WO2024201607A1 - 時系列異常検知システム - Google Patents

時系列異常検知システム Download PDF

Info

Publication number
WO2024201607A1
WO2024201607A1 PCT/JP2023/011972 JP2023011972W WO2024201607A1 WO 2024201607 A1 WO2024201607 A1 WO 2024201607A1 JP 2023011972 W JP2023011972 W JP 2023011972W WO 2024201607 A1 WO2024201607 A1 WO 2024201607A1
Authority
WO
WIPO (PCT)
Prior art keywords
unit
anomaly
change
detection
time series
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2023/011972
Other languages
English (en)
French (fr)
Japanese (ja)
Inventor
毅彦 溝口
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NEC Corp
Original Assignee
NEC Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by NEC Corp filed Critical NEC Corp
Priority to PCT/JP2023/011972 priority Critical patent/WO2024201607A1/ja
Priority to JP2025509243A priority patent/JPWO2024201607A1/ja
Publication of WO2024201607A1 publication Critical patent/WO2024201607A1/ja
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance

Definitions

  • the present invention relates to a time series anomaly detection system, an output method, an output device, and a recording medium.
  • Patent Document 1 describes a machine learning system that has one or more machine learning models and detects abnormalities and the like of equipment based on sensor data output by one or more sensors that detect the state of the equipment.
  • the machine learning system manages a model identifier unique to the machine learning model that identifies the machine learning model and a sensor identifier specific to the sensor that identifies the sensor that outputs the sensor data, in association with each other.
  • the machine learning system determines an impact degree that represents a change in the trend of sensor data before and after the maintenance work was performed for each maintenance event identifier unique to the maintenance work that identifies the maintenance work performed on the equipment, and manages this impact degree in association with each sensor identifier.
  • the machine learning system then considers that sensors whose impact degree meets a predetermined condition have been affected by the maintenance work, and presents a model identifier that is associated with the sensor identifier of the sensor that meets the condition.
  • Patent Document 2 describes a technology for converting a time series data set, which is a collection of multiple time series data, into a feature vector that indicates the characteristics of the time series data set, making it searchable.
  • one of the objectives of the present invention is to provide a time series anomaly detection system, an output method, an output device, and a recording medium that can solve the above-mentioned problems.
  • a time series anomaly detection system includes: A first acquisition unit that acquires feature amount information based on time-series data of an anomaly detection target; A change detection unit that detects a change in a state of an anomaly detection target; a second acquisition unit that acquires feature amount information based on time-series data after the change detection unit detects a change based on the feature amount information acquired by the first acquisition unit; an anomaly information output unit that outputs anomaly information regarding an anomaly based on the feature amount information acquired from the second acquisition unit and the feature amount information acquired by the first acquisition unit;
  • the configuration has the following:
  • an output method includes: An information processing device, Detecting a change in state in the anomaly detection target; Acquire feature information based on time-series data of the target for anomaly detection, Based on the acquired feature amount information, feature amount information based on the time series data after the change detection is acquired; The system is configured to output anomaly information related to an anomaly based on feature amount information based on the time series data after the change has been detected and feature amount information based on the time series data of the anomaly detection target.
  • an output device includes: A first acquisition unit that acquires feature amount information based on time-series data of an anomaly detection target; A change detection unit that detects a change in a state of an anomaly detection target; a second acquisition unit that acquires feature amount information based on time-series data after the change detection unit detects a change based on the feature amount information acquired by the first acquisition unit; an anomaly information output unit that outputs anomaly information regarding an anomaly based on the feature amount information acquired from the second acquisition unit and the feature amount information acquired by the first acquisition unit;
  • the configuration has the following:
  • a recording medium includes: In the information processing device, Detecting a change in state in the anomaly detection target; Acquire feature information based on time-series data of the target for anomaly detection, Based on the acquired feature amount information, feature amount information based on the time series data after the change detection is acquired;
  • the computer-readable recording medium has recorded thereon a program for implementing a process of outputting anomaly information regarding an anomaly based on feature amount information based on time series data after change detection and feature amount information based on time series data of an anomaly detection target.
  • FIG. 1 is a diagram for explaining an overview of a detection system according to a first embodiment of the present disclosure.
  • FIG. 13 is a diagram illustrating an example of an anomaly score according to a change in a system state.
  • FIG. 2 is a block diagram showing a configuration example of a detection device.
  • FIG. 10 is a diagram for explaining an example of feature extraction and conversion.
  • FIG. 10 is a diagram for explaining an example of anomaly detection.
  • FIG. 10 is a diagram for explaining an example of anomaly detection.
  • 4 is a flowchart showing an example of the operation of the detection device. 4 is a flowchart showing an example of the operation of the detection device. 4 is a flowchart showing an example of the operation of the detection device. 4 is a flowchart showing an example of the operation of the detection device.
  • FIG. 13 is a diagram for explaining an example of the effect of the present invention.
  • FIG. 11 is a diagram illustrating an example of a hardware configuration of a calculation device according to a second embodiment of the present disclosure.
  • FIG. 2 is a block diagram showing an example of the configuration of a calculation device.
  • FIG. 1 is a diagram for explaining an overview of a detection system 100.
  • Fig. 2 is a diagram showing an example of an anomaly score according to a change in a system state.
  • Fig. 3 is a block diagram showing an example of a configuration of a detection device 200.
  • Fig. 4 is a diagram for explaining an example of feature extraction and conversion.
  • Figs. 5 and 6 are diagrams for explaining an example of anomaly detection.
  • Figs. 7 to 9 are flowcharts showing an example of the operation of the detection device 200.
  • Fig. 10 is a diagram for explaining an example of the effect of the present invention.
  • a detection system 100 which is a time series anomaly detection system that detects anomalies based on one or more time series data acquired using one or more sensors.
