WO2025069315A1 - 異常検知システム、異常検知方法、及びプログラム - Google Patents

異常検知システム、異常検知方法、及びプログラム Download PDF

Info

Publication number
WO2025069315A1
WO2025069315A1 PCT/JP2023/035439 JP2023035439W WO2025069315A1 WO 2025069315 A1 WO2025069315 A1 WO 2025069315A1 JP 2023035439 W JP2023035439 W JP 2023035439W WO 2025069315 A1 WO2025069315 A1 WO 2025069315A1
Authority
WO
WIPO (PCT)
Prior art keywords
anomaly detection
post
data
service
services
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/JP2023/035439
Other languages
English (en)
French (fr)
Japanese (ja)
Inventor
健吾 藤岡
大助 藤井
亮 西村
大地 長谷川
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Rakuten Group Inc
Original Assignee
Rakuten Group Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Rakuten Group Inc filed Critical Rakuten Group Inc
Priority to PCT/JP2023/035439 priority Critical patent/WO2025069315A1/ja
Priority to EP23948667.3A priority patent/EP4561043A4/en
Priority to JP2024567628A priority patent/JP7854518B2/ja
Publication of WO2025069315A1 publication Critical patent/WO2025069315A1/ja
Anticipated expiration legal-status Critical
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00Handling natural language data
    • G06F40/30Semantic analysis
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0706Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment
    • G06F11/0709Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment in a distributed system consisting of a plurality of standalone computer nodes, e.g. clusters, client-server systems
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0766Error or fault reporting or storing
    • G06F11/0781Error filtering or prioritizing based on a policy defined by the user or on a policy defined by a hardware/software module, e.g. according to a severity level
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/40Business processes related to social networking or social networking services

