TWI789003B - Service anomaly detection and alerting method, apparatus using the same, storage media for storing the same, and computer software program for generating service anomaly alert - Google Patents

Abstract

A service anomaly detection and alerting method considers business operating data and system data to perform service anomaly/risk detection and alarm, and based on the operating data (for example, business operations, public information such as community, public news, etc.) and system data (for example, system software and hardware information, log) categorizes a system to be monitored that provide services to a group to determine its service characteristics. Even, in order to further improve the accuracy of detection and alarm, when detecting an abnormal behavior exist in the service, it will further determine whether the detected abnormal behavior of the service occurs in the group of the same service characteristics, and whether it is an abnormal event. Therefore, compared with the prior art, the service anomaly detection and alarm method has the beneficial technical effects of improving the efficiency of system monitoring and reducing the risk of maintenance and operation.

Description

Service anomaly detection and alarm method, equipment using this method, storing this method illegal storage media and computer software programs that generate abnormal alarms

The invention relates to a detection and alarm method for analyzing whether the service of a monitored system is abnormal, and in particular to an intelligent service abnormality detection and alarm method, and equipment and systems using the method.

In a general enterprise, whether it is internal or external online services, there are usually several to dozens of systems and hundreds of software and hardware modules in the server, of which every day (or even every minute or every second) There may be a lot of system monitoring values recorded, or a large number of log files (Log). When events such as service or system abnormalities, information security attacks, etc. Do interpretation (or detection), find out the cause of the abnormality and eliminate it. In the maintenance and operation of traditional Information Technology (IT), system managers will define rules for abnormal events based on past experience, but with the popularization and expansion of IT infrastructure and cloud services, system architecture and maintenance The environment becomes complex, and wrong or complex rules often trigger a large number of false alarms, making system administrators exhausted and more likely to be ignored due to negligence serious threat. In addition, traditional maintenance personnel can only deal with problems passively after abnormal events or signals occur.

In recent years, maintenance and operation based on human judgment has not only progressed to automated monitoring, but many maintenance and operation methods, enterprises and services have introduced artificial intelligence (AI) and machine learning into IT infrastructure and maintenance and operation management. For example, use past historical system load monitoring values (such as, but not limited to, central processing unit (CPU) usage or memory load), use machine learning to train normal system load curves and allowable values, and monitor in real time in the future If the value deviates from the allowable value, a system alarm can be triggered to speed up maintenance and response time.

There are also technical methods that use artificial intelligence to analyze the correlation of abnormal events, analyze historical logs through algorithms and text analysis techniques, group seemingly unrelated events, and then find out the hidden correlation of events. For example, it is found that seemingly unrelated situations such as interruption of service web pages (recording HTTP error response codes), high CPU usage, and low page views often occur at the same time, and these events can be identified through abnormal event correlation algorithms. The root cause analysis of the event (Root Cause Analysis), in the future it is possible to achieve early warning and increase the efficiency of IT maintenance and operation.

One of the methods in the existing technology can completely collect three kinds of heterogeneous data, the health status of the equipment in the whole area of the unit, the amount of network traffic used by the unit, and various logs (including information security events), and perform correlation analysis, eliminating the need for manual comparison and search. Time-consuming and use the trend algorithm of artificial intelligence. Then, according to the collected historical data of various logs and/or the amount of network traffic used by the unit, it automatically learns to establish a dynamic benchmark, and continuously compares the various logs that come in every minute and/or the data of the amount of network traffic used by the unit , to detect the number of events (Hit Count), the number of traffic packets or the number of bytes (Byte) in real time, the source Internet Protocol (IP) address (usually the attack end) and the destination IP address (Usually the attacked end). This method does not need to manually set thresholds one by one, which makes maintenance and information security work easier.

Another approach in the existing technology is to use machine learning algorithms to sort out similar behavioral events after comparing various abnormal events, and automatically detect whether the delay of system services has increased sharply, whether the system error rate has increased, and even Check whether the network of the public cloud vendor is abnormal. With this method, users do not need to set alarm trigger conditions, and the system will automatically monitor whether the platform has abnormal performance events.

