WO2024066331A1 - 网络异常检测方法、装置、电子设备及存储介质 - Google Patents
网络异常检测方法、装置、电子设备及存储介质 Download PDFInfo
- Publication number
- WO2024066331A1 WO2024066331A1 PCT/CN2023/090852 CN2023090852W WO2024066331A1 WO 2024066331 A1 WO2024066331 A1 WO 2024066331A1 CN 2023090852 W CN2023090852 W CN 2023090852W WO 2024066331 A1 WO2024066331 A1 WO 2024066331A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- subnet
- indicator
- network
- target
- target network
- Prior art date
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 87
- 230000005856 abnormality Effects 0.000 title abstract description 24
- 238000004422 calculation algorithm Methods 0.000 claims abstract description 112
- 230000000737 periodic effect Effects 0.000 claims abstract description 53
- 230000002159 abnormal effect Effects 0.000 claims abstract description 46
- 238000000034 method Methods 0.000 claims description 42
- 230000036541 health Effects 0.000 claims description 37
- 238000005070 sampling Methods 0.000 claims description 22
- 238000004364 calculation method Methods 0.000 claims description 16
- 238000004891 communication Methods 0.000 claims description 15
- 238000012216 screening Methods 0.000 claims description 13
- 238000004590 computer program Methods 0.000 claims description 9
- 230000002688 persistence Effects 0.000 claims description 9
- 238000001228 spectrum Methods 0.000 claims description 9
- 230000001186 cumulative effect Effects 0.000 claims description 8
- 238000005315 distribution function Methods 0.000 claims description 8
- 238000012545 processing Methods 0.000 claims description 6
- 230000008569 process Effects 0.000 description 20
- 238000012549 training Methods 0.000 description 20
- 238000005516 engineering process Methods 0.000 description 10
- 238000012544 monitoring process Methods 0.000 description 9
- 238000013480 data collection Methods 0.000 description 7
- 238000010586 diagram Methods 0.000 description 5
- 230000035945 sensitivity Effects 0.000 description 5
- 230000003044 adaptive effect Effects 0.000 description 4
- 238000004458 analytical method Methods 0.000 description 4
- 238000010219 correlation analysis Methods 0.000 description 4
- 230000009466 transformation Effects 0.000 description 4
- 230000005540 biological transmission Effects 0.000 description 3
- 238000010801 machine learning Methods 0.000 description 3
- 238000005457 optimization Methods 0.000 description 3
- 238000011897 real-time detection Methods 0.000 description 3
- 101001121408 Homo sapiens L-amino-acid oxidase Proteins 0.000 description 2
- 102100026388 L-amino-acid oxidase Human genes 0.000 description 2
- 101100012902 Saccharomyces cerevisiae (strain ATCC 204508 / S288c) FIG2 gene Proteins 0.000 description 2
- 238000009432 framing Methods 0.000 description 2
- 238000012423 maintenance Methods 0.000 description 2
- 239000011159 matrix material Substances 0.000 description 2
- 238000007781 pre-processing Methods 0.000 description 2
- 239000002699 waste material Substances 0.000 description 2
- 238000012935 Averaging Methods 0.000 description 1
- 101000827703 Homo sapiens Polyphosphoinositide phosphatase Proteins 0.000 description 1
- 102100023591 Polyphosphoinositide phosphatase Human genes 0.000 description 1
- 101100233916 Saccharomyces cerevisiae (strain ATCC 204508 / S288c) KAR5 gene Proteins 0.000 description 1
- 230000004931 aggregating effect Effects 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000009826 distribution Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000003862 health status Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 230000004044 response Effects 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W24/00—Supervisory, monitoring or testing arrangements
- H04W24/04—Arrangements for maintaining operational condition
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F17/00—Digital computing or data processing equipment or methods, specially adapted for specific functions
- G06F17/10—Complex mathematical operations
- G06F17/18—Complex mathematical operations for evaluating statistical data, e.g. average values, frequency distributions, probability functions, regression analysis
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/16—Threshold monitoring
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W24/00—Supervisory, monitoring or testing arrangements
- H04W24/08—Testing, supervising or monitoring using real traffic
Definitions
- the present disclosure relates to the field of wireless communication technology, and in particular to a network anomaly detection method, device, electronic device and storage medium.
- the target network is layered into sub-networks, the similarity matrix of the sub-network is determined by a machine learning algorithm, and then the anomaly detection model is trained based on the similarity matrix and historical performance data.
- this method focuses on improving the accuracy of detection by optimizing the machine learning algorithm, and can be applied in various network scenarios such as telecommunications networks and cable TV networks. Technologies similar to this method do not reflect the possible reasons for the abnormality of the network in the output detection results, and there is no subsequent fault correlation analysis method.
- network optimization engineers In actual network performance monitoring and operation and maintenance work, network optimization engineers often pay attention to key network indicators, such as wireless connection rate, RRC connection establishment success rate, etc. These indicator data are obtained by summarizing the counter data reported by the network element to the network management through the indicator formula, which can characterize the network status in a more detailed and multi-dimensional manner.
- Network optimization engineers perform network anomaly detection by monitoring the status of key network indicators, which can reflect the cause of network anomalies in a more detailed and clear manner, and facilitate the rapid location of network problems.
- a set of network indicators is obtained, the correlation between these network indicators is calculated to obtain a correlation indicator data set, the correlation indicator data set is input into a pre-trained transmission quality prediction model to obtain a transmission quality prediction value, and then the prediction value is input into a pre-trained anomaly annotation model to obtain anomaly data.
- this method needs to calculate the correlation between network indicators, which has great limitations. It is currently only used in the scenario of transmission quality prediction. In addition, the anomaly detection in this method is only based on the prediction results, and the response to sudden major network failures is not timely enough, and it cannot provide relevant fault correlation analysis methods.
- the present invention provides a network anomaly detection method, device, electronic device and storage medium.
- the present disclosure provides a network anomaly detection method, the method comprising: determining whether a target network indicator is If it is not a periodic indicator, a judgment result is obtained; the target network indicator is any one of the key network indicators used to determine whether the current network is abnormal; based on the judgment result, a target threshold algorithm is selected, and based on the target threshold algorithm and the target network indicator data of any subnet in the current network, a target threshold interval corresponding to the target network indicator of any subnet is determined; the target network indicator data includes time series data of the target network indicator within a first preset time period; and when the real-time value of the target network indicator of any subnet in the current network exceeds the target threshold interval, the current network is determined to be abnormal and the serious fault cell under any subnet is located.
- the present disclosure provides a network anomaly detection device, the device comprising: a judgment unit, configured to judge whether a target network indicator is a periodic indicator and obtain a judgment result; the target network indicator is any one of the key network indicators used to determine whether the current network is abnormal; a determination unit, configured to select a target threshold algorithm based on the judgment result, and determine a target threshold interval corresponding to the target network indicator of any subnet in the current network based on the target threshold algorithm and the target network indicator data of any subnet in the current network; the target network indicator data includes time series data of the target network indicator within a first preset time period; and an anomaly detection unit, configured to determine that the current network is abnormal and locate a serious fault cell under any subnet when the real-time value of the target network indicator of any subnet in the current network exceeds the target threshold interval.
- the present disclosure provides an electronic device, including a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus; the memory stores computer programs; and the processor implements the network anomaly detection method described in the first aspect when executing the program stored in the memory.
- the present disclosure provides a computer-readable storage medium having a computer program stored thereon, wherein when the computer program is executed by a processor, the network anomaly detection method as described in the first aspect is implemented.
- FIG1 is a schematic diagram of a flow chart of a network anomaly detection method provided by an embodiment of the present disclosure
- FIG2 is a schematic diagram of a network anomaly detection process provided by an embodiment of the present disclosure.
- FIG3 is a schematic diagram of a network anomaly detection system provided by an embodiment of the present disclosure.
- FIG4 is a schematic diagram of a network anomaly detection device provided by an embodiment of the present disclosure.
- FIG5 is a schematic diagram of the structure of an electronic device provided by an embodiment of the present disclosure.
- the embodiment of the present disclosure provides a network anomaly detection method, which is applied to any device that can communicate directly or indirectly with the current network. As shown in FIG1 , the network anomaly detection method includes steps 101 to 104.
- Step 101 Determine whether the target network indicator is a periodic indicator.
- the target network indicator is any one of the key network indicators used to determine whether the current network is abnormal.
- the number of key network indicators used to determine whether the current network is abnormal is at least one.
- a preset number of sampling points is used as a period, and a judgment is made based on the target network indicator data and FFT spectrum of any subnet to determine whether the target network indicator is a periodic indicator.
- any subnet is any one of the subnets of the current network.
- the target network indicator data includes time series data of the target network indicator within a first preset time period.
- the first preset time period is a period of time before the current moment, and the length of the first preset time period can be determined based on an empirical value or randomly determined. Moreover, the length of the first preset time period can be fixed or determined for different target network indicators.
- the target network indicator is a periodic indicator
- first collect performance data reported by the network element to the network management and obtain the counter data of each cell within the first preset time period from the collected performance data.
- the counter data of each cell within the first preset time period obtained are summarized to obtain the counter data of each subnet.
- the counter data of each subnet is converted into the network indicator data of each subnet based on the calculation formula of the network indicator.
- the network indicator data of each subnet is preprocessed, including filling missing values and removing extreme values.
- the integrity of the data can be guaranteed by preprocessing the network indicator data of each subnet, and the interference of extreme values can be removed, thereby ensuring the accuracy and reliability of the target threshold interval determined based on the network indicator data, and further, the accuracy of network anomaly detection based on the target threshold interval can be effectively guaranteed.
- the subnet object such as any subnet
- the target network index are first determined, and after the counter data of each subnet is aggregated, the counter data of any subnet is converted into the target network index data of the any subnet based on the calculation formula of the target network index.
- the counter data of each subnet is obtained, only the counter data corresponding to the target network index of any selected subnet is converted to obtain the required target network index data of any subnet, which can effectively reduce the amount of data processing and reduce the data processing delay, thereby improving Determine the efficiency of the target threshold interval corresponding to the target network indicator of any subnet in the current network.
- the subnet object such as any subnet and the target network indicator
- the subnet object is determined before collecting the performance data reported by the network element to the network management.
- the subnet object is determined before collecting the performance data reported by the network element to the network management.
- the subnet object is determined before collecting the performance data reported by the network element to the network management.
- the first preset time period may be, for example, 15 days.
- the above-mentioned method of summarizing the counter data may be summing or taking an average value.
- the above subnet object and target network indicator may be determined by a user. After the subnet object and target network indicator are determined, steps 101 to 104 in the present disclosure are performed.
- the right boundary of the spectrum fft_size/4 can ensure that the period corresponding to f is T>4.
- record the spectrum increment corresponding to f as fft_amp and obtain the spectrum mean fft_mean and variance fft_std after calculation and transformation. If the spectrum mean fft_amp corresponding to f is greater than the sum of the product of the preset value and the variance fft_std and the spectrum mean fft_mean, that is, fft_amp>fft_mean+period_check_ratio*fft_std, then the target network indicator data becomes a periodic feature, that is, the target network indicator corresponding to the target network indicator data is a periodic indicator.
- the preset value period_check_ratio is configured as 3 by default, which can be used to determine whether the target network indicator is a periodic indicator.
- the relevant information of the network indicator includes, for example, a tag indicating whether the network indicator is a periodic indicator.