Definitions

  • This disclosure relates to an anomaly detection system, an anomaly detection method, and a program.
  • Patent Document 1 describes an anomaly detection device that determines whether posted data in a social networking service (SNS) contains a negative expression.
  • the anomaly detection device of Patent Document 1 determines that posted data containing a predetermined keyword does not contain a negative expression.
  • the anomaly detection device of Patent Document 1 detects an anomaly when the number of posts containing a negative expression at the current time increases by a predetermined threshold or more compared to the number of posts containing a negative expression at a predetermined time in the past.
  • the anomaly detection device in Patent Document 1 is intended to detect anomalies in one service, and cannot be applied to a case where there are multiple services for which anomalies are to be detected. For this reason, when there are multiple services for which anomalies are to be detected, the anomaly detection device in Patent Document 1 cannot detect anomalies related to each of the multiple services based on each of the multiple pieces of post data on the SNS.
  • One of the objectives of this disclosure is to appropriately detect anomalies in each of the multiple services that are the subject of anomaly detection.
  • the anomaly detection system includes a post data acquisition unit that acquires each of a plurality of post data in a social networking service (SNS), a post-related service identification unit that identifies a post-related service related to each of the plurality of post data among a plurality of services that are the subject of anomaly detection, a sentiment analysis execution unit that performs sentiment analysis on each of the plurality of post data, and an anomaly detection unit that detects an anomaly related to each of the plurality of services based on the post-related service identified for each of the plurality of post data and the result of the sentiment analysis executed on each of the plurality of post data.
  • SNS social networking service
  • FIG. 2 is a diagram illustrating an example of a hardware configuration of the anomaly detection system.
  • FIG. 2 is a diagram illustrating an example of a posting database in which posting data is stored.
  • FIG. 13 is a diagram illustrating an example of a time-series change in the number of negative posts.
  • FIG. 13 is a diagram showing an example of an administrator screen displayed on a management tool.
  • FIG. 2 is a diagram illustrating an example of functions realized by the anomaly detection system.
  • FIG. 4 is a diagram illustrating an example of a dictionary database.
  • FIG. 10 is a diagram illustrating an example of an anomaly detection database.
  • FIG. 2 is a diagram illustrating an example of a process executed in the anomaly detection system.
  • FIG. 13 is a diagram illustrating an example of functions realized by an anomaly detection system according to a modified example.
  • the anomaly detection server 10 is a server computer.
  • the anomaly detection server 10 is managed by an administrator in charge of anomaly detection.
  • the administrator may be the operating company of the service that is the subject of anomaly detection, or may be someone other than the operating company of the service.
  • the anomaly detection server 10 includes a control unit 11, a memory unit 12, and a communication unit 13.
  • the control unit 11 includes at least one processor.
  • the memory unit 12 includes at least one of a volatile memory such as RAM and a non-volatile memory such as a flash memory.
  • the communication unit 13 includes at least one of a communication interface for wired communication and a communication interface for wireless communication.
  • the SNS server 20 is a server computer.
  • the SNS server 20 is managed by the SNS operating company.
  • the SNS operating company is different from the administrator, but the SNS operating company may be the same as the administrator.
  • the SNS server 20 includes a control unit 21, a memory unit 22, and a communication unit 23.
  • the hardware configurations of the control unit 21, the memory unit 22, and the communication unit 23 may be similar to those of the control unit 11, the memory unit 12, and the communication unit 13, respectively.
  • the user terminal 30 is a smartphone, a tablet, a personal computer, or a wearable terminal.
  • the user terminal 30 includes a control unit 31, a memory unit 32, a communication unit 33, an operation unit 34, and a display unit 35.
  • the hardware configurations of the control unit 31, the memory unit 32, and the communication unit 33 may be similar to those of the control unit 11, the memory unit 12, and the communication unit 13, respectively.
  • the operation unit 34 is an input device such as a touch panel or a mouse.
  • the display unit 35 is a display such as a liquid crystal or organic EL.
  • Each computer may also include at least one of a reading unit (e.g., a memory card slot) that reads a computer-readable information storage medium, and an input/output unit (e.g., a USB port) for inputting and outputting data to and from an external device.
  • a reading unit e.g., a memory card slot
  • an input/output unit e.g., a USB port
  • a program stored in an information storage medium may be supplied via at least one of the reading unit and the input/output unit.
  • the anomaly detection system 1 may include at least one computer.
  • the computers included in the anomaly detection system 1 are not limited to the example in FIG. 1.
  • the anomaly detection system 1 may include only the anomaly detection server 10.
  • the SNS server 20, the user terminal 30, and the administrator terminal 40 each exist outside the anomaly detection system 1.
  • the anomaly detection system 1 may include only the anomaly detection server 10 and the administrator terminal 40.
  • the SNS server 20 and the user terminal 30 each exist outside the anomaly detection system 1.
  • the anomaly detection system 1 may include other computers not shown in FIG. 1.
  • the anomaly detection system 1 detects an anomaly related to each of a plurality of services by analyzing posting data related to posts on SNS.
  • An anomaly is a state that deviates from a predetermined standard.
  • An anomaly is a state in which a user cannot use a service, or a state in which a user has difficulty using a service.
  • a failure is one aspect of an anomaly.
  • An anomaly may include a state immediately before developing into a failure.
  • An abnormality occurs in at least one of the hardware and software used to provide the service.
  • an abnormality may occur in any hardware.
  • an abnormality may occur in a server computer, personal computer, tablet, smartphone, other computer, communication equipment, cable, memory, power supply, or other hardware.
  • an abnormality may occur in any software.
  • the anomaly detection server 10 when a post is made about a certain service, the anomaly detection server 10 performs sentiment analysis on the content of the post.
  • the anomaly detection server increases the number of negative posts, which is the number of negative posts.
  • the number of negative posts serves as an indicator of anomaly detection.
  • the number of negative posts is calculated for each service that is the target of anomaly detection. The more negative posts there are for a certain service, the more negative posts there are about that service on SNS.
  • the anomaly detection server 10 includes a data storage unit 100, a post data acquisition unit 101, a post-related service identification unit 102, a sentiment analysis execution unit 103, and an anomaly detection unit 104.
  • the data storage unit 100 is realized by the memory unit 12.
  • Each of the post data acquisition unit 101, the post-related service identification unit 102, the sentiment analysis execution unit 103, and the anomaly detection unit 104 is realized by the control unit 11.
  • the data stored in the data storage unit 100 is not limited to the above examples.
  • the data storage unit 100 can store any data related to anomaly detection.
  • the data storage unit 100 stores various thresholds referenced when detecting anomalies, programs required for processing anomaly detection, or other data.
  • the post-related service identification unit 102 identifies at least one post-related service for the post data.
  • the post-related service identification unit 102 may identify multiple post-related services for the post data. Since there is post data on the SNS that is not related to the service that is the target of anomaly detection, the post-related service identification unit 102 may not identify a post-related service for the post data.
  • the post-related service identification unit 102 identifies the service in dictionary database DB2 in which the word is stored as a post-related service.
