度的排序依次插入作为子孙节点。In this embodiment, according to the support degrees corresponding to each feature item in the first frequent item set, the feature items are sorted in descending order of support degree to generate an item header table, the data set is scanned again, and the alarm set is sorted according to the features contained in it. The sorting of items in the item header table is rearranged again, and the rearranged alarm sets are inserted into the frequent pattern tree with null as the root node in turn to complete the construction of the frequent pattern tree. Among them, in the process of inserting each alarm set into the frequent pattern tree, the feature items with high support in the alarm set are preferentially inserted, that is, the feature items with high support are regarded as ancestor nodes, and other feature items are inserted in sequence according to the order of support as descendant node.
图5为一实施例提供的一种频繁模式树的构造方法的流程示例图,如图5所示,具体包括如下步骤:FIG. 5 is an exemplary flowchart of a method for constructing a frequent pattern tree provided by an embodiment, as shown in FIG. 5 , which specifically includes the following steps:
步骤2301、将第一频繁项集中的特征项依支持度降序排列生成项头表,并将各告警集中未包含于第一频繁项集中的特征项删除,得到调整后的告警集。Step 2301: Arrange the feature items in the first frequent item set in descending order of support to generate an item header table, and delete the feature items in each alarm set that are not included in the first frequent item set to obtain an adjusted alarm set.
本实施例中,通过支持度对第一频繁项集中各特征项进行排序,由支持度从高到低的顺序将特征项依次放入列表中生成项头表,由于未包含于第一频繁项集中的特征项不会被应用于频繁模式树的生成,故再次对生成的数据集进行扫描,将数据集中各告警集中未包含于第一频繁项集中的特征项进行删除,同时依据项头表中特征项的排列顺序,将告警集进行调整 重排,使得包含高支持度特征项的告警集调整至排列顺序靠前的位置。In this embodiment, the feature items in the first frequent item set are sorted according to the support degree, and the feature items are put into the list in order of the support degree from high to low to generate the item header table. Since they are not included in the first frequent item The feature items in the set will not be used to generate the frequent pattern tree, so the generated data set is scanned again, and the feature items that are not included in the first frequent item set in each alarm set in the data set are deleted. According to the arrangement order of the feature items in the middle, the alarm set is adjusted and rearranged, so that the alarm set containing the feature items with high support is adjusted to the front position in the arrangement order.
在一些示例中,表4为一实施例提供的一种项头表的示例,如下表4所示:In some examples, Table 4 is an example of an item header table provided by an embodiment, as shown in Table 4 below:
表4Table 4
Item | HeadHead |
I2I2 | 77 |
I1I1 | 66 |
I3I3 | 66 |
I4 |
22 |
I5 |
22 |
下表5为一实施例提供的一种调整后的告警集的示例,如下表5所示:Table 5 below is an example of an adjusted alarm set provided by an embodiment, as shown in Table 5 below:
表5table 5
Tid | TimeTime | ItemsItems | |
11 | 16:31:00-16:31:5916:31:00-16:31:59 |
I1,I2,I5I1,I2, |
|
22 | 16:32:00-16:32:5916:32:00-16:32:59 | I2,I4I2,I4 | |
33 | 16:33:00-16:33:5916:33:00-16:33:59 |
I2,I3I2, |
|
44 | 16:34:00-16:34:5916:34:00-16:34:59 | I1,I2,I4I1,I2,I4 | |
66 | 16:36:00-16:36:5916:36:00-16:36:59 | I2,I3I2,I3 | |
88 | 16:38:00-16:38:5916:38:00-16:38:59 | I1,I2,I3,I5I1,I2,I3,I5 | |
99 | 16:39:00-16:39:5916:39:00-16:39:59 | I1,I2,I3I1,I2,I3 | |
55 | 16:35:00-16:35:5916:35:00-16:35:59 |
I1,I3I1, |
|
77 | 16:37:00-16:37:5916:37:00-16:37:59 | I1,I3I1,I3 |
由于特征项I2的支持度最高,故将包含特征项I2的告警集的顺序调整至靠前的位置。Since the feature item I2 has the highest support degree, the order of the alarm set including the feature item I2 is adjusted to the first position.
步骤2302、根据调整后的告警集中的特征项,以及项头表构造频繁模式树。Step 2302: Construct a frequent pattern tree according to the feature items in the adjusted alarm set and the item header table.
其中,同一告警集中的特征项位于频繁模式树中的同一分支,且同一告警集中的特征项依支持度降序插入频繁模式树中。The feature items in the same alarm set are located in the same branch in the frequent pattern tree, and the feature items in the same alarm set are inserted into the frequent pattern tree in descending order of support.
本实施例中,初始构建的频繁模式树中没有数据,首先在频繁模式树中建立一个空的根节点null,以null作为祖先节点,然后依排序顺序依次读入调整后的告警集,将其插入频繁模式树中,使得同一告警集中的特征项插入至频繁模式树中的同一分支,同时在对一个告警集中的特征项进行插入时,依据支持度的降序排序将特征项依次插入,将排序靠前的特征项对应的节点作为祖先节点下的第二级节点,靠后的特征项对应的节点作为子孙节点。若存在共用的上级节点,则在对应的公用上级节点的计数加一,同时在插入后,若有新的节点出现,则根据项头表将对应的节点通过节点链表链接上新的节点,直到所有告警集中的特征项均插入至频繁模式树中后,认为频繁模式树的构造完成。其中,祖先节点下可能存在多个并列的第二级节点,在一些示例中,若项头表中示出A(5),B(4),C(2),其中AB出现0次,AC出现一次,BC出现一次,则以根节点null作为祖先节点,A和B均为第二级节点,C为三级节点。在一些示例中,以表2所示的数据集为例,图6为一实施例提供的一种频繁模式树的结构示例图。In this embodiment, there is no data in the initially constructed frequent pattern tree. First, an empty root node null is established in the frequent pattern tree, and null is used as the ancestor node, and then the adjusted alarm set is read in the sorted order, and the Insert into the frequent pattern tree, so that the feature items in the same alarm set are inserted into the same branch in the frequent pattern tree. At the same time, when inserting the feature items in an alarm set, the feature items are inserted in sequence according to the descending order of support, and the order will be sorted. The node corresponding to the front feature item is the second-level node under the ancestor node, and the node corresponding to the back feature item is the descendant node. If there is a common superior node, the count of the corresponding common superior node is incremented by one, and after insertion, if a new node appears, the corresponding node will be linked to the new node through the node linked list according to the item header table, until After all feature items in the alarm set are inserted into the frequent pattern tree, the construction of the frequent pattern tree is considered complete. Among them, there may be multiple parallel second-level nodes under the ancestor node. In some examples, if the item header table shows A(5), B(4), C(2), where AB appears 0 times, AC If it appears once and BC appears once, the root node null is used as the ancestor node, A and B are both second-level nodes, and C is a third-level node. In some examples, taking the data set shown in Table 2 as an example, FIG. 6 is an example diagram of a structure of a frequent pattern tree provided by an embodiment.
步骤240、根据频繁模式树确定项头表中特征项对应的条件模式基,并根据条件模式基 确定特征项对应的最大频繁项集。Step 240: Determine the conditional pattern base corresponding to the feature item in the item header table according to the frequent pattern tree, and determine the maximum frequent item set corresponding to the feature item according to the conditional pattern base.