- whether the target network indicator is a periodic indicator can be determined based on the tag in the relevant information of the target network indicator.
- Step 102 Based on the judgment result, select a target threshold algorithm.
- different target threshold algorithms are selected based on different judgment results.
- the determination result indicates that the target network indicator is a periodic indicator, or the determination result indicates that the target network indicator is a non-periodic indicator.
- the first prediction algorithm and the first threshold algorithm are selected as the target threshold algorithm; if the judgment result indicates that the target network indicator is a non-periodic indicator, the second threshold algorithm is selected as the target threshold algorithm.
- an algorithm corresponding to the threshold interval of appropriate training is selected for the network indicator, which at least includes a threshold algorithm (or an upper and lower threshold algorithm) and may also include a prediction algorithm (or a prediction value algorithm).
- a target threshold algorithm is selected, and the second prediction algorithm is also selected as the target prediction algorithm.
- the second prediction algorithm and the second threshold algorithm are used together as the target threshold algorithm.
- the real-time value of the target network indicator can be predicted based on the target network indicator data of any subnet and the second prediction algorithm to obtain the predicted value corresponding to the real-time value of the target network indicator of any subnet.
- the real-time value of the target network indicator can be predicted based on the upper threshold and lower threshold of the target threshold interval corresponding to the target network indicator of any subnet, and the second prediction algorithm, to obtain the predicted value corresponding to the real-time value of the target network indicator of any subnet.
- the average of all values at the same time (i.e., the current time) within a certain length of time (e.g., n days) before the current time in the target network indicator data of any subnet can be determined based on the second prediction algorithm similar to the Olympic algorithm, and then the average is determined as the predicted value corresponding to the real-time value of the target network indicator of any subnet.
- the average of all values within a certain time length (for example, n days) before the current moment in the target network indicator data of any subnet can be determined based on the second prediction algorithm, and then the average is determined as the predicted value corresponding to the real-time value of the target network indicator of any subnet.
- the average of the upper threshold and the lower threshold of the target threshold interval corresponding to the target network indicator can be first determined based on the second prediction algorithm, and then the average is determined as the predicted value corresponding to the real-time value of the target network indicator of any subnet.
- the second prediction algorithm may be an average algorithm, and based on different selections, different data may be averaged to obtain a prediction value corresponding to the real-time value of the target network indicator of any subnet.
- the different data are not limited to the above-mentioned data.
- the correspondence between the data type of the time series data of the network indicator and the threshold algorithm and the prediction algorithm can be shown in Table 1 above.
- the prediction algorithm and threshold algorithm corresponding to the periodic data in the data type, that is, the first prediction algorithm and the first threshold algorithm are the Olympic algorithm and the adaptive Ksigma algorithm, respectively
- the prediction algorithm and threshold algorithm corresponding to the non-periodic data in the data type, that is, the second prediction algorithm and the second threshold algorithm are the threshold mean algorithm and the kernel density estimation (KDE) algorithm, respectively.
- KDE kernel density estimation
- the Olympic algorithm is used for the prediction of periodic series. It is a simple window model that uses the average value of the corresponding points of the previous N periods as the predicted value of the next point.
- the adaptive Ksigma algorithm used in this disclosure is more adaptable to data with different distributions and reduces the false alarm rate.
- Step 103 Based on the target threshold algorithm and the target network indicator data of any subnet in the current network, determine the target threshold interval corresponding to the target network indicator of any subnet.
- the values of each sampling point in the period of the target network indicator are fitted and predicted based on the target network indicator data of any subnet and the first prediction algorithm to obtain a prediction period sequence, and the fitting error root mean square of each sampling point in the period of the target network indicator is determined. Subsequently, based on the prediction period sequence, the target network indicator data of any subnet, the fitting error root mean square of each sampling point and the first threshold algorithm, the threshold interval corresponding to each sampling point in the period of the target network indicator is trained to obtain the target threshold interval corresponding to each sampling point.
- the first prediction algorithm and the first threshold algorithm corresponding to the periodic data in Table 1, namely the Olympic algorithm and the adaptive Ksigma algorithm, are taken as examples.
- the step of processing the target network indicator data of any subnet based on the Olympic algorithm includes: the original sequence of the known target network indicator (i.e., the target network indicator data of any subnet) raw_list, the period is period, and the number of training cycles is number_period.
- the fitting value i.e., the predicted value
- the predicted sequence i.e., the predicted period sequence pred_list
- the steps of adjusting the target threshold interval corresponding to the target network indicator based on the adaptive Ksigma algorithm include the following 3 points 1 to 3.
- the predicted value obtained by the Olympic algorithm that is, the value of the corresponding sampling point in the prediction sequence
- the training result corresponding to the target network indicator that is, the target threshold interval corresponding to the target network indicator.
- the predicted value is first obtained based on the first prediction algorithm, and then the size of the threshold box is adjusted based on the first threshold algorithm so that the proportion of abnormal points in the historical data reaches the expected sensitivity, thereby obtaining the corresponding threshold.
- the target threshold interval corresponding to any sampling point in the period of the periodic target network indicator of any subnet can be determined based on the periodic target network indicator data of any subnet, so that in the current network, based on the real-time value of the target network indicator of any subnet and the target threshold interval of the target network indicator corresponding to the real-time value, it is possible to monitor whether the target network indicator of any subnet is abnormal, and then determine whether the current network is abnormal.
- the judgment result indicates that the target network indicator is a non-periodic indicator
- a Gaussian kernel is used to perform kernel density estimation on the target network indicator data of any subnet, and a cumulative distribution function is determined.
- a calculation is performed according to the cumulative distribution function to determine the first value corresponding to the first quantile of the target network indicator and the second value corresponding to the second quantile of the target network indicator, and the first quantile is greater than the second quantile.
- the first value and the second value are respectively determined as the upper threshold and the lower threshold of the target threshold interval corresponding to the target network indicator.
- the predicted value of the target network indicator, or the real-time prediction value of the target network indicator is determined based on the second prediction algorithm mentioned above. The predicted value corresponding to the value.
- the second prediction algorithm and the second threshold algorithm corresponding to the non-periodic data in Table 1, namely, the threshold mean algorithm and the KDE algorithm are taken as examples.
- the Gaussian kernel is first used to perform kernel density estimation on the training data, i.e., the target network indicator data of any subnet, so as to calculate the cumulative distribution function.
- the values of the 99.7% and 0.3% quantiles are calculated according to the cumulative distribution function as the upper and lower thresholds.
- the upper and lower thresholds determined based on the KDE algorithm are averaged as the predicted values of the corresponding target network indicators.
- the threshold interval is first generated based on the second threshold algorithm, and then the mean is determined as the predicted value based on the second prediction algorithm.
- the process of determining the mean as the predicted value based on the second prediction algorithm can be referred to the above content, which will not be repeated here.
- the present invention can determine the target threshold interval for the non-periodic target network indicator in any subnet based on the second threshold algorithm, thereby achieving the effect of targeted determination of the target threshold interval corresponding to the target network indicator, and better ensuring the accuracy of network anomaly monitoring.
- Step 104 If the real-time value of the target network indicator of any subnet in the current network exceeds the target threshold range, the current network is determined to be abnormal and the serious fault cell under any subnet is located.
- the real-time value of the target network indicator of any subnet in the current network does not exceed the target threshold range, it is determined that there is no abnormality in the current network and there is no need to further locate the serious fault cell under any subnet.
- network anomalies are detected in real time based on the data collected in real time and the target threshold interval obtained by the above training.
- the current network anomaly is directly determined without performing other operations. This can reduce the delay in determining the current network anomaly while effectively determining the current network anomaly.
- the health of the target network indicator of any network is first determined, and then based on the health of the target network indicator, it is determined whether the current network is abnormal.
- the deviation degree of the real-time value of the target network indicator of any subnet in the current network relative to the target threshold interval is scored to obtain a single-point deviation degree score; based on the probability of network anomaly in the second preset time period before the current moment, the network anomaly degree is scored to obtain an anomaly persistence degree score. Subsequently, the single-point deviation degree score and the anomaly persistence degree score are weighted to obtain the target network indicator of any subnet. Health.
- the second preset time period may be the same as or different from the first preset time period, and the time length of the second preset time period may be predetermined or determined based on actual working conditions. Furthermore, the time length of the second preset time period may be a fixed time length or the same or different time lengths determined for different target network indicators.
- the health calculation is to evaluate the severity of network indicator anomalies and filter out minor anomalies.
- the health considers two aspects. On the one hand, it scores the single-point deviation degree based on the degree to which the network indicator data of any subnet deviates from the corresponding target threshold range. On the other hand, it scores the persistence of anomalies based on the probability of anomalies in the recent history. The weighted sum of the two is the health of the network indicator.
- j represents the health of the target network indicator of any subnet
- Q1 is the weight of the single point deviation score
- Q2 is the weight of the abnormal persistence score
- dan represents the value of the single point deviation score
- yi represents the value of the abnormal persistence score.
- the health (of the target network indicator of any subnet) exceeds a preset health threshold, it is determined that the current network is abnormal.
- the health does not exceed the preset health threshold, it is determined that the current network is normal/normal.
- the preset health threshold can be determined by oneself according to the actual working conditions.
- the health of the target network indicator does not exceed (i.e., not lower than) the preset health threshold, it is determined that the current network has no abnormality. In this way, some scenarios with slight network abnormalities can be ignored, avoiding the problem of locating or handling serious fault cells in scenarios where the network is slightly abnormal but does not affect the use or has a small impact, resulting in problems such as waste of resources.
- the target network indicator if the health of the target network indicator is lower than the corresponding preset health threshold, the target network indicator is considered abnormal, reported to the user, and the serious fault cell causing the abnormal target network indicator of any subnet is further located.
- the network indicator abnormality and health calculation can be simplified to only determine whether the real-time data of the indicator exceeds the threshold obtained by training. If it exceeds, it is determined that the indicator is abnormal, that is, the health calculation is ignored. This is because the health calculation part is used to evaluate the severity of indicator anomalies and filter out minor anomalies. If the health calculation part is removed, real-time detection of network indicator anomalies can still be performed normally.
- each cell in any subnet is screened based on its contribution, and a severely faulty cell in any subnet is determined.
- the contribution degree is used to measure the contribution of each cell to the value determination of the network indicator.
- the location of the seriously faulty cell is performed by calculating the contribution of each cell.
- common network key indicators can be divided into ratio-type indicators and counting-type indicators according to the different formula structures of the network key indicators obtained by aggregating counter data.
- the type of the target network indicator is determined based on the structure of the calculation formula of the target network indicator. If the type of the target network indicator is a ratio type, the contribution of each cell in any subnet is determined according to a first rule; if the type of the target network indicator is a counting type, the contribution of each cell in any subnet is determined according to a second rule.
- the following operations are performed on any cell in any subnet: based on the real-time value of the target network indicator of any subnet, the real-time value of the target network indicator of any cell in any subnet, and the direction in which the target network indicator of any subnet deviates from the corresponding target threshold interval, the contribution of any cell is determined.
- the direction in which the real-time value of the target network indicator deviates from the target threshold interval can be represented by ⁇ 1, that is, the value of d above is ⁇ 1.
- contribution [KPI subnet- (KPI numerator subnet -KPI numerator cell ) / (KPI denominator subnet -KPI denominator cell )] * direction.