  • the detection system 100 uses time series segments, which are time series data corresponding to a time window of a certain period, as learning data to learn a model that extracts and outputs features that preserve local distance relationships with respect to the input of the time series segments.
  • the detection system 100 may learn a model using a method such as that described in Patent Document 2.
  • the detection system 100 inputs a learning time series segment to the learned model, thereby acquiring features that are obtained as the output of the model.
  • the detection system 100 stores feature information, which is information corresponding to the acquired feature, in a storage device.
  • feature information is information corresponding to the acquired feature
  • the detection system 100 can store binary codes obtained by converting the feature as the feature information in the storage device.
  • the feature information may be the value of the feature.
  • the detection system 100 inputs the time series segment to be detected into a model to acquire features extracted from the time series segment to be detected.
  • the detection system 100 also acquires binary code, which is feature information, by converting the acquired features using an arbitrary method.
  • the detection system 100 searches the above-mentioned storage device for binary codes similar to the acquired binary code, and calculates an anomaly score according to the distance between the acquired binary code and the result searched for in the storage device.
  • the detection system 100 detects anomalies based on the calculated anomaly score. For example, as described above, the detection system 100 performs anomaly detection using a search method, which is a method of detecting anomalies based on search results for storage devices.
  • the detection system 100 can output anomaly information, such as a calculated anomaly score or an anomaly notification that notifies the user that an anomaly has occurred, according to the detection result.
  • the detection system 100 detects a change in the system state, such as a change in the network configuration in the system that is the target of anomaly detection. Then, the detection system 100 additionally stores feature information according to the detection result.
  • the detection system 100 detects a change in the system state, it starts a process of extracting features from the time series segment after the change in the system state and newly storing binary codes, which are information according to the extracted features, in the storage device. For example, when the system state changes, such as a change in the network configuration, a state that has never been seen before will occur continuously. Therefore, if no measures are taken, as illustrated in FIG. 2, the calculated anomaly score value will increase and false alarms may continue to occur.
  • the detection system 100 accumulates new binary codes according to the detection of the change, as described above. As a result, it becomes possible to perform a search from among search candidates that also include the binary codes accumulated after the change. This allows the detection system 100 to suppress an increase in the anomaly score after a change in the system state.
  • the detection system 100 provisionally extracts features using the model learned before the system state change. Furthermore, if it is determined that a sufficient number of time series segments to be used as learning data have been obtained after the system state has changed, the detection system 100 uses the time series segments after the system state has changed as learning data to re-learn the model used to extract features so that it adapts to the state after the system state has changed. For example, the detection system 100 can re-learn by using the time series segments after the system state has changed as learning data to update the weight parameters of the model.
  • the detection system 100 uses the re-learned adapted model to replace the feature information provisionally added to the storage device.
  • the detection system 100 can replace the feature information provisionally extracted using the model learned before the system state has changed with the feature information extracted using the adapted model.
  • the detection system 100 additionally stores the provisional binary code, and then replaces the provisionally additionally stored binary code in accordance with the adaptation of the model.
  • the detection system 100 can appropriately detect anomalies even when the system state changes, while minimizing the occurrence of periods during which anomalies cannot be detected due to re-learning.
  • FIG. 1 shows an overview of the detection system 100.
  • the detection system 100 has a detection device 200 (output device) which is an information processing device that performs anomaly detection using a search method.
  • the detection device 200 acquires time-series data from various sensors and other external devices.
  • the time-series data may be data in which numerical data such as observation data measured by various sensors at a predetermined period is arranged in order of measurement time.
  • the detection device 200 searches for information similar to feature amount information, which is information according to the feature amount extracted from the acquired time-series data.
  • the detection device 200 searches for binary code, which is the feature amount information.
  • the detection device 200 calculates an anomaly score based on the search results, and detects anomalies according to the calculated result.
  • FIG. 3 shows an example of the configuration of the detection device 200.
  • the detection device 200 has, as main components, for example, an operation input unit 210, a screen display unit 220, a communication I/F unit 230, a storage unit 240, and a calculation processing unit 250.
  • FIG. 3 illustrates an example in which the functions of the detection device 200 are realized using one information processing device.
  • the functions of the detection device 200 may be realized using multiple information processing devices, for example, on the cloud.
  • the detection device 200 may be composed of a calculation device that calculates an anomaly score, and an output device that detects an anomaly based on the anomaly score calculated by the calculation device and outputs the detection result.
  • the detection device 200 may not include some of the configurations exemplified above, such as not having the operation input unit 210 or the screen display unit 220, or may have a configuration other than those exemplified above.
  • the operation input unit 210 is made up of operation input devices such as a keyboard and a mouse.
  • the operation input unit 210 detects the operation of the operator who operates the detection device 200 and outputs the operation to the calculation processing unit 250.
  • the screen display unit 220 is composed of a screen display device such as a liquid crystal display or an organic electroluminescence (EL) display.
  • the screen display unit 220 can display various information stored in the memory unit 240 on the screen in response to instructions from the calculation processing unit 250.
  • the communication I/F unit 230 is composed of a data communication circuit and the like.
  • the communication I/F unit 230 performs data communication with various sensors and other external devices connected via communication lines.