在一实施例中,条件模式基可理解为频繁模式树中以查找项为结尾的路径集合,也即介于查找项与频繁模式树根节点之间的所有内容。最大频繁项集可理解为多个频繁项集中符合无超集条件的频繁项集,也即包含最多符合条件特征项的频繁项集。超集可理解为如果一个集合S2中的每一个元素都在集合S1中,且结合S1中可能包含S2中没有的元素,则S1就是S2的一个超集。In one embodiment, the conditional pattern base can be understood as a set of paths in the frequent pattern tree ending with the search item, that is, all content between the search item and the root node of the frequent pattern tree. The maximum frequent itemset can be understood as the frequent itemsets that meet the condition of no superset in multiple frequent itemsets, that is, the frequent itemsets that contain the most qualified feature items. A superset can be understood as if every element in a set S2 is in the set S1, and the combination S1 may contain elements that are not in S2, then S1 is a superset of S2.
本实施例中,由项头表的底部项依次向上挖掘,也即从位于项头表底部的特征项开始,依次将项头表中的各特征项作为查找项确定条件模式基。根据确定出的条件模式基中各节点所对应的支持度,重新构建与查找项对应的数据集,并依据该数据集确定以该查找项为结尾的多个频繁项集,选择各频繁项集中包含最多特征项的频繁项集作为查找项对应的最大频繁项集,进而同理可得项头表中各特征项所对应的最大频繁项集。In this embodiment, the bottom items of the item header table are dug up sequentially, that is, starting from the feature item located at the bottom of the item header table, each feature item in the item header table is sequentially used as the search item to determine the conditional pattern base. According to the determined support degree corresponding to each node in the conditional pattern base, reconstruct the data set corresponding to the search item, and determine a plurality of frequent item sets ending with the search item according to the data set, and select each frequent item set. The frequent itemset containing the most feature items is used as the maximum frequent itemset corresponding to the search item, and in the same way, the maximum frequent itemset corresponding to each feature item in the item header table can be obtained.
图7为一实施例提供的一种项头表中特征项对应的最大频繁项集的确定方法的流程示例图,如图7所示,具体包括如下步骤:FIG. 7 is an exemplary flowchart of a method for determining a maximum frequent itemset corresponding to a feature item in an item header table provided by an embodiment. As shown in FIG. 7 , the method specifically includes the following steps:
步骤2401、确定频繁模式树中以项头表中特征项为结尾的节点链。Step 2401: Determine the node chain in the frequent pattern tree that ends with the feature item in the item header table.
在一些示例中,以图6所示频繁模式树中项头表中的最底部项I5为例,在频繁模式树中以I5为结尾的节点链共有两条,分别为<(I2:7),(I1:4),(I3:2),(I5:1)>和<(I2:7),(I1:4),(I5:1)>。In some examples, taking the bottom item I5 in the item header table in the frequent pattern tree shown in FIG. 6 as an example, there are two node chains ending with I5 in the frequent pattern tree, which are <(I2:7) ,(I1:4),(I3:2),(I5:1)> and <(I2:7),(I1:4),(I5:1)>.
步骤2402、确定节点链中各节点的支持度,并对各节点对应的特征项的支持度进行更新,将节点链对应的特征项的组合确定为与项头表中特征项对应的条件模式基。Step 2402: Determine the support degree of each node in the node chain, update the support degree of the feature item corresponding to each node, and determine the combination of the feature item corresponding to the node chain as the conditional pattern base corresponding to the feature item in the item header table. .
接上述示例,对以最底部项I5为结尾的节点链中的节点支持度进行扫描更新,可确定对应I5节点的条件模式基为<(I2:1),(I1:1),(I3:1),(I5:1)>和<(I2:1),(I1:1),(I5:1)>。Following the above example, scan and update the node support in the node chain ending with the bottom item I5, it can be determined that the conditional pattern base of the corresponding I5 node is <(I2:1), (I1:1), (I3: 1),(I5:1)> and <(I2:1),(I1:1),(I5:1)>.
步骤2403、根据条件模式基生成第二数据集,并根据第二数据集中各特征项的支持度确定项头表中特征项对应的最大频繁项集。Step 2403: Generate a second data set according to the conditional pattern base, and determine the maximum frequent item set corresponding to the feature item in the item header table according to the support degree of each feature item in the second data set.
接上述示例,将I5对应的各条件模式基分别作为新的告警集生成第二数据集,也即第二数据集中每一行存储一个I5条件模式基所对应的特征项,进而生成与第二数据集相对应的项头表,构建特征项I5对应的频繁模式子树,由于特征项I3在第二数据集中仅出现一次,其支持度小于预设支持度阈值,因此,可得到以I5为结尾的频繁项集有(I5:2),(I1,I5:2),(I2,I5:2),(I1,I2,I5:2),由于项集(I1,I2,I5:2)为所有频繁项集中符合无超集条件的频繁项集,故将项集(I1,I2,I5:2)确定为特征项I5对应的最大频繁项集。Following the above example, each conditional pattern base corresponding to I5 is used as a new alarm set to generate a second data set, that is, each row in the second data set stores a feature item corresponding to an I5 conditional pattern base, and then generates a second data set corresponding to the conditional pattern base of I5. Set the corresponding item header table, and construct the frequent pattern subtree corresponding to the feature item I5. Since the feature item I3 only appears once in the second data set, its support degree is less than the preset support degree threshold. Therefore, it can be obtained with I5 as the end The frequent itemsets are (I5:2), (I1, I5:2), (I2, I5:2), (I1, I2, I5:2), since the itemsets (I1, I2, I5:2) are All frequent itemsets meet the frequent itemsets without superset condition, so the itemsets (I1, I2, I5:2) are determined as the maximum frequent itemsets corresponding to the feature item I5.
若特征项I5对应的频繁模式子树为单枝的,则无需对子树进行递归,可直接将I5条件模式基中所对应的特征项的集合确定为特征项I5对应的最大频繁项集。If the frequent pattern subtree corresponding to the feature item I5 is single-branched, there is no need to recurse the subtree, and the set of feature items corresponding to the I5 conditional pattern base can be directly determined as the maximum frequent item set corresponding to the feature item I5.
步骤250、根据最大频繁项集、数据集和预设置信度阈值,确定与特征项对应的目标关联规则,并将目标关联规则存入至关联规则库中。Step 250: Determine the target association rule corresponding to the feature item according to the maximum frequent item set, the data set and the preset reliability threshold, and store the target association rule in the association rule base.
在一实施例中,置信度可理解为关联关系的可信程度,即发生事件X的基础上发生事件Y的概率,表示关联性的强弱或规则的可靠性,也即同时包含X和Y的事务占包含X的事务的比例。假设项集X∪Y在数据集中出现的频次为σ(X∪Y),项集X在数据集中出现的频次为σ(X),则项集X∪Y在项集X基础上发生的置信度可表示为:In one embodiment, the confidence level can be understood as the degree of credibility of the association relationship, that is, the probability of the occurrence of event Y based on the occurrence of event X, indicating the strength of the association or the reliability of the rule, that is, both X and Y are included. % of transactions that contain X. Assuming that the frequency of the itemset X∪Y in the data set is σ(X∪Y), and the frequency of the itemset X in the data set is σ(X), then the confidence that the itemset X∪Y occurs on the basis of the itemset X is Degree can be expressed as:
Conf(X→Y)=σ(X∪Y)/σ(X)Conf(X→Y)=σ(X∪Y)/σ(X)
本实施例中,对最大频繁项集进行递归拆分,生成多个关联规则,确定各关联规则在数 据集中的置信度,并将上述各置信度与预设置信度阈值进行比较,认为置信度大于预设置信度阈值的关联规则为可信的,也即强关联规则,将确定出的关联规则确定为与特征项对应的目标关联规则,并将目标关联规则存入至关联规则库中以供根告警的确定。In this embodiment, recursive splitting is performed on the maximum frequent itemset, multiple association rules are generated, the confidence level of each association rule in the data set is determined, and the confidence level is compared with the preset confidence level threshold, and the confidence level is considered as the confidence level. The association rules greater than the preset reliability threshold are credible, that is, strong association rules, the determined association rules are determined as the target association rules corresponding to the feature items, and the target association rules are stored in the association rule database for Provides root alert determination.