- the KPI subnet is the value of the ratio indicator of any subnet
- the KPI numerator subnet is the numerator of the ratio indicator of any subnet
- the KPI denominator subnet is the denominator of the ratio indicator of any subnet
- the KPI numerator cell is the ratio indicator of any cell in any subnet.
- the numerator of the target and the denominator of the KPI subnet are the denominators of the ratio indicators of any cell in any subnet.
- addition score refers to the fraction obtained by adding the numerator and denominator respectively.
- the following operations are performed on any cell in any subnet: determining the predicted value corresponding to the real-time value of the target network indicator of any cell, and determining the contribution of any cell based on the real-time value and corresponding predicted value of the target network indicator of any subnet and the real-time value and corresponding predicted value of the target network indicator of any cell.
- the method for determining the predicted value corresponding to the real-time value of the target network indicator of any cell can refer to the above-mentioned process of determining the predicted value corresponding to the real-time value of the target network indicator of any subnet, which will not be repeated here.
- the historical data of the indicator of the cell is taken to calculate the predicted value, and a residual analysis is performed with the subnet indicator data.
- the KPI predicted value cell is the predicted value corresponding to the real-time value of the target network indicator of the cell
- the KPI predicted value subnet is the predicted value corresponding to the real-time value of the target network indicator of the subnet where the cell is located
- the KPI cell is the real-time value of the target network indicator of the cell
- the KPI subnet is the real-time value of the target network indicator of the subnet where the cell is located.
- the residual is the difference between the observed value of the dependent variable and the predicted value obtained based on the estimated regression equation.
- Residual analysis refers to analyzing the reliability, periodicity or other interference of the data through the information provided by the residual.
- the target network indicator type is ratio type
- cells are eliminated one by one and the target network indicator of any subnet is recalculated until the recalculated target network indicator of any subnet does not exceed its corresponding target threshold range.
- the eliminated cells are determined as serious fault cells in any subnet.
- the subnet index value is recalculated after the cells are eliminated one by one in descending order of their contribution until the subnet index returns to within the threshold range.
- the cells that are eliminated are the seriously faulty cells that cause the subnet index to be abnormal.
- the target network index a of subnet A is a1/a2
- the target network index a of cell 1 is a11/a21
- the target network index a of cell 2 is a12/a22.
- the contribution of cell 1 is a111
- the contribution of cell 2 is a112, where a111>a112.
- the contribution of cell 1 is ranked before the contribution of cell 2.
- the data of cell 1 is removed from the calculation process of the target network index a of subnet A to obtain the value of the target network index of the new subnet, that is, (a1-a11)/(a2-a21).
- the data of cell 2 is further removed from the calculation process of the target network index a of subnet A to obtain the value of the target network index of the new subnet, that is, (a1-a11-a12)/(a2-a21-a22). If (a1-a11-a12)/(a2-a21-a22) is within the target threshold interval corresponding to the value of the target network index, it is determined that the removed cells 1 and 2 are severely faulty cells in subnet A, and other cells under subnet A are not severely faulty cells.
- each cell is screened based on a preset contribution screening standard, and at least one cell that passes the screening among each cell is determined as a serious fault cell in any subnet.
- a standard contribution is first determined based on the contribution of each cell, and then the cells whose contributions exceed the standard contribution are determined as severely faulty cells in any subnet.
- the standard contribution may be determined based on the mean and variance of the contribution of each cell.
- the product of the contribution variance of each cell thereunder and a preset value may be determined first, and the sum of the product and the mean value of the contribution of each cell may be determined as the standard contribution.
- the cells with positive contribution can be first determined, and the mean and variance of the contributions of these cells with positive contribution can be calculated. Then, the product of the variance and a preset value is determined, and the sum of the product and the mean is determined as the standard contribution.
- the preset value is 3.
- the above standard contribution can also be determined randomly without rushing to determine the cell contribution.
- network anomaly detection information may be generated, and then sent to a user so that the user can find the network anomaly and the cause of the network anomaly in a timely manner.
- network anomaly detection information is generated based on the network anomaly detection result and information of any subnet.
- the network anomaly detection information includes the network anomaly detection result, the information of any subnet and the information of the severely faulty cell in any subnet.
- the information of the seriously faulty cell includes the identification, location, subnet, etc. of the seriously faulty cell.
- the information of any subnet includes the identification, location, network, etc. of the any subnet.
- the network anomaly detection result may also include information such as the health of the target network indicator.
- the network anomaly detection information also includes information of the detected target network indicator, etc.
- the target network indicator information includes the name, identification, calculation formula, real-time value and other information of the target network indicator.
- the real-time detection results i.e. whether the current network is abnormal
- the associated analysis results i.e. the serious fault cells when the current network is abnormal
- the present disclosure can realize automatic monitoring of key network indicators, and supports separate training and detection of each key network indicator. (In the process of monitoring whether the network is abnormal based on any key network indicator) There is a higher degree of freedom in the selection of key network indicators, and the network status can be monitored more comprehensively. Secondly, the present disclosure can quickly respond to sudden network failures and provide changes in each indicator. Users can refer to the changes in each indicator to analyze the cause of network abnormalities. Thirdly, when the computing resources are limited and the entire network cell cannot be monitored, the present disclosure can detect abnormalities in the subnet and then locate the severely faulty cell that causes the subnet abnormality, thereby greatly improving the network (abnormal) detection capability. Finally, the present disclosure locates the severely faulty cell that causes the subnet abnormality through an algorithm, which can help users quickly locate the cause of network abnormalities and make the network operation and maintenance work intelligent and efficient.
- the network indicator i.e., the network key indicator, referred to as KPI, i.e., the above-mentioned target network indicator
- network anomaly detection is performed based on the selected subnet object and network indicator.
- historical data collection collecting historical data of the subnet object
- the collected historical data is preprocessed.
- the target network indicator is periodically judged based on the data after data preprocessing.
- a predicted value is generated based on the Olympic algorithm, and a threshold frame width is generated based on the Ksigma algorithm, and then the upper and lower thresholds are calculated to obtain a training result, i.e., the target threshold interval corresponding to the target network indicator; if it is non-periodic, a threshold is generated based on the KDE algorithm, and a predicted value is generated based on the (threshold) mean to obtain a training result, i.e., the target threshold interval corresponding to the target network indicator. After that, real-time data collection is performed, and a threshold judgment is performed based on the real-time value of the collected target network indicator.
- the detection is terminated; if it exceeds the target threshold interval, the health of the target network indicator is calculated, the health of the target network indicator is obtained, and the health judgment is performed. If the health does not exceed the preset health, the detection is terminated; if the health exceeds the preset health, the seriously faulty cell is located, that is, the Topn cell calculation is performed, and the user is reported, that is, the network abnormality is reported to the user, so that the user can analyze the cause of the network abnormality and maintain the abnormal network.
- each time when network anomaly detection is performed the above steps are executed in sequence to achieve the target threshold.
- the real-time update of the value interval ensures the real-time performance of the target threshold interval and improves the accuracy of network anomaly detection based on the target threshold interval.
- steps 101 to 103 may not be executed every time network anomaly detection is performed, but steps 101 to 103 may be executed at regular intervals based on historical data before the current moment, so as to achieve periodic updating of the target threshold interval and reduce the waste of resources caused by repeated updating of the target threshold interval when there is less newly generated historical data.
- steps 101 to 103 are performed based on the data of the first time period in the historical data to determine the target threshold interval and obtain threshold interval 1.
- network anomaly detection is performed based on the threshold interval 1.
- steps 101 to 103 are performed based on the data of the third time period in the historical data to re-determine the target threshold interval and obtain threshold interval 2.
- network anomaly detection is performed based on the threshold interval 2.
- multiple target network indicators and/or target network indicators of multiple subnets can be automatically detected at the same time, so as to identify network anomalies as accurately as possible.
- the network anomaly can be determined, or when it is determined that more than a second preset number of target network indicators of any subnet are abnormal, the network anomaly can be determined, so as to further ensure the accuracy and reliability of network anomaly detection.
- the present disclosure may be applied to a network anomaly detection system as shown in Fig. 3.
- the network anomaly detection system includes a data acquisition module, a training module, and a detection module.
- the data collection module consists of network elements, network management, and network management system, and is used to collect and process performance data reported by network elements to the network management.
- the counter data of the cell is obtained from the performance data, and the counter data of the subnet is summarized by summing or averaging. Then, the counter data is converted into the network indicator data of the subnet according to the formula of the network indicator. It is divided into two parts: historical data collection and real-time data collection.
- the results of historical data collection are used as the training set of time series, and the results of real-time data collection are used as anomaly detection (test set).
- the training module is configured to determine whether the historical data of network indicators show periodic characteristics, and provide two different training algorithms to obtain the predicted values of network indicators in the future and the threshold range for normal operation (i.e., the above-mentioned target threshold range).
- Detection module this module performs detection based on the threshold interval obtained through training and the performance data collected from real-time data. If the real-time data exceeds the threshold interval, the degree of deviation of the subnet indicator data from the threshold interval is calculated as the single-point deviation degree score, and the probability of abnormal occurrence in the subnet history in the recent period is calculated as the abnormal persistence degree score, and then the weighted average is used to obtain the health of the subnet indicator. Whether the subnet indicator is abnormal is determined based on the health status and reported to the user. If the subnet indicator is abnormal, the module further locates the serious fault cell that caused the subnet indicator abnormality according to the fault cell association algorithm (i.e. the first rule or the second rule mentioned above).
- the fault cell association algorithm i.e. the first rule or the second rule mentioned above.
- the detection module can be further divided into an abnormality detection submodule and a faulty cell association submodule.
- the abnormality detection submodule is configured to detect whether the indicator is abnormal, and then determine whether the network is abnormal;
- the faulty cell association submodule is configured to locate the serious faulty cell that causes the subnet indicator abnormality according to the faulty cell association algorithm.
- an embodiment of the present disclosure provides a network anomaly detection device, which includes a judgment unit 401 , a determination unit 402 , and an anomaly detection unit 403 .
- the judging unit 401 is configured to judge whether the target network indicator is a periodic indicator and obtain a judgment result; the target network indicator is any one of the key network indicators used to determine whether the current network is abnormal.
- the determination unit 402 is configured to select a target threshold algorithm based on the judgment result, and determine the target threshold interval corresponding to the target network indicator of any subnet based on the target threshold algorithm and the target network indicator data of any subnet in the current network; the target network indicator data includes time series data of the target network indicator within a first preset time period.
- the abnormality detection unit 403 is configured to determine that the current network is abnormal and locate a serious fault cell in any subnet if the real-time value of the target network indicator of any subnet in the current network exceeds the target threshold range.
- an embodiment of the present disclosure provides an electronic device, including a processor 501, a communication interface 502, a memory 503 and a communication bus 504.
- the processor 501, the communication interface 502 and the memory 503 communicate with each other via the communication bus 504.
- the memory 503 stores computer programs.
- the processor 501 is used to implement the network anomaly detection method provided by any one of the aforementioned method embodiments when executing the program stored in the memory 503.
- the embodiments of the present disclosure further provide a computer-readable storage medium on which a computer program is stored.
- a computer program is stored on which a computer program is stored.
- the computer program is executed by a processor, a network anomaly detection method as provided in any of the aforementioned method embodiments is implemented.
- the above technical solution provided by the embodiment of the present disclosure has the following advantages over the related art.