  • the post-related service identification unit 102 may identify the service in dictionary database DB2 in which the word is stored as a post-related service.
  • the post-related service identification unit 102 may identify, among multiple services, a service in which post data includes a relatively large number of words as a post-related service.
  • the judgment criterion may be the output of a learning model that uses a machine learning technique.
  • the machine learning technique may be any of various known techniques.
  • the learning model may be created by any of supervised learning, semi-supervised learning, or unsupervised learning.
  • the learning model may be a model used in natural language processing or image analysis.
  • the learning model learns training data including training post data and a label indicating at least one of a plurality of services.
  • the post-related service identification unit 102 inputs the post data to the learning model.
  • the learning model calculates the feature amount of the post data and outputs a label according to the feature amount.
  • the post-related service identification unit 102 may identify the service indicated by the label as the post-related service.
  • the emotion analysis execution unit 103 executes emotion analysis for each of the multiple posted data.
  • the emotion analysis is a process of analyzing the emotions of the poster.
  • the emotion analysis method itself can use various known methods.
  • the emotion analysis execution unit 103 executes a dictionary-based emotion analysis as an example, but the emotion analysis execution unit 103 may execute machine learning-based, pattern-based, or rule-based emotion analysis.
  • the emotion analysis execution unit 103 analyzes whether the posted data is negative based on a known emotion analysis method as an example. Note that the emotion analysis execution unit 103 may analyze whether the posted data is positive based on a known emotion analysis method.
  • the anomaly detection unit 104 detects an anomaly related to each of the plurality of services based on the post-related service identified for each of the plurality of post data and the result of the sentiment analysis performed on each of the plurality of post data.
  • the detection of an anomaly may also be referred to as a determination or estimation of an anomaly.
  • the anomaly detection unit 104 refers to the posting time of post data for which a certain post-related service is identified, and counts the number of negative posts for that post-related service based on the result of sentiment analysis on post data for which the posting time is included in the counting period.
  • the anomaly detection unit 104 detects an anomaly in a service among multiple services for which the number of negative posts is equal to or exceeds a threshold.
  • the threshold may be common to all services, or may be set for each service.
  • the threshold may be common to all collection periods, or may be set for each collection period.
  • the threshold may be specified by an administrator, or may be determined based on past performance of posts related to each service.
  • the anomaly detection unit 104 may detect an anomaly in a service when the number of negative posts in one collection period is equal to or exceeds the threshold.
  • the anomaly detection unit 104 may detect an anomaly in a service when the number of negative posts in multiple consecutive collection periods is equal to or exceeds the threshold.
  • the anomaly detection unit 104 increments the number of negative posts of the post-related service.
  • the anomaly detection unit 104 may increment the number of negative posts of the post-related service.
  • the anomaly detection unit 104 may increment the number of negative posts of the post-related service when the sentiment analysis method estimates that post data of a certain post-related service is a negative post.
  • the anomaly detection unit 104 detects an anomaly related to a configuration specific to a service that has a relatively large number of negative posts among multiple services.
  • a specific configuration is a configuration (e.g., hardware or software) that is used only for a specific service.
  • a configuration specific to a certain service is a server computer that a user accesses to use the service, software installed on the server computer, other computers that cooperate with the server computer, or software installed on the user terminal 30.
  • the anomaly detection unit 104 detects an anomaly related to a configuration specific to the specific service.
  • the anomaly detection unit 104 detects an anomaly related to a configuration common to multiple services when the number of negative posts for each of the multiple services is equal to or greater than a threshold.
  • a configuration common to multiple services is a configuration (e.g., hardware or software) that is not used only by a specific service, but is used by each of the multiple services.
  • a configuration common to multiple services is another computer that cooperates with each server computer of the multiple services, software installed on the other computer, a computer that cooperates with the other computer, or software (e.g., a so-called super app) common to multiple services installed on the user terminal 30.
  • the anomaly detection unit 104 detects an anomaly related to a configuration common to multiple services when the number of negative posts for each of the multiple services is equal to or greater than a threshold evenly.
  • the data storage unit 200 stores data related to the SNS.
  • the data storage unit 200 stores post data related to posts posted on the SNS.
  • the data storage unit 200 may store a database similar to the post database DB1, or may store a database with a data structure different from that of the post database DB1.
  • the data storage unit 200 can store various data on known SNSs.
  • the SNS providing unit 201 provides an SNS to each of a plurality of users.
  • the processing of the SNS providing unit 201 may be processing executed in a known SNS.
  • the SNS providing unit 201 causes the user terminal 30 to display a screen related to SNS posts.
  • the SNS providing unit 201 receives data related to posts input by the user from the user terminal 30.
  • the SNS providing unit 201 records the post data in the data storage unit 200 based on the data.
  • the SNS server 20 transmits the post data to the anomaly detection server 10.
  • the user terminal 30 includes a data storage unit 300 and a posting unit 301.
  • the data storage unit 300 is realized by the storage unit 32.
  • the posting unit 301 is realized by the control unit 31.
  • the data storage unit 400 stores data necessary for the administrator's work.
  • the data storage unit 400 stores data necessary for displaying the administrator screen SC.
  • the data storage unit 400 may store a maintenance tool necessary for the administrator's work.
  • the maintenance tool itself may be a known tool, for example, a tool capable of monitoring the status of at least one of hardware and software.
  • the display control unit 402 causes various screens to be displayed on the display unit 45.
  • the display control unit 402 causes the display unit 45 to display an administrator screen SC.
  • Fig. 8 is a diagram showing an example of processing executed by the anomaly detection system 1.
  • the processing in Fig. 8 is executed by the control units 11, 21, 31, and 41 executing programs stored in the storage units 12, 22, 32, and 42, respectively.
  • the processing in each step in Fig. 8 is an example of a step included in the anomaly detection method according to the present disclosure.
  • the SNS server 20 executes a process to provide the user with the SNS, in cooperation with the user terminal 30 (S1).
  • the SNS server 20 receives data related to posts entered by the user from the user terminal 30.
  • the SNS server 20 generates the post data and records it in the storage unit 22.
  • the anomaly detection server 10 executes a process to acquire the post data, in cooperation with the SNS server 20 (S2).
  • the SNS server 20 transmits all or part of the post data in the SNS to the anomaly detection server 10.
  • the anomaly detection server 10 stores the post data acquired from the SNS server 20 in the post database DB1.
  • the anomaly detection server 10 identifies a post-related service related to the post data based on the dictionary database DB2 (S3).
  • the process of S3 is as explained as the process of the post-related service identification unit 102.
  • the anomaly detection server 10 performs sentiment analysis on the post data (S4).
  • the process of S4 is as explained as the process of the sentiment analysis execution unit 103.
  • the subsequent processes of S5 to S11 correspond to the process of the anomaly detection unit 104.
  • the anomaly detection server 10 calculates the number of negative expressions for each of the multiple services during the aggregation period (S5).