图8为一实施例提供的一种目标关联规则的确定方法的流程示例图,如图8所示,具体包括如下步骤:FIG. 8 is an exemplary flowchart of a method for determining a target association rule provided by an embodiment, as shown in FIG. 8 , which specifically includes the following steps:
步骤2501、将最大频繁项集进行递归拆分,得到第一项集和第二项集,第二项集为第一项集相对于最大频繁项集的补集。Step 2501: Recursively split the maximum frequent itemset to obtain a first itemset and a second itemset, where the second itemset is the complement of the first itemset to the maximum frequent itemset.
本实施例中,通过对最大频繁项集进行递归拆分,得到的第一项集与第二项集,是为了确定第一项集与第二项集中对应特征项间的因果关系,也即通过第一项集中存在特征项推出,在第一项集特征项存在时第二项集中特征项是否存在的关系,该关系可称为第一项集中特征项与第二项集中特征项间的关联关系。In this embodiment, the first item set and the second item set are obtained by recursively splitting the largest frequent item set, in order to determine the causal relationship between the corresponding feature items in the first item set and the second item set, that is, The relationship between the feature items in the first item set and the feature items in the second item set can be called the relationship between the feature items in the first item set and the feature items in the second item set. connection relation.
在一些示例中,以特征项I5对应的最大频繁项集(I1,I2,I5:2)为例,其可拆分出的关联规则可包括:(I2,I1,I5→{})、(I2,I1→I5)、(I1→I2,I5)、(I2,I5→I1)、(I2→I1,I5)、(I1,I5→I2)和(I5→I2,I1)。以(I5→I2,I1)为例,其关联关系可表示为当I5出现时将会出现I2和I1,也即I5与I2和I1间存在因果关系,I2和I1为I5的衍生告警。In some examples, taking the largest frequent itemset (I1, I2, I5:2) corresponding to the feature item I5 as an example, the association rules that can be split out may include: (I2, I1, I5→{}), ( I2,I1→I5), (I1→I2,I5), (I2,I5→I1), (I2→I1,I5), (I1,I5→I2), and (I5→I2,I1). Taking (I5→I2, I1) as an example, the correlation can be expressed as I2 and I1 will appear when I5 appears, that is, there is a causal relationship between I5 and I2 and I1, and I2 and I1 are derived alarms of I5.
步骤2502、根据最大频繁项集、第一项集和数据集,确定最大频繁项集在数据集中属于同一告警集的第一次数,以及第一项集在数据集中属于同一告警集的第二次数。Step 2502: According to the maximum frequent itemset, the first item set and the data set, determine the first number of times that the maximum frequent itemset belongs to the same alarm set in the data set, and the second time that the first item set belongs to the same alarm set in the data set. frequency.
在一实施例中,第一次数可理解为最大频繁项集中特征项所对应的告警在一个告警集中同时出现的次数,也即数据集中有几个告警集中同时具有最大频繁项集中的特征项;第二次数可理解为第一项集中特征项所对应的告警在一个告警集中同时出现的次数,也即数据集中有几个告警集中同时具有第一项集中的特征项。In an embodiment, the first number of times can be understood as the number of times that the alarms corresponding to the feature items in the maximum frequent item set occur simultaneously in one alarm set, that is, there are several alarm sets in the data set that have feature items in the maximum frequent item set at the same time. ; The second number of times can be understood as the number of times that the alarms corresponding to the feature items in the first item set appear simultaneously in an alarm set, that is, there are several alarm sets in the data set that have the feature items in the first item set at the same time.
在一些示例中,以如表2所示的数据集为例,关联规则(I5→I2,I1)所对应的第一次数为特征项组合I1、I2和I5在数据集中出现的次数,也即第一次数为2,第二次数为特征项I5在数据集中出现的次数,也即第二次数为2。In some examples, taking the dataset shown in Table 2 as an example, the first number of times corresponding to the association rule (I5→I2, I1) is the number of times the feature item combinations I1, I2 and I5 appear in the dataset, and also That is, the first time is 2, and the second time is the number of times the feature item I5 appears in the data set, that is, the second time is 2.
步骤2503、在第一次数与第二次数的比值大于或等于预设置信度阈值的情况下,将第一项集中对应的特征项与第二项集中对应的特征项间的因果关系,确定为第一项集中对应的特征项的目标关联规则。Step 2503: When the ratio of the first time to the second time is greater than or equal to the preset reliability threshold, determine the causal relationship between the feature item corresponding to the first item set and the feature item corresponding to the second item set. is the target association rule of the corresponding feature item in the first item set.
本实施例中,第一次数与第二次数的比值可理解为第一项集与第二项集构成的关联规则的置信度,在上述置信度大于或等于预设置信度阈值的情况下,可认为上述关联规则所对应的因果关系较强,属于强关联规则,可将其作为第一项集中对应的特征项的目标关联规则进行存储以及应用。In this embodiment, the ratio of the first count to the second count can be understood as the confidence level of the association rule formed by the first item set and the second item set. When the above confidence level is greater than or equal to the preset confidence threshold , it can be considered that the causal relationship corresponding to the above-mentioned association rules is strong, and belongs to strong association rules, which can be stored and applied as the target association rules of the corresponding feature items in the first item set.
接上述示例,对于关联规则(I5→I2,I1),其置信度=第一次数/第二次数=1,当预设置信度阈值为80%时,该关联规则属于强关联规则,故其可作为特征项I5所对应的目标关联规则。而对于关联规则(I2,I1→I5),其对应的第一次数为特征项组合I1、I2和I5在数据集中出现的次数,也即第一次数为2,第二次数为特征项I2和I1在告警集中同时出现的次数,也即第二次数为4,则上述关联规则置信度为50%,小于预设置信度阈值,故上述关联规则无法作为特征项I2和I1对应的目标关联规则。Following the above example, for the association rule (I5→I2, I1), its confidence=first time/second time=1, when the preset reliability threshold is 80%, the association rule is a strong association rule, so It can be used as the target association rule corresponding to the feature item I5. For the association rule (I2, I1→I5), the corresponding first time is the number of times the feature item combination I1, I2 and I5 appear in the data set, that is, the first time is 2, and the second time is the feature item. The number of times I2 and I1 appear simultaneously in the alarm set, that is, the second time is 4, then the confidence of the above association rule is 50%, which is less than the preset confidence threshold, so the above association rule cannot be used as the target corresponding to the feature items I2 and I1 Association rules.
在一些示例中,在将目标关联规则存入至关联规则库中时,包括:In some examples, when storing the target association rule into the association rule base, it includes:
在目标关联规则未包含于关联规则库中的情况下,将目标关联规则存入关联规则库中。If the target association rule is not included in the association rule base, the target association rule is stored in the association rule base.
在目标关联规则包含于关联规则库中,且为关联规则库中待更新关联规则的子集的情况下,不将目标关联规则存入关联规则库中。When the target association rule is included in the association rule base and is a subset of the association rule to be updated in the association rule base, the target association rule is not stored in the association rule base.
在目标关联规则包含于关联规则库中,且为关联规则库中待更新关联规则的超集的情况下,将待更新关联规则替换为目标关联规则。When the target association rule is included in the association rule base and is a superset of the association rule to be updated in the association rule base, the to-be-updated association rule is replaced with the target association rule.
其中,待更新关联规则为关联规则库中与目标关联规则对应的关联规则。The association rule to be updated is an association rule corresponding to the target association rule in the association rule base.