- the network anomaly detection method provided by the embodiment of the present disclosure selects a target threshold algorithm based on whether any one of the key network indicators used to determine whether the current network is abnormal, namely the target network indicator, is a periodic indicator, and determines the target threshold interval corresponding to the target network indicator under any subnet based on the target threshold algorithm and the time series data of the target network indicator of any subnet within the first preset time period, and then determines whether the current network is abnormal based on the real-time value of the target network indicator of any subnet and the corresponding target threshold interval, thereby realizing real-time and automatic detection of network anomalies, and on this basis, locates the severely faulty cell under any subnet, and can complete the network anomaly detection and analysis work more efficiently.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Physics & Mathematics (AREA)
- Data Mining & Analysis (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Optimization (AREA)
- Theoretical Computer Science (AREA)
- Mathematical Physics (AREA)
- Computational Mathematics (AREA)
- Pure & Applied Mathematics (AREA)
- Mathematical Analysis (AREA)
- Bioinformatics & Computational Biology (AREA)
- Operations Research (AREA)
- Probability & Statistics with Applications (AREA)
- Evolutionary Biology (AREA)
- Algebra (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Databases & Information Systems (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- Life Sciences & Earth Sciences (AREA)
- Environmental & Geological Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
本公开涉及一种网络异常检测方法、装置、电子设备及存储介质,该网络异常检测方法包括:判断用于确定当前网络是否异常的关键网络指标中的目标网络指标是否为周期性指标,得到判断结果;基于根据判断结果选择的目标阈值算法,和当前网络中任一子网的目标网络指标在第一预设时间段内的时间序列数据,确定相应的目标阈值区间;以及在该任一子网的目标网络指标的实时取值超过目标阈值区间的情况下,则确定当前网络异常并定位任一子网下的严重故障小区。
Description
相关申请的交叉引用
本公开要求享有2022年09月30日提交的名称为“网络异常检测方法、装置、电子设备及存储介质”的中国专利申请202211215007.6的优先权,其全部内容通过引用并入本公开中。
本公开涉及无线通信技术领域,尤其涉及一种网络异常检测方法、装置、电子设备及存储介质。
在无线通信技术领域,随着网络性能监测的需求日益增长,网络异常实时检测技术和故障关联分析技术成为研究的热点之一。
相关技术中,已经存在一些利用机器学习等技术实现网络异常实时检测的方法。例如,将目标网络分层成子网络,通过机器学习算法确定子网络的相似矩阵,然后基于相似矩阵和历史性能数据训练得到异常检测模型。但是,这一方法专注于通过优化机器学习算法提升检测的准确度,以及能够在电信网络、有线电视网络等多种网络场景中进行应用。类似该方法的技术,其输出的检测结果没有体现网络产生异动的可能原因,并且没有后续的故障关联分析方法。
在实际的网络性能监测和运维工作中,网络优化工程师经常关注网络的关键指标,比如无线接通率、RRC连接建立成功率等。这些指标数据由网元上报到网管的计数器数据通过指标的公式汇总后得到,能够更加详细地、多维度地表征网络的状态。网络优化工程师通过监测网络关键指标的状态来进行网络异常检测,能够更加详细、明确地体现出网络产生异常的原因,便于迅速定位网络问题。但是,网络优化工程师依赖专家经验监测网络关键指标、识别网络异常的难度较大,且具有滞后性。
随着技术的发展,逐渐出现了利用网络指标预测技术监测网络关键指标的方法。例如,获取一组网络指标,计算这些网络指标间的相关性得到关联指标数据集,将关联指标数据集输入预先训练的传输质量预测模型得到传输质量预测值,然后将预测值输入预先训练的异常标注模型,得到异常数据。但是,该方法中,需要计算网络指标间的相关性,局限性较大,暂时仅在传输质量预测的场景中应用,且该方法中的异常检测仅基于预测结果进行,对网络突发的重大故障响应不够及时,也无法提供相关的故障关联分析方法。
发明内容
本公开提供了一种网络异常检测方法、装置、电子设备及存储介质。
第一方面,本公开提供了一种网络异常检测方法,该方法包括:判断目标网络指标是
否为周期性指标,得到判断结果;所述目标网络指标为用于确定当前网络是否异常的关键网络指标中的任意一个;基于所述判断结果,选择目标阈值算法,并基于所述目标阈值算法和当前网络中任一子网的目标网络指标数据,确定所述任一子网的目标网络指标对应的目标阈值区间;所述目标网络指标数据包括所述目标网络指标在第一预设时间段内的时间序列数据;以及在所述当前网络中任一子网的目标网络指标的实时取值超过所述目标阈值区间的情况下,则确定当前网络异常并定位所述任一子网下的严重故障小区。
第二方面,本公开提供了一种网络异常检测装置,所述装置包括:判断单元,被配置为判断目标网络指标是否为周期性指标,得到判断结果;所述目标网络指标为用于确定当前网络是否异常的关键网络指标中的任意一个;确定单元,被配置为基于所述判断结果,选择目标阈值算法,并基于所述目标阈值算法和当前网络中任一子网的目标网络指标数据,确定所述任一子网的目标网络指标对应的目标阈值区间;所述目标网络指标数据包括所述目标网络指标在第一预设时间段内的时间序列数据;以及异常检测单元,被配置为在所述当前网络中任一子网的目标网络指标的实时取值超过所述目标阈值区间的情况下,则确定当前网络异常并定位所述任一子网下的严重故障小区。
第三方面,本公开提供了一种电子设备,包括处理器、通信接口、存储器和通信总线,处理器、通信接口、存储器通过通信总线完成相互间的通信;存储器,存放计算机程序;处理器,执行存储器上所存放的程序时,实现第一方面所述的网络异常检测方法。
第四方面,本公开提供了一种计算机可读存储介质,其上存储有计算机程序,所述计算机程序被处理器执行时实现如第一方面所述的网络异常检测方法。
此处的附图被并入说明书中并构成本说明书的一部分,示出了符合本公开的实施例,并与说明书一起用于解释本公开的原理。
为了更清楚地说明本公开实施例或相关技术中的技术方案,下面将对实施例或相关技术描述中所需要使用的附图作简单地介绍,显而易见地,对于本领域普通技术人员而言,在不付出创造性劳动性的前提下,还可以根据这些附图获得其他的附图。
图1为本公开实施例提供的一种网络异常检测方法的流程示意图;
图2为本公开实施例提供的一种网络异常检测流程的示意图;
图3为本公开实施例提供的一种网络异常检测系统的示意图;
图4为本公开实施例提供的一种网络异常检测装置的示意图;以及
图5为本公开实施例提供的一种电子设备的结构示意图。
为使本公开实施例的目的、技术方案和优点更加清楚,下面将结合本公开实施例中的
附图,对本公开实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本公开的一部分实施例,而不是全部的实施例。基于本公开中的实施例,本领域普通技术人员在没有做出创造性劳动的前提下所获得的所有其他实施例,都属于本公开保护的范围。
为了解决无法自动、实时地进行网络异常检测并进行故障关联分析的问题,本公开实施例提供了一种网络异常检测方法,应用于任一设备中,该任一设备可与当前网络直接或间接通信。如图1所示,该网络异常检测方法包括步骤101至步骤104。
步骤101:判断目标网络指标是否为周期性指标。
目标网络指标为用于确定当前网络是否异常的关键网络指标中的任意一个。
在一些可能的实现方式中,用于确定当前网络是否异常的关键网络指标的数量为至少一个。
在一些实施例中,以预设采样点数为周期,基于任一子网的目标网络指标数据和FFT频谱进行判断,确定目标网络指标是否为周期性指标。
一般地,网络中子网的数量为多个。上述任一子网为当前网络的子网中的任意一个。
另外,上述目标网络指标数据包括目标网络指标在第一预设时间段内的时间序列数据。第一预设时间段是当前时刻之前的一段时间,第一预设时间段的时间长度可以是根据经验值确定的,也可以是随机确定的。并且,第一预设时间段的时间长度可以是固定的,也可以是针对不同的目标网络指标确定的。
在一些可能的实现方式中,在判断目标网络指标是否为周期性指标之前,即执行步骤101之前,先采集网元上报至网管的性能数据,从采集到的性能数据中获取第一预设时间段内的各个小区计数器数据。随后,对获取到的第一预设时间段内的各个小区的计数器数据进行汇总,得到各个子网的计数器数据。最后,基于网络指标的计算公式将各个子网的计数器数据转化为各个子网的网络指标数据。
在基于网络指标的计算公式将各个子网的计数器数据转化为各个子网的网络指标数据之后,对各个子网的网络指标数据进行数据预处理,包括填补缺失值和去极值等操作。这样的话,通过对各个子网的网络指标数据进行数据预处理可以保证数据的完整性,并去除极端值的干扰,从而保证基于该网络指标数据所确定的目标阈值区间的准确性和可靠性,更进一步地,可以有效保证基于该目标阈值区间进行网络异常检测的准确性。
在汇总得到各个子网的计数器数据前,先确定子网对象例如任一子网,以及目标网络指标,并在汇总得到各个子网的计数器数据后,基于目标网络指标的计算公式,将任一子网的计数器数据转化为该任一子网的目标网络指标数据。这样,在得到各个子网的计数器数据后,仅对选定的任一子网的目标网络指标对应的计数器数据进行转化,得到所需的任一子网的目标网络指标数据,可以较好地减少数据处理量,减少数据处理时延,从而提高
确定当前网络中任一子网的目标网络指标对应的目标阈值区间的效率。
或者,在采集网元上报至网管的性能数据之前,确定子网对象例如任一子网以及目标网络指标。这样的话,可以在采集性能数据、获取小区计数器数据、汇总子网的计数器数据或者转化得到子网的网络指标数据的过程中,仅针对任一子网和目标网络指标对应的数据进行处理,从而更好的减少数据处理量,减少数据处理时延,提高确定当前网络中任一子网的目标网络指标对应的目标阈值区间的效率。