The above-mentioned artificial intelligence detection only collects system monitoring data of a single company or service, etc. The relevant field knowledge of this kind of artificial intelligence maintenance operation cannot be connected with the real business operation, and it does not consider that different service systems have the same or different characteristics , so there is still room for improvement in the accuracy of monitoring.

According to the purpose of the present invention, an embodiment of the present invention proposes a service anomaly detection and alarm method, which is executed on a computer device connected to a plurality of monitored systems, and the service anomaly/risk detection and alarm method includes: receiving the corresponding service information operating data and system data of one of the monitored systems of the monitored system, and performing data preprocessing on the operating data and the system data of the monitored system to obtain a plurality of status parameters of the monitored system; Grouping each state parameter of the monitoring system to obtain a cluster label corresponding to each state parameter of the monitored system; grouping the monitored system according to the cluster labels of the state parameters of the monitored system , to obtain a group number corresponding to the monitored system; detect whether the monitored system has an abnormal behavior according to at least one of the status parameters of the monitored system; and detect that the monitored system has the abnormal behavior , judging whether there are abnormal behaviors in the group corresponding to the group number of the monitored system exceeding a specific number, if the group corresponding to the group number does not exceed the specified number If a number of the monitored systems also have abnormal behavior, an alarm is generated.

The embodiment of the present invention also provides a service anomaly detection and alarm method, which is similar to the aforementioned service anomaly detection and alarm method, but a plurality of monitored systems are grouped in advance without relevant grouping steps.

The embodiment of the present invention also provides a device for detecting abnormality and issuing an alarm, which is configured with multiple units to execute the above-mentioned service abnormality/risk detection and alarming method, and the embodiment of the present invention further provides a storage medium for use in A plurality of program codes associated with the above-mentioned service anomaly detection and alarm method are stored.

The embodiment of the present invention also provides a plurality of computer software programs for determining abnormal events in the monitored system and generating abnormal alarms for the abnormal events.

To sum up, the service anomaly/risk detection and warning method, the cloud device using the method and the storage medium storing the method can accurately detect service anomalies/risks according to the embodiments of the present invention.

In order to further understand the techniques, means and effects of the present invention, reference can be made to the following detailed description and accompanying drawings, so that the purpose, features and concepts of the present invention can be thoroughly and specifically understood. However, the following detailed description and drawings are only for reference and illustration of the implementation of the present invention, and are not intended to limit the present invention.

1: Abnormal alarm system

11:Cloud device

121~12N: Monitored system

111: Data pre-processing unit

112: Individual parameter grouping unit

113: Individual grouping unit

114: Peer comparison unit

115: Detection unit

116:Alarm unit

S31~S45: steps

The accompanying drawings are provided to enable those skilled in the art to which the present invention pertains to further understand the present invention, and are incorporated in and constitute a part of the specification of the present invention. The drawings illustrate exemplary embodiments of the invention and together with the description serve to explain principles of the invention.

FIG. 1 is a block diagram of an anomaly alarm system using a service anomaly detection and alarm method according to an embodiment of the present invention.

FIG. 2 is a block diagram of a cloud device using a service anomaly detection and alarm method according to an embodiment of the present invention.

FIG. 3 is a flow chart of the service anomaly detection and alarm method operating in the interpretation mode according to the embodiment of the present invention.

FIG. 4 is a flow chart of the service anomaly detection and alarm method operating in the modeling mode according to the embodiment of the present invention.

Reference will now be made in detail to the exemplary embodiments of the invention, which are illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used in the drawings and description to refer to the same or like parts. In addition, the practice of the exemplary embodiment is only one of the implementations of the design concept of the present invention, and the following demonstrations are not intended to limit the present invention.