在一些示例中,若目标关联规则为(I5→I2,I1),关联规则库中与目标关联规则相对应的待更新关联规则为(I5→I2),则认为目标关联规则为待更新关联规则的子集,此时不将目标关联规则存入至关联规则库中;而当待更新关联规则为(I5→I2,I1,I3),则认为目标关联规则为待更新关联规则的超集,此时将该目标关联规则对待更新关联规则进行替换,存入关联规则库中。In some examples, if the target association rule is (I5→I2, I1), and the association rule to be updated corresponding to the target association rule in the association rule base is (I5→I2), the target association rule is considered to be the association rule to be updated At this time, the target association rule is not stored in the association rule base; and when the association rule to be updated is (I5→I2, I1, I3), the target association rule is considered to be the superset of the association rule to be updated. At this time, the target association rule to be updated is replaced by the association rule to be updated, and stored in the association rule base.
步骤260、根据当前告警的告警类型和与告警类型对应的关联规则,确定当前告警中的根告警。Step 260: Determine the root alarm in the current alarm according to the alarm type of the current alarm and the association rule corresponding to the alarm type.
本实施例提供的告警方法,通过两次扫描历史告警生成的数据集,将数据集中按预设时间间隔划分的告警集依据支持度降序压缩存储至频繁模式树中,在后续对频繁模式和关联关系的挖掘过程中,无需再次对数据集进行扫描,降低了关联规则确定过程中的数据负载,同时由于告警集的划分可根据预设时间间隔进行动态调节,可对告警集中的告警密集程度和告警集的数量进行调节,控制生成频繁模式树的茂盛程度,优化了关联规则的挖掘效率,更好的适应大数据量系统下的性能问题。在进行关联规则挖掘时,仅考虑与特征项所对应的最大频繁项集,不再对与特征项相对应的字数进行递归遍历,提升了关联规则确定的效率。将生成的关联规则用于对当前告警的根告警的确定,提升了根告警确定的可信度,降低了告警运维工作的复杂度。In the alarm method provided in this embodiment, the data set generated by the historical alarms is scanned twice, and the alarm sets divided according to preset time intervals in the data set are compressed and stored in the frequent pattern tree in descending order according to the support degree. In the process of relationship mining, there is no need to scan the data set again, which reduces the data load in the process of determining the association rules. At the same time, because the division of the alarm set can be dynamically adjusted according to the preset time interval, the alarm density and the alarm intensity in the alarm set can be adjusted. The number of alarm sets is adjusted to control the flourishing degree of frequent pattern tree generation, optimize the mining efficiency of association rules, and better adapt to performance problems in systems with large data volumes. When mining association rules, only the largest frequent itemset corresponding to the feature item is considered, and the number of words corresponding to the feature item is no longer recursively traversed, which improves the efficiency of association rule determination. The generated association rule is used to determine the root alarm of the current alarm, which improves the reliability of the determination of the root alarm and reduces the complexity of alarm operation and maintenance.
本实施例还提供了一种告警装置。图9为一实施例提供的一种告警装置的结构示意图。如图9所示,所述告警装置包括:根告警确定模块310。This embodiment also provides an alarm device. FIG. 9 is a schematic structural diagram of an alarm device according to an embodiment. As shown in FIG. 9 , the alarm device includes: a root alarm determination module 310 .
根告警确定模块310,设置为根据当前告警的告警类型和与所述告警类型对应的关联规则,确定所述当前告警中的根告警;The root alarm determining module 310 is configured to determine the root alarm in the current alarm according to the alarm type of the current alarm and the association rule corresponding to the alarm type;
其中,所述关联规则根据频繁模式树确定,所述频繁模式树通过扫描历史告警得到。Wherein, the association rule is determined according to a frequent pattern tree, and the frequent pattern tree is obtained by scanning historical alarms.
本实施例的告警装置,通过扫描历史告警构建频繁模式树,根据频繁模式树结构确定对应告警类型的关联规则,并根据与当前告警的告警类型相对应的关联规则,对当前告警中的根告警进行确定,使得当前告警中影响故障点定位的衍生告警可被过滤,仅对确定出的根告警进行上传,降低了关联规则生成所需的数据量,降低了告警运维工作的复杂度。In the alarm device of this embodiment, a frequent pattern tree is constructed by scanning historical alarms, an association rule corresponding to an alarm type is determined according to the frequent pattern tree structure, and a root alarm in the current alarm is detected according to the association rule corresponding to the alarm type of the current alarm. By determining, the derivative alarms affecting the fault point location in the current alarms can be filtered, and only the determined root alarms are uploaded, which reduces the amount of data required for the generation of association rules and reduces the complexity of alarm operation and maintenance.
在一实施例中,还包括:In one embodiment, it also includes:
关联规则确定模块,设置为根据历史告警生成频繁模式树,并根据频繁模式树确定关联规则。The association rule determination module is configured to generate a frequent pattern tree according to historical alarms, and determine an association rule according to the frequent pattern tree.
在一实施例中,关联规则确定模块包括:In one embodiment, the association rule determination module includes:
数据集生成单元,设置为获取预设时间内的历史告警,根据所述历史告警的时间顺序,以及根据所述历史告警提取出的特征项生成数据集;其中,所述特征项中包含所述历史告警提取出的属性特征。A data set generating unit, configured to obtain historical alarms within a preset time, and generate a data set according to the time sequence of the historical alarms and the feature items extracted from the historical alarms; wherein the feature items include the Attribute features extracted from historical alarms.
第一频繁项集确定单元,设置为扫描所述数据集,并对所述数据集中特征项的出现次数进行计数,确定第一频繁项集。The first frequent itemset determining unit is configured to scan the data set and count the occurrences of the feature items in the data set to determine the first frequent itemset.
频繁模式树构造单元,设置为再次扫描所述数据集,根据所述第一频繁项集生成的项头表构造频繁模式树。The frequent pattern tree construction unit is configured to scan the data set again, and construct a frequent pattern tree according to the item header table generated by the first frequent item set.
最大频繁项集确定单元,设置为根据所述频繁模式树确定所述项头表中特征项对应的条件模式基,并根据所述条件模式基确定所述特征项对应的最大频繁项集。The maximum frequent itemset determining unit is configured to determine the conditional pattern base corresponding to the feature item in the item header table according to the frequent pattern tree, and determine the maximum frequent itemset corresponding to the feature item according to the conditional pattern base.
关联规则确定单元,设置为根据所述最大频繁项集、所述数据集和预设置信度阈值,确定与所述特征项对应的目标关联规则,并将所述目标关联规则存入至关联规则库中。An association rule determination unit, configured to determine a target association rule corresponding to the feature item according to the maximum frequent item set, the data set and a preset reliability threshold, and store the target association rule into an association rule in the library.
在一实施例中,数据集生成单元,具体设置为将所述历史告警按照时间顺序以预设时间间隔分为至少两个告警集;对各所述告警集进行属性特征提取,并根据提取到的所述属性特征中的告警类型确定各所述告警集对应的特征项;根据各所述告警集以及各所述告警集对应的特征项生成数据集。其中,所述告警类型至少包括两种。In one embodiment, the data set generating unit is specifically configured to divide the historical alarms into at least two alarm sets in chronological order and at preset time intervals; perform attribute feature extraction on each of the alarm sets, and extract the alarm set according to the extracted data. The alarm type in the attribute feature of the attribute determines the feature item corresponding to each alarm set; a data set is generated according to each alarm set and the feature item corresponding to each alarm set. Wherein, the alarm types include at least two types.