示例性地,第一预设时间段可以为例如15天。
上述对计数器数据进行汇总的方式可以为求和或取平均值等。
在一些可能的实现方式中,上述子网对象和目标网络指标可以是由用户确定的。确定子网对象和目标网络指标后,执行本公开中的步骤101至104。
示例性地,以一天的采样点数period为周期,基于FFT频谱,对目标网络指标是否为周期性指标进行判断,过程如下。首先,对任一子网的目标网络指标数据去趋势,保证数据长度>=2*period,即目标网络指标数据至少包括目标网络指标两个周期的取值。随后,对目标网络指标数据进行FFT变换,FFT变换的长度为fft_size,经过FFT变换后,频谱[1,fft_size/4]中最大峰值频点f对应的周期为T,且period%T=0。频谱的右边界fft_size/4可以保证f对应的周期T>4。最后,记录f对应的频谱增值为fft_amp,并经过计算变换后得到频谱均值fft_mean和方差fft_std。若f对应的频谱均值fft_amp大于预设值和方差fft_std之积与频谱均值fft_mean的和,即fft_amp>fft_mean+period_check_ratio*fft_std,则该目标网络指标数据成周期性特征,即该目标网络指标数据对应的目标网络指标为周期性指标。一般情况下,预设值period_check_ratio默认配置为3,可用于确定目标网络指标是否为周期性指标。
这样的话,可基于历史采集到的网络指标的时间序列数据,在未知该网络指标是否为周期性指标的情况下,通过对采集到的该网络指标的时间序列数据进行分析,确定该网络指标是否为周期性指标,便于针对性的选择目标阈值算法,确定该网络指标所对应的目标网络阈值,从而通过监测该网络指标的变化实现对当前网络的监测。
或者,在一些实施例中,网络指标的相关信息中包括例如可指示网络指标是否为周期性指标的标签。这样的话,可基于目标网络指标的相关信息中的标签,来确定该目标网络指标是否为周期性指标。
步骤102:基于判断结果,选择目标阈值算法。
在一些实施例中,基于判断结果的不同,所选择的目标阈值算法不同。
在一些可能的实现方式中,判断结果表示目标网络指标为周期性指标,或者,判断结果表示目标网络指标为非周期性指标。
此时,若判断结果表示目标网络指标为周期性指标,则选择第一预测算法和第一阈值算法为目标阈值算法;若判断结果表示目标网络指标为非周期性指标,则选择第二阈值算法为目标阈值算法。
也就是说,根据网络指标的时间序列数据是否具有周期性特征,即网络指标的时间序列数据的数据类型为周期数据还是非周期数据,来为该网络指标选择合适的训练对应的阈值区间的算法,至少包括阈值算法(或者说上下阈值算法),还可以包括预测算法(或者说预测值算法)。
在另一些可能的实现方式中,判断结果表示目标网络指标为非周期性指标时,基于判断结果,选择目标阈值算法,还包括选择第二预测算法为目标预测算法。
也就是说,在判断结果表示目标网络指标为非周期性指标时,将第二预测算法与第二阈值算法一并作为目标阈值算法。
此时,可基于任一子网的目标网络指标数据与第二预测算法,对目标网络指标的实时取值进行预测,得到该任一子网的目标网络指标的实时取值对应的预测值。
或者,此时,可基于任一子网的目标网络指标对应的目标阈值区间的上阈值和下阈值,以及第二预测算法,对目标网络指标的实时取值进行预测,得到该任一子网的目标网络指标的实时取值对应的预测值。
基于任一子网的目标网络指标数据与第二预测算法,对目标网络指标的实时取值进行预测时,可先基于类似于Olympic算法的第二预测算法,确定任一子网的目标网络指标数据中当前时刻之前一定时间长度(例如n天)内相同时刻(即当前时刻)的所有取值的均值,随后,将该均值确定为该任一子网的目标网络指标的实时取值对应的预测值。
或者,基于任一子网的目标网络指标数据与第二预测算法,对目标网络指标的实时取值进行预测时,可先基于第二预测算法,确定任一子网的目标网络指标数据中当前时刻之前一定时间长度(例如n天)内所有取值的均值,随后,将该均值确定为该任一子网的目标网络指标的实时取值对应的预测值。
可基于任一子网的目标网络指标对应的目标阈值区间的上阈值和下阈值,以及第二预测算法,对目标网络指标的实时取值进行预测时,可先基于第二预测算法,确定该目标网络指标对应的目标阈值区间的上阈值和下阈值的均值,随后,将该均值确定为该任一子网的目标网络指标的实时取值对应的预测值。
也就是说,第二预测算法可以是取均值的算法,基于选择的不同,可以对不同的数据取均值,从而得到任一子网的目标网络指标的实时取值对应的预测值。不同的数据并不局限于上述提到的数据。
表1
示例性地,网络指标的时间序列数据的数据类型与阈值算法、预测算法之间的对应关系,可如上表1所示。与数据类型中周期数据对应的预测算法和阈值算法,即第一预测算法和第一阈值算法,分别为Olympic算法和自适应Ksigma算法,与数据类型中非周期数据对应的预测算法和阈值算法,即第二预测算法和第二阈值算法,分别为阈值均值算法和核密度估计(kernel density estimation,KDE)算法。
需要说明的是,Olympic算法用于周期序列的预测,是一个简单的窗口模型,以之前N个周期对应点的平均值来当作下一个点的预测值。另外,相比于固定的Ksigma算法,本公开中所采用的自适应Ksigma算法,更能适应不同分布的数据,降低误报率。
步骤103:基于目标阈值算法和当前网络中任一子网的目标网络指标数据,确定该任一子网的目标网络指标对应的目标阈值区间。
在一些实施例中,判断结果表示目标网络指标为周期性指标时,则基于任一子网的目标网络指标数据和第一预测算法,对目标网络指标的周期中各个采样点的取值进行拟合预测,得到预测周期序列,并确定目标网络指标的周期中的各个采样点的拟合误差均方根。随后,基于预测周期序列、任一子网的目标网络指标数据、各个采样点的拟合误差均方根和第一阈值算法,对目标网络指标的周期中各个采样点对应的阈值区间进行训练,得到各个采样点对应的目标阈值区间。
示例性地,以表1中周期数据对应的第一预测算法和第一阈值算法,即Olympic算法和自适应Ksigma算法为例。
基于Olympic算法对任一子网的目标网络指标数据进行处理的步骤包括:已知目标网络指标的原始序列(即上述任一子网的目标网络指标数据)raw_list,周期为period,训练周期数为number_period。从训练数据,即原始序列中第二个周期开始的数据中,对于第i个(采样)点的拟合值,取当前值之前number_period(以下简称为n)个周期中的对应点的平均值作为拟合值(即预测值),得到预测序列(即预测周期序列)pred_list,并(针对预测序列中的各个采样点)计算拟合误差均方根rmse。
基于自适应Ksigma算法对目标网络指标对应的目标阈值区间进行调整的步骤包括以下1至3共3点。
1、配置参数,如下表2所示。
sensitivity即敏感度,默认为0;incr即K值步长,默认为0.1;max_sigma即K值上
限,默认为6.0。
表2
2、针对预测序列中的每一采样点,初始化K=3,输入原始序列raw_list和预测序列pred_list,对于上边框upper_threshold=K*rmse,计算raw_list的训练数据,即number_period对应的周期数据,和pred_list中对应值相差的绝对值大于upper_threshold的(采样)点数m;如果m/n>=sensitivity且K<max_sigma,则K=K+incr,返回重新确定上边框并计算m,否则输出当前的加框阈值即上边框upper_threshold。
对于下边框lower_threshold=K*rmse,计算raw_list的训练数据和pred_list中对应值相差的绝对值小于lower_threshold的(采样)点数q;如果q/n>=sensitivity且K<max_sigma,则K=K+incr,返回重新计算下边框q,否则输出当前的加框阈值即下边框lower_threshold。
3、针对预测序列中的每一采样点,确定对应的上边框和下边框后,对Olympic算法得到的预测值即预测序列中对应采样点的值,进行加框,得到目标网络指标对应的训练结果,即该目标网络指标对应的目标阈值区间。
也就是说,对于周期性的任一子网的目标网络指标数据,先基于第一预测算法得到预测值,然后基于第一阈值算法,调整阈值框的大小,使得历史数据异常点的比例达到期望敏感度,从而得到相应的阈值。
需要说明的是,基于上述过程,可基于任一子网的周期性的目标网络指标数据,确定该任一子网的周期性的目标网络指标的周期中任一采样点对应的目标阈值区间,使得在当前网络下可基于该任一子网的目标网络指标的实时取值,以及该实时取值所对应的目标网络指标的目标阈值区间,来对该任一子网的目标网络指标是否异常进行监测,进而确定当前网络是否异常。
在一些实施例中,判断结果表示目标网络指标为非周期性指标时,则基于第二阈值算法,采用高斯核对任一子网的目标网络指标数据进行核密度估计,并确定累积分布函数。随后,基于第二阈值算法,根据累积分布函数进行计算,确定目标网络指标在第一分位数对应的第一取值,和目标网络指标在第二分位数对应的第二取值,第一分位数大于第二分位数。最后,将第一取值和第二取值,分别确定为目标网络指标对应的目标阈值区间的上阈值和下阈值。
在一些可能的实现方式中,判断结果表示目标网络指标为非周期性指标时,还基于上述提到的第二预测算法,来确定该目标网络指标的预测值,或者说该目标网络指标的实时
取值对应的预测值。
示例性地,以表1中非周期数据对应的第二预测算法和第二阈值算法,即阈值均值算法和KDE算法为例。
基于KDE算法,先采用高斯核对训练数据即任一子网的目标网络指标数据进行核密度估计,从而计算累积分布函数。随后,确定累积分布函数,即确定累积分布函数的查找范围range和查找步长step,range=[min_data-3*bw,max_data+3*bw],step=range/num_data,min_data是训练数据中的最小值,max_data是训练数据的最大值,bw是高斯核的带宽,num_data是训练数据的个数(或者说采样点数)。最后,根据累积分布函数求99.7%和0.3%分位数的值作为上下阈值。
基于阈值均值算法,对基于KDE算法确定的上下阈值取均值,作为相应目标网络指标的预测值。
也就是说,对于非周期性的任一子网的目标网络指标数据,先基于第二阈值算法生成阈值区间,再基于第二预测算法,确定均值为预测值。关于基于第二预测算法确定均值为预测值的过程可参见上述内容,在此不进行赘述。
需要说明的是,通过上述过程,本公开可基于第二阈值算法,来对任一子网中非周期性的目标网络指标进行目标阈值区间的确定,实现针对性确定目标网络指标对应的目标阈值区间的效果,更好的保证网络异常监测的准确性。
步骤104:若当前网络中任一子网的目标网络指标的实时取值超过目标阈值区间,则确定当前网络异常并定位该任一子网下的严重故障小区。
相应地,若当前网络中任一子网的目标网络指标的实时取值未超过目标阈值区间,则确定当前网络并无异常,无需进一步定位该任一子网下的严重故障小区。
需要说明的是,通过这一过程,根据实时采集到的数据,结合上述训练得到目标阈值区间对网络异常进行实时检测,这样在当前网络中任一子网的目标网络指标的实时取值超过目标阈值区间时,直接确定当前网络异常,无需进行其他操作,可在有效确定当前网络异常的情况下,减少确定当前网络异常的时延。
在一些实施例中,在当前网络中任一子网的目标网络指标的实时取值超过目标阈值区间后,确定当前网络异常时,首先确定该任一网络的目标网络指标的健康度,然后基于该目标网络指标的健康度,确定当前网络是否异常。
在一些可能的实现方式中,对当前网络中任一子网的目标网络指标的实时取值相对于目标阈值区间的偏离程度进行评分,得到单点偏离程度评分;基于当前时刻之前的第二预设时间段内网络异常的概率,对网络异常程度进行评分,得到异常持续程度评分。随后,对单点偏离程度评分和异常持续程度评分进行加权处理,得到任一子网的目标网络指标的
健康度。
第二预设时间段可以与第一预设时间段相同,也可以不同,且第二预设时间段的时间长度可以是预先确定的,也可以是基于实际工况确定的。并且,第二预设时间段的时间长度可以是固定的时间长度,也可以是针对不同的目标网络指标确定的相同或不同的时间长度。
