WO2022249369A1 - Process information analysis device, process information analysis method, and program - Google Patents


Info

Publication number
WO2022249369A1
Authority
WO
WIPO (PCT)
Prior art keywords
process information
index value
information analysis
processes
bipartite graph
Prior art date
Application number
PCT/JP2021/020091
Other languages
French (fr)
Japanese (ja)
Inventor
悠香 橋本
研 西松
敬志郎 渡辺
洋一 松尾
Original Assignee
日本電信電話株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日本電信電話株式会社
Priority to PCT/JP2021/020091 (WO2022249369A1)
Priority to JP2023523840A (JPWO2022249369A1)
Publication of WO2022249369A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment

Definitions

  • the present invention relates to a process information analysis device, process information analysis method and program.
  • the ICT (Information and Communication Technology) system has become an important infrastructure that supports our lives and social and economic foundations.
  • failures in systems that operate in conjunction with various functions tend to be difficult to detect in advance and the cause is difficult to understand, so there are cases where it takes half a day to a day to recover. For this reason, the user is affected for a long period of time, resulting in a large business loss. Therefore, there is a need for a technology that minimizes the impact on users by detecting anomalies before failures become obvious and identifying the causes.
  • Non-Patent Document 1: a method that analyzes the correlation among multiple numerical data series using an autoencoder.
  • Non-Patent Document 2: a method that expresses temporal changes in numerical data with a mathematical model and analyzes the deviation of observed values from the model.
  • Non-Patent Document 3: a method that creates a causal graph representing the causal relationship between anomalies in each device and observation data, and estimates the location of the anomaly.
  • Non-Patent Document 4: a method that creates a causal graph representing the causal relationships among the multiple alarms raised during a failure and estimates the alarm that is the main cause. There is also a method that extracts events from log data such as syslog and creates and analyzes a causal graph representing the causal relationships between events (Non-Patent Document 3).
  • a method is also known that expresses the internal state of a system, that is, process generation and file referencing, as a graph and uses it to achieve anomaly detection and factor estimation.
  • As an existing anomaly detection method using a graph, there has been proposed a method that analyzes changes in relationships between fixed vertices (Non-Patent Document 5).
  • the disclosed technology aims to calculate index values for anomaly detection or factor estimation for complex failures.
  • the disclosed technology is a process information analysis device including a process information acquisition unit that acquires process information indicating information on a target process group, an inter-process relationship estimation unit that estimates the relationship between the target process group and the child processes of the processes included in the process group and generates a bipartite graph, and an index value calculation unit that calculates an index value based on the bipartite graph.
  • FIG. 2 is a diagram showing an example of a bipartite graph.
  • FIG. 3 is a flowchart showing an example of the flow of index value calculation processing.
  • FIG. 4 is a first diagram showing experimental results.
  • FIG. 5 is a second diagram showing experimental results.
  • FIG. 6 is a diagram showing a hardware configuration example of a computer.
  • the process information analysis apparatus is a device that analyzes process information to generate a bipartite graph showing similarity relationships between processes and, based on the generated bipartite graph, calculates an index value of a process group to be monitored.
  • a process is a program running on the OS (Operating System) of an information processing device.
  • a process group to be monitored includes a plurality of processes.
  • the process information analysis device 10 includes a process information acquisition unit 11 , an inter-process relationship estimation unit 12 , an index value calculation unit 13 and an output unit 14 .
  • the process information acquisition unit 11 acquires process information indicating information about the target process group.
  • the process information includes information on child processes whose parent processes are the target process group.
  • a child process is a process that is spawned by a parent process. Since the abnormal behavior of the parent process affects its child processes, the process information analysis device 10 uses information on the child processes to monitor the parent process.
  • the process information acquisition unit 11 periodically acquires information on the CPU (Central Processing Unit) usage rate and memory usage rate of the process using the ps command in UNIX (registered trademark) OS.
  • the process information acquisition unit 11 executes the strace command to acquire information on process file references, other process references, and child process generation.
  • the inter-process relationship estimation unit 12 estimates relationships between processes and generates a bipartite graph. Specifically, with a time width of Δt, the inter-process relationship estimating unit 12 generates the graph at time t using, from the process information, the strace command output from time t to t+Δt and the ps command output at time t.
  • the generated bipartite graph is a bipartite graph over a vertex set V1, the set of monitored processes (parent processes), and a vertex set V2, the set of other processes (child processes of the monitored processes). The weight of each edge is the sum of the similarity of the file names referenced by each process (vertex) and the number of accesses between the processes.
  • the similarity of referenced files is expressed as the inner product of numeric vectors that count how many times each character (0-9, a-z) appears in the path of each file referenced by a process, up to the n-th directory counted from the root directory.
  • the similarity calculation method may be other than the above. For example, it may be the number of times the same word appears or the number of times the file extension matches.
  • the natural number n is arbitrarily set in advance.
  • the index value calculator 13 calculates index values based on the generated bipartite graph. Specifically, the index value calculator 13 calculates the eigenvalue w_t of the adjacency matrix of the bipartite graph.
  • the index value calculation unit 13 also calculates the number of file references for each process in V1 and V2. In addition, for each parent process P, the index value calculation unit 13 judges that a process p in V2 whose edge weight is β or more is strongly related to P, adds the file reference count of p to the file reference count of P, and thereby calculates the number of file references for each parent process. Let u(t,FILE) be the vectorized form of these counts. Note that β is a preset threshold.
  • the index value calculation unit 13 acquires the CPU usage rate and memory usage rate of each parent process and vectorizes them as u(t,CPU) and u(t,MEM), respectively.
  • the index value calculation unit 13 calculates the weighted sum of the calculated values as the index value at each time t.
  • FIG. 2 is a diagram showing an example of a bipartite graph.
  • the bipartite graph generated by the inter-process relationship estimating unit 12 has the sum of the similarity of the file name referred to by each process (vertex) and the number of accesses between processes as the weight of the edge.
  • the process information analysis device 10 starts index value calculation processing in response to a user's operation or the like.
  • FIG. 3 is a flowchart showing an example of the flow of index value calculation processing.
  • the process information acquisition unit 11 acquires process information (step S11).
  • the inter-process relationship estimation unit 12 calculates the similarity of the reference files for each combination of parent process and child process (step S12).
  • the inter-process relationship estimating unit 12 generates a bipartite graph whose vertices are the set of all parent processes V1 and the set of all child processes V2 (step S13).
  • the index value calculator 13 calculates the eigenvalue w_t of the adjacency matrix of the bipartite graph (step S14). Then, the index value calculator 13 calculates the number of file references of each process (step S15). Here, for each parent process P, if a process p in V2 has an edge weight of β or more, the index value calculation unit 13 adds the file reference count of p to the file reference count of P, and thereby computes the number of file references for each parent process.
  • the index value calculation unit 13 vectorizes the CPU usage rate and memory usage rate of each parent process (step S16). Then, the index value calculator 13 calculates an index value that is a weighted sum of the values calculated from step S14 to step S16 (step S17). The output unit 14 outputs information indicating the calculated index value.
  • FIG. 4 is the first diagram showing the experimental results.
  • FIG. 4(1) shows the results of Experiment 1 digitized by the process information analysis method according to the present embodiment.
  • FIG. 4(2) shows the result of digitizing simply by summing the number of reference files, the CPU usage rate, and the memory usage rate without using a bipartite graph.
  • cron was running and Kibana's CPU load increased during the experiment.
  • the index value increases in the present embodiment with respect to the pseudo failure, the operation of cron, and the increase in the CPU load of Kibana. Therefore, it can be said that the present embodiment provides an index value that captures changes in the process.
  • FIG. 5 is the second diagram showing the experimental results.
  • FIG. 5(1) shows the results of Experiment 2 digitized by the process information analysis method according to the present embodiment.
  • FIG. 5(2) shows the results of Experiment 3 digitized by the process information analysis method according to the present embodiment.
  • cron was running during the experiment.
  • the index values according to the present embodiment increased with respect to the simulated failure and the operation of cron. Therefore, it can be said that the index value according to the present embodiment is an index value that captures changes in the process.
  • Each functional unit of the process information analysis apparatus 10 described above can be realized by causing a computer to execute a program describing the processing content described in the present embodiment.
  • this "computer” may be a physical machine or a virtual machine on the cloud.
  • the "hardware” described here is virtual hardware.
  • the above program can be recorded on a computer-readable recording medium (portable memory, etc.), saved, or distributed. It is also possible to provide the above program through a network such as the Internet or e-mail.
  • FIG. 6 is a diagram showing a hardware configuration example of the computer.
  • the computer of FIG. 6 has a drive device 1000, an auxiliary storage device 1002, a memory device 1003, a CPU 1004, an interface device 1005, a display device 1006, an input device 1007, an output device 1008, and the like, which are connected to each other via a bus B, respectively.
  • a program that implements the processing in the computer is provided by a recording medium 1001 such as a CD-ROM or memory card, for example.
  • the program is installed from the recording medium 1001 to the auxiliary storage device 1002 via the drive device 1000 .
  • the program does not necessarily need to be installed from the recording medium 1001, and may be downloaded from another computer via the network.
  • the auxiliary storage device 1002 stores installed programs, as well as necessary files and data.
  • the memory device 1003 reads and stores the program from the auxiliary storage device 1002 when a program activation instruction is received.
  • the CPU 1004 implements functions related to the device according to programs stored in the memory device 1003 .
  • the interface device 1005 is used as an interface for connecting to the network.
  • a display device 1006 displays a program-based GUI (Graphical User Interface) or the like.
  • An input device 1007 is composed of a keyboard, a mouse, buttons, a touch panel, or the like, and is used to input various operational instructions.
  • the output device 1008 outputs the calculation result.
  • the computer may include a GPU (Graphics Processing Unit) or TPU (Tensor Processing Unit) instead of the CPU 1004, or may include a GPU or TPU in addition to the CPU 1004. In that case, the processing may be divided and executed, for example, the GPU or TPU executes processing that requires special computation, and the CPU 1004 executes other processing.
  • a bipartite graph indicating the degree of similarity of processes is generated based on process information, and an index value is calculated based on the generated bipartite graph. This makes it possible to calculate an index value for detecting anomalies or estimating factors for complex failures in which each process is related to each other.
  • This specification describes at least a process information analysis apparatus, a process information analysis method, and a program described in each of the following items.
  • (Section 1) a process information acquisition unit that acquires process information indicating information about a target process group; an inter-process relationship estimation unit that estimates relationships between the target process group and child processes of processes included in the process group and generates a bipartite graph; an index value calculation unit that calculates an index value based on the bipartite graph; Process information analyzer.
  • the process information includes information on process file references, other process references, and child process creation.
  • the bipartite graph has, as edge weights, the similarity of file names referred to by each process and the sum of access counts between processes,
  • the process information analysis device according to item 1.
  • the index value calculation unit calculates an eigenvalue of an adjacency matrix of the bipartite graph, and calculates the index value based on the calculated eigenvalue.
  • the process information analysis device according to item 2.
  • the index value calculation unit calculates the number of file references for each of the processes, and calculates the index value based on the number of file references.
  • the index value calculation unit determines that the file reference count of each parent process is the file reference count obtained by adding the file reference count of child processes in which the weight of the edge is equal to or greater than a threshold. 5.
  • the process information analysis device according to item 4.
  • (Section 6) A computer-executed process information analysis method comprising: obtaining process information indicating information about the target process group; estimating relationships between the target process group and child processes of processes included in the process group to generate a bipartite graph; calculating an index value based on the bipartite graph; Process information analysis method.
  • (Section 7) A program for causing a computer to function as each unit in the process information analysis apparatus according to any one of items 1 to 5.
  • 10 process information analysis device, 11 process information acquisition unit, 12 inter-process relationship estimation unit, 13 index value calculation unit, 14 output unit, 1000 drive device, 1001 recording medium, 1002 auxiliary storage device, 1003 memory device, 1004 CPU, 1005 interface device, 1006 display device, 1007 input device, 1008 output device

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

Provided is a process information analysis device comprising a process information acquisition unit that acquires process information indicating a designated process group, a process relationship inference unit that infers the relationship between the designated process group and the child processes of processes included in the designated process group to generate a bipartite graph; and an index value calculation unit that calculates an index value on the basis of the bipartite graph.

Description

Process information analysis device, process information analysis method, and program
The present invention relates to a process information analysis device, a process information analysis method, and a program.
ICT (Information and Communication Technology) systems have become critical infrastructure that supports daily life and the foundations of society and the economy. On the other hand, failures in systems in which various functions operate in conjunction tend to be difficult to detect in advance and their causes hard to identify, so recovery can take from half a day to a full day. As a result, users are affected for a long time and the business loss is large. A technology is therefore needed that minimizes the impact on users by detecting anomalies before a failure becomes apparent and identifying the cause.
Anomaly detection and factor estimation technologies are currently being studied from the perspective of automating failure response for ICT systems. Anomaly detection techniques for detecting the occurrence of a failure include a method that analyzes the correlation among multiple numerical data series using an autoencoder (Non-Patent Document 1) and a method that expresses temporal changes in numerical data with a mathematical model and analyzes the deviation of observed values from the model (Non-Patent Document 2). Factor estimation techniques for estimating the main cause of a failure include a method that creates a causal graph representing the causal relationship between anomalies in each device and observation data and estimates the location of the anomaly (Non-Patent Document 3), a method that creates a causal graph representing the causal relationships among the multiple alarms raised during a failure and estimates the alarm that is the main cause (Non-Patent Document 4), and a method that extracts events from log data such as syslog and creates and analyzes a causal graph representing the causal relationships between events (Non-Patent Document 3).
A method is also known that expresses the internal state of a system, that is, process creation and file references, as a graph and uses it to achieve anomaly detection and factor estimation. As an existing graph-based anomaly detection method, one that analyzes changes in the relationships between fixed vertices has been proposed (Non-Patent Document 5).
The reason advance detection is difficult and causes are hard to identify in a system in which various functions operate in conjunction is that the internal state of the system is involved. A system is realized by the operation of a group of processes (commands executed by the system). Process operations include creating new processes, accessing other processes, and referencing files, so the "internal state" of a system corresponds to the parent-child relationships between processes and the reference relationships between processes and files.
Analyzing the relationships between processes and files is therefore expected to achieve anomaly detection and factor estimation for complex failures. However, the technologies currently under study use overt data such as traffic volume, CPU utilization, and logs. Such data may be produced by the operation of processes, but it does not represent the detailed behavior of the processes themselves and is insufficient for analyzing the internal state. For this reason, existing technologies are insufficient to achieve anomaly detection and factor estimation for complex failures in which the internal state is involved.
The vertices are not fixed, since the number of processes created and the number of files referenced change over time, and it is necessary to focus on changes in parent-child relationships, such as the disappearance of processes that originate from a given process. However, with the conventional technologies described above, it is difficult to handle graphs whose vertices are not fixed, and it is not possible to generate graphs that focus on changes in parent-child relationships.
It is also necessary to judge whether there is an anomaly by focusing on changes in parent-child relationships, such as the disappearance of processes that originate from a given process, rather than on fine changes in the shape of the graph. This is because abnormal behavior of a process affects its child processes and changes the parent-child relationship. In view of these points, existing anomaly detection methods for graphs cannot perform anomaly detection or factor estimation for complex failures.
The disclosed technology aims to calculate an index value for performing anomaly detection or factor estimation for complex failures.
The disclosed technology is a process information analysis device including a process information acquisition unit that acquires process information indicating information on a target process group, an inter-process relationship estimation unit that estimates the relationships between the target process group and the child processes of the processes included in the process group and generates a bipartite graph, and an index value calculation unit that calculates an index value based on the bipartite graph.
An index value for performing anomaly detection or factor estimation for complex failures can be calculated.
FIG. 1 is a functional configuration diagram of the process information analysis device.
FIG. 2 is a diagram showing an example of a bipartite graph.
FIG. 3 is a flowchart showing an example of the flow of index value calculation processing.
FIG. 4 is a first diagram showing experimental results.
FIG. 5 is a second diagram showing experimental results.
FIG. 6 is a diagram showing a hardware configuration example of a computer.
An embodiment of the present invention (the present embodiment) will be described below with reference to the drawings. The embodiment described below is merely an example, and embodiments to which the present invention is applied are not limited to the following embodiment.
(Overview of the present embodiment)
The process information analysis device according to the present embodiment is a device that analyzes process information to generate a bipartite graph showing similarity relationships between processes and, based on the generated bipartite graph, calculates an index value for the process group to be monitored.
A process is a program running on the OS (Operating System) of an information processing device. The process group to be monitored includes a plurality of processes.
(Functional configuration of the process information analysis device)
The process information analysis device 10 includes a process information acquisition unit 11, an inter-process relationship estimation unit 12, an index value calculation unit 13, and an output unit 14.
The process information acquisition unit 11 acquires process information indicating information about the target process group. The process information includes information on child processes whose parent processes belong to the target process group. A child process is a process created by a parent process. Because abnormal behavior of a parent process affects its child processes, the process information analysis device 10 uses information on the child processes to monitor the parent processes.
Specifically, the process information acquisition unit 11 periodically acquires information on the CPU (Central Processing Unit) usage rate and memory usage rate of processes using the ps command of a UNIX (registered trademark) family OS. The process information acquisition unit 11 also executes the strace command to acquire information on the processes' file references, references to other processes, and child process creation.
The inter-process relationship estimation unit 12 estimates the relationships between processes and generates a bipartite graph. Specifically, with a time width of Δt, the inter-process relationship estimation unit 12 generates the graph at time t using, from the process information, the strace command output from time t to t+Δt and the ps command output at time t.
The generated bipartite graph is a bipartite graph over a vertex set V1, the set of monitored processes (parent processes), and a vertex set V2, the set of other processes (child processes of the monitored processes). The weight of each edge of the bipartite graph is the sum of the similarity of the file names referenced by each process (vertex) and the number of accesses between the processes.
The similarity of referenced files is expressed as the inner product of numeric vectors that count how many times each character (0-9, a-z) appears in the path of each file referenced by a process, up to the n-th directory counted from the root directory.
The similarity may be calculated in other ways; for example, it may be the number of times the same word appears or the number of times the file extensions match. The natural number n is set arbitrarily in advance.
The index value calculation unit 13 calculates an index value based on the generated bipartite graph. Specifically, the index value calculation unit 13 calculates the eigenvalue w_t of the adjacency matrix of the bipartite graph.
The index value calculation unit 13 also calculates the number of file references for each process in V1 and V2. For each parent process P, the index value calculation unit 13 judges that a process p in V2 whose edge weight is β or more is strongly related to P, adds the file reference count of p to the file reference count of P, and thereby calculates the number of file references for each parent process. The vectorized form of these counts is denoted u(t,FILE). Note that β is a preset threshold.
Furthermore, the index value calculation unit 13 acquires the CPU usage rate and memory usage rate of each parent process and vectorizes them as u(t,CPU) and u(t,MEM), respectively.
Then, the index value calculation unit 13 calculates, as the index value at each time t, the weighted sum of the calculated values
Figure JPOXMLDOC01-appb-M000001
Here,
Figure JPOXMLDOC01-appb-M000002
 FIG. 2 is a diagram showing an example of the bipartite graph. The bipartite graph generated by the inter-process relationship estimation unit 12 has, as the weight of each edge, the sum of the similarity of the file names referenced by the processes (vertices) and the number of accesses between the processes.
 (Operation of the process information analysis device)
 Next, the operation of the process information analysis device 10 will be described with reference to the drawings. The process information analysis device 10 starts the index value calculation processing in response to a user operation or the like.
 FIG. 3 is a flowchart showing an example of the flow of the index value calculation processing. The process information acquisition unit 11 acquires process information (step S11). Next, the inter-process relationship estimation unit 12 calculates the similarity of the referenced files for each combination of a parent process and a child process (step S12). Subsequently, the inter-process relationship estimation unit 12 generates a bipartite graph whose vertices are the set of all parent processes V1 and the set of all child processes V2 (step S13).
 Subsequently, the index value calculation unit 13 calculates the eigenvalue w_t of the adjacency matrix of the bipartite graph (step S14). Then, the index value calculation unit 13 calculates the number of file references of each process (step S15). Here, for each parent process P, the index value calculation unit 13 adds the file reference count of each process p in V2 whose edge weight is β or more to the file reference count of P, and thereby calculates the file reference count of each parent process.
 Then, the index value calculation unit 13 vectorizes the CPU usage rate and memory usage rate of each parent process (step S16). Then, the index value calculation unit 13 calculates an index value that is the weighted sum of the values calculated in steps S14 to S16 (step S17). The output unit 14 outputs information indicating the calculated index value.
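Steps S12 to S15 can be traced on a small input with the following added example, which is not code from the patent. The process names, paths, access counts, n and β are constructed sample values; taking the largest eigenvalue, dropping the file name from each path and case-folding characters are assumptions, and the weighted sum of step S17 is left out because its formula is not reproduced on this page.

```python
import math
from collections import Counter

ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"

def prefix_vector(paths, n):
    """Count 0-9/a-z in the first n directories of every referenced path."""
    counts = Counter()
    for path in paths:
        # Assumption: the trailing file name is not a directory and is dropped;
        # characters are case-folded before counting.
        dirs = [part for part in path.lower().split("/") if part][:-1]
        counts.update(ch for part in dirs[:n] for ch in part if ch in ALPHABET)
    return [counts[ch] for ch in ALPHABET]

def similarity(paths_a, paths_b, n):
    """Step S12: inner product of the two character-count vectors."""
    va, vb = prefix_vector(paths_a, n), prefix_vector(paths_b, n)
    return sum(x * y for x, y in zip(va, vb))

def edge_weights(parents, children, accesses, n):
    """Step S13: W[i][j] = similarity + access count for parent i and child j."""
    return [[similarity(p_files, c_files, n) + accesses.get((p, c), 0)
             for c, c_files in children.items()]
            for p, p_files in parents.items()]

def largest_eigenvalue(W, iters=200):
    """Step S14 (assumption: the largest eigenvalue is the one used).

    The adjacency matrix of the bipartite graph is A = [[0, W], [W^T, 0]];
    its eigenvalues are +/- the singular values of W, so power iteration
    on W^T W yields the largest one without building A.
    """
    if not W or not W[0]:
        return 0.0
    rows, cols = len(W), len(W[0])
    v = [1.0 / math.sqrt(cols)] * cols
    lam = 0.0
    for _ in range(iters):
        Wv = [sum(W[i][j] * v[j] for j in range(cols)) for i in range(rows)]
        u = [sum(W[i][j] * Wv[i] for i in range(rows)) for j in range(cols)]
        lam = math.sqrt(sum(x * x for x in u))  # converges to max eigenvalue of W^T W
        if lam == 0.0:  # graph without edges
            return 0.0
        v = [x / lam for x in u]
    return math.sqrt(lam)

def file_reference_vector(parents, children, W, beta):
    """Step S15: each parent's own count plus counts of children with weight >= beta."""
    child_refs = [len(files) for files in children.values()]
    return [len(p_files) + sum(r for w, r in zip(row, child_refs) if w >= beta)
            for p_files, row in zip(parents.values(), W)]

# Constructed sample input: referenced paths per process and parent-to-child access counts.
PARENTS = {"A": ["/var/a.log", "/etc/b.conf"], "B": ["/tmp/z", "/tmp/w"]}
CHILDREN = {"c1": ["/var/x", "/var/y"], "c2": ["/tmp/y"]}
ACCESSES = {("A", "c1"): 2, ("B", "c2"): 1}

def analyze(n=1, beta=5):
    """Return (edge weight matrix, eigenvalue w_t, file reference vector)."""
    W = edge_weights(PARENTS, CHILDREN, ACCESSES, n)
    return W, largest_eigenvalue(W), file_reference_vector(PARENTS, CHILDREN, W, beta)

if __name__ == "__main__":
    W, w_t, u_file = analyze()
    print(W, round(w_t, 4), u_file)
```

Because the histogram only sees characters in the first n directories, two processes that work under differently named but similarly spelled directories still score as related, which is worth keeping in mind when choosing n and β for a monitored host.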
 (Results of the demonstration experiment)
 On a computation server used for research, 10 processes related to Kibana, elasticsearch, nginx, and cron, together with their child processes, were monitored for about one day while the following three simulated failures were induced.
 Experiment 1: Do nothing → run a program that loads the CPU for 2 hours to reproduce a failure → stop the program (return to normal).
 Experiment 2: Do nothing → run a program that generates files at regular intervals (every minute) for 2 hours to reproduce a failure → stop the program (return to normal).
 Experiment 3: Do nothing → run a program that repeatedly accesses a child process for 2 hours to reproduce a failure → stop the program (return to normal).
 FIG. 4 is a first diagram showing the experimental results. FIG. 4(1) shows the result of quantifying Experiment 1 with the process information analysis method according to the present embodiment. FIG. 4(2) shows the result of quantifying it simply as the sum of the number of referenced files, the CPU usage rate, and the memory usage rate, without using the bipartite graph. In addition to the simulated failure, cron activity and an increase in Kibana's CPU load occurred during the experiment. The results show that, for the simulated failure, the cron activity, and the increase in Kibana's CPU load, the index value rises more under the present embodiment. It can therefore be said that the present embodiment yields an index value that better captures changes in the processes.
 FIG. 5 is a second diagram showing the experimental results. FIG. 5(1) shows the result of quantifying Experiment 2 with the process information analysis method according to the present embodiment. FIG. 5(2) shows the result of quantifying Experiment 3 with the process information analysis method according to the present embodiment. In both cases, cron activity occurred during the experiment. In both cases, the index value according to the present embodiment rose in response to the simulated failure and the cron activity. Therefore, it can be said that the index value according to the present embodiment captures changes in the processes.
 (Computer hardware configuration example)
 Each functional unit of the process information analysis device 10 described above can be realized by causing a computer to execute a program describing the processing content described in the present embodiment. Note that this "computer" may be a physical machine or a virtual machine on the cloud. When a virtual machine is used, the "hardware" described here is virtual hardware.
 The above program can be recorded on a computer-readable recording medium (portable memory, etc.) and then stored or distributed. It is also possible to provide the above program through a network such as the Internet or e-mail.
 FIG. 6 is a diagram showing a hardware configuration example of the computer. The computer of FIG. 6 has a drive device 1000, an auxiliary storage device 1002, a memory device 1003, a CPU 1004, an interface device 1005, a display device 1006, an input device 1007, an output device 1008, and the like, which are connected to one another via a bus B.
 A program that implements the processing in the computer is provided by a recording medium 1001 such as a CD-ROM or a memory card, for example. When the recording medium 1001 storing the program is set in the drive device 1000, the program is installed from the recording medium 1001 to the auxiliary storage device 1002 via the drive device 1000. However, the program does not necessarily need to be installed from the recording medium 1001, and may be downloaded from another computer via a network. The auxiliary storage device 1002 stores the installed program as well as necessary files, data, and the like.
 The memory device 1003 reads the program from the auxiliary storage device 1002 and stores it when a program activation instruction is received. The CPU 1004 implements the functions of the device according to the program stored in the memory device 1003. The interface device 1005 is used as an interface for connecting to a network. The display device 1006 displays a GUI (Graphical User Interface) or the like provided by the program. The input device 1007 is composed of a keyboard and mouse, buttons, a touch panel, or the like, and is used to input various operation instructions. The output device 1008 outputs calculation results. The computer may include a GPU (Graphics Processing Unit) or a TPU (Tensor Processing Unit) instead of the CPU 1004, or may include a GPU or TPU in addition to the CPU 1004. In that case, the processing may be shared, for example, with the GPU or TPU executing processing that requires special computation and the CPU 1004 executing the other processing.
 (How to use the present embodiment)
 By making the index value output by the process information analysis device 10 according to the present embodiment a monitoring target of a monitoring device, the accuracy of a process anomaly monitoring device can be improved. In addition, by inputting the index value and the bipartite graph into a device that estimates factors, the accuracy of factor estimation can be improved.
 (Effects of the present embodiment)
 The process information analysis device 10 according to the present embodiment generates, based on process information, a bipartite graph indicating the similarity of processes, and calculates an index value based on the generated bipartite graph. This makes it possible to calculate an index value for anomaly detection or factor estimation for complex failures in which processes are related to one another.
 (Summary of the embodiment)
 This specification describes at least the process information analysis device, the process information analysis method, and the program set out in the following items.
(Item 1)
 A process information analysis device comprising:
 a process information acquisition unit that acquires process information indicating information about a target process group;
 an inter-process relationship estimation unit that estimates relationships between the target process group and child processes of processes included in the process group and generates a bipartite graph; and
 an index value calculation unit that calculates an index value based on the bipartite graph.
(Item 2)
 The process information analysis device according to item 1, wherein
 the process information includes information on file references by processes, references to other processes, and child process creation, and
 the bipartite graph has, as edge weights, the similarity of file names referenced by each process and the sum of access counts between processes.
(Item 3)
 The process information analysis device according to item 2, wherein
 the index value calculation unit calculates an eigenvalue of an adjacency matrix of the bipartite graph and calculates the index value based on the calculated eigenvalue.
(Item 4)
 The process information analysis device according to item 3, wherein
 the index value calculation unit calculates the number of file references for each of the processes and calculates the index value based on the number of file references.
(Item 5)
 The process information analysis device according to item 4, wherein
 the index value calculation unit takes, as the file reference count of each parent process, a file reference count to which the file reference counts of child processes whose edge weight is equal to or greater than a threshold have been added.
(Item 6)
 A process information analysis method executed by a computer, comprising:
 a step of acquiring process information indicating information about a target process group;
 a step of estimating relationships between the target process group and child processes of processes included in the process group and generating a bipartite graph; and
 a step of calculating an index value based on the bipartite graph.
(Item 7)
 A program for causing a computer to function as each unit of the process information analysis device according to any one of items 1 to 5.
 Although the present embodiment has been described above, the present invention is not limited to this specific embodiment, and various modifications and changes are possible within the scope of the gist of the present invention described in the claims.
10 Process information analysis device
11 Process information acquisition unit
12 Inter-process relationship estimation unit
13 Index value calculation unit
14 Output unit
1000 Drive device
1001 Recording medium
1002 Auxiliary storage device
1003 Memory device
1004 CPU
1005 Interface device
1006 Display device
1007 Input device
1008 Output device

Claims (7)

  1.  A process information analysis device comprising:
     a process information acquisition unit that acquires process information indicating information about a target process group;
     an inter-process relationship estimation unit that estimates relationships between the target process group and child processes of processes included in the process group and generates a bipartite graph; and
     an index value calculation unit that calculates an index value based on the bipartite graph.
  2.  The process information analysis device according to claim 1, wherein
     the process information includes information on file references by processes, references to other processes, and child process creation, and
     the bipartite graph has, as edge weights, the similarity of file names referenced by each process and the sum of access counts between processes.
  3.  The process information analysis device according to claim 2, wherein
     the index value calculation unit calculates an eigenvalue of an adjacency matrix of the bipartite graph and calculates the index value based on the calculated eigenvalue.
  4.  The process information analysis device according to claim 3, wherein
     the index value calculation unit calculates the number of file references for each of the processes and calculates the index value based on the number of file references.
  5.  The process information analysis device according to claim 4, wherein
     the index value calculation unit takes, as the file reference count of each parent process, a file reference count to which the file reference counts of child processes whose edge weight is equal to or greater than a threshold have been added.
  6.  A process information analysis method executed by a computer, comprising:
     a step of acquiring process information indicating information about a target process group;
     a step of estimating relationships between the target process group and child processes of processes included in the process group and generating a bipartite graph; and
     a step of calculating an index value based on the bipartite graph.
  7.  A program for causing a computer to function as each unit of the process information analysis device according to any one of claims 1 to 5.
PCT/JP2021/020091 2021-05-26 2021-05-26 Process information analysis device, process information analysis method, and program WO2022249369A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2021/020091 WO2022249369A1 (en) 2021-05-26 2021-05-26 Process information analysis device, process information analysis method, and program
JP2023523840A JPWO2022249369A1 (en) 2021-05-26 2021-05-26

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/020091 WO2022249369A1 (en) 2021-05-26 2021-05-26 Process information analysis device, process information analysis method, and program

Publications (1)

Publication Number Publication Date
WO2022249369A1 true WO2022249369A1 (en) 2022-12-01

Family

ID=84229778

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/020091 WO2022249369A1 (en) 2021-05-26 2021-05-26 Process information analysis device, process information analysis method, and program

Country Status (2)

Country Link
JP (1) JPWO2022249369A1 (en)
WO (1) WO2022249369A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015141220A1 (en) * 2014-03-20 2015-09-24 日本電気株式会社 Information processing device and monitoring method
JP2018124829A (en) * 2017-02-01 2018-08-09 日本電信電話株式会社 State determination device, state determination method, and program
JP2019502195A (en) * 2015-11-18 2019-01-24 エヌイーシー ラボラトリーズ アメリカ インクNEC Laboratories America, Inc. Anomalous fusion in temporal causal graphs
US20190158520A1 (en) * 2017-11-17 2019-05-23 Accenture Global Solutions Limited Malicious Domain Scoping Recommendation System

Also Published As

Publication number Publication date
JPWO2022249369A1 (en) 2022-12-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21943020

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2023523840

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21943020

Country of ref document: EP

Kind code of ref document: A1