The previous technology using artificial intelligence to detect service anomalies probably has the following technical problems: (1) It cannot be connected with real business operations, for example, the traffic of news websites often increases sharply during the lunch break every day, but such a surge is a normal phenomenon , if the administrator and the AI alarm regard the CPU usage and system load increase during this period as abnormal, false alarms may be issued; (2) Most of the general IT monitoring values or historical logs are based on a single system or a single enterprise For facility maintenance and operation data, different service systems have different characteristics. Even similar systems may have different responses to monitoring records or logs among enterprises in different industries. If there is no machine for different business or service characteristics The correctness of the preventive alarm is often insufficient for the establishment of the learning model; and (3) traditional AI requires a large amount of data to train the model, but service exceptions do not occur very often, so only using infrastructure and environmental data will make the machine learning There is not enough abnormal data and labels to train the model. Even if the curve of the normal service state is trained, it is still necessary to set a relatively conservative alarm trigger threshold to deal with unexpected risks.

In order to solve the above technical problems, the embodiments of the present invention provide a service anomaly detection and alarm method and the equipment and system using this method consider the operation data and system data to detect and alarm service anomalies, and according to the operation data (for example, business operation face, public information (such as community, public news, etc.) and system information (for example, system software and hardware information, operation logs) to group the monitored systems that provide services to determine their service characteristics, in order to further improve detection and alarm When an abnormality is detected, it will further determine whether the detected abnormal behavior often occurs in the same service characteristic group, or it is a common behavior rather than a real abnormality, that is, It is judged whether the detected abnormal behavior is the same or similar to the normal behavior with higher frequency or the abnormal behavior with lower frequency in the group of the same service characteristic. Therefore, compared with the prior art, the service anomaly detection and alarm method provided by the embodiment of the present invention and the equipment and system using the method have beneficial technical effects of improving system monitoring efficiency and reducing maintenance and operation risks.

In several embodiments of the present invention, services generally refer to digital services composed of software and hardware of information equipment, including online business systems, enterprise operation systems, etc., or services can generally refer to digital interactive information systems , such as online physical or virtual commodity purchase transactions, financial transactions, message exchange and release, uploading, browsing and downloading of audio, video, and text, etc. The service can be identified and reflected by the actual workload, and the data related to the service can be structured or unstructured data, where the data related to the service can refer to various data related to the operation or system of the service, such as Input, output, and calculation data processed through the service or system, or the setting, operation, and monitoring data of the service or system itself, or the derived data of the aforementioned data, etc. In several embodiments of the present invention, the collected service-related data include operating data and system data, wherein the operating data includes real-time orders (Gross Merchandise Volume, referred to as GMV), turnover, number of online users, and page views (Page View, PV for short), Repeat Visitors (RV for short), Unique Visitor (UV for short), At least one of the number of IP addresses, traffic sources, regions, devices used, user browsing events, service website or application operation behaviors, and customer service call records, as well as system data including system log files (Log), infrastructure operation data and at least one of system indicators. Infrastructure may refer to IT equipment, its software and hardware, or the environment or structure of its software and hardware. Infrastructure operation data may refer to energy consumption data, flow data, data of other resources of the infrastructure used by the system or data of the performance of the infrastructure used when providing these services. . System indicators may refer to resource data or performance data used by the monitored system that provides these services, such as CPU usage, memory usage, I/O count (Read/Write PS), network outflow/incoming volume , packet outflow/inflow, number of elastically enabled machines/clusters, number of swaps, queries per second (QPS for short), responses per second (RPS for short), database connection At least one of the line number and the machine response time, but the present invention is not limited by the types of the above operation data and system data.

Please refer to FIG. 1 first. FIG. 1 is a block diagram of an anomaly alarm system using a service anomaly detection and alarm method according to an embodiment of the present invention. The present invention can also be applied to an on-premises system (On-Premises System) or a hybrid system of on-premises and cloud; for example, the cloud device 11 in FIG. 1 can be replaced by an on-premises device or a hybrid cloud device. The abnormality warning system 1 of the embodiment of the present invention includes a cloud device 11 , and a plurality of monitored systems 121 - 12N communicate with the cloud device 11 , for example, directly or indirectly through wired or wireless connections. The monitored systems 121~12N may include at least one of the following: services provided by the system, workloads carried by the system, servers providing services, networks, network-related devices such as switches, gateways, etc., firewalls or storage devices These devices, components of these devices such as CPU, memory, I/O ports, etc., virtual machines, containers, virtual private clouds, databases, software programs, etc. running on these devices. The monitored systems 121~12N may include cloud devices, ground devices, terminal devices, and so on. The monitored systems 121~12N may belong to multiple different service providers, or may belong to the same service provider, or, the monitored systems 121~12N A part belongs to one of the service providers, and another part of the monitored systems 121~12N belongs to another service provider.