也就是说,健康度计算是为了评估网络指标异常的严重程度,并过滤轻微异常的场景。健康度对两个方面进行考量,一方面是根据任一子网的网络指标数据偏离对应目标阈值区间的程度作单点偏离程度评分,另一方面是根据历史近期内异常出现的概率进行异常持续程度的评分。两者加权后即为该网络指标的健康度。
当前网络中任一子网的目标网络指标的实时取值相对于其对应的目标阈值区间的偏离程度越大,则对应的单点偏离程度评分越低。
相应地,当前时刻之间的第二预设时间段内网络异常的概率越大,则异常持续程度评分越低。
示例性地,基于j=Q1*dan+Q2*yi,来确定任一子网的目标网络指标的健康度。j表示任一子网的目标网络指标的健康度,Q1为单点偏离程度评分的权重,Q2为异常持续程度评分的权重,dan表示单点偏离程度评分的取值,yi表示异常持续程度评分的取值。
也就是说,任一子网的目标网络指标的健康度越低,则网络异常的可能性越大。
在一些可能的实现方式中,若(任一子网的目标网络指标的)健康度超过预设健康度阈值,则确定当前网络异常。
相应地,若健康度未超过预设健康度阈值,则确定当前网络无异常/正常。
预设健康度阈值可以是自行确定的,根据实际工况确定的。
示例性地,若健康度j<J,则确定当前网络异常;若健康度j>=J,则确定当前网络无异常。其中,J为预设健康度阈值。
通过上述过程,在目标网络指标的健康度不超过(即不低于)预设健康度阈值时,确定当前网络无异常。这样的话,可以忽略掉一些网络轻微异常的场景,避免在网络轻微异常但不影响使用或影响较小的场景下,进行严重故障小区定位或故障处理等,造成资源浪费等问题。
在一些可能的实现方式中,若目标网络指标的健康度低于对应的预设健康度阈值,则视为该目标网络指标异常,上报给用户,并进一步定位出造成该任一子网的目标网络指标异常的严重故障小区。
可以理解的是,关于网络指标是否产生异常以及健康度计算部分,可以简化为仅判断指标的实时数据是否超过训练得到的阈值,如果超出则判定为指标异常,即忽略健康度计
算部分。这是因为健康度计算部分是为了评估指标异常的严重程度,并过滤轻微异常的场景,如果去掉健康度计算部分,也能够正常进行网络指标异常的实时检测。
在一些实施例中,基于任一子网中各个小区的贡献度对各个小区进行筛选,确定任一子网中的严重故障小区。
贡献度用于针对网络指标衡量各个小区对网络指标的取值确定所做出的贡献。
也就是说,定位严重故障小区通过计算每个小区的贡献度进行。
另外,一般情况下,对于常见的网络关键指标,根据计数器数据汇总得到该网络关键指标的公式结构的不同,可以分为比率型指标和计数型指标。
在一些可能的实现方式中,基于目标网络指标的计算公式的结构,确定目标网络指标的类型。若该目标网络指标的类型为比率型,则按照第一规则来确定任一子网中各个小区的贡献度;若该目标网络指标的类型为计数型,则按照第二规则来确定任一子网中各个小区的贡献度。
按照第一规则来确定任一子网中各个小区的贡献度的过程中,基于第一规则,对任一子网中任一小区执行以下操作:基于任一子网的目标网络指标的实时取值、任一子网中任一小区的目标网络指标的实时取值,以及任一子网的目标网络指标偏离对应的目标阈值区间的方向,来确定任一小区的贡献度。
可以基于C=[A-(a1-b1)/(a2-b2)]*d,来确定任一小区的贡献度,C表示任一小区的贡献度,A表示任一子网的目标网络指标的实时取值,a1表示任一子网的目标网络指标的实时取值的分子,a2表示任一子网的目标网络指标的实时取值的分母,b1表示任一小区的目标网络指标的实时取值的分子,b2表示任一小区的目标网络指标的实时取值的分母,d表示任一子网的目标网络指标的实时取值偏离目标阈值区间的方向。
可以理解的是,目标网络指标的实时取值偏离目标阈值区间的方向可以使用±1表示,即上述d的取值为±1。
示例性地,对于比率型指标,其计数器汇总到指标的公式可以视为分子/分母结构,即任一子网下每个小区的该比率型指标,有如下公式:KPI小区=KPI分子小区/KPI分母小区,该任一子网的该比率型指标可以视为是该子网下所有小区的加成分数即KPI子网=(KPI分子小区
1+…+KPI分子小区s)/(KPI分母小区1+…+KPI分母小区s),即该子网下共s个小区。此时,每个小区的贡献度等于从加成分数中剔除该小区数据后产生的波动,即contribution=[KPI子网-(KPI分子子网-KPI分子小区)/(KPI分母子网-KPI分母小区)]*direction。
direction(即上述d)由该比率型指标超出对应目标阈值区间的方向决定,且KPI子网即任一子网的该比率型指标的取值,KPI分子子网即任一子网的该比率型指标的分子,KPI分母子网即任一子网的该比率型指标的分母,KPI分子小区即任一子网中任一小区的该比率型指
标的分子,KPI分母子网即任一子网中该任一小区的该比率型指标的分母。
需要说明的是,加成分数(addition score)是指分子、分母分别相加得到的分数。
另外,按照第二规则来确定任一子网中各个小区的贡献度的过程中,基于第二规则,对任一子网中任一小区执行以下操作:确定任一小区的目标网络指标的实时取值对应的预测值,并基于任一子网的目标网络指标的实时取值和对应的预测值、任一小区的目标网络指标的实时取值和对应的预测值,来确定任一小区的贡献度。
确定任一小区的目标网络指标的实时取值对应的预测值的方式,可参照上述确定任一子网的目标网络指标的实时取值对应的预测值的过程,在此不进行赘述。
可以基于C=(B-b)/(A-a),来确定任一小区的贡献度,C表示任一小区的贡献度,A表示任一子网的目标网络指标的实时取值,B表示任一小区的目标网络指标的实时取值,a表示任一子网的目标网络指标的实时取值对应的预测值,b表示任一小区的目标网络指标实时取值对应的预测值。
示例性地,对于计数型指标,计算小区贡献度时,取该小区该指标历史数据计算预测值,并与子网指标数据进行残差分析。此时,每个小区的贡献度为contribution=(KPI小区-KPI预测值小区)/(KPI子网-KPI预测值子网)。KPI预测值小区为小区的目标网络指标实时取值对应的预测值,KPI预测值子网为小区所在子网的目标网络指标实时取值对应的预测值,KPI小区为小区的目标网络指标实时取值,KPI子网为小区所在子网的目标网络指标实时取值。
可以理解的是,残差(residual)是因变量的观测值与根据估计的回归方程求出的预测之差。残差分析(residual analysis)是指通过残差所提供的信息,分析出数据的可靠性、周期性或其它干扰。
在一些可能的实现方式中,在确定任一小区的贡献度后,基于目标网络指标的类型的不同,采用不同的方式来基于各个小区的贡献度,确定严重故障小区。
目标网络指标的类型为比率型时,先基于贡献度高低对各个小区进行排序,得到小区贡献度排序。然后按照小区贡献度排序,逐个累计剔除小区并重新计算得到任一子网的目标网络指标,直至重新计算得到的任一子网的目标网络指标不超出其对应的目标阈值区间。最后,将剔除的小区确定为任一子网中的严重故障小区。
也就是说,按小区贡献度降序,并逐项累计剔除小区后重新计算子网的指标值,直到子网指标恢复到阈值区间内。被剔除的即为造成子网指标异常的严重故障小区。
示例性地,当前网络的子网A下存在多个小区,以这多个小区中的小区1和小区2为例。子网A的目标网络指标a的取值为a1/a2,小区1的目标网络指标a的取值为a11/a21,小区2的目标网络指标a的取值为a12/a22。小区1的贡献度为a111,小区2的贡献度为a112,a111>a112。对于小区1和小区2,小区1的贡献度排序在小区2的贡献度排序之前,先将
小区1的数据从子网A的目标网络指标a的计算过程中去除,得到新的子网的目标网络指标的取值,即(a1-a11)/(a2-a21),若(a1-a11)/(a2-a21)不位于该目标网络指标的取值对应的目标阈值区间内,继续将小区2的数据从子网A的目标网络指标a的计算过程中去除,得到新的子网的目标网络指标的取值,即(a1-a11-a12)/(a2-a21-a22),若(a1-a11-a12)/(a2-a21-a22)位于该目标网络指标的取值对应的目标阈值区间内,则确定剔除的小区1和小区2为子网A中的严重故障小区,且子网A下的其他小区不是严重故障小区。
目标网络指标的类型为计数型时,基于预设贡献度筛选标准对各个小区筛选,将各个小区中通过筛选的至少一个小区,确定为任一子网中的严重故障小区。
基于预设贡献度筛选标准对各个小区进行筛选,并将通过筛选的至少一个小区确定为任一子网的严重故障小区时,先基于各个小区的贡献度来确定标准贡献度,随后,将各个小区中贡献度超过标准贡献度的小区,确定为任一子网中的严重故障小区。
基于各个小区的贡献度来确定标准贡献度时,可以基于各个小区的贡献度的均值和方差,来确定标准贡献度。
在一些可能的实现方式中,对于任一子网,可先确定其下各个小区的贡献度方差与预设值的乘积,并将该乘积与各个小区的贡献度的均值之和,确定为标准贡献度。
在另一些可能的实现方式中,对于任一子网,可先确定其下贡献度为正的小区,并对这些贡献度为正的小区的贡献度求均值与方差,随后,确定该方差和预设值的乘积,并将该乘积和该均值的和,确定为标准贡献度。
示例性地,预设值为3。
示例性地,确定各个小区的贡献度后,取所有贡献度为正的小区,以均值+3*std为小区的预设贡献度筛选标准即预设贡献度,即可输出严重故障小区的结果。可以是将贡献度为正的各个小区中,贡献度超出预设贡献度的小区,确定为该小区所在子网中的严重故障小区。均值+3*std中的均值和std分别是贡献度为正的小区的贡献度的均值和std。
这样的话,基于指标的不同类型,即比率型和计数型,可采用不同的方式进行指标的计算,得到相应的指标的贡献度,从而针对性的确定由于不同网络指标异常导致的网络异常情况下的严重故障小区,提高定位网络异常原因的准确度。
当然,上述标准贡献度也可以是不急于小区贡献度而随机确定的。
在一些实施例中,在定位严重故障小区后,可生成网络异常检测信息。随后,将网络异常检测信息发送给用户,以使得用户及时发现网络异常以及网络异常原因。
在一些可能的实现方式中,基于网络异常检测结果、任一子网的信息,生成网络异常检测信息。
在一些可能的实现方式中,基于网络异常检测结果、任一子网的信息与任一子网中严
重故障小区的信息,生成网络异常检测信息。即,该网络异常检测信息包括网络异常检测结果、任一子网的信息与任一子网中严重故障小区的信息。
严重故障小区的信息包括严重故障小区的标识、位置、所属子网等信息。任一子网的信息包括该任一子网的标识、位置、所属网络等信息。
在另一些可能的方式中,网络异常检测结果还可以包括目标网络指标的健康度等信息。
当然,网络异常检测信息中还包括所检测的目标网络指标的信息等。目标网络指标的信息包括目标网络指标的名称、标识、计算公式、实时取值等信息。
通过上述过程,将实时的检测结果即当前网络是否异常,以及关联分析结果即当前网络异常时的严重故障小区等信息,反馈给用户,从而可以很好的帮助用户实时监测网络状况,及时发现网络异常情况。
最后,还需要说明的是,通过上述过程,本公开可实现网络关键指标的自动监测,且支持对每个网络关键指标单独进行训练和检测。(基于任一网络关键指标对网络是否异常进行监测的过程中)在网络关键指标的选择上的自由度更高,可以更加全面的监测网络状态。其次,本公开能够迅速响应网络突发故障,提供各指标的异动情况,用户可以参考各指标的变化情况分析网络异常原因。再次,本公开可在在计算资源受限无法监控全网小区时,通过对子网进行异常检测后再定位造成子网异常的严重故障小区,大幅提高网络(异常)检测的能力。最后,本公开通过算法定位造成子网异常的严重故障小区,可以帮助用户快速定位网络异常原因,使网络的运维工作智能化、高效化。