在一实施例中,第一频繁项集确定单元,具体设置为扫描所述数据集,并对各所述告警类型对应的特征项的出现次数进行计数;根据各所述出现次数和所述告警集的个数确定各所述告警类型对应的特征项的支持度;将各所述支持度大于或等于预设支持度阈值的告警类型对应的特征项的集合确定为第一频繁项集。In one embodiment, the first frequent item set determining unit is specifically configured to scan the data set, and count the occurrences of the feature items corresponding to each of the alarm types; The number of sets determines the support degree of the feature item corresponding to each alarm type; the set of feature items corresponding to each alarm type whose support degree is greater than or equal to the preset support degree threshold is determined as the first frequent item set.
在一实施例中,频繁模式树构造单元,具体设置为将所述第一频繁项集中的特征项依支持度降序排列生成项头表,并将各所述告警集中未包含于所述第一频繁项集中的特征项删除,得到调整后的告警集;根据所述调整后的告警集中的特征项,以及所述项头表构造频繁模式树;其中,同一告警集中的特征项位于所述频繁模式树中的同一分支,且所述同一告警集中的特征项依支持度降序插入所述频繁模式树中,支持度最高的特征项为祖先节点。In one embodiment, the frequent pattern tree construction unit is specifically configured to arrange the feature items in the first frequent item set in descending order of support to generate an item header table, and not include each of the alarm sets in the first frequent item set. The feature items in the frequent item set are deleted to obtain an adjusted alarm set; a frequent pattern tree is constructed according to the feature items in the adjusted alarm set and the item header table; wherein, the feature items in the same alarm set are located in the frequent The same branch in the pattern tree, and the feature items in the same alarm set are inserted into the frequent pattern tree in descending order of support, and the feature item with the highest support is the ancestor node.
在一实施例中,最大频繁项集确定单元,具体设置为确定所述频繁模式树中以所述项头表中特征项为结尾的节点链;确定所述节点链中各节点的支持度,并对各所述节点对应的特征项的支持度进行更新,将所述节点链对应的特征项的组合确定为与所述项头表中特征项对应的条件模式基;根据所述条件模式基生成第二数据集,并根据所述第二数据集中各特征项的支持度确定所述项头表中特征项对应的最大频繁项集。In one embodiment, the maximum frequent itemset determination unit is specifically set to determine the node chain in the frequent pattern tree that ends with the feature item in the item header table; determine the support degree of each node in the node chain, and update the support degree of the feature items corresponding to each of the nodes, and determine the combination of the feature items corresponding to the node chain as the conditional pattern base corresponding to the feature item in the item header table; according to the conditional pattern base A second data set is generated, and the maximum frequent itemset corresponding to the feature items in the item header table is determined according to the support degree of each feature item in the second data set.
在一实施例中,关联规则确定单元,具体设置为将所述最大频繁项集进行递归拆分,得到第一项集和第二项集,所述第二项集为所述第一项集相对于所述最大频繁项集的补集;根据所述最大频繁项集、所述第一项集和所述数据集,确定所述最大频繁项集在所述数据集中属于同一告警集的第一次数,以及所述第一项集在所述数据集中属于同一告警集的第二次数;在所述第一次数与所述第二次数的比值大于或等于所述预设置信度阈值的情况下,将所述第一项集中对应的特征项与所述第二项集中对应的特征项间的因果关系,确定为所述第一项集中对应的特征项的目标关联规则。在所述目标关联规则未包含于关联规则库中的情况下,将所述目标关联规则存入所述关联规则库中;在所述目标关联规则包含于所述关联规则库中,且为所述关联规则库中待更新关联规则的子集的情况下,不将所述目标关联规则存入所述关联规则库中;在所述目标关联规则包含于所述关联规则库中,且为所述关联规则库中待更新关联规则的超集的情况下,将所述待更新关联规则替换为所述目标关联规则;其中,所述待更新关联规则为所述关联规则库中与所述目标关联规则对应的关联规则。In one embodiment, the association rule determination unit is specifically set to recursively split the maximum frequent itemset to obtain a first itemset and a second itemset, and the second itemset is the first itemset With respect to the complement of the maximum frequent itemset; according to the maximum frequent itemset, the first item set and the data set, determine that the maximum frequent itemset belongs to the first item of the same alarm set in the data set. The number of times, and the second times that the first item set belongs to the same alarm set in the data set; the ratio of the first times to the second times is greater than or equal to the preset reliability threshold In the case of , the causal relationship between the feature item corresponding to the first item set and the feature item corresponding to the second item set is determined as the target association rule of the feature item corresponding to the first item set. If the target association rule is not included in the association rule base, store the target association rule in the association rule base; if the target association rule is included in the association rule base, and is the In the case of a subset of the association rules to be updated in the association rule base, the target association rules are not stored in the association rule base; in the case where the target association rules are included in the association rule base, and are all In the case of a superset of the association rules to be updated in the association rule base, the association rules to be updated are replaced with the target association rules; wherein the association rules to be updated are the association rules in the association rule base that are the same as the target association rules. The association rule corresponding to the association rule.
本实施例提出的告警装置与上述实施例提出的告警方法属于同一发明构思,为在本实施例中详尽描述的技术细节可参见上述任意实施例,并且本实施例具备执行告警方法相同的有益效果。The alarm device proposed in this embodiment and the alarm method proposed in the above-mentioned embodiments belong to the same inventive concept. For the technical details described in detail in this embodiment, reference may be made to any of the above-mentioned embodiments, and this embodiment has the same beneficial effect of executing the alarm method. .
图10为一实施例提供的一种告警设备的结构示意图,如图10所示,该告警设备包括处理器410、存储装置420、输入装置430和输出装置440;告警设备中处理器410的数量可以是一个或多个,图10中以一个处理器410为例;告警设备中的处理器410、存储装置420、输入装置430和输出装置440可以通过总线或其他方式连接,图10中以通过总线连接为例。FIG. 10 is a schematic structural diagram of an alarm device provided by an embodiment. As shown in FIG. 10 , the alarm device includes a processor 410, a storage device 420, an input device 430, and an output device 440; the number of processors 410 in the alarm device There may be one or more, and one processor 410 is taken as an example in FIG. 10; the processor 410, the storage device 420, the input device 430, and the output device 440 in the alarm device can be connected by a bus or in other ways. Take bus connection as an example.
存储装置420作为一种计算机可读存储介质,可用于存储软件程序、计算机可执行程序以及模块,如本申请实施例中的告警方法对应的程序指令/模块。处理器410通过运行存储至存储装置420中的软件程序、指令以及模块,从而执行告警设备的各种功能应用以及数据处理,即实现上述的告警方法。As a computer-readable storage medium, the storage device 420 may be used to store software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the alarm method in the embodiments of the present application. The processor 410 executes various functional applications and data processing of the alarm device by running the software programs, instructions and modules stored in the storage device 420 , that is, to implement the above-mentioned alarm method.
存储装置420可主要包括存储程序区和存储数据区,其中,存储程序区可存储操作系统、至少一个功能所需的应用程序;存储数据区可存储根据终端的使用所创建的数据等。此外,存储装置420可以包括高速随机存取存储器,还可以包括非易失性存储器,例如至少一个磁盘存储器件、闪存器件、或其他非易失性固态存储器件。在一些示例中,存储装置420可进一步包括相对于处理器410远程设置的存储器,这些远程存储器可以通过网络连接至设备。上述网络的实例包括但不限于互联网、企业内部网、局域网、移动通信网及其组合。The storage device 420 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Additionally, storage device 420 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some examples, storage device 420 may further include memory located remotely from processor 410, which may be connected to the device through a network. Examples of such networks include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.
输入装置430可用于接收输入的数字或字符信息,以及产生与设备的用户设置以及功能控制有关的信号输入,可以包括触屏、键盘和鼠标等。输出装置440可包括显示屏等显示设备。The input device 430 can be used to receive input numerical or character information, and generate signal input related to user settings and function control of the device, and can include a touch screen, a keyboard, a mouse, and the like. The output device 440 may include a display device such as a display screen.