  • the storage unit 240 is a storage device such as a hard disk or memory.
  • the storage unit 240 stores processing information and programs 244 necessary for various processes in the arithmetic processing unit 250.
  • the programs 244 are loaded into the arithmetic processing unit 250 and executed to realize various processing units.
  • the programs 244 are loaded in advance from an external device or recording medium via a data input/output function such as the communication I/F unit 230, and are stored in the storage unit 240.
  • Main information stored in the storage unit 240 includes, for example, model information 241, feature amount information 242, and time series data information 243.
  • the model information 241 includes information about a model that extracts and outputs features that preserve local distance relationships for input time series segments.
  • the model information 241 may include weight parameters and the like included in a trained model such as the one described above.
  • the model included in the model information 241 is trained in advance using training time series segments inside or outside the detection device 200 and stored in the storage unit 240.
  • the model information 241 is updated by the model adaptation unit 257 when, for example, the model adaptation unit 257 determines that a sufficient number of time series segments to be used as training data have been obtained after detecting a change in the system state through processing described below.
  • the model included in the model information 241 may be any model capable of handling time series data.
  • the model may be any of 1D-CNN (1 Dimensional-Convolutional Neural Network), GRU (Gated Recurrent Unit), LSTM (Long Short-Term Memory), Transformer, etc.
  • the loss function used as the learning criterion for the model may be any function that preserves the local similarity relationship between data in the input space.
  • the loss function may be any of Triplet loss, Pairwise loss, Contrastive loss, etc.
  • the model included in the model information 241 may be one that has been trained using a method as described in Patent Document 2.
  • Patent Document 2 discloses an example of model training when Triplet loss or Pairwise loss is used.
  • the feature amount information 242 includes feature amount information that is information according to the feature amount extracted from the time series segment.
  • the feature amount information 242 includes a binary code into which the feature amount is converted using an arbitrary method as the feature amount information.
  • the binary code included in the feature amount information 242 is obtained in advance using an arbitrary method, such as obtaining it from an external device via the communication I/F unit 230, or converting the feature amount extracted by the feature amount extraction unit 252 by the binary code conversion unit 253, and is stored in the storage unit 240.
  • binary code converted by the binary code conversion unit 253 is additionally stored according to the detection result by the change detection unit 254 described later.
  • binary code converted from the feature amount extracted from the time series segment after the system state change is stored.
  • the binary code converted by the binary code conversion unit 253 from the feature amount extracted by the feature amount extraction unit 252 using the model before adaptation by the model adaptation unit 257 is provisionally stored as the feature amount information 242.
  • the model adaptation unit 257 updates the model the provisionally stored binary code is replaced with binary code according to the adapted model by the update unit 258 described later.
  • the time series data information 243 includes one or more time series data acquired by one or more sensors, etc.
  • the time series data may be data in which numerical data such as observation data measured by a sensor at a predetermined interval is arranged in order of measurement time.
  • the time series data information 243 is updated in response to the time series data acquisition unit 251 (described later) acquiring time series data from a sensor or other external device, etc.
  • the arithmetic processing unit 250 has an arithmetic device such as a CPU (Central Processing Unit) and its peripheral circuits.
  • the arithmetic processing unit 250 reads and executes the program 244 from the storage unit 240, thereby implementing various processing units by having the above hardware and the program 244 work together.
  • the main processing units implemented by the arithmetic processing unit 250 include, for example, a time series data acquisition unit 251, a feature extraction unit 252, a binary code conversion unit 253, a change detection unit 254, a storage unit 255, an anomaly detection unit 256, a model adaptation unit 257, an update unit 258, and an output unit 259.
  • the calculation processing unit 250 may have a GPU (Graphic Processing Unit), a DSP (Digital Signal Processor), an MPU (Micro Processing Unit), an FPU (Floating point number Processing Unit), a PPU (Physics Processing Unit), a TPU (Tensor Processing Unit), a quantum processor, a microcontroller, or a combination of these.
  • a GPU Graphic Processing Unit
  • DSP Digital Signal Processor
  • MPU Micro Processing Unit
  • FPU Floating point number Processing Unit
  • PPU Physicals Processing Unit
  • TPU Transsor Processing Unit
  • quantum processor a microcontroller, or a combination of these.
  • the time series data acquisition unit 251 acquires time series data from various sensors included in the detection system 100 and other external devices.
  • the time series data acquisition unit 251 can acquire any time series data from an optical transponder, an optical performance monitor that measures the optical signal to noise ratio (OSNR), etc.
  • the time series data acquisition unit 251 may also acquire time series data from multiple sensors installed in plants, data centers, social infrastructure facilities, etc.
  • the feature extraction unit 252 extracts features based on the time series segments by inputting the time series segments to a model stored as the model information 241. For example, as illustrated in FIG. 4, the feature extraction unit 252 divides the time series data acquired by the time series data acquisition unit 251 into multiple time series segments using a time window of a certain period. The feature extraction unit 252 then inputs each divided time series segment to a trained model to extract features.
  • the feature extraction unit 252 may use any method to perform the division into time series segments. For example, the size of the time window may be set arbitrarily.
  • the feature extraction unit 252 may also divide the time series data into multiple time series segments so that they overlap for an arbitrary period, or may divide the time series data into multiple time series segments so that the time series segments do not overlap.
  • the feature extraction unit 252 extracts features when performing anomaly detection.
  • the feature extraction unit 252 functions as part of a first acquisition unit that acquires feature information based on time-series data.
  • the features extracted by the feature extraction unit 252 can be used when additional storage is performed on the feature information 242 after the change detection unit 254 detects a change in the system state. For example, after detecting a change in the system state, the features extracted by the feature extraction unit 252 can be used both when performing anomaly detection and when additional storage is performed on the feature information 242.