示例性地,如图2所示,用户选择需要检测的子网对象(即上述任一子网)和网络指标(即网络关键指标,简称KPI,也即上述目标网络指标)后,基于选定的子网对象和网络指标进行网络异常检测。首先,进行历史数据采集(采集子网对象的历史数据),并对采集到的历史数据进行数据预处理。随后,基于进行数据预处理后的数据对目标网络指标进行周期性判断。如果是周期性的,则基于Olympic算法生成预测值,并基于Ksigma算法生成阈值框宽,进而计算上下阈值,得到训练结果,即该目标网络指标所对应的目标阈值区间;如果是非周期性的,则基于KDE算法生成阈值,并基于(阈值)均值生成预测值,得到训练结果,即目标网络指标所对应的目标阈值区间。再之后,进行实时数据采集,基于采集到的目标网络指标的实时取值,进行阈值判断。若不超过目标阈值区间,则结束本次检测;若超过目标阈值区间,则进行目标网络指标的健康度计算,得到该目标网络指标的健康度,并进行健康度判断。若健康度未超过预设健康度,则结束本次检测;若健康度超过预设健康度,则定位严重故障小区,即进行Topn小区计算,并上报用户,即将本次网络异常情况上报给用户,以便于用户进行网络异常原因分析,对异常网络进行维护等。
可以理解的是,每次在进行网络异常检测时,均顺序执行上述步骤,可实现对目标阈
值区间的实时更新,保证目标阈值区间的实时性,提高基于该目标阈值区间进行网络异常检测的准确性。
但是,上述步骤101至103也可以不是每次进行网络异常检测都执行的,而是每间隔一定时间,基于当前时刻之前的历史数据执行步骤101至103,实现目标阈值区间的周期性更新,减少新产生历史数据较少的情况下,多次重复更新目标阈值区间所造成的资源浪费。
示例性地,基于历史数据中第一时间段的数据执行步骤101至103,确定目标阈值区间,得到阈值区间1,在第二时间段内基于该阈值区间1,进行网络异常检测。经过第二时间段后,基于历史数据中即第三时间段的数据执行步骤101至103,重新确定目标阈值区间,得到阈值区间2,在第四时间段内基于该阈值区间2,进行网络异常检测。
需要说明的是,基于选择的不同,可同时对多个目标网络指标和/或多个子网的目标网络指标进行自动检测,从而尽可能准确的识别网络异常。可以在确定超过第一预设数量个的子网的目标网络指标异常的情况下,确定网络异常,或者在确定任一子网的超过第二预设数量个的目标网络指标异常的情况下,确定网络异常,以进一步保证网络异常检测的准确性和可靠性。
示例性地,本公开可应用于如图3所示的网络异常检测系统中。如图3所示,该网络异常检测系统包括数据采集模块、训练模块以及检测模块。
数据采集模块由网元、网管、网络管理系统构成,用于采集和处理网元上报到网管的性能数据。从性能数据中得到小区的计数器数据,用求和或取平均的方式汇总成子网的计数器数据,然后根据网络指标的公式将计数器数据转化成子网的网络指标数据。分成历史数据采集和实时数据采集两个部分,历史数据采集的结果用作时间序列的训练集,实时数据采集的结果用作异常检测(测试集)。
在实际通信业务中,有些网络指标带有一定的周期涨落现象,比如白天与晚上业务场景不同。训练模块,被配置为判断网络指标历史数据是否呈周期性特征,并给出两套不同的训练算法,得到网络指标未来一段时间的预测值和正常工作的阈值区间(即上述目标阈值区间)。
检测模块,该模块基于训练得到的阈值区间和实时数据采集的性能数据进行检测。如果实时数据超出了阈值区间,则分别计算子网指标数据偏离阈值区间的程度作为单点偏离程度评分、子网历史近期内异常出现的概率作为异常持续程度评分,然后加权平均得到该子网指标的健康度。根据健康度情况决定子网指标是否异常,并上报给用户。如果子网指标产生异常,该模块根据故障小区关联算法(即上述第一规则或第二规则)进一步定位出造成子网指标异常的严重故障小区。
如图3所示,检测模块可进一步划分为异动检测子模块和故障小区关联子模块。异动检测子模块被配置为检测指标是否异常,进而确定网络是否异常;故障小区关联子模块,被配置为根据故障小区关联算法定位出造成子网指标异常的严重故障小区。
如图4所示,本公开实施例提供了一种网络异常检测装置,该装置包括判断单元401、确定单元402和异常检测单元403。
判断单元401,被配置为判断目标网络指标是否为周期性指标,得到判断结果;目标网络指标为用于确定当前网络是否异常的关键网络指标中的任意一个。
确定单元402,被配置为基于判断结果,选择目标阈值算法,并基于目标阈值算法和当前网络中任一子网的目标网络指标数据,确定任一子网的目标网络指标对应的目标阈值区间;目标网络指标数据包括目标网络指标在第一预设时间段内的时间序列数据。
异常检测单元403,被配置为若当前网络中任一子网的目标网络指标的实时取值超过目标阈值区间,则确定当前网络异常并定位任一子网下的严重故障小区。
如图5所示,本公开实施例提供了一种电子设备,包括处理器501、通信接口502、存储器503和通信总线504。处理器501、通信接口502、存储器503通过通信总线504完成相互间的通信。存储器503,存放计算机程序。
在本公开一些实施例中,处理器501,用于执行存储器503上所存放的程序时,实现前述任意一个方法实施例提供的网络异常检测方法。
本公开实施例还提供了一种计算机可读存储介质,其上存储有计算机程序,计算机程序被处理器执行时实现如前述任意一个方法实施例提供的网络异常检测方法。
本公开实施例提供的上述技术方案与相关技术相比具有如下优点。本公开实施例提供的该网络异常检测方法,基于用于确定当前网络是否异常的关键网络指标中的任意一个即目标网络指标,是否为周期性指标,选择目标阈值算法,并基于该目标阈值算法和任一子网的目标网络指标在第一预设时间段内的时间序列数据,来确定该任一子网下的目标网络指标对应的目标阈值区间,进而基于该任一子网的目标网络指标的实时取值和对应的目标阈值区间,确定当前网络是否异常,实现网络异常的实时、自动检测,在此基础上,定位该任一子网下的严重故障小区,可以较为高效的完成网络异常检测和网络异常的分析工作。
需要说明的是,在本文中,诸如“第一”和“第二”等之类的关系术语仅仅用来将一个实体或者操作与另一个实体或操作区分开来,而不一定要求或者暗示这些实体或操作之间存在任何这种实际的关系或者顺序。而且,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、物品或者设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、物品或者设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不
排除在包括要素的过程、方法、物品或者设备中还存在另外的相同要素。
以上所述仅是本公开的具体实施方式,使本领域技术人员能够理解或实现本公开。对这些实施例的多种修改对本领域的技术人员来说将是显而易见的,本文中所定义的一般原理可以在不脱离本公开的精神或范围的情况下,在其它实施例中实现。因此,本公开将不会被限制于本文所示的这些实施例,而是要符合与本文所公开的原理和新颖特点相一致的最宽的范围。
Claims (20)
- 一种网络异常检测方法,包括:判断目标网络指标是否为周期性指标,得到判断结果;所述目标网络指标为用于确定当前网络是否异常的关键网络指标中的任意一个;基于所述判断结果,选择目标阈值算法,并基于所述目标阈值算法和当前网络中任一子网的目标网络指标数据,确定所述任一子网的目标网络指标对应的目标阈值区间;所述目标网络指标数据包括所述目标网络指标在第一预设时间段内的时间序列数据;以及在所述当前网络中任一子网的目标网络指标的实时取值超过所述目标阈值区间的情况下,则确定当前网络异常并定位所述任一子网下的严重故障小区。
- 根据权利要求1所述的网络异常检测方法,其中,所述判断目标网络指标是否为周期性指标,得到判断结果,包括:以预设采样点数为周期,基于所述任一子网的目标网络指标数据和FFT频谱进行判断,确定所述目标网络指标是否为周期性指标。
- 根据权利要求1所述的网络异常检测方法,其中,所述基于所述判断结果,选择目标阈值算法,包括:在所述判断结果表示所述目标网络指标为周期性指标的情况下,则选择第一预测算法和第一阈值算法为目标阈值算法;以及在所述判断结果表示所述目标网络指标为非周期性指标的情况下,则选择第二阈值算法为目标阈值算法。
- 根据权利要求3所述的网络异常检测方法,其中,在所述判断结果表示所述目标网络指标为周期性指标的情况下,所述基于所述目标阈值算法和当前网络中任一子网的目标网络指标数据,确定所述任一子网的目标网络指标对应的目标阈值区间,包括:基于所述任一子网的目标网络指标数据和所述第一预测算法,对目标网络指标的周期中各个采样点的取值进行拟合预测,得到预测周期序列,并确定目标网络指标的周期中的各个采样点的拟合误差均方根;以及基于所述预测周期序列、所述任一子网的目标网络指标数据、各个采样点的拟合误差均方根和所述第一阈值算法,对目标网络指标的周期中各个采样点对应的阈值区间进行训练,得到所述各个采样点对应的目标阈值区间。
- 根据权利要求3所述的网络异常检测方法,其中,在所述判断结果表示所述目标网络指标为非周期性指标的情况下,所述基于所述 目标阈值算法和当前网络中任一子网的目标网络指标数据,确定所述任一子网的目标网络指标对应的目标阈值区间,包括:基于所述第二阈值算法,采用高斯核对所述任一子网的目标网络指标数据进行核密度估计,并确定累积分布函数;基于所述第二阈值算法,根据所述累积分布函数进行计算,确定目标网络指标在第一分位数对应的第一取值,和目标网络指标在第二分位数对应的第二取值;所述第一分位数大于所述第二分位数;以及将所述第一取值和所述第二取值,分别确定为所述目标网络指标对应的目标阈值区间的上阈值和下阈值。
- 根据权利要求5所述的网络异常检测方法,其中,在所述判断结果表示所述目标网络指标为非周期性指标的情况下,所述基于所述判断结果,选择目标阈值算法,还包括:选择第二预测算法为目标阈值算法;所述方法还包括:基于所述任一子网的目标网络指标数据与所述第二预测算法,或者,基于所述目标网络指标对应的目标阈值区间的上阈值和下阈值与所述第二预测算法,对目标网络指标的实时取值进行预测,得到所述任一子网的目标网络指标的实时取值对应的预测值。
- 根据权利要求1所述的网络异常检测方法,其中,所述确定当前网络异常,包括:对所述当前网络中任一子网的目标网络指标的实时取值相对于所述目标阈值区间的偏离程度进行评分,得到单点偏离程度评分;基于当前时刻之前的第二预设时间段内网络异常的概率,对网络异常程度进行评分,得到异常持续程度评分;对所述单点偏离程度评分和所述异常持续程度评分进行加权处理,得到所述任一子网的目标网络指标的健康度;以及在所述健康度超过预设健康度阈值的情况下,则确定当前网络异常。
- 根据权利要求3所述的网络异常检测方法,其中,所述定位所述任一子网下的严重故障小区,包括:基于所述任一子网中各个小区的贡献度对所述各个小区进行筛选,确定所述任一子网中的严重故障小区。
- 根据权利要求8所述的网络异常检测方法,其中,所述基于所述任一子网中各个小区的贡献度对所述各个小区进行筛选,确定所述任一子网中的严重故障小区之前,所述方法还包括:基于目标网络指标的计算公式的结构,确定所述目标网络指标的类型;在所述目标网络指标的类型为比率型的情况下,则按照第一规则来确定所述任一子网中各个小区的贡献度;以及在所述目标网络指标的类型为计数型的情况下,则按照第二规则来确定所述任一子网中各个小区的贡献度。
- 根据权利要求9所述的网络异常检测方法,其中,所述按照第一规则来确定所述任一子网中各个小区的贡献度,包括:基于所述第一规则,对所述任一子网中任一小区执行以下操作:基于所述任一子网的目标网络指标的实时取值、所述任一子网中任一小区的目标网络指标的实时取值,以及所述任一子网的目标网络指标偏离对应的目标阈值区间的方向,来确定所述任一小区的贡献度。
- 根据权利要求10所述的网络异常检测方法,其中,所述确定所述任一小区的贡献度,包括:基于C=[A-(a1-b1)/(a2-b2)]*d,来确定所述任一小区的贡献度;其中,C表示所述任一小区的贡献度,A表示所述任一子网的目标网络指标的实时取值,a1表示所述任一子网的目标网络指标的实时取值的分子,a2表示所述任一子网的目标网络指标的实时取值的分母,b1表示所述任一小区的目标网络指标的实时取值的分子,b2表示所述任一小区的目标网络指标的实时取值的分母,d表示所述任一子网的目标网络指标的实时取值偏离所述目标阈值区间的方向。
- 根据权利要求9所述的网络异常检测方法,其中,所述按照第二规则来确定所述任一子网中各个小区的贡献度,包括:基于所述第二规则,对所述任一子网中任一小区执行以下操作:确定所述任一小区的目标网络指标的实时取值对应的预测值,并基于所述任一子网的目标网络指标的实时取值和对应的预测值、所述任一小区的目标网络指标的实时取值和对应的预测值,来确定所述任一小区的贡献度。