本申请实施例还提供一种包含计算机可执行指令的存储介质,计算机可执行指令在由计算机处理器执行时用于执行一种告警方法。Embodiments of the present application further provide a storage medium containing computer-executable instructions, where the computer-executable instructions are used to execute an alarm method when executed by a computer processor.
本申请实施例通过根据当前告警的告警类型和与所述告警类型对应的关联规则,确定所述当前告警中的根告警;其中,所述关联规则根据频繁模式树确定,所述频繁模式树通过扫描历史告警得到。通过扫描历史告警构建频繁模式树,根据频繁模式树结构确定对应告警类型的关联规则,并根据与当前告警的告警类型相对应的关联规则,对当前告警中的根告警进行确定,使得当前告警中影响故障点定位的衍生告警可被过滤,仅对确定出的根告警进行上传。同时解决了告警关联规则的构建依赖于先验知识,需要多次扫描历史告警的问题,提升了生成的用于确定当期告警中根告警关联规则的关联规则的准确性,可信度和动态适应性,降低了关联规则生成所需的数据量,降低了告警运维工作的复杂度。In this embodiment of the present application, the root alarm in the current alarm is determined according to the alarm type of the current alarm and the association rule corresponding to the alarm type; wherein, the association rule is determined according to the frequent pattern tree, and the frequent pattern tree passes Scan history alarms are obtained. A frequent pattern tree is constructed by scanning historical alarms, the association rules corresponding to the alarm types are determined according to the frequent pattern tree structure, and the root alarms in the current alarms are determined according to the association rules corresponding to the alarm types of the current alarms, so that the current alarms Derivative alarms that affect fault location can be filtered, and only the root alarms determined are uploaded. At the same time, it solves the problem that the construction of alarm correlation rules depends on prior knowledge and requires multiple scanning of historical alarms, and improves the accuracy, reliability and dynamic adaptability of the generated correlation rules for determining the root alarm correlation rules in current alarms , which reduces the amount of data required to generate association rules and reduces the complexity of alarm operation and maintenance.
通过以上关于实施方式的描述,所属领域的技术人员可以了解到,本申请可借助软件及通用硬件来实现,也可以通过硬件实现。基于这样的理解,本申请的技术方案可以以软件产品的形式体现出来,该计算机软件产品可以存储在计算机可读存储介质中,如计算机的软盘、只读存储器(Read-Only Memory,ROM)、随机存取存储器(Random Access Memory,RAM)、闪存(FLASH)、硬盘或光盘等,包括多个指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本申请任意实施例所述的方法。From the above description of the embodiments, those skilled in the art can understand that the present application can be implemented by means of software and general hardware, and can also be implemented by hardware. Based on this understanding, the technical solution of the present application can be embodied in the form of a software product, and the computer software product can be stored in a computer-readable storage medium, such as a floppy disk of a computer, a read-only memory (Read-Only Memory, ROM), Random access memory (Random Access Memory, RAM), flash memory (FLASH), hard disk or optical disk, etc., including multiple instructions to enable a computer device (which may be a personal computer, server, or network device, etc.) to execute any methods described in the examples.
以上所述,仅为本申请的一些实施例而已,并非用于限定本申请的保护范围。The above descriptions are merely some embodiments of the present application, and are not intended to limit the protection scope of the present application.
本申请附图中的任何逻辑流程的框图可以表示程序步骤,或者可以表示相互连接的逻辑电路、模块和功能,或者可以表示程序步骤与逻辑电路、模块和功能的组合。计算机程序可以存储在存储器上。存储器可以具有任何适合于本地技术环境的类型并且可以使用任何适合的数据存储技术实现,例如但不限于只读存储器(ROM)、随机访问存储器(RAM)、光存储器装置和系统(数码多功能光碟DVD或CD光盘)等。计算机可读介质可以包括非瞬时性存储介 质。数据处理器可以是任何适合于本地技术环境的类型,例如但不限于通用计算机、专用计算机、微处理器、数字信号处理器(DSP)、专用集成电路(ASIC)、可编程逻辑器件(FGPA)以及基于多核处理器架构的处理器。The block diagrams of any logic flow in the figures of the present application may represent program steps, or may represent interconnected logic circuits, modules and functions, or may represent a combination of program steps and logic circuits, modules and functions. Computer programs can be stored on memory. The memory may be of any type suitable for the local technical environment and may be implemented using any suitable data storage technology, such as but not limited to read only memory (ROM), random access memory (RAM), optical memory devices and systems (Digital Versatile Discs). DVD or CD disc) etc. Computer-readable media may include non-transitory storage media. The data processor may be of any type suitable for the local technical environment, such as, but not limited to, a general purpose computer, special purpose computer, microprocessor, digital signal processor (DSP), application specific integrated circuit (ASIC), programmable logic device (FGPA) and processors based on multi-core processor architectures.
通过非限制性的示例,上文已提供了对本申请的一些实施例的详细描述。但结合附图和权利要求来考虑,对以上实施例的多种修改和调整对本领域技术人员来说是显而易见的,但不偏离本申请的范围。因此,本申请的恰当范围将根据权利要求确定。By way of non-limiting example, the foregoing has provided a detailed description of some embodiments of the present application. However, when considered in conjunction with the accompanying drawings and claims, various modifications and adjustments to the above embodiments will be apparent to those skilled in the art without departing from the scope of the present application. Accordingly, the proper scope of this application will be determined with reference to the claims.
Claims (11)
- 一种告警方法,包括:An alert method, including:根据当前告警的告警类型和与所述告警类型对应的关联规则,确定所述当前告警中的根告警;Determine the root alarm in the current alarm according to the alarm type of the current alarm and the association rule corresponding to the alarm type;其中,所述关联规则根据频繁模式树确定,所述频繁模式树通过扫描历史告警得到。Wherein, the association rule is determined according to a frequent pattern tree, and the frequent pattern tree is obtained by scanning historical alarms.
- 根据权利要求1所述的方法,其中,所述根据当前告警的告警类型和与所述告警类型对应的关联规则,确定所述当前告警中的根告警之前,还包括:The method according to claim 1, wherein before determining the root alarm in the current alarm according to the alarm type of the current alarm and the association rule corresponding to the alarm type, the method further comprises:获取预设时间内的历史告警,根据所述历史告警的时间顺序,以及根据所述历史告警提取出的特征项生成数据集;其中,所述特征项中包含所述历史告警提取出的属性特征;Obtain historical alarms within a preset time, generate a data set according to the chronological order of the historical alarms, and according to the feature items extracted from the historical alarms; wherein, the feature items include the attribute features extracted from the historical alarms ;扫描所述数据集,并对所述数据集中特征项的出现次数进行计数,确定第一频繁项集;Scanning the data set, and counting the number of occurrences of feature items in the data set, to determine the first frequent item set;再次扫描所述数据集,根据所述第一频繁项集生成的项头表构造频繁模式树;Scan the data set again, and construct a frequent pattern tree according to the item header table generated by the first frequent itemset;根据所述频繁模式树确定所述项头表中特征项对应的条件模式基,并根据所述条件模式基确定所述特征项对应的最大频繁项集;Determine the conditional pattern base corresponding to the characteristic item in the item header table according to the frequent pattern tree, and determine the maximum frequent item set corresponding to the characteristic item according to the conditional pattern base;根据所述最大频繁项集、所述数据集和预设置信度阈值,确定与所述特征项对应的目标关联规则,并将所述目标关联规则存入至关联规则库中。According to the maximum frequent item set, the data set and the preset reliability threshold, a target association rule corresponding to the feature item is determined, and the target association rule is stored in an association rule base.