The monitored systems 121~12N are used to provide the above-mentioned various services, wherein the service characteristics of the multiple services may not all be the same with each other, and the service characteristics of the services can be manually labeled in advance (when the service type is known in advance, it can be grouped, For example, the monitored systems involving online shopping services are labeled as the same group, while the monitored systems involving online consulting services are labeled as another same group), or through other supervised machine learning clustering methods. The service characteristics of the service do not need to be known in advance, but after collecting data, find out the status parameters through the collected data and use the unsupervised machine learning grouping method to interpret. The multiple status parameters include CPU usage, number of online users, and turnover , page views, memory usage and input/output volume and other operational data and system data. After unsupervised machine learning grouping, each cluster can be labeled, and each label can represent the service characteristics of different clusters. Labels can be automatically marked by order variables, type or category variables, index values, unique values, numbers, etc. For example, labels can be automatically obtained by programming the grouping model. Tags can also have tag descriptions attached to them. For example, a cluster can be labeled or described as "live broadcast", "portal", "e-commerce platform", "forum", etc. according to the commercial nature of the service, or as "evening intensive", "weekend intensive" or "weekend intensive" according to load or traffic trends. "active", "winter period", "office worker mode", etc., or mark or describe according to the technical type or monitoring parameters such as I/O trend, connection frequency, etc., or according to the characteristics of the abnormal problems that have occurred in the cluster Marks or descriptions such as overload, underload, overclock, timeout, spike, etc. Multiple services marked with the same service characteristics through manual labeling in advance may also belong to groups with different service characteristics after being grouped according to data. Multiple services marked with different service characteristics through manual labeling may be grouped according to data may also belong to groups of the same service characteristic. The cloud device 11 is used to receive the operating data and system data provided by the monitored systems 121~12N, and thereby monitor the monitored systems 121~12N. 12N Whether there is a service abnormality, so as to achieve the purpose of service abnormality detection and alarm. The operation data and system data can be described above, so it will not be described again.

Please refer to FIG. 2. FIG. 2 is a block diagram of a cloud device using a service anomaly detection and alarm method according to an embodiment of the present invention. As shown in FIG. 2, the cloud device 11 includes a data preprocessing unit 111, a state parameter grouping unit 112, an individual grouping unit 113, a group comparison unit 114, and a detection unit 115, which can be implemented through hardware circuits and software programs. To implement the above-mentioned multiple functional units 111-115, but the present invention is not limited by the implementation manner of the functional units 111-115. The data pre-processing unit 111 is signally connected to the state parameter grouping unit 112 and the detection unit 115 , the state parameter grouping unit 112 is signally connected to the individual grouping unit 113 , and the individual grouping unit 113 is signally connected to the peer comparison unit 114 . The cloud device 11 may further include an alarm unit 116 signal-connected to the peer comparison unit 114 .

The data pre-processing unit 111 receives the operation data and system data of the aforementioned monitored systems 121-12N, and performs data pre-processing on the operation data and system data. For example, the pre-processing is to analyze the text of the system log files to establish the frequency of keywords at different time points, such as the access log files (Access.log) or error log files (Error. log) will have different keywords such as "emerg", "alert", "err", and "warning" (keywords may vary with different monitored systems), and perform TF-IDF (Term Frequency-Inverse Document Frequency ) to obtain the word frequency, and the obtained word frequency will be used as different state parameters, for example, the memory overflow frequency or quantity can be known by parsing the error log file. Pre-processing can also record infrastructure operating indicators, such as CPU usage, memory usage, and I/O count, or anonymize business operation data output by customer service. The purpose of the pre-processing is to obtain a plurality of state parameters of each monitored system 121~12N from the operation data and system data (the state parameters can be used to represent the resources used or the quantitative indicators of the performance of the monitored system), so as to be used later Carry out grouping of service characteristics. in some implementations In the example, it is necessary to observe 1000 state parameters, and seven days a week is used as an observation period, and each state parameter collects its parameter value in units of one minute, then each state parameter will have 7*24*60=10080 Data points (each data point has a parameter value).