- 根据权利要求12所述的网络异常检测方法,其中,所述确定所述任一小区的贡献度,包括:基于C=(B-b)/(A-a),来确定所述任一小区的贡献度;其中,C表示所述任一小区的贡献度,A表示所述任一子网的目标网络指标的实时取值,B表示所述任一小区的目标网络指标的实时取值,a表示所述任一子网的目标网络指标的实时取值对应的预测值,b表示所述任一小区的目标网络指标实时取值对应的预测值。
- 根据权利要求9所述的网络异常检测方法,其中,在所述目标网络指标的类型为比率型的情况下,所述基于所述任一子网中各个小区的贡献度对所述各个小区进行筛选,确定所述任一子网中的严重故障小区,包括:基于贡献度高低对所述各个小区进行排序,得到小区贡献度排序;按照所述小区贡献度排序,逐个累计剔除小区并重新计算得到所述任一子网的目标网络指标,直至重新计算得到的所述任一子网的目标网络指标不超出其对应的目标阈值区间;以及将剔除的小区确定为所述任一子网中的严重故障小区。
- 根据权利要求9所述的网络异常检测方法,其中,在所述目标网络指标的类型为计数型的情况下,所述基于所述任一子网中各个小区的贡献度对所述各个小区进行筛选,确定所述任一子网中的严重故障小区,包括:基于预设贡献度筛选标准对所述各个小区进行筛选,将所述各个小区中通过筛选的至少一个小区,确定为所述任一子网中的严重故障小区。
- 根据权利要求15所述的网络异常检测方法,其中,所述基于预设贡献度筛选标准对所述各个小区进行筛选,将所述各个小区中通过筛选的至少一个小区,确定为所述任一子网中的严重故障小区,包括:基于各个小区的贡献度均值与方差,确定标准贡献度;以及将所述各个小区中贡献度超过所述标准贡献度的小区,确定为所述任一子网中的严重故障小区。
- 根据权利要求1-16中任一项所述的网络异常检测方法,其中,在所述确定当前网络异常并定位所述任一子网下的严重故障小区之后,所述方法还包括:生成网络异常检测信息,所述网络异常检测信息包括网络异常检测结果、所述任一子网的信息与所述任一子网中严重故障小区的信息;以及将所述网络异常检测信息发送给用户,以使得所述用户及时发现网络异常以及网络异常原因。
- 一种网络异常检测装置,包括:判断单元,被配置为判断目标网络指标是否为周期性指标,得到判断结果;所述目标网络指标为用于确定当前网络是否异常的关键网络指标中的任意一个;确定单元,被配置为基于所述判断结果,选择目标阈值算法,并基于所述目标阈值算法和当前网络中任一子网的目标网络指标数据,确定所述任一子网的目标网络指标对应的目标阈值区间;所述目标网络指标数据包括所述目标网络指标在第一预设时间段内的时间序列数据;以及异常检测单元,被配置为在所述当前网络中任一子网的目标网络指标的实时取值超过所述目标阈值区间的情况下,则确定当前网络异常并定位所述任一子网下的严重故障小区。
- 一种电子设备,包括处理器、通信接口、存储器和通信总线,其中,处理器、通信接口、存储器通过通信总线完成相互间的通信;存储器,其存放计算机程序;以及处理器,其执行存储器上所存放的程序时,实现权利要求1-17中任一项所述的网络异常检测方法。
- 一种计算机可读存储介质,其上存储有计算机程序,其中,所述计算机程序被处理器执行时实现如权利要求1-17中任一项所述的网络异常检测方法。
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211215007.6 | 2022-09-30 | ||
CN202211215007.6A CN117858135A (zh) | 2022-09-30 | 2022-09-30 | 网络异常检测方法、装置、电子设备及存储介质 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2024066331A1 true WO2024066331A1 (zh) | 2024-04-04 |
Family
ID=90475843
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2023/090852 WO2024066331A1 (zh) | 2022-09-30 | 2023-04-26 | 网络异常检测方法、装置、电子设备及存储介质 |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN117858135A (zh) |
WO (1) | WO2024066331A1 (zh) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118296359A (zh) * | 2024-06-05 | 2024-07-05 | 山东德源电力科技股份有限公司 | 一种用于集中器终端具有智能采集系统的电能表 |
CN118348891A (zh) * | 2024-06-06 | 2024-07-16 | 杭州吉越智能科技有限公司 | 基于信息增强的会议智能集中控制方法及系统 |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180285320A1 (en) * | 2017-03-31 | 2018-10-04 | Futurewei Technologies, Inc. | User-level kqi anomaly detection using markov chain model |
CN111459778A (zh) * | 2020-03-12 | 2020-07-28 | 平安科技(深圳)有限公司 | 运维系统异常指标检测模型优化方法、装置及存储介质 |
CN113064796A (zh) * | 2021-04-13 | 2021-07-02 | 上海浦东发展银行股份有限公司 | 一种无监督指标异常检测方法 |
CN114301803A (zh) * | 2021-12-24 | 2022-04-08 | 北京百度网讯科技有限公司 | 网络质量检测方法、装置、电子设备及存储介质 |
CN114528190A (zh) * | 2022-04-21 | 2022-05-24 | 云账户技术(天津)有限公司 | 单指标异常的检测方法、装置、电子设备及可读存储介质 |
-
2022
- 2022-09-30 CN CN202211215007.6A patent/CN117858135A/zh active Pending
-
2023
- 2023-04-26 WO PCT/CN2023/090852 patent/WO2024066331A1/zh unknown
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180285320A1 (en) * | 2017-03-31 | 2018-10-04 | Futurewei Technologies, Inc. | User-level kqi anomaly detection using markov chain model |
CN111459778A (zh) * | 2020-03-12 | 2020-07-28 | 平安科技(深圳)有限公司 | 运维系统异常指标检测模型优化方法、装置及存储介质 |
CN113064796A (zh) * | 2021-04-13 | 2021-07-02 | 上海浦东发展银行股份有限公司 | 一种无监督指标异常检测方法 |
CN114301803A (zh) * | 2021-12-24 | 2022-04-08 | 北京百度网讯科技有限公司 | 网络质量检测方法、装置、电子设备及存储介质 |
CN114528190A (zh) * | 2022-04-21 | 2022-05-24 | 云账户技术(天津)有限公司 | 单指标异常的检测方法、装置、电子设备及可读存储介质 |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118296359A (zh) * | 2024-06-05 | 2024-07-05 | 山东德源电力科技股份有限公司 | 一种用于集中器终端具有智能采集系统的电能表 |
CN118348891A (zh) * | 2024-06-06 | 2024-07-16 | 杭州吉越智能科技有限公司 | 基于信息增强的会议智能集中控制方法及系统 |
Also Published As
Publication number | Publication date |
---|---|
CN117858135A (zh) | 2024-04-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2024066331A1 (zh) | 网络异常检测方法、装置、电子设备及存储介质 | |
EP3557819B1 (en) | Server failure detection method and system | |
EP3691189B1 (en) | Method, apparatus and computer program for predicting fault of optical module | |
CN108123849B (zh) | 检测网络流量的阈值的确定方法、装置、设备及存储介质 | |
US9015312B2 (en) | Network management system and method for identifying and accessing quality of service issues within a communications network | |
CN110428018A (zh) | 一种全链路监控系统中的异常预测方法及装置 | |
CN111262750B (zh) | 一种用于评估基线模型的方法及系统 | |
TWI721693B (zh) | 基於行動物聯網之網路行為異常偵測系統及方法 | |
CN114630352A (zh) | 一种接入设备的故障监测方法和装置 | |
US9235463B2 (en) | Device and method for fault management of smart device | |
CN117439827B (zh) | 一种网络流量大数据分析方法 | |
CN111901134B (zh) | 一种基于循环神经网络模型rnn的预测网络质量的方法和装置 | |
CN114338351B (zh) | 网络异常根因确定方法、装置、计算机设备及存储介质 | |
CN113727092B (zh) | 基于决策树的视频监控质量巡检方法及装置 | |
CN117130851B (zh) | 一种高性能计算集群运行效率评价方法及系统 | |
CN111708672B (zh) | 数据传输方法、装置、设备及存储介质 | |
WO2024066720A1 (zh) | 指标阈值的确定方法、装置、存储介质及电子装置 | |
CN117194171A (zh) | 一种异构云资源全景式异常检测系统 | |
CN110602070A (zh) | 一种网络安全的自动配置管理系统及方法 | |
CN116016288A (zh) | 工业设备的流量监测方法、装置、设备及存储介质 | |
CN112988504A (zh) | 一种报警策略的设定方法、装置、电子设备及存储介质 | |
CN117575176B (zh) | 一种电力数据中异常值的处理方法及系统 | |
CN101651583B (zh) | 一种监控信息管理方法及装置 | |
CN118509527B (zh) | 一种5g核心网多维kpi时间序列的异常检测方法及系统 | |
CN118413388B (zh) | 一种基于网络安全测试的在线评价系统及方法 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 23869586 Country of ref document: EP Kind code of ref document: A1 |