  • the feature extraction unit 252 extracts features using a model stored as model information 241. Therefore, before the weight parameters and the like are updated by the model adaptation unit 257, the feature extraction unit 252 extracts features using a model before adaptation to the change in the system state. In other words, even after the system state changes, before the weight parameters and the like are updated by the model adaptation unit 257, the feature extraction unit 252 extracts features using a model learned before the change in the system state. Furthermore, when the weight parameters and the like are updated by the model adaptation unit 257, thereafter, the feature extraction unit 252 extracts features using a model that has been adapted to the change in the system state.
  • the feature extraction unit 252 can again extract features using the adapted model for the time series segment after the change in the system state is detected.
  • the feature extraction unit 252 can extract features using the pre-adaptation model, and after model adaptation, can extract features using the adapted model.
  • the binary code conversion unit 253 converts the features extracted by the feature extraction unit 252 into binary code, which is information corresponding to the features.
  • the method of conversion to binary code is not particularly limited.
  • the binary code conversion unit 253 may use any method to convert the features extracted by the feature extraction unit 252 into binary code.
  • the binary code conversion unit 253 can function as part of a first acquisition unit that acquires feature information based on time series data.
  • the change detection unit 254 detects changes in the system state.
  • the change detection unit 254 may detect changes in the system state using any means.
  • the change detection unit 254 acquires domain knowledge such as operation information of the system that is the target of anomaly detection from an external device, etc. Then, based on the acquired domain knowledge, the change detection unit 254 detects a change in the system state, such as a change in the network configuration. The change detection unit 254 may also detect a change in the system state based on the time series data acquired by the time series data acquisition unit 251, etc. For example, the change detection unit 254 may detect a change in the system state when it detects a fluctuation in distribution in the time series data using any statistical method, etc.
  • the change detection unit 254 detects a change in the system state using domain knowledge and statistical methods, for example, when the network configuration in the optical network changes.
  • the change detection unit 254 may detect a change in the system state by detecting changes in equipment installed in a plant or other environmental changes using domain knowledge and statistical methods. In this way, the change detection unit 254 may detect any change in state as a change in the system state, in addition to changes in the network configuration.
  • the storage unit 255 stores the binary code converted by the binary code conversion unit 253 as feature information 242 in the memory unit 240 in response to detection of a change in the system state by the change detection unit 254.
  • the storage unit 255 does not store the binary code converted by the binary code conversion unit 253 until the change detection unit 254 detects a change in the system state.
  • the storage unit 255 stores the binary code converted by the binary code conversion unit 253 in the memory unit 240 as feature amount information 242.
  • the storage unit 255 adds and stores in the memory unit 240 as feature amount information 242 the binary code into which the feature amount extracted using the model before adaptation to the change in the system state is converted. Note that the binary code added by the storage unit 255 at this stage is subject to updating by the update unit 258, which will be described later.
  • the storage unit 255 provisionally stores the binary code in the memory unit 240 as feature amount information 242. Furthermore, after model adaptation by the model adaptation unit 257, the storage unit 255 can additionally store in the memory unit 240 as feature information 242 a binary code that converts the features extracted using the model after adapting to the change in the system state.
  • the storage unit 255 may terminate the additional storage process based on any criteria. For example, the storage unit 255 may terminate the additional storage of binary code when it is determined that a predetermined number of additional storages have been performed after detecting a change in the system state.
  • the anomaly detection unit 256 calculates an anomaly score based on the feature amount extracted from the time series segment to be detected, and detects an anomaly based on the calculated result.
  • the anomaly detection unit 256 has a function as a calculation unit that calculates an anomaly score and a function as a detection unit that detects an anomaly based on the calculated result.
  • the anomaly detection unit 256 acquires a binary code corresponding to a feature extracted from a time series segment to be detected from the binary code conversion unit 253. That is, the anomaly detection unit 256 acquires a binary code that is the detection target information from the binary code conversion unit 253. Then, the anomaly detection unit 256 searches the feature amount information 242 for a binary code similar to the acquired binary code. In the case of the present disclosure, the anomaly detection unit 256 may perform the above search using any method. For example, the anomaly detection unit 256 calculates the distance between the acquired binary code and each binary code included in the feature amount information 242.
  • the anomaly detection unit 256 acquires a binary code that satisfies any condition, such as a binary code that has the smallest calculated distance among the binary codes included in the feature amount information 242, as a binary code similar to the acquired binary code. In this way, the anomaly detection unit 256 can function as a second acquisition unit that acquires a binary code that is feature amount information based on the binary code acquired by the binary code conversion unit 253, which is the first acquisition unit.
  • the anomaly detection unit 256 also calculates an anomaly score according to the distance between the acquired binary code and the binary code searched from the storage device. The anomaly detection unit 256 then detects an anomaly based on the calculated anomaly score. For example, the anomaly detection unit 256 compares the calculated anomaly score with a predetermined threshold. The anomaly detection unit 256 detects an anomaly when the calculated anomaly score exceeds the threshold. In this way, the anomaly detection unit 256 calculates an anomaly score to be used when detecting an anomaly, and detects an anomaly based on the calculated anomaly score. The anomaly detection unit 256 may calculate an anomaly score according to the distance using any method.
  • the anomaly detection unit 256 can calculate an anomaly score such that the longer the distance, the larger the value. When the anomaly score is calculated in this way, a larger anomaly score indicates a higher possibility that an anomaly has occurred.