  • the calculation results in S5 are stored in the anomaly detection database DB3.
  • the anomaly detection server 10 calculates the amount of change in the number of negative expressions for each of the multiple services based on the anomaly detection database DB3 (S6).
  • the anomaly detection server 10 determines whether there is a service for which the amount of change calculated in S6 is equal to or greater than a threshold value (S7).
  • the anomaly detection server 10 detects an anomaly in the configuration specific to that particular service (S8).
  • the anomaly detection server 10 executes processing between the administrator terminal 40 to display the administrator screen SC (S9), and this processing ends. If the amount of change in each of multiple services is greater than or equal to the threshold in S7 (S7: Multiple), the anomaly detection server 10 detects an anomaly in the configuration common to multiple services (S10), and proceeds to processing of S9. If the amount of change in none of the services is greater than or equal to the threshold in S7 (S7: None), this processing ends.
  • the anomaly detection system 1 of the present embodiment detects anomalies related to each of a plurality of services based on a post-related service identified for each of a plurality of post data in an SNS and a result of sentiment analysis performed on each of the plurality of post data.
  • the anomaly detection system 1 can appropriately detect anomalies related to not only one service but each of a plurality of services by using post data that directly reflects the user's opinions on the service. For example, when an anomaly occurs in one of a plurality of services, even if the anomaly is not detected by an index such as the CPU usage rate of a server computer used in the service, a user who actually uses the service may feel a sense of incongruity. Since a user may post in real time indicating that an anomaly may be occurring in a service, the anomaly detection system 1 can quickly detect an anomaly by analyzing the post data of such posts.
  • the anomaly detection system 1 also identifies the post-related service of the post data based on each of the multiple post data and the dictionary database DB2 in which words specific to each of the multiple services are registered. This allows the anomaly detection system 1 to accurately identify which service the post data is related to. As a result, the accuracy of anomaly detection is improved. For example, the anomaly detection system 1 can also identify which service the post data is related to by determining whether or not the post data contains a service name. However, in this case, if the post data does not contain a service name, the anomaly detection system 1 will not refer to the post data for anomaly detection, since it will consider the post data to be unrelated to the service.
  • the anomaly detection system 1 can identify the service to which the post data is related by using the dictionary database DB2, even if the post data does not contain a service name. As a result, the anomaly detection system 1 can refer to more post data for anomaly detection, thereby improving the accuracy of anomaly detection.
  • the anomaly detection system 1 also performs sentiment analysis on the post content by determining whether each of the multiple post data includes a negative expression. For each service, the anomaly detection system 1 tallyes up the number of negative posts, which is the number of post data that includes a negative expression. The anomaly detection system 1 detects anomalies for each of the multiple services based on the number of negative posts for each of the multiple services. This increases the accuracy of anomaly detection, as the anomaly detection system 1 detects anomalies based on an index that is directly linked to anomaly detection, such as the number of negative posts. For example, the anomaly detection system 1 can present an easy-to-understand index, such as the number of negative posts, to the administrator by displaying the number of negative posts for each service on the administrator screen SC.
  • an easy-to-understand index such as the number of negative posts
  • the anomaly detection system 1 detects anomalies in each of the multiple services based on the change over time in the number of negative posts for each of the multiple services. This improves the accuracy of anomaly detection because anomalies are detected based on an indicator that is directly linked to anomaly detection, such as the change over time in the number of negative posts.
  • the anomaly detection system 1 can present the administrator with an easy-to-understand indicator, such as the change in the number of negative posts, by displaying the change over time in the number of negative posts for each service on the administrator screen SC.
  • the anomaly detection system 1 detects anomalies related to the configuration specific to a service that has a relatively large number of negative posts among multiple services. This allows the anomaly detection system 1 to detect that an anomaly has occurred in the configuration specific to a particular service, making it possible to accurately estimate the cause of the anomaly. As a result, the service in which the anomaly occurred can be restored more quickly.
  • the anomaly detection system 1 detects an anomaly related to a configuration common to multiple services when the number of negative posts for each of the multiple services is equal to or greater than a threshold value. This allows the anomaly detection system 1 to detect that an anomaly has occurred in a configuration common to multiple services, making it possible to accurately estimate the cause of the anomaly. As a result, each of the multiple services in which an anomaly has occurred can be quickly restored.
  • FIG. 9 is a diagram showing an example of functions realized by the modified anomaly detection system 1.
  • the modified anomaly detection system 1 includes a general relation identification unit 105, a status data acquisition unit 106, a relation identification unit 107, an expertise information acquisition unit 108, a campaign information acquisition unit 109, and a distribution content information acquisition unit 110.
  • the general relation identification unit 105, the status data acquisition unit 106, the relation identification unit 107, the expertise information acquisition unit 108, the campaign information acquisition unit 109, and the distribution content information acquisition unit 110 are realized by the control unit 11.
  • the post-related service identification unit 102 identifies whether or not each piece of post data is related to a specific service.
  • Some post data may indicate general post content that spans multiple services. For example, when a single business entity provides multiple services, a user may input a post including the name of the event subject as a post that spans multiple services in general. For example, when businesses that provide multiple services each have a common name, a user may input a post including the common name as a post that spans multiple services in general.
  • the anomaly detection system 1 may detect an anomaly based on post data that indicates such a post.
  • the anomaly detection system 1 of the first modified example includes a general relation identification unit 105.
  • the general relation identification unit 105 identifies post data related to the multiple services in general based on each of the multiple post data. For example, a judgment criterion is provided to indicate that the post content is related to the multiple services in general.
  • the general relation identification unit 105 judges whether the post data satisfies the judgment criterion for each of the multiple services.
  • the general relation identification unit 105 judges whether the post data satisfies the judgment criterion. If the post data satisfies the post judgment criterion, the general relation identification unit 105 identifies the post data as post data related to the multiple services in general.
  • the judgment criterion of variant example 1 may be any criterion. Including a word in a dictionary in which words indicating multiple services in general are registered is one example of a judgment criterion.
  • the general relation identification unit 105 identifies posted data related to multiple services in general based on each of the multiple posted data and a database in which words in a dictionary in which words indicating multiple services in general are registered.
  • the general relation identification unit 105 identifies posted data related to multiple services in general when the posted data includes a word stored in the database.
  • the general relation identification unit 105 may identify posted data related to multiple services in general when the posted data includes k (k: an integer of 2 or more) or more words stored in the database.