The state parameter grouping unit 112 receives a plurality of state parameters of the monitored systems 121~12N, and groups each state parameter (parameter value) based on a grouping model, and assigns a related grouping label. For example, the CPU utilization rate of the monitored system 121 is grouped based on the grouping model, and various corresponding cluster tags can be marked. From the analysis of the grouping results, the corresponding cluster tags may represent those that are busier at night, busier in the morning, or busier at noon. Service characteristics for different CPU usage patterns. In several embodiments of the present invention, the grouping model can be regularly updated and trained according to real-time data, or it can be used after pre-training, and the training or updating of the grouping model can be done in a non-supervised machine learning manner (without prior know the type and labeling) to achieve. For example, regularly obtain the CPU utilization rate of each monitored system 121~12N, and establish a clustering model according to K-means, hierarchical agglomerative clustering algorithm (HAC) or density-based clustering algorithm (DBSCAN), Group the CPU usage into groups, and give cluster labels according to the grouping results. Training or updating the grouping model can also be achieved using a supervised learning grouping algorithm (labeling known categories), such as support vector machine (SVM), K-nearest neighbor algorithm (KNN), decision tree (Decision Tree) ) or Random Forests.

The individual grouping unit 113 groups each monitored system 121~12N to give the corresponding group number (or label, order variable, type variable, index value, unique value, etc.) to each monitored system 121~12N, wherein each monitored system The monitoring system 121-12N may be grouped based on a grouping model according to a plurality of cluster labels of a plurality of state parameters of each monitored system 121-12N. In some embodiments, the monitored system can be regarded as the services it provides or the workload it carries, and the individual grouping unit 113 can be said to group these services or workloads; the monitored system can also be regarded as all People, customers, users, enterprises, users, service objects, etc., The individual grouping unit 113 can be said to group the owners, customers, users, enterprises, users, or service objects. For example, when a single monitored system represents a single user, the grouping of the monitored system can be regarded as a grouping of users; when a single monitored system represents a single service, the grouping of the monitored system can be regarded as a grouping of services; In the case of equipment or software programs, the grouping of the monitored system can be regarded as the grouping of equipment or software programs. For example, based on the grouping model, the monitored systems 121~12N are determined according to the cluster tags of the CPU usage rate, the number of online users, the cluster tags of turnover, and the cluster tags of network outflow/incoming traffic of the monitored systems 121~12N. Which groups the provided services belong to. Each group can represent that the services grouped into each group have certain same or similar service characteristics, and can be assigned a related group number, variable, or label. Similarly, the model used for clustering can also be trained and updated by unsupervised machine learning or supervised machine learning. Without specifying the service characteristics, the cluster labels of multiple state parameters can be used for unsupervised learning model training (such as K-means, HAC or DBSCAN), or, for certain known characteristics of service labeling in advance, such as electricity For business services, enterprise resource planning (ERP) systems, trading systems, live broadcast systems, etc., the cluster labels of multiple state parameters of the labeled services are used for supervised learning model training (such as SVM, KNN, decision tree or random Forest), and then there are unknown services that can be grouped with this model to summarize the service characteristics of the service.

