CN118035049B - Application interface abnormality warning method, device, electronic equipment and medium - Google Patents
- Publication number
- CN118035049B (CN202410228839.4A)
- Authority
- CN
- China
- Prior art keywords
- interface
- information
- call
- application interface
- application
- Prior art date
- Legal status
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/32—Monitoring with visual or acoustical indication of the functioning of the machine
- G06F11/324—Display of status information
- G06F11/327—Alarm or error message display
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/3003—Monitoring arrangements specially adapted to the computing system or computing system component being monitored
- G06F11/302—Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Quality & Reliability (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Physics (AREA)
- Debugging And Monitoring (AREA)
Abstract
Embodiments of the present disclosure disclose an application interface abnormality alarm method, apparatus, electronic device and medium. A specific implementation of the method includes: obtaining a set of application interface information to be detected; performing non-intrusive monitoring processing on the set of application interface information to be detected to obtain a set of application interface monitoring information groups; classifying the interface response information group to obtain a category interface response information group; determining a category interface call volume group; determining a category interface call volume difference group; determining the application interface information to be detected as target application interface information; performing anomaly detection on the target application interface information set to obtain an abnormal application interface information set; and performing root cause location processing on the abnormal application interface information set to obtain an interface abnormality information set, and controlling the associated alarm device to issue an abnormality alarm. This implementation can improve the accuracy of anomaly detection, reduce the false detection rate and the missed detection rate, and improve the stability of the application system and the user experience.
Description
Technical Field
Embodiments of the present disclosure relate to the field of computer technology, and in particular to an application interface abnormality alarm method, apparatus, electronic device and medium.
Background Art
Monitoring the interface calls of an application system reveals both how the system is used and how it is running, so that when an abnormal situation occurs, alarms can be raised and the relevant personnel notified in time, ensuring the stability and security of the application system. Application interface abnormalities are usually alarmed as follows: probes explicitly monitor the calls to each application interface of the application system to obtain an interface call information set; a fixed alarm threshold is then set for each application interface; finally, in response to determining that an application interface has reached its fixed alarm threshold, the associated alarm device is controlled to issue an alarm.
However, it has been found in practice that alarming on application interface abnormalities in this way often runs into the following technical problem one: explicitly monitoring the calls to the application interfaces affects the business logic of the application and tightly couples the program logic with the monitoring logic; and because setting fixed alarm thresholds depends on expert experience, the range of alarms covered is narrow, causing false alarms and missed alarms, which in turn leads to lower stability of the application system and a poorer user experience.
Adopting a technical solution to technical problem one is often accompanied by the following technical problem two: because the number of interface call logs is large, the calling relationships between application interfaces are intricate, and multiple call indicators are involved, fine-grained root cause analysis of abnormality alarms takes a long time, the accuracy of root cause location analysis is low, and the stability of the application system is low. The conventional solution to technical problem two is generally to perform fine-grained root cause location analysis on the abnormal application interface through the interface call logs. However, this conventional solution still has the following problems: because the number of interface call logs is large, the calling relationships between application interfaces are intricate, and multiple call indicators are involved, fine-grained root cause analysis of abnormality alarms takes a long time, the accuracy of root cause location analysis is low, and the stability of the application system is low.
Adopting a technical solution to technical problem one is also often accompanied by the following technical problem three: one-hot encoding of user behavior data produces sparse features and an explosion in data dimensions, which hinders model fitting, and one-hot encoding cannot accurately identify the correlations between data, resulting in low accuracy of user churn rate prediction, low accuracy of user churn alarms, the loss of a large number of users, and increased operating costs of the application system. The conventional solution to technical problem three is generally to input the user behavior feature vector obtained by one-hot encoding into a user churn prediction model to obtain the user churn rate. However, this conventional solution still has the following problems: one-hot encoding of user behavior data produces sparse features and an explosion in data dimensions, which hinders model fitting, and one-hot encoding cannot accurately identify the correlations between data, resulting in low accuracy of user churn rate prediction, low accuracy of user churn alarms, the loss of a large number of users, and increased operating costs of the application system.
The above information disclosed in this Background section is only for enhancing understanding of the background of the inventive concept, and it may therefore contain information that does not form prior art already known in this country to a person of ordinary skill in the art.
Summary of the Invention
This summary introduces concepts in a brief form; these concepts are described in detail in the Detailed Description section below. This summary is not intended to identify key features or essential features of the claimed technical solution, nor is it intended to limit the scope of the claimed technical solution.
Some embodiments of the present disclosure propose an application interface abnormality alarm method, apparatus, electronic device and medium to solve one or more of the technical problems mentioned in the Background section above.
In a first aspect, some embodiments of the present disclosure provide an application interface abnormality alarm method, comprising: obtaining a set of application interface information to be detected of a target evaluation application; performing non-intrusive monitoring processing on each piece of application interface information to be detected in the set to generate an application interface monitoring information group, obtaining a set of application interface monitoring information groups; for each application interface monitoring information group in the set of application interface monitoring information groups, performing the following determination steps: classifying the interface response information group included in the application interface monitoring information group to obtain a category interface response information group; determining the category interface call volume of each piece of category interface response information in the category interface response information group to obtain a category interface call volume group; determining the category interface call volume difference between each category interface call volume in the category interface call volume group and the corresponding historical category interface call volume to obtain a category interface call volume difference group, and visually displaying the category interface call volume difference group; in response to determining that the category interface call volume difference group contains a category interface call volume difference greater than or equal to a preset call volume range, determining the application interface information to be detected that corresponds to the application interface monitoring information group as target application interface information; performing anomaly detection on the obtained target application interface information set to obtain an abnormal application interface information set; and performing root cause location processing on the abnormal application interface information set to obtain an interface abnormality information set, and controlling the associated alarm device to issue an abnormality alarm.
In a second aspect, some embodiments of the present disclosure provide an application interface abnormality alarm apparatus, comprising: an acquisition unit, configured to obtain a set of application interface information to be detected of a target evaluation application; a non-intrusive monitoring unit, configured to perform non-intrusive monitoring processing on each piece of application interface information to be detected in the set to generate an application interface monitoring information group, obtaining a set of application interface monitoring information groups; an execution unit, configured to perform the following determination steps for each application interface monitoring information group in the set of application interface monitoring information groups: classifying the interface response information group included in the application interface monitoring information group to obtain a category interface response information group; determining the category interface call volume of each piece of category interface response information in the category interface response information group to obtain a category interface call volume group; determining the category interface call volume difference between each category interface call volume in the category interface call volume group and the corresponding historical category interface call volume to obtain a category interface call volume difference group, and visually displaying the category interface call volume difference group; in response to determining that the category interface call volume difference group contains a category interface call volume difference greater than or equal to a preset call volume range, determining the application interface information to be detected that corresponds to the application interface monitoring information group as target application interface information; an anomaly detection unit, configured to perform anomaly detection on the obtained target application interface information set to obtain an abnormal application interface information set; and an abnormality alarm unit, configured to perform root cause location processing on the abnormal application interface information set to obtain an interface abnormality information set, and to control the associated alarm device to issue an abnormality alarm.
In a third aspect, some embodiments of the present disclosure provide an electronic device, comprising: one or more processors; and a storage device on which one or more programs are stored, wherein, when the one or more programs are executed by the one or more processors, the one or more processors implement the method described in any implementation of the first aspect.
In a fourth aspect, some embodiments of the present disclosure provide a computer-readable medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the method described in any implementation of the first aspect.
The above embodiments of the present disclosure have the following beneficial effects: the application interface abnormality alarm method of some embodiments of the present disclosure can improve the accuracy of anomaly detection, reduce the false detection rate and the missed detection rate, and improve the stability of the application system and the user experience. Specifically, the stability of the relevant applications and the user experience are low for the following reasons: explicitly monitoring the calls to the application interfaces affects the business logic of the application and tightly couples the program logic with the monitoring logic; and because setting fixed alarm thresholds depends on expert experience, the range of alarms covered is narrow, causing false alarms and missed alarms, which in turn leads to lower stability of the application system and a poorer user experience.
Based on this, the application interface abnormality alarm method of some embodiments of the present disclosure first obtains the set of application interface information to be detected of the target evaluation application. Here, the set of application interface information to be detected is used for the subsequent anomaly detection and root cause location. Second, non-intrusive monitoring processing is performed on each piece of application interface information to be detected in the set to generate an application interface monitoring information group, obtaining a set of application interface monitoring information groups. Here, non-intrusive monitoring decouples the business logic of the application from the monitoring logic, which improves the scalability of the application system, reduces its waste of resources, and improves its stability.
Subsequently, the following determination steps are performed for each application interface monitoring information group in the set of application interface monitoring information groups. In the first step, the interface response information group included in the application interface monitoring information group is classified to obtain a category interface response information group. Here, classification makes it possible to count call volumes separately for the different types of interface response information of the application interface to be detected, making the monitoring of that interface more comprehensive. In the second step, the category interface call volume of each piece of category interface response information in the category interface response information group is determined to obtain a category interface call volume group. Here, this prepares for the subsequent determination of the call volume differences. In the third step, the category interface call volume difference between each category interface call volume in the category interface call volume group and the corresponding historical category interface call volume is determined to obtain a category interface call volume difference group, and the category interface call volume difference group is visually displayed. Here, determining the difference from the corresponding historical category interface call volume makes the trend of the call volume of the application interface to be detected explicit, and displaying it visually shows that trend more intuitively, helping the relevant personnel keep track of how the application interface to be detected is being called. In the fourth step, in response to determining that the category interface call volume difference group contains a category interface call volume difference greater than or equal to the preset call volume range, the application interface information to be detected that corresponds to the application interface monitoring information group is determined as target application interface information. Here, determining as a target application interface any application interface to be detected whose call volume of any type is greater than or equal to the preset call volume range reduces the number of interfaces subjected to the subsequent anomaly detection.
Then, anomaly detection is performed on the obtained target application interface information set to obtain an abnormal application interface information set. Here, performing anomaly detection only on the target application interface information set reduces the amount of interface data subjected to anomaly detection and the computing resources used by the application system; detecting interface call anomalies from coarse granularity to fine granularity improves the accuracy of the subsequent anomaly detection and the stability of the application system. Finally, root cause location processing is performed on the abnormal application interface information set to obtain an interface abnormality information set, and the associated alarm device is controlled to issue an abnormality alarm. Here, root cause location determines the root cause of the application interface abnormality, and controlling the associated alarm device to issue an abnormality alarm reminds the relevant personnel in time to take the relevant action, reducing the loss rate of the application system and improving the user experience.
In summary, the application interface abnormality alarm method monitors the application interfaces to be detected non-intrusively, which decouples the application business logic from the monitoring logic and reduces the resource waste of the application system. It first determines the call volume differences of the different types for each application interface to be detected and then performs anomaly detection on the call volumes that exceed the preset call volume range to obtain the abnormal application interfaces, which improves the accuracy of anomaly detection and reduces the false detection rate and the missed detection rate. It then locates the root cause of, and raises an alarm for, each abnormal application interface, which identifies the real factor causing the interface abnormality, allows the abnormality to be handled in time, and improves the stability of the application system.
Brief Description of the Drawings
The above and other features, advantages and aspects of the embodiments of the present disclosure will become more apparent with reference to the following detailed description in conjunction with the accompanying drawings. Throughout the drawings, the same or similar reference numerals denote the same or similar elements. It should be understood that the drawings are schematic and that components and elements are not necessarily drawn to scale.
FIG. 1 is a flow chart of some embodiments of the application interface abnormality alarm method according to the present disclosure;
FIG. 2 is a schematic structural diagram of some embodiments of the application interface abnormality alarm apparatus according to the present disclosure;
FIG. 3 is a schematic structural diagram of an electronic device suitable for implementing some embodiments of the present disclosure.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although certain embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure can be implemented in various forms and should not be construed as being limited to the embodiments set forth herein. On the contrary, these embodiments are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the present disclosure are for exemplary purposes only and are not intended to limit the scope of protection of the present disclosure.
It should also be noted that, for ease of description, only the parts related to the invention concerned are shown in the drawings. Where there is no conflict, the embodiments of the present disclosure and the features in the embodiments may be combined with each other.
It should be noted that concepts such as "first" and "second" mentioned in the present disclosure are only used to distinguish different devices, modules or units, and are not used to limit the order or interdependence of the functions performed by these devices, modules or units.
It should be noted that the modifiers "one" and "a plurality of" mentioned in the present disclosure are illustrative rather than restrictive, and those skilled in the art should understand that, unless the context clearly indicates otherwise, they should be understood as "one or more".
The names of the messages or information exchanged between multiple devices in the embodiments of the present disclosure are for illustrative purposes only and are not intended to limit the scope of these messages or information.
The present disclosure will be described in detail below with reference to the accompanying drawings and in conjunction with embodiments.
FIG. 1 shows a process 100 of some embodiments of the application interface abnormality alarm method according to the present disclosure. The application interface abnormality alarm method comprises the following steps:
Step 101: obtain the set of application interface information to be detected of the target evaluation application.
In some embodiments, the execution subject of the application interface abnormality alarm method (for example, an electronic device) may obtain the set of application interface information to be detected of the target evaluation application through a wired or wireless connection. The target evaluation application (credit investigation software) may be an application used to evaluate user references. Each piece of application interface information to be detected in the set may be information about an interface of the target evaluation application that is waiting to be detected. For example, the application interface information to be detected may be the name information of the application interface to be detected.
Step 102: perform non-intrusive monitoring processing on each piece of application interface information to be detected in the set of application interface information to be detected to generate an application interface monitoring information group, obtaining a set of application interface monitoring information groups.
In some embodiments, the execution subject may perform non-intrusive monitoring processing on each piece of application interface information to be detected in the set to generate an application interface monitoring information group, obtaining a set of application interface monitoring information groups. The application interface monitoring information in an application interface monitoring information group may be the monitored call and response information of the application interface to be detected. For example, the application interface monitoring information may include, but is not limited to, at least one of the following: traffic information, call volume, and abnormal call information of the application interface to be detected.
As an example, the execution subject may parse the interface log information set corresponding to the set of application interface information to be detected to obtain the set of application interface monitoring information groups.
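The log-parsing form of step 102, followed by the determination steps listed in the summary (classify responses, count per-category call volumes, difference against history, screen by a preset range), can be sketched as below. This is an added example and not code from the patent; the log line format, the status-class categories, the comparison on the absolute difference, and all names and sample values are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed access-log sample. Assumed line format:
#   <timestamp> <interface path> <HTTP status> <latency in ms>
SAMPLE_LOG = """\
2024-03-01T10:00:01 /credit/score 200 35
2024-03-01T10:00:02 /credit/score 200 41
2024-03-01T10:00:03 /credit/report 401 12
2024-03-01T10:00:03 /credit/report 401 11
2024-03-01T10:00:04 /credit/score 200 38
2024-03-01T10:00:05 /credit/report 401 13
2024-03-01T10:00:05 /credit/report 200 90
truncated line without status
2024-03-01T10:00:06 /credit/report 401 12
2024-03-01T10:00:07 /credit/report 503 2000
2024-03-01T10:00:08 /credit/score 404 9
2024-03-01T10:00:09 /credit/report 401 10
"""

# Constructed historical category call volumes for a window of the same length.
HISTORY = {
    "/credit/score": {"success": 4, "client_error": 1},
    "/credit/report": {"success": 6, "client_error": 1},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<interface>/\S*)\s+(?P<status>\d{3})\s+(?P<latency_ms>\d+)$"
)


def parse_log(text):
    """Non-intrusive monitoring: derive per-interface records from logs only.

    Returns (records grouped by interface, number of malformed lines). Malformed
    lines are counted so that a logging fault is visible instead of silently
    lowering the call volumes.
    """
    groups = defaultdict(list)
    rejected = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            rejected += 1
            continue
        groups[m["interface"]].append(
            {"status": int(m["status"]), "latency_ms": int(m["latency_ms"])}
        )
    return dict(groups), rejected


def classify(record):
    """Assumed classification of a response record by HTTP status class."""
    status = record["status"]
    if 200 <= status < 400:
        return "success"
    if 400 <= status < 500:
        return "client_error"
    if 500 <= status < 600:
        return "server_error"
    return "other"


def category_call_volumes(records):
    """Category interface call volume group: calls counted per category."""
    return Counter(classify(r) for r in records)


def call_volume_differences(current, historical):
    """Current minus historical volume for every category seen in either."""
    categories = sorted(set(current) | set(historical))
    return {c: current.get(c, 0) - historical.get(c, 0) for c in categories}


def screen_targets(groups, history, preset_range):
    """Coarse screening: keep interfaces with any |difference| >= preset_range.

    Comparing the absolute value is an assumption: a collapse in successful
    calls is treated as being as notable as a surge in error responses.
    """
    targets = {}
    for interface, records in groups.items():
        diffs = call_volume_differences(
            category_call_volumes(records), history.get(interface, {})
        )
        if any(abs(d) >= preset_range for d in diffs.values()):
            targets[interface] = diffs
    return targets


if __name__ == "__main__":
    parsed, bad_lines = parse_log(SAMPLE_LOG)
    print("malformed lines:", bad_lines)
    print("targets:", screen_targets(parsed, HISTORY, preset_range=3))
```

Only the interfaces returned by `screen_targets` would go on to the finer-grained anomaly detection, which is how the method keeps that stage small.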
在一些实施例的一些可选的实现方式中,上述对上述待检测应用接口信息集中的每个待检测应用接口信息进行无侵入监控处理,以生成应用接口监控信息组,得到应用接口监控信息组集,可以包括以下步骤:In some optional implementations of some embodiments, the non-intrusive monitoring process is performed on each piece of application interface information to be detected in the above-mentioned application interface information set to be detected to generate an application interface monitoring information group to obtain an application interface monitoring information group set, which may include the following steps:
第一步,对于上述待检测应用接口信息集中的每个待检测应用接口信息,执行以下监控步骤:In the first step, for each piece of application interface information to be detected in the above-mentioned application interface information set to be detected, the following monitoring steps are performed:
子步骤1,获取上述待检测应用接口信息的接口调用源代码文件。其中,上述接口调用源代码文件可以是待检测应用接口的调用规约文件。实践中,上述执行主体可以通过源文件提取器,获取上述待检测应用接口信息的接口调用源代码文件。Sub-step 1, obtaining the interface call source code file of the above-mentioned application interface information to be detected. Among them, the above-mentioned interface call source code file can be a call protocol file of the application interface to be detected. In practice, the above-mentioned execution subject can obtain the interface call source code file of the above-mentioned application interface information to be detected through a source file extractor.
Sub-step 2: construct an abstract syntax tree from the interface call source code file to obtain an interface call syntax tree. The interface call syntax tree may be a tree structure representing the call relationships between the set of call methods and the set of call objects included in the interface call source code file. In practice, the execution subject may first tokenize the interface call source code file to obtain an interface syntax unit set. An interface syntax unit in the interface syntax unit set may be a smallest, indivisible unit of the interface call source code file. For example, the interface syntax unit set may include, but is not limited to, at least one of the following: keywords, identifiers, operators, parameter values, strings, whitespace, and comments. The execution subject may then perform syntax analysis on the interface syntax unit set to obtain the interface call syntax tree.
Sub-step 3: parse the interface call syntax tree to obtain an interface call connectivity graph. The interface call connectivity graph may be a directed graph showing the call relationships and flow between nodes. The nodes of the interface call connectivity graph include interface call method nodes and data nodes. An interface call method node may represent a method call or an operator in an interface call. A data node may represent an object or a parameter value in an interface call. An edge in the interface call connectivity graph may represent the call relationship between an interface call method node and a data node.
Sub-step 4: perform a breadth-first search on the interface call connectivity graph to obtain interface parameter configuration information. The interface parameter configuration information may be the configuration information of the parameters of the application interface to be detected. It may include, but is not limited to, at least one of the following: interface address information, interface parameter names, interface type information, and interface parameter format.
Sub-step 5: add a preset aspect programming component to the interface parameter configuration information to obtain aspect application interface information. The aspect application interface information may be the interface parameter configuration information with interface monitoring code added to it. The preset aspect programming component may be a monitoring component built with AOP (Aspect Oriented Programming).
Sub-step 6: in response to determining that the to-be-detected application interface information is called, control the preset aspect programming component to monitor the aspect application interface information, obtaining an interface call information group and an interface response information group of the to-be-detected application interface information.
Second step: determine the obtained interface call information group set and the obtained interface response information group set as the application interface monitoring information group set.
Step 103: for each application interface monitoring information group in the application interface monitoring information group set, perform the following determination steps:
Step 1031: classify the interface response information group included in the application interface monitoring information group to obtain a category interface response information group.
In some embodiments, the execution subject may classify the interface response information group included in the application interface monitoring information group to obtain a category interface response information group. Each piece of category interface response information in the category interface response information group may be interface response information of a single type. The category interface response information group may include, but is not limited to, at least one of the following: response information with returned data, response information without returned data, and response information whose returned data is inconsistent with the call information.
Step 1032: determine the category interface call volume of each piece of category interface response information in the category interface response information group to obtain a category interface call volume group.
In some embodiments, the execution subject may determine the category interface call volume of each piece of category interface response information in the category interface response information group to obtain a category interface call volume group. A category interface call volume in the category interface call volume group may be the number of times the application interface to be detected is called within one time slice. The time slice may be 15 minutes. In practice, a statistical method is applied to each piece of category interface response information in the category interface response information group to generate its category interface call volume, yielding the category interface call volume group.
Step 1033: determine the category interface call volume difference between each category interface call volume in the category interface call volume group and the corresponding historical category interface call volume to obtain a category interface call volume difference group, and display the category interface call volume difference group visually.
In some embodiments, the execution subject may determine the category interface call volume difference between each category interface call volume in the category interface call volume group and the corresponding historical category interface call volume to obtain a category interface call volume difference group, and display the category interface call volume difference group visually. The corresponding historical category interface call volume may be a call volume of the application interface to be detected from before the current time slice. It may be the period-over-period value, that is, the category interface call volume of the immediately preceding time slice, or the year-over-year value, that is, the category interface call volume of the same time slice in the previous year. The visual display may present the category interface call volume difference group in the form of a chart.
Step 1034: in response to determining that the category interface call volume difference group contains a category interface call volume difference greater than or equal to a preset call volume range, determine the to-be-detected application interface information corresponding to the application interface monitoring information group as target application interface information.
In some embodiments, in response to determining that the category interface call volume difference group contains a category interface call volume difference greater than or equal to a preset call volume range, the execution subject may determine the to-be-detected application interface information corresponding to the application interface monitoring information group as target application interface information. The preset call volume range may be a preset range of call volume differences determined from expert experience. The preset call volume range may span both negative and positive call volume values.
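The following sketch walks through steps 1031 to 1034 on a handful of constructed call records. It is an added example, not code from the patent: the record layout, the category names, the `PRESET_RANGE` bounds and the reading of "greater than or equal to the preset range" as "at or beyond either bound" are assumptions.

```python
from collections import Counter
from datetime import datetime

SLICE_SECONDS = 15 * 60   # 15-minute time slice, as on the page
PRESET_RANGE = (-3, 3)    # assumed bounds; the page leaves them to expert experience
CATEGORIES = ("with_data", "no_data", "mismatch")

# Constructed records: (timestamp, interface, requested id, returned id or None).
RECORDS = (
    [(f"2024-03-01T10:{m:02d}:00+00:00", "/api/order", m, m) for m in range(5)]
    + [("2024-03-01T10:16:00+00:00", "/api/order", 9, 9)]
    + [(f"2024-03-01T10:{m:02d}:00+00:00", "/api/order", m, None) for m in range(20, 24)]
    + [("2024-03-01T10:25:00+00:00", "/api/order", 7, 8)]
    + [(f"2024-03-01T10:{m:02d}:00+00:00", "/api/catalog", m, m)
       for m in (1, 5, 9, 16, 20, 24)]
)


def classify(requested_id, returned_id):
    """Step 1031: response with data, without data, or inconsistent with the call."""
    if returned_id is None:
        return "no_data"
    return "with_data" if returned_id == requested_id else "mismatch"


def slice_start(timestamp):
    """Epoch second at which the 15-minute slice containing `timestamp` begins."""
    epoch = int(datetime.fromisoformat(timestamp).timestamp())
    return epoch - epoch % SLICE_SECONDS


def category_volumes(records):
    """Step 1032: call count per (interface, time slice, response category)."""
    volumes = Counter()
    for timestamp, interface, requested_id, returned_id in records:
        key = (interface, slice_start(timestamp), classify(requested_id, returned_id))
        volumes[key] += 1
    return volumes


def volume_differences(volumes, interface, current_slice):
    """Step 1033: current slice minus the previous slice (period-over-period)."""
    previous_slice = current_slice - SLICE_SECONDS
    return {
        category: volumes[(interface, current_slice, category)]
        - volumes[(interface, previous_slice, category)]
        for category in CATEGORIES
    }


def target_interfaces(records, current_slice):
    """Step 1034: interfaces with any difference at or beyond the preset bounds."""
    low, high = PRESET_RANGE
    volumes = category_volumes(records)
    flagged = []
    for interface in sorted({record[1] for record in records}):
        diffs = volume_differences(volumes, interface, current_slice)
        if any(diff <= low or diff >= high for diff in diffs.values()):
            flagged.append(interface)
    return flagged


CURRENT_SLICE = slice_start("2024-03-01T10:15:00+00:00")

if __name__ == "__main__":
    vols = category_volumes(RECORDS)
    print(volume_differences(vols, "/api/order", CURRENT_SLICE))
    print(target_interfaces(RECORDS, CURRENT_SLICE))
```

Splitting the count by response category is what surfaces the failure here: the total call volume of `/api/order` barely moves between slices, while the "with data" count drops and the "no data" count rises.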
Step 104: perform anomaly detection on the obtained target application interface information set to obtain an abnormal application interface information set.
In some embodiments, the execution subject may perform anomaly detection on the obtained target application interface information set to obtain an abnormal application interface information set. The abnormal application interface information in the abnormal application interface information set may be information on to-be-detected application interfaces that exhibit an abnormality. In practice, the execution subject may use an interface anomaly detection model to perform anomaly detection on the obtained target application interface information set and obtain the abnormal application interface information set. The interface anomaly detection model may be an XGBoost (eXtreme Gradient Boosting) model.
In some optional implementations of some embodiments, performing anomaly detection on the obtained target application interface information set to obtain the abnormal application interface information set may include the following steps:
First step: perform feature extraction on the interface call log information set corresponding to the target application interface information set to obtain an interface call feature vector set. The interface call log information in the interface call log information set may be log information recording the calls to, and responses of, the target application interface information. An interface call feature vector in the interface call feature vector set may represent the feature information of the interface call log information. In practice, the execution subject may use a log feature extraction model to perform feature extraction on the interface call log information set corresponding to the target application interface information set and obtain the interface call feature vector set. The log feature extraction model may be a neural network model.
Second step: input the interface call feature vector set into the encoder network of an interface call anomaly model to obtain an interface call hidden feature vector set. The interface call anomaly model may be a model that performs anomaly detection on an input interface call feature vector set and produces an anomaly detection result. The interface call anomaly model may be a CVAE (Conditional VAE, conditional variational autoencoder). The encoder network may be a network that extracts hidden feature vectors from the interface call feature vectors. The encoder network may be one of an MLP (Multi-Layer Perceptron), a CNN (Convolutional Neural Network), or an RNN (Recurrent Neural Network). An interface call hidden feature vector in the interface call hidden feature vector set may represent the feature information and the feature vector distribution of the corresponding interface call feature vector.
Third step: determine the interface hidden mean group and the interface hidden standard deviation group of each interface call hidden feature vector in the interface call hidden feature vector set to obtain an interface hidden mean group set and an interface hidden standard deviation group set.
Fourth step: generate a random variable group set from the interface hidden mean group set and the interface hidden standard deviation group set. A random variable in the random variable group set may be a Gaussian-distributed variable generated from an interface hidden mean and the corresponding interface hidden standard deviation.
As an example, the execution subject may use a function to generate the random variable group set from the interface hidden mean group set and the interface hidden standard deviation group set.
Fifth step: randomly select a random variable from each random variable group in the random variable group set as a latent feature vector to obtain a latent feature vector set.
Sixth step: perform backward transmission flow processing on the latent feature vector set to obtain an interface latent feature variable set. An interface latent feature variable in the interface latent feature variable set may be a variable obtained by applying a nonlinear transformation to a latent feature vector. In practice, the execution subject may use a backward transmission flow to process the latent feature vector set and obtain the interface latent feature variable set. The backward transmission flow may be a nonlinear transformation method that further adjusts and optimizes the latent feature vectors and better captures their structure.
Seventh step: input the interface latent feature variable set into the decoder network of the interface call anomaly model to obtain a reconstructed interface call feature vector set. The decoder network may be a network model that reconstructs the interface latent feature variables into output that is as similar as possible to the input interface call feature vectors. The decoder network may be a generator.
Eighth step: determine the feature similarity value between each reconstructed interface call feature vector in the reconstructed interface call feature vector set and the corresponding interface call feature vector in the interface call feature vector set to obtain a feature similarity value set.
Ninth step: determine the at least one feature similarity value in the feature similarity value set that does not fall within a preset similarity range as a target feature similarity value set. The preset similarity range may be a preset range of feature similarity values.
Tenth step: determine the at least one piece of to-be-detected application interface information corresponding to the target feature similarity value set as the abnormal application interface information set.
Step 105: perform root cause location processing on the abnormal application interface information set to obtain an interface abnormality information set, and control an associated alarm device to issue an abnormality alarm.
In some embodiments, the execution subject may perform root cause location processing on the abnormal application interface information set to obtain an interface abnormality information set, and control an associated alarm device to issue an abnormality alarm. The interface abnormality information in the interface abnormality information set may be the interface indicator information that caused the application interface to be detected to become abnormal, or it may be to-be-detected application interface information. The interface indicator information may include, but is not limited to, at least one of the following: interface CPU (Central Processing Unit) utilization, interface memory utilization, and interface impact time. In practice, the execution subject may use association rule algorithms and heuristic algorithms to perform root cause location processing on the abnormal application interface information set, obtain the interface abnormality information set, and control the associated alarm device to issue an abnormality alarm.
The conventional solution described above performs fine-grained root cause location analysis of abnormal application interfaces from interface call logs, and therefore faces technical problem 2: because the number of interface call logs is large, the call relationships between application interfaces are intricate, and multiple call indicators are involved, fine-grained root cause analysis of abnormality alarms takes a long time, the accuracy of root cause location analysis is low, and the stability of the application system is low. In view of the current state of the art, the following solution may be adopted.
In some optional implementations of some embodiments, performing root cause analysis on the abnormal application interface information set to obtain the interface abnormality information set includes:
First step: determine the interface call chain information corresponding to each piece of abnormal application interface information in the abnormal application interface information set to obtain an interface call chain information set. A piece of interface call chain information in the interface call chain information set may be the call chain formed when one user request calls the abnormal application interface information, a set of other application interface information, and a set of server nodes. The set of other application interface information may be the application interface information other than the abnormal application interface information. The interface call chain information may be the call chain formed within the 1 minute before the abnormality of the abnormal application interface information was detected. In practice, the execution subject may perform the following interface call chain generation steps for each piece of abnormal application interface information in the abnormal application interface information set. First, obtain the call log information of each piece of abnormal application interface information in the abnormal application interface information set. Second, determine the interface log information group that has call association information with the call log information. The call association information may be the information corresponding to the parent call interface parameter included in the call log information. Next, generate initial call chain information from the application interface information group corresponding to the parent call interface parameter group included in the interface log information group. The application interface information may be any application interface information included in the target evaluation application. The application interface information group includes the abnormal application interface information. Then, determine the server node corresponding to the application interface information set included in the initial call chain information to obtain an interface server node. Finally, determine the initial call chain information and the interface server node set as the interface call chain information.
Second step: construct an interface call topology graph from the interface call chain information set to obtain an interface call topology graph set. An interface call topology graph in the interface call topology graph set may be a directed graph representing the call relationships between application interfaces and the server nodes to which the application interfaces belong.
Third step: for each interface call topology graph in the interface call topology graph set, perform the following root cause analysis steps:
Sub-step 1: determine the interface load information of each application interface in the application interface set included in the interface call topology graph and the node load information of each server node in the server node set to obtain an interface load information set and a node load information set. The interface load information may be indicator information characterizing the performance of an application interface. It may include: interface response time, interface CPU utilization, and interface memory utilization. The node load information may be indicator information characterizing the performance of a server node. It may include: server CPU utilization, server memory utilization, and server network throughput. In practice, the execution subject may use query statements to determine the interface load information of each application interface in the application interface set and the node load information of each server node in the server node set, obtaining the interface load information set and the node load information set.
Sub-step 2: use a kernel density estimation algorithm to screen the node load information set and the interface load information set for abnormalities to obtain an abnormal interface set and an abnormal server node set.
Sub-step 3: prune the interface call topology graph according to the abnormal interface set and the abnormal server node set to obtain an abnormal call topology graph. The abnormal call topology graph may be obtained by removing from the interface call topology graph the node set unrelated to the abnormal interface set and the abnormal server node set. That node set may include: those nodes, among the remaining application interface set and the remaining server node set left after excluding the abnormal interface set and the abnormal server node set, that have neither a call relationship nor a belonging relationship with the abnormal interface set or the abnormal server node set.
As an example, the execution subject may first determine the application node set and the server node set that have a call relationship or a belonging relationship with the abnormal interface set and the abnormal server node set, as the target interface set and the target server node set. It may then use the call relationships and belonging relationships to construct a directed graph over the abnormal interface set, the abnormal server node set, the target interface set, and the target server node set, obtaining the abnormal call topology graph.
Sub-step 4: determine the edge weight coefficient of each call edge in the call edge set included in the abnormal call topology graph to obtain an edge weight value set. An edge weight in the edge weight value set may be a weight value formed from the Pearson correlation coefficient of the nodes in the node pair corresponding to the call edge. The node pairs may include: abnormal interface and target interface, abnormal interface and target server node, abnormal server node and target interface, abnormal server node and target server node, abnormal interface and abnormal interface, abnormal server node and abnormal server node, and abnormal interface and abnormal server node.
Sub-step 5: according to the edge weight value set, determine the node abnormality value of each abnormal call node in the abnormal call node set included in the abnormal call topology graph to obtain a node abnormality value set. A node abnormality value in the node abnormality value set may be the average obtained from the sum of the edge weight values of the call edges connected to the node. The abnormal call node set may include: the abnormal interface set and the abnormal server node set.
As an example, the execution subject may perform the following node abnormality value steps for each abnormal call node in the abnormal call node set included in the abnormal call topology graph. First, determine the call edge group corresponding to the abnormal call node and the edge weight value group of that call edge group. Then, determine the sum of the edge weight values in the edge weight value group as the target weight value. Finally, determine the ratio of the target weight value to the number of call edges in the call edge group as the node abnormality value.
Sub-step 6: according to the edge weight value set, determine the abnormality propagation probability matrix of the abnormal call node set. The abnormality propagation probability matrix may represent the probability that an abnormal condition propagates between the nodes included in the abnormal call topology graph. The rows and columns of the abnormality propagation probability matrix correspond to the nodes included in the abnormal call topology graph.
As an example, the execution subject may perform the following abnormality propagation value determination steps for each abnormality propagation value in the abnormality propagation probability matrix. First, determine the abnormal node pair corresponding to the abnormality propagation value. Second, determine the edge weight value of the abnormal node pair as the abnormal edge weight value. Next, determine the edge weight value group of the node of the abnormal node pair that lies on the row as the abnormal edge weight value group. Then, determine the sum of the abnormal edge weight value group as the abnormal target weight value. Finally, determine the ratio of the abnormal edge weight value to the abnormal target weight value as the abnormality propagation value.
Sub-step 7: according to the abnormality propagation probability matrix and the node abnormality value set, determine the node root cause value of each abnormal call node in the abnormal call node set to obtain a node root cause value set. A node root cause value in the node root cause value set may represent the probability that the node is the root cause of the abnormality of the application node to be detected.
As an example, the execution subject may perform the following node root cause value determination steps for each call abnormal node in the abnormal call node set. First, determine the product of the first preset weight value and the node abnormality value of the call abnormal node as the first abnormality value. The first preset weight value may be a preset threshold. For example, the first abnormality value may be 0.15. Then, determine the product of the second preset weight value and the abnormal propagation value of the call abnormal node as the second abnormality value. The second preset weight value may be a preset value whose sum with the first preset weight value is 1. Finally, determine the sum of the first abnormality value and the second abnormality value as the node root cause value.
Sub-step 8: sort the node root cause value set to obtain a node root cause value sequence.
Sub-step 9: select, from the node root cause value sequence, the abnormal call node corresponding to the largest root cause value as the target abnormal call node.
Sub-step 10: determine the abnormal node information of the target abnormal call node as the interface abnormal information set.
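Sub-steps 6 to 9 can be traced on a small graph. The following Python sketch is an added example, not code from the patent. It assumes that the edge weight group of a row node is its outgoing call edges, that a node's abnormal propagation value is the mean of its column in the matrix (the page does not say how a per-node value is taken from the matrix), and that the first preset weight is 0.15; the node names and numbers are constructed.

```python
from collections import defaultdict

# Constructed sample: weighted call edges (caller, callee, edge weight) of an
# already pruned abnormal call topology, and a node abnormality value per node.
EDGES = [
    ("gateway", "order-api", 0.6),
    ("gateway", "user-api", 0.2),
    ("order-api", "db-node", 0.9),
    ("user-api", "db-node", 0.3),
]
NODE_ANOMALY = {"gateway": 0.2, "order-api": 0.5, "user-api": 0.1, "db-node": 0.8}
FIRST_WEIGHT = 0.15  # assumed first preset weight; the second is 1 - FIRST_WEIGHT


def propagation_matrix(edges):
    """Sub-step 6: P[row][col] = weight(row, col) / sum of the row node's edge weights."""
    weights = defaultdict(float)
    for src, dst, w in edges:
        if w < 0:
            raise ValueError(f"negative edge weight on {src}->{dst}")
        weights[(src, dst)] += w  # merge duplicate edges instead of overwriting
    row_total = defaultdict(float)
    for (src, _dst), w in weights.items():
        row_total[src] += w
    matrix = defaultdict(dict)
    for (src, dst), w in weights.items():
        if row_total[src] > 0:  # a node whose edges all weigh 0 propagates nothing
            matrix[src][dst] = w / row_total[src]
    return matrix


def node_propagation(matrix, nodes):
    """Assumed per-node propagation value: mean of the node's column in the matrix."""
    inbound = {n: 0.0 for n in nodes}
    for row in matrix.values():
        for dst, p in row.items():
            inbound[dst] += p
    return {n: inbound[n] / len(nodes) for n in nodes}


def rank_root_causes(edges, anomaly, first_weight=FIRST_WEIGHT):
    """Sub-steps 7 to 9: weighted sum per node, sorted so the top entry is the target node."""
    if not 0.0 <= first_weight <= 1.0:
        raise ValueError("first_weight must lie in [0, 1]")
    nodes = sorted(set(anomaly) | {n for s, d, _ in edges for n in (s, d)})
    if not nodes:
        return []
    prop = node_propagation(propagation_matrix(edges), nodes)
    scores = {
        n: first_weight * anomaly.get(n, 0.0) + (1.0 - first_weight) * prop[n]
        for n in nodes
    }
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for node, score in rank_root_causes(EDGES, NODE_ANOMALY):
        print(f"{node:10s} {score:.4f}")
```

Each row of the matrix that has edges sums to 1, so a node with a single downstream dependency passes its full propagation probability to that dependency, which is why the shared database node ranks first in the sample.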
The above technical solution and its related content, as an inventive point of the embodiments of the present disclosure, solve the second technical problem mentioned in the background: "Because of the large number of interface call logs, the intricate calling relationships between application interfaces, and the involvement of multiple call indicators, the fine-grained root cause analysis of abnormal alarms takes a long time, the accuracy of root cause location is low, and the stability of the application system is low." The factors behind the long analysis time, the low accuracy of root cause location and the low stability of the application system are often the following: the number of interface call logs is large, and the calling relationships between application interfaces are intricate and involve multiple call indicators. If these factors are addressed, the time spent on fine-grained root cause analysis of abnormal alarms can be reduced, and the accuracy of root cause location and the stability of the application system can be improved.
To achieve this effect, the present disclosure first constructs a call topology graph for each piece of abnormal application interface information in the abnormal interface information set, so that the application interfaces and server nodes related to the abnormal interface information can be grasped intuitively. Second, the interface call topology graph is pruned using the interface load information set and the node load information set. Pruning with multi-dimensional information reduces the amount of data for the subsequent root cause analysis and reduces the load on the application system. Then, the edge weight value set and the node abnormality value set of the nodes and call edges included in the abnormal call topology graph are determined, which facilitates the subsequent determination of the abnormal propagation probability matrix. Finally, the interface abnormal information set is determined through the abnormal probability matrix. The relationship between application interfaces and server nodes is shown clearly in the form of a topology graph, and the root cause of the abnormality of the application interface to be detected is determined from coarse to fine through multi-dimensional indicators, which reduces the time spent on fine-grained root cause analysis of abnormal alarms and improves the accuracy of root cause location and the stability of the application system.
Optionally, after step 105, the execution subject may further perform the following steps:
In the first step, data tracking is performed on each piece of abnormal application interface information in the abnormal application interface information set to generate user behavior data, obtaining a user behavior data set. The user behavior data may be data that characterizes the behavior information of a user. In practice, the execution subject may use visual tracking to perform data tracking on each piece of abnormal application interface information in the abnormal application interface information set to generate user behavior data, obtaining a user behavior data set.
In the second step, user churn rate prediction is performed on the user behavior data set to obtain a user churn rate set. A user churn rate in the user churn rate set can represent the probability that a user stops using the application. In practice, the execution subject may use a user churn rate prediction algorithm to perform user churn rate prediction on the user behavior data set to obtain the user churn rate set. The user churn rate prediction algorithm may be a decision tree algorithm.
In the third step, user preference identification is performed on the user behavior data set to obtain a user preference information set. The user preference information in the user preference information set can represent the user's likes and selection tendencies with respect to the application. In practice, the execution subject may use a user preference model to perform user preference identification on the user behavior data set to obtain the user preference information set.
In the fourth step, the target evaluation application is iteratively updated according to the user preference information set and the user churn rate set.
As an example, the execution subject may first select, from the user churn rate set, at least one user churn rate greater than or equal to a preset user churn rate threshold to obtain a target user churn rate set. The preset user churn rate threshold may be a preset minimum user churn rate. Second, the execution subject determines the user preference information corresponding to the target user churn rate set. Then, based on that user preference information, it performs personalized iterative updates on the target evaluation application.
The conventional solution described above inputs user behavior feature vectors obtained by one-hot encoding into a user churn prediction model to obtain the user churn rate. This leads to the third technical problem: one-hot encoding of user behavior data causes sparse data features and an explosion of data dimensions, which hinders model fitting, and one-hot encoding cannot accurately identify the relationships between data, resulting in low accuracy of user churn rate prediction, low accuracy of user churn alarms, the loss of a large number of users and increased operating costs of the application system. Given the current state of the art, the following solution may be adopted.
In some optional implementations of some embodiments, performing user churn rate identification on the user behavior data set to obtain the user churn rate set may include the following steps:
In the first step, feature encoding is performed on at least one piece of categorical user behavior data included in the user behavior data set to obtain a categorical user behavior feature vector set. Categorical data may be data with categorical characteristics. For example, the at least one piece of categorical user behavior data may include, but is not limited to, at least one of the following: user type, user access path information. A categorical user behavior feature vector in the categorical user behavior feature vector set can characterize the feature information of the user behavior data. In practice, the execution subject may perform one-hot encoding on the at least one piece of categorical user behavior data included in the user behavior data set to obtain the categorical user behavior feature vector set.
In the second step, feature embedding is performed on the categorical user behavior feature vector set to obtain a low-dimensional categorical behavior feature vector set. A low-dimensional categorical behavior feature vector in that set may be a feature vector obtained by mapping a categorical user behavior feature vector to a low-dimensional space.
In the third step, contextual feature representation is performed on the low-dimensional categorical behavior feature vector set to obtain a categorical semantic behavior feature vector set. A categorical semantic behavior feature vector in that set may be a feature vector containing context information. In practice, the execution subject may input the low-dimensional categorical behavior feature vector set into the encoder of a Transformer to obtain the categorical semantic behavior feature vector set. The encoder of the Transformer may include a multi-head self-attention layer (Multi-Head Self-Attention) and a feed-forward layer (Feed-Forward).
In the fourth step, layer normalization is performed on at least one piece of numerical user behavior data included in the user behavior data set to obtain a normalized behavior data set. The normalized behavior data in the normalized behavior data set may be data that characterizes the numerical user behavior data by its mean and standard deviation. In practice, the execution subject may use layer normalization (Layer Normalization) to process the at least one piece of numerical user behavior data included in the user behavior data set to obtain the normalized behavior data set.
In the fifth step, graph embedding representation is performed separately on the low-dimensional categorical behavior feature vector set and the normalized behavior data set to obtain a categorical behavior graph feature vector set and a numerical behavior graph feature vector set. A categorical behavior graph feature vector can characterize the feature information of the graph structure between the low-dimensional categorical behavior feature vectors. A numerical behavior graph feature vector can characterize the feature information of the graph structure between the normalized behavior data. In practice, the execution subject may use an adaptive adjacency matrix to perform graph embedding representation separately on the low-dimensional categorical behavior feature vector set and the normalized behavior data set to obtain the categorical behavior graph feature vector set and the numerical behavior graph feature vector set.
In the sixth step, feature concatenation is performed on the categorical behavior graph feature vector set and the numerical behavior graph feature vector set to obtain a behavior concatenation graph feature vector set. The feature concatenation may be a concatenation that stacks the channels.
In the seventh step, feature concatenation is performed on the categorical enhanced behavior feature vector set, the behavior concatenation graph feature vector set and the normalized behavior data set to obtain a behavior concatenation feature vector set. The feature concatenation may be a concatenation that stacks the channels.
In the eighth step, mapping prediction is performed on the behavior concatenation feature vector set to obtain the user churn rate set, and the relevant alarm devices are controlled to issue user churn rate alarms according to the user churn rate set.
As an example, the execution subject may input the behavior concatenation feature vector set into an MLP (Multi-Layer Perceptron) to obtain the user churn rate set. Then, in response to determining that the user churn rate set contains a user churn rate greater than or equal to a preset churn rate threshold, it controls the relevant alarm device to issue a user churn rate alarm.
The above technical solution and its related content, as an inventive point of the embodiments of the present disclosure, solve the third technical problem mentioned in the background: "One-hot encoding of user behavior data causes sparse data features and an explosion of data dimensions, which hinders model fitting, and one-hot encoding cannot accurately identify the relationships between data, resulting in low accuracy of user churn rate prediction, low accuracy of user churn alarms, the loss of a large number of users and increased operating costs of the application system." The factors behind the low accuracy of user churn rate prediction, the low accuracy of user churn alarms, the loss of a large number of users and the increased operating costs are often the following: one-hot encoding of user behavior data causes sparse data features and an explosion of data dimensions, which hinders model fitting, and one-hot encoding cannot accurately identify the relationships between data. If these factors are addressed, the accuracy of user churn rate prediction and of user churn alarms can be improved, and user loss and the operating costs of the application system can be reduced.
To achieve this effect, the present disclosure first performs feature embedding and contextual feature representation on the one-hot encoded categorical user behavior data set, which reduces the dimension of the encoded data and strengthens the latent relationships within the categorical user behavior data. Then, the numerical user behavior data set is layer-normalized. Processing the different types of user behavior data in different ways improves the quality of the resulting feature vectors and the accuracy of the subsequent user churn rate prediction. Next, graph embedding representation is performed separately on the low-dimensional categorical behavior feature vector set and the normalized behavior data set, which mines the latent relationships between feature vectors. Finally, concatenating the different feature vectors and performing mapping prediction on the concatenated feature vectors improves the accuracy of user churn rate prediction and of user churn rate alarms, reduces false alarms and missed alarms, and reduces the operating cost of the application system.
In some optional implementations of some embodiments, performing data tracking on each piece of abnormal application interface information in the abnormal application interface information set to generate user behavior data and obtain the user behavior data set may include the following steps:
In the first step, a user fingerprint information set is generated according to the interface call information set included in the application interface monitoring information set corresponding to the abnormal application interface information set. The user fingerprint information in the user fingerprint information set may be information that uniquely identifies a user.
As an example, the execution subject may first parse the interface call information set to obtain a browser identification information set and a browser version information set. The browser identification information in the browser identification information set may be information representing the type of browser used by the user. Second, the browser identification information set and the browser version information set are standardized to obtain a standardized browser identification information set and a standardized browser version information set. Then, the standardized browser identification information set and the standardized browser version information set are combined to obtain a browser combination information set. Finally, a hash operation is performed on the browser combination information set to obtain a browser hash value set, which serves as the user fingerprint information set.
In the second step, a user access path set is generated according to the user fingerprint information set. A user access path in the user access path set may be the path formed by the user visiting the application pages.
As an example, the execution subject may first, in response to detecting that the browser's access address has changed, obtain the access record set of the changed access address by calling the PushState method. An access record in the access record set may be text recording whether the browser's access address has changed. Then, a directed graph is constructed from the access addresses included in the access record set to obtain the user access path set.
In the third step, the page tracking data set and the event tracking data set of each visited application page corresponding to the user access path set are obtained. The page tracking data in the page tracking data set may be data recording user visits to an application page. The page tracking data may include, but is not limited to, at least one of the following: page views, number of visitors, page dwell time and page path. The page tracking data can establish the overall visit situation of an application page and makes it easier to locate the application page for a user. The event tracking data in the event tracking data set may be data recording visits to the individual parts of an application page. The event tracking data may include, but is not limited to, at least one of the following: the number of visits to and the dwell time on each part of the application page. The event tracking data set can establish the application functions and content preference information corresponding to each part of the application page. This step generates the user access path from a non-intrusive user fingerprint and obtains the application pages the user browses, replacing the intrusive in-code tracking approach to obtaining the page tracking data set and the event tracking data set, and removing the need to redeploy code each time a new tracking point is set.
In the fourth step, the page tracking data set and the event tracking data set are preprocessed to obtain a preprocessed page tracking data set and a preprocessed event tracking data set. The preprocessing may include, but is not limited to, at least one of the following: missing value filling, deduplication and data conversion.
In the fifth step, the preprocessed page tracking data set and the preprocessed event tracking data set are reported to obtain the user behavior data set. In practice, the execution subject may report the preprocessed page tracking data set and the preprocessed event tracking data set through the Kafka message middleware to obtain the user behavior data set.
In some optional implementations of some embodiments, generating the user fingerprint information set according to the interface call information set included in the application interface monitoring information set corresponding to the abnormal application interface information set may include the following steps:
For each piece of interface call information in the interface call information set, perform the following value transformation steps:
Sub-step 1: divide the interface call information to obtain an interface division call information group. The division may be performed on a separator, and the separator may be a comma.
Sub-step 2: for each piece of interface division call information in the interface division call information group, perform the following bitwise accumulation steps:
In the first sub-step, prefix encoding is performed on the interface division call information to obtain at least one piece of prefix interface coding information. The prefix interface coding information may be the information obtained by prefix encoding the interface division call information. In practice, the execution subject may first determine the sequence number of the interface division call information within the interface division call information group. Then, the sequence number is added in front of each interface division call information item included in the interface division call information to obtain the at least one piece of prefix interface coding information.
In the second sub-step, feature selection is performed on the at least one piece of prefix interface coding information to obtain at least one interface coding feature. An interface coding feature can characterize the feature information of the prefix interface coding information. In practice, the execution subject may use a Bi-gram model to perform feature selection on the at least one piece of prefix interface coding information to obtain the at least one interface coding feature.
In the third sub-step, a locality-sensitive hashing operation is performed on each of the at least one interface coding feature to generate an interface hash value, obtaining at least one interface hash value. In practice, the execution subject may use the MD5 (Message-Digest Algorithm 5) hash function to perform the locality-sensitive hashing operation on each of the at least one interface coding feature to generate an interface hash value, obtaining the at least one interface hash value.
In the fourth sub-step, hash value transformation is performed on each of the at least one interface hash value to obtain at least one transformed hash value. In practice, the execution subject may change every interface hash value of 0 among the at least one interface hash value into an interface hash value of -1, leaving the interface hash values other than 0 unchanged.
In the fifth sub-step, bitwise accumulation is performed on the at least one transformed hash value group to obtain a hash accumulation value.
Sub-step 3: perform numerical transformation on each hash accumulation value in the obtained hash accumulation value group to obtain a transformed accumulation value group, which serves as the user fingerprint information. The transformed accumulation value group may be the value group obtained by transforming each hash accumulation value greater than or equal to 0 into a transformed accumulation value of 1, and each hash accumulation value less than 0 into a transformed accumulation value of 0.
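The value transformation steps above follow the shape of a SimHash computation. The following Python sketch is an added example, not code from the patent. It assumes that the items inside a comma-separated segment are whitespace-separated tokens, that the bi-grams are pairs of adjacent prefixed tokens, that the 0 to -1 transformation applies to the individual bits of each MD5 digest, that accumulation is per bit position over all features, and a fingerprint width of 64 bits; the sample call records are constructed.

```python
import hashlib

BITS = 64  # assumed fingerprint width; the page does not state one

# Constructed interface call records: A and B differ only in the browser
# version, C comes from an unrelated client.
CALL_A = ("Mozilla/5.0,Windows NT 10.0 Win64 x64,AppleWebKit/537.36 KHTML like Gecko,"
          "Chrome/120.0.0.0 Safari/537.36,zh-CN zh en,1920x1080 24")
CALL_B = CALL_A.replace("Chrome/120.0.0.0", "Chrome/121.0.0.0")
CALL_C = "curl/8.4.0,linux x86_64,en-US,none"


def prefix_bigrams(call_info):
    """Sub-step 1 plus the first two sub-steps: split, prefix, take bi-grams."""
    features = []
    for seq, segment in enumerate(call_info.split(","), start=1):
        codes = [f"{seq}:{item}" for item in segment.split()]
        if len(codes) == 1:
            features.append(codes[0])  # a lone item has no neighbour to pair with
        features.extend(f"{a} {b}" for a, b in zip(codes, codes[1:]))
    return features


def feature_bits(feature):
    """Third sub-step: MD5 of one feature, truncated to BITS bits.

    MD5 only serves as a bit mixer here, so it is flagged as not used for security.
    """
    digest = hashlib.md5(feature.encode("utf-8"), usedforsecurity=False).digest()
    value = int.from_bytes(digest[: BITS // 8], "big")
    return [(value >> i) & 1 for i in range(BITS)]


def fingerprint(call_info):
    """Fourth and fifth sub-steps plus sub-step 3: map 0 to -1, accumulate, take the sign."""
    totals = [0] * BITS
    for feature in prefix_bigrams(call_info):
        for i, bit in enumerate(feature_bits(feature)):
            totals[i] += 1 if bit else -1
    # Totals >= 0 become 1, so a record with no features yields all ones.
    return [1 if total >= 0 else 0 for total in totals]


def hamming(a, b):
    """Number of differing bits between two fingerprints."""
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    fa, fb, fc = fingerprint(CALL_A), fingerprint(CALL_B), fingerprint(CALL_C)
    print("A vs B:", hamming(fa, fb), "bits;  A vs C:", hamming(fa, fc), "bits")
```

Because every empty or separator-only record maps to the same all-ones value under the "greater than or equal to 0" rule, a consumer of these fingerprints needs to treat that value as "no data" rather than as one user.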
The above embodiments of the present disclosure have the following beneficial effects: the application interface abnormality warning method of some embodiments of the present disclosure can improve the accuracy of abnormality detection, reduce the false detection rate and the missed detection rate, and improve the stability of the application system and the user experience.
Specifically, the reasons for the low stability and poor user experience of the related applications are as follows: display monitoring of application interface calls affects the business logic of the application and tightly couples the program logic to the monitoring logic, and because the setting of a fixed alarm threshold depends on expert experience, the alarm coverage is narrow, which causes false alarms and missed alarms and in turn leads to low stability of the application system and a poor user experience. Based on this, the application interface abnormality warning method of some embodiments of the present disclosure first obtains the set of application interface information to be detected of the target evaluation application. This set is used for the subsequent abnormality detection and root cause location. Second, non-intrusive monitoring is performed on each piece of application interface information to be detected in the set to generate an application interface monitoring information group, obtaining an application interface monitoring information group set. Non-intrusive monitoring decouples the business logic of the application from the monitoring logic, which improves the scalability of the application system, reduces its waste of resources and improves its stability. Subsequently, for each application interface monitoring information group in the application interface monitoring information group set, the following determination steps are performed. In the first step, the interface response information group included in the application interface monitoring information group is classified to obtain a category interface response information group.
Here, it is convenient to perform call volume statistics on different types of interface response information for the application interface to be detected, and improve the comprehensiveness of the monitoring of the application interface to be detected. The second step is to determine the category interface call volume of each category interface response information in the above-mentioned category interface response information group to obtain a category interface call volume group. Here, it is convenient to determine the difference in interface call volume later. The third step is to determine the category interface call volume difference between each category interface call volume in the above-mentioned category interface call volume group and the corresponding historical category interface call volume, obtain a category interface call volume difference group, and visualize the above-mentioned category interface call volume difference group. Here, determining the call volume difference with the corresponding historical category interface call volume can clarify the development trend of the call volume of the application interface to be detected, and display it in a visual form, which can more intuitively show the development trend of the application interface to be detected, and facilitate the relevant personnel to grasp the call situation of the application interface to be detected. In the fourth step, in response to determining that there is a category interface call amount difference greater than or equal to the preset call amount range in the above-mentioned category interface call amount difference group, the application interface information to be detected corresponding to the above-mentioned application interface monitoring information group is determined as the target application interface information. 
Here, the application interface to be detected whose call amount is greater than or equal to the preset call amount range is determined as the target application interface, which can reduce the number of interfaces for subsequent abnormal detection. Then, the obtained target application interface information set is subjected to abnormal detection to obtain an abnormal application interface information set. Here, the target application interface information set is subjected to abnormal detection, which can reduce the amount of interface data for abnormal detection and reduce the computing resources of the application system. The interface call abnormal detection is performed from coarse granularity to fine granularity, which can improve the accuracy of subsequent abnormal detection and the stability of the application system. Finally, the above-mentioned abnormal application interface information set is subjected to root cause location processing to obtain an interface abnormal information set, and the associated alarm device is controlled to perform abnormal alarm. Here, the root cause location can determine the root cause of the abnormal application interface, and the control of the associated alarm device to perform abnormal alarm can timely remind relevant personnel to perform relevant operations, reduce the loss rate of the application system, and improve the user experience. 
It can be concluded that the application interface abnormality alarm method can perform non-invasive monitoring of the application interface to be detected, decouple the application business logic and the monitoring logic, reduce the resource waste of the application system, and first determine the difference in the call volume of different types for each application interface to be detected, and then perform abnormal detection on the call volume that exceeds the preset call volume range to obtain the abnormal application interface, which can improve the accuracy of abnormality detection, reduce the false detection rate and missed detection rate, and locate the root cause and alarm of the abnormal application interface, which can determine the real factor causing the interface abnormality, handle the abnormal problem in time, and improve the stability of the application system.
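The four determination steps described above (classify responses, count calls per category, take the difference against the historical volume, screen against a preset range) can be sketched as follows. This is an added example, not code from the patent: the status-class categories, the use of the absolute difference, the interface names and all sample counts are assumptions constructed for illustration.

```python
from collections import Counter


def classify_response(status):
    """Step 1. Assumed categories: the page does not define them, so this sketch
    groups by HTTP status class and treats a missing status as a timeout."""
    if status is None:
        return "timeout"
    if status >= 500:
        return "server_error"
    if status >= 400:
        return "client_error"
    return "success"


def category_call_volumes(statuses):
    """Step 2: number of calls observed in each response category."""
    return Counter(classify_response(s) for s in statuses)


def call_volume_differences(current, historical):
    """Step 3: current minus historical volume for every category seen in either window."""
    return {c: current.get(c, 0) - historical.get(c, 0)
            for c in sorted(set(current) | set(historical))}


def select_target_interfaces(monitor_groups, history, preset_range, default_range=50):
    """Step 4: keep an interface when any category difference reaches its preset range.

    Assumption: the absolute difference is compared, so a collapse in successful
    calls is screened in as well as a surge in errors. An interface with no
    history is compared against zero, so a busy new interface is also screened in.
    """
    targets = []
    for interface, statuses in monitor_groups.items():
        diffs = call_volume_differences(category_call_volumes(statuses),
                                        history.get(interface, {}))
        if any(abs(d) >= preset_range.get(c, default_range) for c, d in diffs.items()):
            targets.append(interface)
    return targets


# Constructed sample data: status codes observed in the current window, per interface.
MONITOR_GROUPS = {
    "/api/order": [200] * 98 + [500] * 40,    # surge in server errors
    "/api/login": [200] * 101 + [401] * 5,    # ordinary fluctuation
    "/api/search": [200] * 120 + [None] * 3,  # successful calls collapsed
}
# Constructed historical category call volumes for the same window length.
HISTORY = {
    "/api/order": {"success": 100, "server_error": 2},
    "/api/login": {"success": 100, "client_error": 4},
    "/api/search": {"success": 200},
}
# Constructed preset call volume range per category.
PRESET_RANGE = {"success": 50, "client_error": 20, "server_error": 20, "timeout": 10}

if __name__ == "__main__":
    for name in select_target_interfaces(MONITOR_GROUPS, HISTORY, PRESET_RANGE):
        diffs = call_volume_differences(category_call_volumes(MONITOR_GROUPS[name]),
                                        HISTORY[name])
        print(name, diffs)
```

Only the interfaces returned by `select_target_interfaces` would be handed to the finer-grained anomaly detection stage, which the description leaves unspecified here.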
With further reference to FIG. 2, as an implementation of the methods shown in the above figures, the present disclosure provides some embodiments of an application interface abnormality alarm device. These device embodiments correspond to the method embodiments shown in FIG. 1, and the application interface abnormality alarm device can be applied to various electronic devices.
As shown in FIG. 2, an application interface abnormality alarm device 200 includes: an acquisition unit 201, a non-intrusive monitoring unit 202, an execution unit 203, an anomaly detection unit 204, and an anomaly alarm unit 205. The acquisition unit 201 is configured to: acquire a set of to-be-detected application interface information of a target evaluation application. The non-intrusive monitoring unit 202 is configured to: perform non-intrusive monitoring processing on each piece of to-be-detected application interface information in the set to generate an application interface monitoring information group, yielding a set of application interface monitoring information groups.
The execution unit 203 is configured to: for each application interface monitoring information group in the set of application interface monitoring information groups, perform the following determination steps: classify the interface response information group included in the application interface monitoring information group to obtain a category interface response information group; determine the category interface call volume of each piece of category interface response information in the category interface response information group to obtain a category interface call volume group; determine the category interface call volume difference between each category interface call volume in the category interface call volume group and the corresponding historical category interface call volume to obtain a category interface call volume difference group, and display the category interface call volume difference group visually; in response to determining that the category interface call volume difference group contains a category interface call volume difference greater than or equal to a preset call volume range, determine the to-be-detected application interface information corresponding to the application interface monitoring information group as target application interface information. The anomaly detection unit 204 is configured to: perform anomaly detection on the resulting set of target application interface information to obtain a set of abnormal application interface information. The anomaly alarm unit 205 is configured to: perform root cause location processing on the set of abnormal application interface information to obtain a set of interface abnormality information, and control the associated alarm device to issue an abnormality alarm.
It can be understood that the units recorded in the application interface abnormality alarm device 200 correspond to the steps of the method described with reference to FIG. 1. Therefore, the operations, features and beneficial effects described above for the method also apply to the application interface abnormality alarm device 200 and the units it contains, and are not repeated here.
Referring now to FIG. 3, a schematic structural diagram of an electronic device 300 suitable for implementing some embodiments of the present disclosure is shown. The electronic device shown in FIG. 3 is only an example and should not impose any limitation on the functions and scope of use of the embodiments of the present disclosure.
As shown in FIG. 3, the electronic device 300 may include a processing device (e.g., a central processing unit, a graphics processing unit, etc.) 301, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 302 or a program loaded from a storage device 308 into a random access memory (RAM) 303. The RAM 303 also stores various programs and data required for the operation of the electronic device 300. The processing device 301, the ROM 302, and the RAM 303 are connected to each other via a bus 304. An input/output (I/O) interface 305 is also connected to the bus 304.
Typically, the following devices may be connected to the I/O interface 305: input devices 306 including, for example, a touch screen, a touchpad, a keyboard, a mouse, a camera, a microphone, an accelerometer, a gyroscope, etc.; output devices 307 including, for example, a liquid crystal display (LCD), a speaker, a vibrator, etc.; storage devices 308 including, for example, a magnetic tape, a hard disk, etc.; and a communication device 309. The communication device 309 may allow the electronic device 300 to communicate with other devices wirelessly or by wire to exchange data. Although FIG. 3 shows an electronic device 300 with various devices, it should be understood that it is not required to implement or provide all of the devices shown. More or fewer devices may alternatively be implemented or provided. Each box shown in FIG. 3 may represent one device, or may represent multiple devices as needed.
In particular, according to some embodiments of the present disclosure, the process described above with reference to the flowchart can be implemented as a computer software program. For example, some embodiments of the present disclosure include a computer program product that includes a computer program carried on a computer-readable medium, the computer program containing program code for executing the method shown in the flowchart. In some such embodiments, the computer program can be downloaded and installed from a network through the communication device 309, installed from the storage device 308, or installed from the ROM 302. When the computer program is executed by the processing device 301, the above functions defined in the methods of some embodiments of the present disclosure are performed.
It should be noted that the computer-readable medium described in some embodiments of the present disclosure may be a computer-readable signal medium, a computer-readable storage medium, or any combination of the two. The computer-readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus or device, or any combination of the above. More specific examples of computer-readable storage media may include, but are not limited to: an electrical connection with one or more wires, a portable computer disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In some embodiments of the present disclosure, the computer-readable storage medium may be any tangible medium that contains or stores a program that can be used by or in combination with an instruction execution system, apparatus or device. In some embodiments of the present disclosure, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, which carries computer-readable program code.
Such a propagated data signal may take a variety of forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination of the above. The computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium, which may send, propagate or transmit a program for use by or in combination with an instruction execution system, apparatus or device. The program code contained on the computer-readable medium may be transmitted using any suitable medium, including but not limited to: wires, optical cables, RF (radio frequency), etc., or any suitable combination of the above.
In some embodiments, the client and the server may communicate using any currently known or future developed network protocol such as HTTP (HyperText Transfer Protocol), and may be interconnected with digital data communication of any form or medium (e.g., a communication network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), an internetwork (e.g., the Internet), and a peer-to-peer network (e.g., an ad hoc peer-to-peer network), as well as any currently known or future developed network.
The above computer-readable medium may be included in the above electronic device, or it may exist independently without being assembled into the electronic device. The computer-readable medium carries one or more programs. When the one or more programs are executed by the electronic device, they cause the electronic device to: obtain the set of to-be-detected application interface information of the target evaluation application; perform non-intrusive monitoring processing on each piece of to-be-detected application interface information in the set to generate an application interface monitoring information group, yielding a set of application interface monitoring information groups; for each application interface monitoring information group in the set, perform the following determination steps: classify the interface response information group included in the application interface monitoring information group to obtain a category interface response information group; determine the category interface call volume of each piece of category interface response information in the category interface response information group to obtain a category interface call volume group; determine the category interface call volume difference between each category interface call volume in the category interface call volume group and the corresponding historical category interface call volume to obtain a category interface call volume difference group, and display the category interface call volume difference group visually; in response to determining that the category interface call volume difference group contains a category interface call volume difference greater than or equal to a preset call volume range, determine the to-be-detected application interface information corresponding to the application interface monitoring information group as target application interface information; perform anomaly detection on the resulting set of target application interface information to obtain a set of abnormal application interface information; perform root cause location processing on the set of abnormal application interface information to obtain a set of interface abnormality information, and control the associated alarm device to issue an abnormality alarm.
Computer program code for performing the operations of some embodiments of the present disclosure may be written in one or more programming languages or a combination thereof, including object-oriented programming languages such as Java, Smalltalk and C++, and conventional procedural programming languages such as "C" or similar programming languages. The program code may be executed entirely on the user's computer, partially on the user's computer, as a stand-alone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving a remote computer, the remote computer may be connected to the user's computer via any type of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computer (e.g., via the Internet using an Internet service provider).
The flowcharts and block diagrams in the accompanying drawings illustrate the possible architecture, functions and operations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each box in a flowchart or block diagram may represent a module, a program segment, or a part of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations, the functions marked in the boxes may occur in an order different from that marked in the drawings. For example, two boxes shown in succession may actually be executed substantially in parallel, and they may sometimes be executed in the reverse order, depending on the functions involved. It should also be noted that each box in the block diagrams and/or flowcharts, and combinations of boxes in the block diagrams and/or flowcharts, may be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
The units described in some embodiments of the present disclosure may be implemented in software or in hardware. The described units may also be provided in a processor, which may be described, for example, as: a processor including an acquisition unit, a non-intrusive monitoring unit, an execution unit, an anomaly detection unit, and an anomaly alarm unit. The names of these units do not, in some cases, limit the units themselves; for example, the acquisition unit may also be described as a "unit for acquiring a set of to-be-detected application interface information of a target evaluation application".
The functions described above may be performed at least in part by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: field programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), application specific standard products (ASSPs), systems on chip (SOCs), complex programmable logic devices (CPLDs), and the like.
The above description covers only some preferred embodiments of the present disclosure and explains the technical principles applied. Those skilled in the art should understand that the scope of the invention involved in the embodiments of the present disclosure is not limited to technical solutions formed by the specific combination of the above technical features, but should also cover other technical solutions formed by any combination of the above technical features or their equivalents without departing from the above inventive concept, for example, technical solutions formed by replacing the above features with (but not limited to) technical features having similar functions disclosed in the embodiments of the present disclosure.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410228839.4A CN118035049B (en) | 2024-02-29 | 2024-02-29 | Application interface abnormality warning method, device, electronic equipment and medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN118035049A (en) | 2024-05-14 |
CN118035049B (en) | 2024-09-13 |
Family
ID=90983944
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410228839.4A Active CN118035049B (en) | 2024-02-29 | 2024-02-29 | Application interface abnormality warning method, device, electronic equipment and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118035049B (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116361121A (en) * | 2023-02-17 | 2023-06-30 | 多点(深圳)数字科技有限公司 | Abnormal interface alarm method, device, electronic equipment and computer readable medium |
CN116881173A (en) * | 2023-09-06 | 2023-10-13 | 国网思极网安科技(北京)有限公司 | Interface parameter detection method, device, electronic equipment and computer readable medium |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9135145B2 (en) * | 2013-01-28 | 2015-09-15 | Rackspace Us, Inc. | Methods and systems of distributed tracing |
CN113495820B (en) * | 2020-04-03 | 2024-06-18 | 北京沃东天骏信息技术有限公司 | Anomaly information collecting and processing method and device and anomaly monitoring system |
CN114816945A (en) * | 2021-01-29 | 2022-07-29 | 腾讯科技(深圳)有限公司 | Method and device for monitoring operation of server |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||