  • the criterion may be other criteria than a dictionary database.
  • the criterion may simply be that the posted data indicates the name of a business providing multiple services, or a name common to multiple businesses. In this case, when the posted data indicates these names, the general relation identification unit 105 identifies the posted data as being related to multiple services in general.
  • the emotion analysis execution unit 103 of the first modification also performs emotion analysis on the posted data identified by the general related identification unit 105.
  • the emotion analysis method is as described in the embodiment.
  • the anomaly detection unit 104 of the first modification further detects anomalies related to each of the multiple services based on the posted data identified by the general related identification unit 105. For example, the anomaly detection unit 104 counts the number of negative expressions in the posted data identified by the general related identification unit 105.
  • the anomaly detection unit 104 detects an anomaly in the configuration common to multiple services when the number of negated expressions in the post data identified by the general relation identification unit 105 is equal to or greater than a threshold.
  • the anomaly detection unit 104 calculates the amount of change in the number of negated expressions in the post data identified by the general relation identification unit 105.
  • the anomaly detection unit 104 detects an anomaly in the configuration common to multiple services when the amount of change is equal to or greater than a threshold.
  • the anomaly detection unit 104 may detect an anomaly in the configuration common to multiple services based on the post data identified by the general relation identification unit 105 and other methods such as the learning model described in the embodiment.
  • the anomaly detection system 1 of the first modification identifies posted data related to the plurality of services in general, based on each of the plurality of posted data.
  • the anomaly detection system 1 detects anomalies related to each of the plurality of services further based on the posted data identified by the general related identification unit 105. This allows the anomaly detection system 1 to appropriately detect anomalies related to the plurality of services in general.
  • the anomaly detection system 1 may detect an anomaly by using not only the posting data on the SNS but also status data related to the status of a device used in each of the multiple services.
  • the anomaly detection system 1 of the second modification includes a status data acquisition unit 106.
  • the status data acquisition unit 106 acquires status data related to the status of a device used in each of the multiple services.
  • the device is a type of hardware described in the embodiment.
  • the device is a server computer, a personal computer, a tablet, a smartphone, another computer, a communication device, a memory, or a power source.
  • the status data may indicate the pinpoint state of the device at a certain point in time, but in variant example 2, the status data is data regarding changes in the state of the device over time.
  • the state of the device can also be said to be the load of the device providing the service.
  • the state of the device may refer to the hardware state or the software state.
  • the state of the device may be communication volume, CPU usage, memory usage, power consumption, communication speed, temperature, or a combination of these.
  • the state of the device may be an index called golden signal metrics, or other index used in known benchmark tests.
  • the method of acquiring the state data of the device may also be a known method.
  • the data storage unit 100 of the second modification stores status data acquired from each system of the multiple services.
  • the status data acquisition unit 106 acquires the status data stored in the data storage unit 100.
  • the status data acquisition unit 106 may acquire status data from each system of the multiple services. For example, the status data acquisition unit 106 periodically requests status data from each system of the multiple services. Each system transmits the latest status data to the anomaly detection server 10 in response to the request.
  • the status data acquisition unit 106 periodically acquires the latest status data from each system.
  • the anomaly detection unit 104 of the second modification detects an anomaly related to each of the multiple services based further on the status data of each of the multiple services. For example, when there is a service among the multiple services whose status data indicates a numerical value equal to or greater than a threshold, the anomaly detection unit 104 detects an anomaly related to that service. When there is a service among the multiple services whose status data indicates a change in a numerical value equal to or greater than a threshold, the anomaly detection unit 104 may also detect an anomaly related to that service. The anomaly detection unit 104 may detect an anomaly by inputting a time-series change in the status data to a model created using a machine learning technique.
  • the anomaly detection unit 104 may determine that an anomaly has occurred when an anomaly is detected by both the anomaly detection method based on SNS posting data described in the embodiment and the anomaly detection method based on status data described in Modification 2.
  • the anomaly detection unit 104 may determine that an anomaly has occurred when an anomaly is detected by either the anomaly detection method based on SNS posting data described in the embodiment or the anomaly detection method based on status data described in Modification 2.
  • information indicating which service the device from which the status data was obtained belongs to is stored in the data storage unit 100.
  • the anomaly detection unit 104 detects an anomaly in the service associated with certain status data when, for example, a numerical value indicated by the status data becomes equal to or exceeds a threshold value.
  • the anomaly detection system 1 of variant example 2 acquires status data relating to the status of a device used in each of the multiple services.
  • the anomaly detection system 1 detects an anomaly relating to each of the multiple services based further on the status data of each of the multiple services.
  • the anomaly detection system 1 can improve the accuracy of detecting anomalies by using both the posting data on the SNS and the device status data.
  • the anomaly detection server 10 may identify status data that is related to the SNS posting data from among the various status data.
  • this status data is referred to as association data.
  • the anomaly detection server 10 may detect an anomaly based on the association data from among the multiple status data. Status data other than the association data is not used in anomaly detection.
  • the anomaly detection system 1 of the third modified example includes an association identifying unit 107.
  • the association identifying unit 107 identifies association data from among the multiple status data for each of the multiple services that is associated with the post data for which the service has been identified as a post-related service. Association is a correlation between the post data. For example, if an increase in the post data is equal to or greater than a threshold, the post data and the status data are associated. If an increase in the post data is equal to or greater than a threshold, the post data and the status data are associated. If an increase in the post data is equal to or greater than a threshold, the status data and the status data are associated.
  • the relationship identification unit 107 calculates the time series change in the number of negative posts for each service based on each of the multiple posted data. This calculation method is as described in the embodiment.
  • the relevance identification unit 107 performs clustering of the time series change in the number of negative posts in each of the multiple services and the time series change in the state indicated by each of the multiple status data based on a known clustering method. Clustering can be performed based on a known method. For example, the relevance identification unit 107 performs clustering based on k-means clustering, hierarchical clustering, DBSCAN clustering, or another clustering method. The relevance identification unit 107 performs clustering so that data with similar time series changes belong to the same cluster. The relevance identification unit 107 identifies, from the multiple status data, status data that belongs to the same cluster as the time series change in the number of negative posts for a certain service as relevance data that is related to the post data in that service.