- 根据权利要求2所述的方法,其中,所述根据所述历史告警的时间顺序,以及根据所述历史告警提取出的特征项生成数据集,包括:The method according to claim 2, wherein the generating a data set according to the time sequence of the historical alarms and the feature items extracted from the historical alarms comprises:将所述历史告警按照时间顺序以预设时间间隔分为至少两个告警集;Divide the historical alarms into at least two alarm sets at preset time intervals in chronological order;对各所述告警集进行属性特征提取,并根据提取到的所述属性特征中的告警类型确定各所述告警集对应的特征项;Perform attribute feature extraction on each of the alarm sets, and determine feature items corresponding to each of the alarm sets according to the alarm types in the extracted attribute features;根据各所述告警集以及各所述告警集对应的特征项生成数据集。A data set is generated according to each of the alarm sets and feature items corresponding to each of the alarm sets.
- 根据权利要求3所述的方法,其中,所述告警类型至少包括两种,所述扫描所述数据集,并对所述数据集中特征项的出现次数进行计数,确定第一频繁项集,包括:The method according to claim 3, wherein the alarm types include at least two types, the scanning the data set, and counting the occurrences of feature items in the data set, and determining the first frequent item set, comprising: :扫描所述数据集,并对各所述告警类型对应的特征项的出现次数进行计数;Scan the data set, and count the occurrences of the feature items corresponding to each of the alarm types;根据各所述出现次数和所述告警集的个数确定各所述告警类型对应的特征项的支持度;Determine the support degree of the feature item corresponding to each of the alarm types according to the number of occurrences and the number of the alarm sets;将各所述支持度大于或等于预设支持度阈值的告警类型对应的特征项的集合确定为第一频繁项集。A set of feature items corresponding to each alarm type whose support degree is greater than or equal to a preset support degree threshold is determined as the first frequent item set.
- 根据权利要求4所述的方法,其中,所述根据所述第一频繁项集生成的项头表构造频繁模式树,包括:The method according to claim 4, wherein the constructing the frequent pattern tree according to the item header table generated from the first frequent itemset comprises:将所述第一频繁项集中的特征项依支持度降序排列生成项头表,并将各所述告警集中未包含于所述第一频繁项集中的特征项删除,得到调整后的告警集;The feature items in the first frequent item set are arranged in descending order of support to generate an item header table, and the feature items in each of the alarm sets that are not included in the first frequent item set are deleted to obtain an adjusted alarm set;根据所述调整后的告警集中的特征项,以及所述项头表构造频繁模式树;其中,同一告 警集中的特征项位于所述频繁模式树中的同一分支,且所述同一告警集中的特征项依支持度降序插入所述频繁模式树中。A frequent pattern tree is constructed according to the feature items in the adjusted alarm set and the item header table; wherein, the feature items in the same alarm set are located in the same branch in the frequent pattern tree, and the features in the same alarm set are located in the same branch of the frequent pattern tree. Items are inserted into the frequent pattern tree in descending order of support.
- 根据权利要求2所述的方法,其中,所述根据所述频繁模式树确定所述项头表中特征项对应的条件模式基,并根据所述条件模式基确定所述特征项对应的最大频繁项集,包括:The method according to claim 2, wherein the conditional pattern base corresponding to the feature item in the item header table is determined according to the frequent pattern tree, and the maximum frequency corresponding to the feature item is determined according to the conditional pattern base Itemset, including:确定所述频繁模式树中以所述项头表中特征项为结尾的节点链;Determine the node chain in the frequent pattern tree that ends with the feature item in the item header table;确定所述节点链中各节点的支持度,并对各所述节点对应的特征项的支持度进行更新,将所述节点链对应的特征项的组合确定为与所述项头表中特征项对应的条件模式基;Determine the support degree of each node in the node chain, update the support degree of the feature item corresponding to each node, and determine the combination of the feature item corresponding to the node chain as the feature item in the item header table. the corresponding conditional pattern base;根据所述条件模式基生成第二数据集,并根据所述第二数据集中各特征项的支持度确定所述项头表中特征项对应的最大频繁项集。A second data set is generated according to the conditional pattern base, and the maximum frequent itemset corresponding to the feature items in the item header table is determined according to the support degree of each feature item in the second data set.
- 根据权利要求3所述的方法,其中,所述根据所述最大频繁项集、所述数据集和预设置信度阈值,确定与所述特征项对应的目标关联规则,包括:The method according to claim 3, wherein the determining the target association rule corresponding to the feature item according to the maximum frequent item set, the data set and a preset reliability threshold value comprises:将所述最大频繁项集进行递归拆分,得到第一项集和第二项集,所述第二项集为所述第一项集相对于所述最大频繁项集的补集;The maximum frequent itemset is recursively split to obtain a first itemset and a second itemset, and the second itemset is the complement of the first itemset relative to the maximum frequent itemset;根据所述最大频繁项集、所述第一项集和所述数据集,确定所述最大频繁项集在所述数据集中属于同一告警集的第一次数,以及所述第一项集在所述数据集中属于同一告警集的第二次数;According to the maximum frequent itemset, the first item set and the data set, determine the first number of times that the maximum frequent itemset belongs to the same alarm set in the data set, and the first item set is in the same alarm set. the second number of times belonging to the same alarm set in the data set;在所述第一次数与所述第二次数的比值大于或等于所述预设置信度阈值的情况下,将所述第一项集中对应的特征项与所述第二项集中对应的特征项间的因果关系,确定为所述第一项集中对应的特征项的目标关联规则。In the case that the ratio of the first number of times to the second number of times is greater than or equal to the preset reliability threshold, compare the feature item corresponding to the first item set with the feature corresponding to the second item set The causal relationship between items is determined as the target association rule of the corresponding feature item in the first item set.
- 根据权利要求2所述的方法,其中,所述将所述目标关联规则存入至关联规则库中,包括:The method according to claim 2, wherein the storing the target association rule into an association rule base comprises:在所述目标关联规则未包含于关联规则库中的情况下,将所述目标关联规则存入所述关联规则库中;In the case that the target association rule is not included in the association rule base, storing the target association rule in the association rule base;在所述目标关联规则包含于所述关联规则库中,且为所述关联规则库中待更新关联规则的子集的情况下,不将所述目标关联规则存入所述关联规则库中;When the target association rule is included in the association rule base and is a subset of the association rule to be updated in the association rule base, the target association rule is not stored in the association rule base;在所述目标关联规则包含于所述关联规则库中,且为所述关联规则库中待更新关联规则的超集的情况下,将所述待更新关联规则替换为所述目标关联规则;In the case that the target association rule is included in the association rule base and is a superset of the association rule to be updated in the association rule base, replace the to-be-updated association rule with the target association rule;其中,所述待更新关联规则为所述关联规则库中与所述目标关联规则对应的关联规则。The to-be-updated association rule is an association rule corresponding to the target association rule in the association rule base.
- 一种告警装置,包括:An alarm device, comprising:根告警确定模块,设置为根据当前告警的告警类型和与所述告警类型对应的关联规则,确定所述当前告警中的根告警;a root alarm determination module, configured to determine the root alarm in the current alarm according to the alarm type of the current alarm and the association rule corresponding to the alarm type;其中,所述关联规则根据频繁模式树确定,所述频繁模式树通过扫描历史告警得到。Wherein, the association rule is determined according to a frequent pattern tree, and the frequent pattern tree is obtained by scanning historical alarms.
- 一种告警设备,包括:An alarm device, comprising:一个或多个处理器;one or more processors;存储装置,设置为存储一个或多个程序;其中,storage means arranged to store one or more programs; wherein,当所述一个或多个程序被所述一个或多个处理器执行,使得所述一个或多个处理器实现如权利要求1-8中任一所述的告警方法。When the one or more programs are executed by the one or more processors, the one or more processors implement the alarm method according to any one of claims 1-8.