  • the threshold to be compared with the anomaly score may be determined using any method.
  • the search target when the anomaly detection unit 256 detects an anomaly changes depending on various processes such as the detection of a change in the system state by the change detection unit 254, the model adaptation by the model adaptation unit 257, and the replacement by the update unit 258.
  • the anomaly detection unit 256 performs anomaly detection based on the binary code obtained by converting the feature amount extracted using the model before adaptation and the feature amount information 242 stored in advance.
  • the anomaly detection unit 256 After the change detection unit 254 detects a change in the system state, the anomaly detection unit 256 performs anomaly detection based on the binary code obtained by converting the feature amount extracted using the model before adaptation and the feature amount information 242 in which the binary code has been additionally stored by the storage unit 255. At this time, it is desirable for the anomaly detection unit 256 to perform anomaly detection before the storage unit 255 additionally stores the binary code itself to be detected.
  • the model adaptation is performed by the model adaptation unit 257, the binary code temporarily added by the update unit 258 is replaced. As a result, the anomaly detection unit 256 performs anomaly detection based on the binary code obtained by converting the features extracted using the adapted model and the feature information 242 obtained by replacing the provisionally added binary code, as illustrated in FIG. 6.
  • the model adaptation unit 257 checks whether the conditions for performing model adaptation are met. Then, the model adaptation unit 257 performs model adaptation according to the storage result. For example, as a condition for performing model adaptation, the model adaptation unit 257 checks whether a sufficient number of time series segments to be used as learning data have been obtained after the system state has changed. Then, if it is determined that a sufficient number of time series segments have been obtained after the system state has changed, the model adaptation unit 257 performs model adaptation by updating the model information 241.
  • the model adaptation unit 257 uses the time series segments acquired after detecting a change in the system state as learning data to perform model adaptation by updating the weight parameters of the model.
  • the model adaptation unit 257 may update the weight parameters using a learning criterion based on a distance learning loss using a triplet loss, pairwise loss, or the like, as described in Patent Document 2.
  • the model adaptation unit 257 may check whether the conditions for performing model adaptation are met using any method. For example, the criteria for whether a sufficient number of time series segments to be used as learning data have been obtained may be set arbitrarily. Furthermore, the model adaptation unit 257 may check whether the conditions for performing model adaptation are met at any timing, such as by performing the above check at a predetermined interval after the change detection unit 254 detects a change in the system state.
  • the update unit 258 replaces the binary code that was provisionally added. For example, after the model adaptation by the model adaptation unit 257, the update unit 258 acquires the binary code corresponding to the adapted model from the binary code conversion unit 253. In response to this, the update unit 258 replaces the binary code that was provisionally added and stored as the feature amount information 242 with the acquired binary code.
  • the output unit 259 (abnormality information output unit) outputs the detection result by the abnormality detection unit 256, etc.
  • the output unit 259 can output abnormality information such as an abnormality score calculated by the abnormality detection unit 256 or an abnormality notification notifying that an abnormality has occurred, depending on the detection result by the abnormality detection unit 256.
  • the output unit 259 can transmit the abnormality information to an external device via the communication I/F unit 230, or can display the abnormality information on the screen display unit 220, etc.
  • FIG. 7 is a flowchart showing an example of the operation of the detection device 200 when the system state changes.
  • the change detection unit 254 detects a change in the system state (step S101).
  • the change detection unit 254 detects a change in the system state, such as a change in the network configuration, based on domain knowledge, such as operation information of the system that is the target of anomaly detection.
  • the change detection unit 254 may also detect a change in the system state based on time series data acquired by the time series data acquisition unit 251.
  • the storage unit 255 starts additional storage of binary code (step S102). For example, after starting additional storage, the storage unit 255 provisionally stores the binary code converted by the binary code conversion unit 253 as feature information 242 in the memory unit 240 until model adaptation is performed by the model adaptation unit 257. In addition, after model adaptation is performed by the model adaptation unit 257, the storage unit 255 stores the binary code as feature information 242 in the memory unit 240 until an arbitrary termination criterion is met.
  • step S101, No if a change in the system state cannot be detected (step S101, No), the storage unit 255 does not perform the process of step S102.
  • FIG. 8 is a flowchart showing an example of the operation of the detection device 200 when performing model adaptation.
  • the model adaptation unit 257 checks whether the conditions for performing model adaptation are met (step S201). For example, as a condition for performing model adaptation, the model adaptation unit 257 checks whether a sufficient number of time series segments to be used as learning data after a change in the system state have been obtained.
  • the model adaptation unit 257 performs model adaptation (step S202).
  • the model adaptation unit 257 can perform model adaptation by updating the weight parameters of the model using the time series segment acquired after detecting a change in the system state as learning data.
  • the update unit 258 replaces the binary code that was provisionally added (step S203). For example, after the processing of step S202, the update unit 258 acquires the binary code corresponding to the adapted model from the binary code conversion unit 253. In response to this, the update unit 258 replaces the binary code that was provisionally added and stored as the feature amount information 242 with the acquired binary code.
  • step S201 if the condition is not met (Yes in step S201), the model adaptation unit 257 and the update unit 258 do not perform the processes in and after step S202.
  • FIG. 9 is a flowchart showing an example of the operation of the detection device 200 when performing anomaly detection.
  • the feature extraction unit 252 extracts features by inputting the time series segment to be detected to a model stored as model information 241.
  • the binary code conversion unit 253 converts the features extracted by the feature extraction unit 252 into binary code, which is information corresponding to the features (step S301).