  • the anomaly detection unit 104 of the third modification detects an anomaly in a service based on the association data of the service among the multiple state data for each of the multiple services.
  • the anomaly detection unit 104 does not refer to state data that is not association data among the multiple state data when detecting an anomaly. It differs in that state data identified as association data among the multiple state data is used for anomaly detection, but in other respects is similar to the anomaly detection unit 104 of the second modification.
  • the anomaly detection system 1 of variant example 3 identifies, from among the multiple status data for each of the multiple services, association data that is associated with post data for which the service has been identified as a post-related service.
  • the anomaly detection system 1 detects an anomaly for a service based on the association data for that service from among the multiple status data for each of the multiple services.
  • the anomaly detection system 1 can improve the accuracy of detecting anomalies by detecting anomalies based on status data that is associated with post data on SNS.
  • the posted data may contain highly specialized words that directly indicate an anomaly, such as "traffic,””access,” or "system failure.” Such posted data is considered to be particularly useful for detecting an anomaly. Therefore, the anomaly detection server 10 may detect an anomaly by placing more importance on posted data that contains highly specialized words than on other posted data.
  • the anomaly detection system 1 includes an expertise information acquisition unit 108.
  • the expertise information acquisition unit 108 acquires expertise information on the expertise of words included in each of the multiple post data.
  • the expertise information indicates the degree of expertise of the word.
  • an example is given in which the expertise information is expressed numerically, but the expertise information may also be expressed by letters or symbols.
  • a higher numerical value indicated by the expertise information means a higher level of expertise.
  • the expertise information of the word may be stored in the dictionary database DB2, or may be stored in another database different from the dictionary database DB2.
  • the anomaly detection unit 104 of the fourth modification detects an anomaly in each of the multiple services further based on the expertise information of each of the multiple post data. For example, when a certain post data includes a negative expression and a word associated with the expertise information, the anomaly detection unit 104 increases the number of negative posts based on the expertise indicated by the expertise information associated with the word. The anomaly detection unit 104 calculates the number of negative posts so that the number of negative posts increases as the expertise indicated by the expertise information increases. In the embodiment, an example was given of a case in which the number of negative posts increases by one if a certain post data includes a negative expression, regardless of the type of post. However, in the fourth modification, if the expertise indicated by the expertise information is high, the number of negative posts increases by two or more for one post data.
  • the anomaly detection unit 104 increases the number of negative posts by 3 for each piece of post data. If a negative expression is included in post data including a word with level 2 expertise, the anomaly detection unit 104 increases the number of negative posts by 2 for each piece of post data. If a negative expression is included in post data including a word with level 1 expertise, the anomaly detection unit 104 increases the number of negative posts by 1 for each piece of post data.
  • the processing of the anomaly detection unit 104 in variant example 4 is not limited to the above example.
  • the anomaly detection unit 104 may take expertise information into account when calculating the other index.
  • the anomaly detection unit 104 calculates an index for the service such that the higher the expertise indicated by the expertise information, the higher the index for the service. It is assumed that the formula required for calculating the index is stored in the data storage unit 100.
  • the anomaly detection system 1 of variant example 4 acquires expertise information regarding the expertise of words contained in each of the multiple posted data.
  • the anomaly detection system 1 detects anomalies in each of the multiple services based further on the expertise information for each of the multiple posted data. This enables the anomaly detection system 1 to detect anomalies by placing emphasis on posted data that contains more specialized words, thereby improving the accuracy of anomaly detection.
  • the anomaly detection system 1 of the fifth modified example includes a campaign information acquisition unit 109.
  • the campaign information acquisition unit 109 acquires campaign information related to campaigns in each of a plurality of services.
  • the campaign information indicates identification information of the service for which the campaign is being held and the period during which the campaign is being held.
  • the campaign information may also indicate the content of the campaign.
  • the campaign information is assumed to be stored in the data storage unit 100.
  • the campaign information may be registered in the data storage unit 100 by an administrator, or may be registered in the data storage unit 100 by another person.
  • the anomaly detection unit 104 of the fifth modification detects anomalies in each of the multiple services further based on the campaign information. For example, the anomaly detection unit 104 identifies a service for which a campaign is being held from among the multiple services based on the campaign information. The anomaly detection unit 104 increases the threshold for detecting anomalies in the identified service. During the campaign period, the anomaly detection unit 104 detects anomalies based on the increased threshold. Although the method for determining the threshold differs from the embodiment, other points are similar to the embodiment.
  • the anomaly detection system 1 of variant example 5 acquires campaign information related to campaigns in each of the multiple services.
  • the anomaly detection system 1 further detects anomalies in each of the multiple services based on the campaign information. This allows the anomaly detection system 1 to realize anomaly detection that takes into account noise that may occur due to the holding of a campaign, and therefore can properly detect anomalies even if a campaign is held.
  • a service that is the subject of anomaly detection may be introduced in a distribution service such as a television program, video distribution on the Internet, or live distribution.
  • a distribution service such as a television program, video distribution on the Internet, or live distribution.
  • the anomaly detection server 10 may change the criteria for anomaly detection, taking into account the distributed content in the distribution service.
  • the anomaly detection system 1 includes a distribution content information acquisition unit 110.
  • the distribution content information acquisition unit 110 acquires distribution content information related to the distribution content of a distribution service capable of distributing information related to each of a plurality of services.
  • the distribution content information indicates the distribution date and time of the distribution service and the distribution content of the distribution service.
  • the distribution content information is assumed to be stored in the data storage unit 100.
  • the distribution content information may be registered in the data storage unit 100 by an administrator, or may be registered in the data storage unit 100 by another person.
  • the distribution content information indicates whether or not the content is related to a service that is the target of anomaly detection.
  • the anomaly detection unit 104 of the sixth modification detects an anomaly in each of the multiple services further based on the distribution content information. For example, the anomaly detection unit 104 identifies a service introduced in the distribution service from among the multiple services based on the distribution content information. The anomaly detection unit 104 increases the threshold for detecting an anomaly in the identified service. During the distribution period or the period before and after the period, the anomaly detection unit 104 detects an anomaly based on the increased threshold. Although the method of determining the threshold differs from the embodiment, other points are similar to the embodiment.
  • the anomaly detection system 1 of variant example 6 acquires distribution content information regarding the distribution content of a distribution service that can distribute information regarding each of a plurality of services.