The detection unit 115 performs modeling according to a plurality of state parameters of each monitored system 121-12N based on the model, so as to detect whether each monitored system 121-12N is abnormal (for example, predicting that the future or current state parameters exceed the threshold value, or there may be specific abnormal events in the future), where the model here can be a time series model, a historical data model and/or a risk prediction model. The historical data model of each monitored system 121~12N can be applied to multiple state parameters collected in the past using machine learning algorithms to establish a time series model under normal conditions. The algorithm used can be differential integration moving average autoregressive calculation method (ARIMA), long and short term Memory Algorithm (LSTM) or Random Cut Forests (RCF). For example, a time series model of the CPU usage rate of the monitored system 121 can be established. Through the prediction of the time series model, it can be known whether the CPU usage rate is currently abnormal or may be abnormal in the future. In some embodiments, if certain abnormal conditions such as system problems, information security incidents, and attacks are known, the parameter values of multiple state parameters of the monitored system can be combined to mark the risk value, so as to train The risk prediction model of each monitored system 121 - 12N at a single time point, wherein the algorithm for training the risk prediction model can be random forest or extreme gradient boosting algorithm (XGBoost). For example, in the risk prediction model of the monitored system 121, the risk value of a single piece of data can be marked according to the actual abnormal situation (the parameter observation value of this piece of data may be CPU usage = 0.5, memory usage = 15GB , the number of inputs/outputs = 2500, etc.), so by labeling the risk of each data in the historical data set, fitting the data set to train the risk prediction model, the monitored system can be predicted for new data 121 whether to suffer an exception. A risk value sequence can be formed for these risk values, and a time series model can be trained for this risk value sequence, so that the risk value at the next time point can be predicted. As will be explained below, by comparing the risk values predicted by the risk prediction model and the time series model, and by judging by the peer comparison unit 114 , it can be judged whether there is an abnormality.

In some embodiments, for the services provided by the monitored system, for a service with a certain service characteristic, the abnormal behavior detected by the detection unit 115 may not be really abnormal, and may be in the same service characteristic group, The detected abnormal behavior will actually be judged as normal behavior in the group. Therefore, the peer comparison unit 114 judges whether the detected abnormal behavior is an abnormal behavior or a normal behavior in the monitored systems of the group with the same service characteristics (such as the same group number). For example, the monitored systems 121, 122, 129, and 12N all provide online shopping services, and during the Mother's Day period, the number of online users of the monitored system 121 is detected as a surge, so it is first judged as an abnormal behavior, and It is found that the monitored systems 122, 129 and 12N are also detected by the peer comparison unit 114 It is detected that the number of online users has increased dramatically. Therefore, the peer comparison unit 114 judges that the abnormal behavior of the detected sudden increase in the number of online users of the monitored system 121 belongs to the normal behavior in the group, so it is judged that the monitored system 121 is not abnormal. . For another example, the monitored systems 123, 126, and 129 are all accounting systems, and during the tax reporting period, the traffic sources of the monitored system 123 increase rapidly, and are detected as having the risk of being attacked through the risk prediction model, but compared with the same group The comparison unit 114 detects that the traffic sources of the monitored systems 126 and 129 are also increasing rapidly, so the peer comparison unit 114 will not regard the risk of detecting the rapid increase of the traffic sources of the monitored system 121 as an abnormal event, that is, it will not The monitored system 121 would be deemed to be at risk of being attacked. The cloud device 11 can be signal-connected to an alarm unit 116, and the alarm unit 116 can generate an abnormal alarm according to the abnormal event judged above, and can send the abnormal alarm to a terminal device (not shown) that is signal-connected to the cloud device 11 , so that the terminal device displays the abnormal alarm. In this way, the cloud device 11 can avoid false alarms to the system administrator, so that the service provider can operate more efficiently.

Please refer to FIG. 3 . FIG. 3 is a flow chart of the service anomaly detection and alarm method operating in the interpretation mode according to the embodiment of the present invention. The service anomaly detection and alarm method can be executed by the above-mentioned cloud device 11 . After training or updating each model, the cloud device 11 can operate in the interpretation mode, and execute the following steps in the interpretation mode. First, in step S31, the operation data and system data corresponding to each monitored system are received, and data preprocessing is performed to generate a plurality of status parameters of each monitored system. Then, in step S32, each status parameter of each monitored system is grouped based on the model for grouping the category of each status parameter, so as to give each status parameter of each monitored system a cluster label. Then, in step S33, based on the model for grouping the service characteristics of each service, each monitored device is grouped according to a plurality of cluster labels corresponding to a plurality of state parameters of each monitored device, so as to give each monitored device a Group number (or call it another set of cluster labels).