  • the anomaly detection unit 256 detects anomalies based on the features extracted from the time series segment to be detected. For example, the anomaly detection unit 256 acquires a binary code corresponding to the features extracted from the time series segment to be detected from the binary code conversion unit 253 (step S302). For example, the anomaly detection unit 256 calculates the distance between the acquired binary code and each binary code included in the feature information 242. Then, the anomaly detection unit 256 acquires a binary code that satisfies an arbitrary condition, such as a binary code with a smallest calculated distance among the binary codes included in the feature information 242, as a binary code similar to the acquired binary code.
  • an arbitrary condition such as a binary code with a smallest calculated distance among the binary codes included in the feature information 242
  • the anomaly detection unit 256 also calculates an anomaly score according to the distance between the acquired binary code and the binary code searched for in the storage device (step S303).
  • the anomaly detection unit 256 may calculate the anomaly score using any method.
  • step S304 If the calculated anomaly score exceeds a predetermined threshold (step S304, Yes), the anomaly detection unit 256 detects an anomaly (step S305). On the other hand, if the calculated anomaly score is equal to or less than the threshold, the anomaly detection unit 256 does not detect an anomaly.
  • the above is an example of the operation of the detection device 200 when detecting an anomaly.
  • the output unit 259 may output anomaly information after the processing of step S305. Note that, as illustrated in Figs. 5 and 6, the search target when the anomaly detection unit 256 detects an anomaly changes depending on various processes such as detection of a change in the system state by the change detection unit 254, model adaptation by the model adaptation unit 257, and replacement by the update unit 258.
  • the detection device 200 has a change detection unit 254, a storage unit 255, and an anomaly detection unit 256.
  • the storage unit 255 can additionally store binary code in response to detection of a change in the system state by the change detection unit 254.
  • the anomaly detection unit 256 can detect anomalies by performing a search that includes the additionally stored results.
  • FIG. 10 shows an example of anomaly score calculation when additional binary code is stored.
  • the anomaly score is calculated using the results of additional storage from around x-axis 900.
  • additional storage of binary code makes it possible to suppress the value of the anomaly score compared to the example shown in FIG. 2.
  • the detection device 200 may continue to calculate the anomaly score while starting additional storage of binary code.
  • the detection device 200 may be configured to resume calculation of the anomaly score after a predetermined number of additional storages have been performed, as shown in FIG. 10.
  • the detection device 200 also has a model adaptation unit 257 and an update unit 258.
  • the update unit 258 replaces the provisionally added binary code after the model adaptation by the model adaptation unit 257.
  • the anomaly detection unit 256 can perform more appropriate anomaly detection using the results of the model adaptation.
  • the provisional additional storage by the storage unit 255 temporarily suppresses an increase in the anomaly score, while allowing appropriate anomaly detection to be performed.
  • Fig. 11 is a diagram showing an example of the hardware configuration of an output device 300.
  • Fig. 12 is a block diagram showing an example of the configuration of the output device 300.
  • an output device 300 that is a time-series anomaly detection system that calculates an anomaly score based on time-series data
  • Fig. 11 shows an example of a hardware configuration of the output device 300.
  • the output device 300 has, as an example, the following hardware configuration.
  • ⁇ CPU (Central Processing Unit) 301 (arithmetic unit)
  • ROM (Read Only Memory) 302 (storage device)
  • Program group 304 loaded into RAM 303
  • a drive device 306 that reads and writes data from and to a recording medium 310 outside the information processing device.
  • a communication interface 307 that connects to a communication network 311 outside the information processing device
  • Input/output interface 308 for inputting and outputting data
  • a bus 309 that connects each component
  • the output device 300 can realize the functions of the first acquisition unit 321, the change detection unit 322, the second acquisition unit 323, and the abnormality information output unit 324 shown in FIG. 12 by the CPU 301 acquiring the program group 304 and executing it.
  • the program group 304 is stored in advance in the storage device 305 or the ROM 302, for example, and is loaded into the RAM 303 or the like by the CPU 301 as necessary for execution.
  • the program group 304 may be supplied to the CPU 301 via the communication network 311, or may be stored in advance in the recording medium 310, and the drive device 306 may read out the programs and supply them to the CPU 301.
  • FIG. 11 shows an example of the hardware configuration of the output device 300.
  • the hardware configuration of the output device 300 is not limited to the above-mentioned case.
  • the output device 300 may be configured with only a part of the above-mentioned configuration, such as not having the drive device 306.
  • the CPU 301 may be a GPU as exemplified in the first embodiment.
  • the first acquisition unit 321 acquires feature information based on time series data of the target for anomaly detection.
  • the change detection unit 322 detects a change in the state of the object of anomaly detection.
  • the change detection unit 322 may detect a change in the state based on time series data.
  • the second acquisition unit 323 acquires feature amount information based on the time series data after change detection by the change detection unit 322, based on the feature amount information acquired by the first acquisition unit 321. For example, the second acquisition unit 323 may acquire feature amount information based on the time series data after change detection by the change detection unit 322, by searching a storage device for feature amount information similar to the feature amount information acquired by the first acquisition unit 321.
  • the abnormality information output unit 324 outputs abnormality information regarding an abnormality based on the feature amount information acquired from the second acquisition unit 323 and the feature amount information acquired by the first acquisition unit 321. For example, the abnormality information output unit 324 may output an abnormality score or an abnormality notification notifying that an abnormality has occurred as the abnormality information.
  • the output device 300 has a first acquisition unit 321, a change detection unit 322, a second acquisition unit 323, and an abnormality information output unit 324.
  • the abnormality information output unit 324 can output abnormality information regarding an abnormality based on the feature amount information acquired from the second acquisition unit 323 and the feature amount information acquired by the first acquisition unit 321. This makes it possible to suppress an increase in the calculated abnormality score even when the system state changes.