  • the anomaly detection system 1 further detects anomalies in each of the plurality of services based on the distribution content information. This allows the anomaly detection system 1 to realize anomaly detection that takes into account noise that may occur due to distribution in the distribution service, and therefore can appropriately detect anomalies even if distribution in the distribution service is performed.
  • the anomaly detection system 1 can be applied to services other than electronic commerce services, financial services, and communication services.
  • the anomaly detection system 1 may detect anomalies in other services such as travel reservation services, payment services, online flea market services, or video distribution services.
  • the main processing is executed by the anomaly detection server 10, but the processing described as being executed by the anomaly detection server 10 may be executed by the administrator terminal 40 or another computer.
  • the processing described as being executed by the anomaly detection server 10 may be shared among multiple computers.
  • the sentiment analysis execution unit 103 may perform sentiment analysis on SNS posting data posted by some users or by other users excluding the some users.
  • the some users may refer to users who subscribe to a certain subscription service in the SNS, and may refer to users whose activities related to the users, such as the frequency of posting data containing negative expressions in the SNS or the frequency of logins in the SNS, satisfy a certain condition. This allows the sentiment analysis execution unit 103 to omit sentiment analysis on posting data of users who may not be included as targets of sentiment analysis of bots, etc.
  • the some users may refer to users whose metrics related to posting data, such as the number of impressions in the SNS, exceed a certain value at a certain frequency during a certain period, and may refer to users whose metrics related to accounts, such as the number of followers in the SNS, exceed a certain value at a certain frequency during a certain period.
  • the part of users may refer to users whose profiles on the SNS are classified into a predetermined category.
  • the emotion analysis execution unit 103 determines whether or not the account name or profile name of the user is classified into a person category excluding character names, and if classified into the person category, performs emotion analysis on the post data posted by the user corresponding to the account image.
  • the part of users may refer to users whose account images on the SNS are classified into a predetermined category.
  • the emotion analysis execution unit 103 for example, inputs the account image into a trained machine learning model to determine whether or not the account image is classified into the person category, and if classified into the person category, performs emotion analysis on the post data posted by the user corresponding to the account image.
  • the post-related service identification unit 102 may identify the post as being related to the service based on the posting time, operation information indicating the service provision status of the service, maintenance information indicating time periods when the service is unavailable on the service side, promotion information indicating advertising activities such as commercials and news on the service side, or system alert information on the service side, for example, if the posting time matches the service's operation hours (service provision hours).
  • the anomaly detection system can be configured as follows. (1) a post data acquisition unit that acquires each of a plurality of post data in a social networking service (SNS); a post-related service identification unit that identifies a post-related service related to each of the plurality of post data from among a plurality of services that are targets of anomaly detection; a sentiment analysis execution unit that executes a sentiment analysis on each of the plurality of pieces of posted data; an anomaly detection unit that detects an anomaly related to each of the plurality of services based on the post-related service identified for each of the plurality of post data and a result of the sentiment analysis performed on each of the plurality of post data; Anomaly detection system including.
  • SNS social networking service
  • a post-related service identification unit that identifies a post-related service related to each of the plurality of post data from among a plurality of services that are targets of anomaly detection
  • a sentiment analysis execution unit that executes a sentiment analysis on each of the plurality of pieces of posted data
  • the post-related service identification unit identifies the post-related service for the post data based on each of the plurality of post data and a dictionary database in which words specific to each of the plurality of services are registered; An anomaly detection system as described in (1).
  • the sentiment analysis execution unit executes the sentiment analysis on the posted data by determining whether each of the plurality of posted data includes a negative expression; the anomaly detection unit counts, for each of the services, a number of negative posts which is the number of the posted data including the negative expression, and detects the anomaly for each of the plurality of services based on the number of negative posts for each of the plurality of services; An anomaly detection system according to (1) or (2).
  • the anomaly detection unit detects the anomaly in each of the plurality of services based on a time-series change in the number of negative posts in each of the plurality of services. (3) An anomaly detection system according to the present invention. (5) The anomaly detection unit detects the anomaly related to a configuration specific to the service having a relatively large number of negative posts among the plurality of services. An anomaly detection system according to (3) or (4). (6) the anomaly detection unit detects the anomaly regarding a configuration common to the plurality of services when the number of negative posts for each of the plurality of services is equal to or greater than a threshold; An anomaly detection system according to any one of (3) to (5).
  • the anomaly detection system further includes a general association identification unit that identifies the post data related to all of the plurality of services based on each of the plurality of post data, The anomaly detection unit detects the anomaly related to each of the plurality of services further based on the posting data identified by the general association identification unit.
  • the anomaly detection system further includes a status data acquisition unit that acquires status data regarding a status of a device used in each of the plurality of services; the anomaly detection unit detects the anomaly related to each of the plurality of services further based on the status data of each of the plurality of services; An anomaly detection system according to any one of (1) to (7).
  • the anomaly detection system further includes a relationship identification unit that identifies, from among the plurality of status data for each of the plurality of services, relationship data that is related to the post data identified as the post-related service for the service, and the anomaly detection unit detects the anomaly of the service based on the association data of the service among the plurality of status data of the service; (8) An anomaly detection system according to (8).
  • the anomaly detection system further includes a specialization information acquisition unit that acquires specialization information regarding a specialization of a word included in each of the plurality of posting data, The anomaly detection unit detects the anomaly in each of the plurality of services further based on the expertise information of each of the plurality of posting data.
  • An anomaly detection system according to any one of (1) to (9).
  • the anomaly detection system further includes a campaign information acquisition unit that acquires campaign information related to a campaign in each of the plurality of services; The anomaly detection unit detects the anomaly in each of the plurality of services further based on the campaign information.
  • An anomaly detection system according to any one of (1) to (10).
  • the anomaly detection system further includes a distribution content information acquisition unit that acquires distribution content information regarding distribution content in a distribution service capable of distributing information regarding each of the plurality of services, The anomaly detection unit detects the anomaly in each of the plurality of services further based on the distribution content information.
  • An anomaly detection system according to any one of (1) to (11).