In step S34 , based on multiple historical data models and/or multiple risk prediction models of each monitored system, it is detected whether each monitored device has abnormal behavior according to multiple state parameters of each monitored system. If no abnormal behavior is detected, no alarm is required, and if abnormal behavior is detected, go to step S35. In step S35, it is judged whether the abnormal behavior of each monitored system detected is abnormal behavior or common behavior in the group of its group number, that is to say whether it is abnormal, the way of judging can be that the same group At least a specified number of the monitored systems of the number have also been detected to have the abnormal behavior, where the specified number can be half, all, a quarter or a quarter of the monitored systems of the same group of numbers Other values, such as "1" (one monitored system in the group), "2" (two monitored systems in the group), etc. Simply put, as long as the same or similar abnormal behavior is detected in more than a certain number of monitored systems in the group with the same group number, the detected abnormal behavior is not a real abnormal behavior in the group It should be a normal behavior, so there is no need to send an alarm. If the same abnormal behavior has not been detected in the monitored systems of the group with the same group number exceeding a certain number, then proceed to step S36. In step S36 , an abnormality alarm is sent to a terminal device electrically connected to the cloud device 11 , and the terminal device is made to display the abnormality alarm, so as to warn the corresponding system administrator or maintenance personnel.

Next, please refer to FIG. 4 . FIG. 4 is a flow chart of the service anomaly detection and alarm method operating in the modeling mode according to the embodiment of the present invention. The model in the interpretation mode is established by the cloud device 11 in the modeling mode, and the steps of the modeling mode are as follows. In step S41 , receiving operation data and system data corresponding to a plurality of monitored systems, and performing data preprocessing to generate a plurality of status parameters of each of the plurality of monitored systems. Next, in step S42, for each state parameter, a model for grouping state parameters is established according to a plurality of same state parameters of a plurality of monitored systems. Afterwards, in step S43, for each monitored system, each state parameter of the monitored system is grouped, so as to give each state parameter a cluster label. Then, in step S44, cluster tags based on a plurality of state parameters of a plurality of monitored systems are established for targeting Clustering model of service characteristics of monitored systems. Next, in step S45 , for each state parameter of each monitored system, a model for detecting anomalies is established according to a numerical sequence of each state parameter for a period of time.

The embodiment of the present invention also provides a storage medium, which is a non-volatile storage medium, such as a flash memory, an optical disc or a hard disk, etc., which stores a plurality of program codes, and these program codes can be installed by a computer read, so as to allow the computer device that reads these program codes to perform the steps of the service anomaly detection and alarm method as shown in FIG. 3 and FIG. 4 .

Based on the above content, a practical example is used below to illustrate. In some embodiments, an alarm will be issued if the CPU utilization rate of the monitored system is greater than 80% for more than 5 minutes, or an external IP connection exceeds 50 times within 1 minute. The running business and service are related, and with the running of the business, the threshold value of the alarm needs to be adjusted according to different time periods, not necessarily a fixed value. In addition, as time goes by and rules continue to be added, it is difficult for system administrators to clarify the relationship or logic between different rules, and system differences between systems for different services are likely to cause noise or false alarms.

Therefore, the service anomaly detection and alarm method used by the system or device of the embodiment of the present invention can solve the above technical problems. First, take the state parameter "number of online users" as an example, the number of online users of a certain type of e-commerce system is usually more at 20 to 24 o'clock, and the peak number of online users of a certain type of news website system Usually at 7 to 9 o'clock, 12 to 13 o'clock and 18:00 to 21 o'clock. In the stage of grouping status parameters, each status parameter can be grouped using unsupervised learning methods, for example, using K-means to summarize 10 patterns of the number of online people in the monitored system, and sorting out the status of each monitored system. What kind of online population patterns belong to, and give corresponding cluster labels (for example, order variable labels of 1, 2, 3...). Similarly, the status of the CPU usage of each monitored system can also be obtained by using the above-mentioned grouping method. After obtaining each cluster label of each status parameter of each monitored system, each monitored system can be Group. In Tables 1 to 3 below, examples of state parameter grouping and monitored system grouping are clearly given.