  • the output device 300 which is the time series anomaly detection system described above, can be realized by incorporating a predetermined program into an information processing device such as the output device 300.
  • a program which is another form of the present invention is a program for implementing processing in an information processing device such as the output device 300 to detect a change in state in an anomaly detection target, acquire feature amount information based on time series data in the anomaly detection target, acquire feature amount information based on time series data after change detection based on the acquired feature amount information, and output anomaly information regarding an anomaly based on the feature amount information based on the time series data after change detection and the feature amount information based on the time series data in the anomaly detection target.
  • an output method executed by an information processing device such as the output device 300 described above is a method in which the information processing device detects a change in the state of an abnormality detection target, acquires feature amount information based on time series data of the abnormality detection target, acquires feature amount information based on the time series data after change detection based on the acquired feature amount information, and outputs abnormality information regarding an abnormality based on the feature amount information based on the time series data after change detection and the feature amount information based on the time series data of the abnormality detection target.
  • the invention is a program having the above-mentioned configuration, or a computer-readable recording medium having a program recorded thereon, or an output method, it can achieve the above-mentioned objective of the present disclosure by achieving the same actions and effects as the above-mentioned time series anomaly detection system and output device 300.
  • a first acquisition unit that acquires feature amount information based on time-series data of an anomaly detection target; A change detection unit that detects a change in a state of an anomaly detection target; a second acquisition unit that acquires feature amount information based on time-series data after the change detection unit detects a change based on the feature amount information acquired by the first acquisition unit; an anomaly information output unit that outputs anomaly information regarding an anomaly based on the feature amount information acquired from the second acquisition unit and the feature amount information acquired by the first acquisition unit; A time series anomaly detection system. (Appendix 2) 2.
  • the time series anomaly detection system a storage unit configured to store feature amount information based on time-series data after change detection in a storage device in response to a detection result by the change detection unit;
  • the second acquisition unit searches the storage device for feature information similar to the feature information acquired by the first acquisition unit, and acquires feature information based on the time series data after the change detection by the change detection unit.
  • (Appendix 3) The time series anomaly detection system according to claim 2,
  • the storage device pre-stores feature amount information based on time-series data before change detection,
  • the storage unit additionally stores, in the storage device, feature information based on the time series data after the change is detected, in accordance with a detection result by the change detection unit.
  • (Appendix 4) The time series anomaly detection system according to claim 2, a model adaptation unit that adapts a model used when extracting features from the time series data to a state after the change, based on the time series data after the change has been detected by the change detection unit.
  • (Appendix 5) The time series anomaly detection system according to claim 4,
  • the storage unit stores, in the storage device, feature information acquired using the model before adaptation by the model adaptation unit, in accordance with a detection result by the change detection unit.
  • (Appendix 6) The time series anomaly detection system according to claim 5, an update unit that replaces feature information acquired using the model before adaptation by the model adaptation unit, which is stored in the storage device by the storage unit, with feature information acquired using the adapted model in response to adaptation of the model by the model adaptation unit.
  • An information processing device Detecting a change in state in the anomaly detection target; Acquire feature information based on time-series data of the target for anomaly detection, Based on the acquired feature amount information, feature amount information based on the time series data after the change detection is acquired; An output method for outputting anomaly information related to an anomaly based on feature amount information based on time series data after change detection and feature amount information based on time series data of an anomaly detection target.
  • a first acquisition unit that acquires feature amount information based on time-series data of an anomaly detection target;
  • a change detection unit that detects a change in a state of an anomaly detection target;
  • a second acquisition unit that acquires feature amount information based on time-series data after the change detection unit detects a change based on the feature amount information acquired by the first acquisition unit;
  • an anomaly information output unit that outputs anomaly information regarding an anomaly based on the feature amount information acquired from the second acquisition unit and the feature amount information acquired by the first acquisition unit;
  • An output device having (Appendix 11) In the information processing device, Detecting a change in state in the anomaly detection target; Acquire feature information based on time-series data of the target for anomaly detection, Based on the acquired feature amount information, feature amount information based on the time series data after the change detection is acquired;
  • a computer-readable recording medium having recorded thereon a program for implementing a process of outputting anomaly information regarding an anomaly based on feature amount information based
  • the programs described in the above embodiments and appendices may be stored in a storage device or a computer-readable recording medium.
  • the recording medium may be a portable medium such as a flexible disk, an optical disk, a magneto-optical disk, or a semiconductor memory.
  • Detection system 100 Detection system 200 Detection device 210 Operation input unit 220 Screen display unit 230 Communication I/F unit 240 Memory unit 241 Model information 242 Feature amount information 243 Time series data information 244 Program 250 Calculation processing unit 251 Time series data acquisition unit 252 Feature amount extraction unit 253 Binary code conversion unit 254 Change detection unit 255 Storage unit 256 Anomaly detection unit 257 Model adaptation unit 258 Update unit 259 Output unit 300 Output device 301 CPU 302 ROM 303 RAM 304 Program group 305 Storage device 306 Drive device 307 Communication interface 308 Input/output interface 309 Bus 310 Recording medium 311 Communication network 321 First acquisition unit 322 Change detection unit 323 Second acquisition unit 324 Anomaly information output unit