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Quality & Reliability (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Audiology, Speech & Language Pathology (AREA)
  • Computational Linguistics (AREA)
  • General Health & Medical Sciences (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
PCT/JP2023/035439 2023-09-28 2023-09-28 異常検知システム、異常検知方法、及びプログラム Pending WO2025069315A1 (ja)

Priority Applications (3)

Application Number Priority Date Filing Date Title
PCT/JP2023/035439 WO2025069315A1 (ja) 2023-09-28 2023-09-28 異常検知システム、異常検知方法、及びプログラム
EP23948667.3A EP4561043A4 (en) 2023-09-28 2023-09-28 ANOMALY DETECTION SYSTEM, ANOMALY DETECTION METHOD, AND PROGRAM
JP2024567628A JP7854518B2 (ja) 2023-09-28 2023-09-28 異常検知システム、異常検知方法、及びプログラム

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2023/035439 WO2025069315A1 (ja) 2023-09-28 2023-09-28 異常検知システム、異常検知方法、及びプログラム

Publications (1)

Publication Number Publication Date
WO2025069315A1 true WO2025069315A1 (ja) 2025-04-03

Family

ID=95203110

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2023/035439 Pending WO2025069315A1 (ja) 2023-09-28 2023-09-28 異常検知システム、異常検知方法、及びプログラム

Country Status (3)

Country Link
EP (1) EP4561043A4 (https=)
JP (1) JP7854518B2 (https=)
WO (1) WO2025069315A1 (https=)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2014154051A (ja) * 2013-02-13 2014-08-25 Kddi Corp 不特定多数のユーザからの投稿文を用いて特定の異常を検知する異常検知装置、プログラム及び方法
JP2021144474A (ja) * 2020-03-12 2021-09-24 ヤフー株式会社 情報提供装置、情報提供方法、およびプログラム
US20220342745A1 (en) * 2021-04-23 2022-10-27 Capital One Services, Llc Detecting system events based on user sentiment in social media messages
JP7334803B2 (ja) * 2020-01-15 2023-08-29 富士通株式会社 会話制御プログラム、会話制御方法および情報処理装置

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005063242A (ja) * 2003-08-15 2005-03-10 Nippon Telegr & Teleph Corp <Ntt> 情報解析システム及び方法

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2014154051A (ja) * 2013-02-13 2014-08-25 Kddi Corp 不特定多数のユーザからの投稿文を用いて特定の異常を検知する異常検知装置、プログラム及び方法
JP7334803B2 (ja) * 2020-01-15 2023-08-29 富士通株式会社 会話制御プログラム、会話制御方法および情報処理装置
JP2021144474A (ja) * 2020-03-12 2021-09-24 ヤフー株式会社 情報提供装置、情報提供方法、およびプログラム
US20220342745A1 (en) * 2021-04-23 2022-10-27 Capital One Services, Llc Detecting system events based on user sentiment in social media messages

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP4561043A4 *

Also Published As

Publication number Publication date
JPWO2025069315A1 (https=) 2025-04-03
EP4561043A1 (en) 2025-05-28
EP4561043A4 (en) 2025-10-22
JP7854518B2 (ja) 2026-05-01

Similar Documents

Publication Publication Date Title
CN111401777B (zh) 企业风险的评估方法、装置、终端设备及存储介质
CN115002200B (zh) 基于用户画像的消息推送方法、装置、设备及存储介质
US11580447B1 (en) Shared per content provider prediction models
US10394953B2 (en) Meme detection in digital chatter analysis
US20180083995A1 (en) Identifying significant anomalous segments of a metrics dataset
US10074097B2 (en) Classification engine for classifying businesses based on power consumption
US20180284971A1 (en) Intelligent visual object management system
CN112330412B (zh) 一种产品推荐方法、装置、计算机设备及存储介质
CN118606559A (zh) 产品推荐方法、装置、设备及存储介质
CN113706249B (zh) 数据推荐方法、装置、电子设备及存储介质
JP2019185595A (ja) 情報処理装置、情報処理方法、情報処理プログラム、判定装置、判定方法及び判定プログラム
CN112561565A (zh) 一种基于行为日志的用户需求识别方法
CN107809370B (zh) 用户推荐方法及装置
CN114219544A (zh) 消费倾向分析方法、装置、设备及存储介质
CN118886986A (zh) 产品推荐方法、装置、设备及存储介质
CN118886965A (zh) 公域私域转化方法、装置、设备、介质及产品
CN112084408B (zh) 名单数据筛选方法、装置、计算机设备及存储介质
CN114219663A (zh) 产品推荐方法、装置、计算机设备及存储介质
CN111460300B (zh) 网络内容推送方法、装置及存储介质
EP4134849A1 (en) Fraud detection system, fraud detection method, and program
CN114612225A (zh) 产品推荐方法、装置、电子设备及计算机可读存储介质
JP7854518B2 (ja) 異常検知システム、異常検知方法、及びプログラム
CN113052677A (zh) 基于机器学习的两阶段贷款预测模型的构建方法和装置
US11741486B1 (en) Machine learning technique with targeted feature sets for categorical anomaly detection
US20240070269A1 (en) Automatic selection of data for target monitoring

Legal Events

Date Code Title Description
ENP Entry into the national phase

Ref document number: 2024567628

Country of ref document: JP

Kind code of ref document: A

WWE Wipo information: entry into national phase

Ref document number: 2024567628

Country of ref document: JP

ENP Entry into the national phase

Ref document number: 2023948667

Country of ref document: EP

Effective date: 20250221

WWP Wipo information: published in national office

Ref document number: 2023948667

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 11202501223X

Country of ref document: SG

WWP Wipo information: published in national office

Ref document number: 11202501223X

Country of ref document: SG