- 一种计算机可执行指令的存储介质,其中,所述计算机可执行指令在由计算机处理器执行时用于执行如权利要求1-8中任一所述的告警方法。A storage medium of computer-executable instructions, wherein the computer-executable instructions, when executed by a computer processor, are used to perform the alerting method according to any one of claims 1-8.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011384572.6A CN114579409A (en) | 2020-11-30 | 2020-11-30 | Alarm method, device, equipment and storage medium |
CN202011384572.6 | 2020-11-30 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022111659A1 true WO2022111659A1 (en) | 2022-06-02 |
Family
ID=81753747
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2021/133717 WO2022111659A1 (en) | 2020-11-30 | 2021-11-26 | Warning method, apparatus and device, and storage medium |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN114579409A (en) |
WO (1) | WO2022111659A1 (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115865620A (en) * | 2022-11-25 | 2023-03-28 | 中国南方电网有限责任公司超高压输电公司天生桥局 | Flexible direct current converter transformer warning knowledge system |
CN117112371A (en) * | 2023-10-25 | 2023-11-24 | 杭银消费金融股份有限公司 | Observable full-link log tracking method and system |
WO2024007631A1 (en) * | 2022-07-08 | 2024-01-11 | 中兴通讯股份有限公司 | Fault root cause alarm positioning method, fault alarm mode construction method, and device |
CN117609990A (en) * | 2023-09-18 | 2024-02-27 | 中国电子科技集团公司第十五研究所 | Self-adaptive safety protection method and device based on scene association analysis engine |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115243286B (en) * | 2022-06-20 | 2024-05-03 | 中国联合网络通信集团有限公司 | Data processing method, device and storage medium |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102098175A (en) * | 2011-01-26 | 2011-06-15 | 浪潮通信信息系统有限公司 | Alarm association rule obtaining method of mobile internet |
CN104239437A (en) * | 2014-08-28 | 2014-12-24 | 国家电网公司 | Power-network-dispatching-oriented intelligent warning analysis method |
CN107835087A (en) * | 2017-09-14 | 2018-03-23 | 北京科东电力控制系统有限责任公司 | A kind of safety means alarm regulation extraction method based on Frequent Pattern Mining |
US20180107695A1 (en) * | 2016-10-19 | 2018-04-19 | Futurewei Technologies, Inc. | Distributed fp-growth with node table for large-scale association rule mining |
CN111722984A (en) * | 2020-06-23 | 2020-09-29 | 深圳前海微众银行股份有限公司 | Alarm data processing method, device, equipment and computer storage medium |
CN112528458A (en) * | 2020-09-16 | 2021-03-19 | 贵州电网有限责任公司 | Metering master station alarm analysis model construction method based on FP-Growth algorithm |
CN113360350A (en) * | 2020-03-03 | 2021-09-07 | 中国移动通信集团贵州有限公司 | Method, device, equipment and storage medium for positioning root cause alarm of network equipment |
-
2020
- 2020-11-30 CN CN202011384572.6A patent/CN114579409A/en active Pending
-
2021
- 2021-11-26 WO PCT/CN2021/133717 patent/WO2022111659A1/en active Application Filing
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102098175A (en) * | 2011-01-26 | 2011-06-15 | 浪潮通信信息系统有限公司 | Alarm association rule obtaining method of mobile internet |
CN104239437A (en) * | 2014-08-28 | 2014-12-24 | 国家电网公司 | Power-network-dispatching-oriented intelligent warning analysis method |
US20180107695A1 (en) * | 2016-10-19 | 2018-04-19 | Futurewei Technologies, Inc. | Distributed fp-growth with node table for large-scale association rule mining |
CN107835087A (en) * | 2017-09-14 | 2018-03-23 | 北京科东电力控制系统有限责任公司 | A kind of safety means alarm regulation extraction method based on Frequent Pattern Mining |
CN113360350A (en) * | 2020-03-03 | 2021-09-07 | 中国移动通信集团贵州有限公司 | Method, device, equipment and storage medium for positioning root cause alarm of network equipment |
CN111722984A (en) * | 2020-06-23 | 2020-09-29 | 深圳前海微众银行股份有限公司 | Alarm data processing method, device, equipment and computer storage medium |
CN112528458A (en) * | 2020-09-16 | 2021-03-19 | 贵州电网有限责任公司 | Metering master station alarm analysis model construction method based on FP-Growth algorithm |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2024007631A1 (en) * | 2022-07-08 | 2024-01-11 | 中兴通讯股份有限公司 | Fault root cause alarm positioning method, fault alarm mode construction method, and device |
CN115865620A (en) * | 2022-11-25 | 2023-03-28 | 中国南方电网有限责任公司超高压输电公司天生桥局 | Flexible direct current converter transformer warning knowledge system |
CN117609990A (en) * | 2023-09-18 | 2024-02-27 | 中国电子科技集团公司第十五研究所 | Self-adaptive safety protection method and device based on scene association analysis engine |
CN117609990B (en) * | 2023-09-18 | 2024-05-10 | 中国电子科技集团公司第十五研究所 | Self-adaptive safety protection method and device based on scene association analysis engine |
CN117112371A (en) * | 2023-10-25 | 2023-11-24 | 杭银消费金融股份有限公司 | Observable full-link log tracking method and system |
CN117112371B (en) * | 2023-10-25 | 2024-01-26 | 杭银消费金融股份有限公司 | Observable full-link log tracking method and system |
Also Published As
Publication number | Publication date |
---|---|
CN114579409A (en) | 2022-06-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2022111659A1 (en) | Warning method, apparatus and device, and storage medium | |
CN109684181B (en) | Alarm root cause analysis method, device, equipment and storage medium | |
CN108446184B (en) | Method and system for analyzing fault root cause | |
Li et al. | Online mining (recently) maximal frequent itemsets over data streams | |
US20170104636A1 (en) | Systems and methods of constructing a network topology | |
US6697802B2 (en) | Systems and methods for pairwise analysis of event data | |
WO2021068547A1 (en) | Log schema extraction method and apparatus | |
CN114637989B (en) | APT attack tracing method, system and storage medium based on distributed system | |
KR20070011432A (en) | Processing data in a computerised system | |
CN116070206B (en) | Abnormal behavior detection method, system, electronic equipment and storage medium | |
CN114461792A (en) | Alarm event correlation method, device, electronic equipment, medium and program product | |
CN115544519A (en) | Method for carrying out security association analysis on threat information of metering automation system | |
CN105760279A (en) | Method and system for generating fault early warning relevance tree of distributed database cluster | |
CN116662058A (en) | Method, device, equipment and storage medium for constructing fault propagation relationship | |
CN113128213A (en) | Log template extraction method and device | |
Sengupta et al. | Benchmark generator for dynamic overlapping communities in networks | |
CN116662127A (en) | Method, system, equipment and medium for classifying and early warning equipment alarm information | |
CN116668264A (en) | Root cause analysis method, device, equipment and storage medium for alarm clustering | |
Seipel et al. | Mining complex event patterns in computer networks | |
Lin et al. | Dcsa: Using density-based clustering and sequential association analysis to predict alarms in telecommunication networks | |
CN116170281A (en) | Alarm association rule generation method and device, electronic equipment and storage medium | |
US9158824B2 (en) | Incremental aggregation-based event pattern matching | |
Kumar et al. | Raw Cardinality Information Discovery for Big Datasets | |
Zhang et al. | Mining frequent closed itemsets over data stream based on Bitvector and digraph | |
CN111740856A (en) | Network communication equipment alarm acquisition abnormity early warning method based on abnormity detection algorithm |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 21897159 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established |
Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 24.10.2023) |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 21897159 Country of ref document: EP Kind code of ref document: A1 |