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Testing And Monitoring For Control Systems (AREA)
PCT/JP2023/011972 2023-03-24 2023-03-24 時系列異常検知システム Ceased WO2024201607A1 (ja)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2023/011972 WO2024201607A1 (ja) 2023-03-24 2023-03-24 時系列異常検知システム
JP2025509243A JPWO2024201607A1 (https=) 2023-03-24 2023-03-24

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2023/011972 WO2024201607A1 (ja) 2023-03-24 2023-03-24 時系列異常検知システム

Publications (1)

Publication Number Publication Date
WO2024201607A1 true WO2024201607A1 (ja) 2024-10-03

Family

ID=92903998

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2023/011972 Ceased WO2024201607A1 (ja) 2023-03-24 2023-03-24 時系列異常検知システム

Country Status (2)

Country Link
JP (1) JPWO2024201607A1 (https=)
WO (1) WO2024201607A1 (https=)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011192097A (ja) * 2010-03-16 2011-09-29 Hitachi Ltd 異常検知方法およびそれを用いた情報処理システム
JP2019009680A (ja) * 2017-06-27 2019-01-17 日本電信電話株式会社 検知装置および検知方法

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011192097A (ja) * 2010-03-16 2011-09-29 Hitachi Ltd 異常検知方法およびそれを用いた情報処理システム
JP2019009680A (ja) * 2017-06-27 2019-01-17 日本電信電話株式会社 検知装置および検知方法

Also Published As

Publication number Publication date
JPWO2024201607A1 (https=) 2024-10-03

Similar Documents

Publication Publication Date Title
Yu Adaptive hidden Markov model-based online learning framework for bearing faulty detection and performance degradation monitoring
US20220405645A1 (en) Machine Learning-Based Infrastructure Anomaly And Incident Detection Using Multi-Dimensional Machine Metrics
JP7012871B2 (ja) システムを制御する装置及び方法
US11415975B2 (en) Deep causality learning for event diagnosis on industrial time-series data
US11620384B2 (en) Independent malware detection architecture
US20240071037A1 (en) Mapper component for a neuro-linguistic behavior recognition system
Zhang et al. Roller bearing degradation assessment based on a deep MLP convolution neural network considering outlier regions
US20240354505A1 (en) Perceptual associative memory for a neuro-linguistic behavior recognition system
CN111475804A (zh) 一种告警预测方法及系统
CN115374810A (zh) 基于动态可分离卷积神经网络的故障诊断方法及设备
CN108584592A (zh) 一种基于时间序列预测模型的电梯轿厢振动异常预警方法
JPWO2019142331A1 (ja) 障害予測システムおよび障害予測方法
CN111931509A (zh) 实体链指方法、装置、电子设备及存储介质
KR102005138B1 (ko) 기기 이상징후 사전감지 방법 및 시스템
CN105518656A (zh) 用于多传感器数据融合的认知神经语言学行为辨识系统
US11989013B2 (en) Abnormality detection apparatus, abnormality detection system, and learning apparatus, and methods for the same and non-temporary computer-readable medium storing the same
CN107111609B (zh) 用于神经语言行为识别系统的词法分析器
CN114138610B (zh) 一种故障处理方法及装置
US20170278007A1 (en) Early Warning Prediction System
Lee et al. Early failure detection of paper manufacturing machinery using nearest neighbor‐based feature extraction
FALLAHNEZHAD Application of multivariate control charts for condition based maintenance
CN117609957A (zh) 一种自适应两阶段高斯过程回归的剩余寿命预测方法及系统
CN118468177A (zh) 基于时频掩码自编码器的时间序列异常检测方法及系统
CN114490386A (zh) 一种基于信息熵过采样的软件缺陷预测方法及系统
WO2024201607A1 (ja) 時系列異常検知システム

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23930248

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2025509243

Country of ref document: JP

Kind code of ref document: A

WWE Wipo information: entry into national phase

Ref document number: 2025509243

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 23930248

Country of ref document: EP

Kind code of ref document: A1