As shown in the above table, the cluster labels of the monitored system #1 and the monitored system #2 are similar to each other, so they are given the same group number, indicating that they are classified into groups with the same service characteristics. Then, the future observed values of the number of online users and CPU usage of the monitored system #1 can be compared with the predicted values of the historical data model and/or risk prediction model of the number of online users and CPU usage to detect the number of online users and the CPU Is there any unusual behavior in usage. If any If there is an abnormal behavior in the status parameter, compare whether the number of online users or the CPU usage of each monitored system in the group whose group number is 1 (that is, other monitored systems in the group) is also detected. Abnormal behavior, if not , it means that the detected abnormal behavior of the number of online users or CPU usage of the monitored system #1 is an abnormal event in the group, and the system administrator or maintenance personnel of the monitored system #1 needs to be alerted. Furthermore, when the detected abnormal behavior of the number of online users or the CPU usage rate of the monitored system #1 is considered an abnormal event, the abnormal data or the historical data before the abnormal occurrence can be used to train another historical data Model or risk prediction model, so that the monitored systems of the same group can use this historical data model or risk prediction model to detect anomalies.

Based on the above, in some embodiments, the operation data and system data corresponding to the plurality of monitored systems are still received and subjected to data pre-processing, so as to generate a plurality of status parameters of each of the plurality of monitored systems. However, multiple monitored systems are grouped manually in advance, or grouped by unsupervised learning grouping methods. For each monitored system, according to whether the actual abnormal behavior occurred in the past (for example, hacker intrusion, service interruption, system crash, etc.), the parameter values of multiple state parameters of the monitored system are combined to mark the risk value. In a certain embodiment, it is known that the CPU usage rate of a monitored system is 0.6 when it is hacked, its memory usage is 20GB, and its input/output quantity is 3000, then the data can be Label the risk value as 1. For other data without abnormal occurrence, the risk value is marked as 0. Then, a machine learning algorithm (such as XGBoost) is used to establish (train) a risk prediction model of the monitored system based on the data marked with the risk value. This risk prediction model can predict the risk value at a future time point. Incidentally, the risk prediction model of the monitored system may be periodic, or change after a long period of time, or after specific events (such as system software and hardware version updates, new modules added to the system, business model changes , changes in market demand, etc.) will change after. For example, the present invention can use time series analysis such as seasonality and periodicity to judge the risk trend from the time series graph learned from historical data, so as to find out the change trend of the risk value, thereby retraining the model or adjusting the model hyperparameters wait to get to the model applicable to the new cycle. After establishing the risk prediction model corresponding to the monitored system, after obtaining the new multiple state parameters (parameter values) of the monitored system, the predicted risk can be calculated based on the risk prediction model based on the new multiple state parameters (parameter values) Value, you can define the value range between 0 and 1. If the predicted risk value is greater than a specific value, such as 0.5, it is equivalent to detecting abnormal behavior. At this time, according to whether there are other monitored systems in the same group that exceed a specific number, the predicted risk value is greater than a specific value. If not, The detected abnormal behavior is regarded as abnormal (abnormal event), otherwise, it is regarded as non-abnormal (non-abnormal event). In this practical example, the result of predicting the risk value may come from the influence of many parameters, and the relationship between parameters is too complicated to be understood by artificial rules, but at this time, the implicit relationship between parameters and time series relationship can be obtained through the model training to obtain.

Incidentally, if the status parameters such as the number of online users or the CPU usage rate of the monitored system #1 are abnormal, the reason is to launch a specific event (for example, the online shopping service of the monitored system #1 is held as an anniversary Celebrating a specific online activity) or a specific event (such as adjusting the CPU usage policy), etc., the number of online users and CPU usage of other monitored systems with group number 1 have not been detected to have abnormal behavior, so although this The service anomaly detection and alarm method provided by the embodiment of the invention and the equipment and system using this method will identify the detected abnormal behavior of the number of online users or CPU usage of the monitored system #1 as abnormal, but when using the unsupervised In the real-time learning method, after the system administrator or maintenance personnel of the monitored system 1 confirms that the actual cause of the detected abnormality can be determined, the number of online users and the CPU of the detected monitored system #1 will be The abnormal usage rate can be judged comprehensively with the specific activity. In addition, the historical data model or risk prediction model can also be corrected, updated or retrained by adjusting the risk value, so that the specific activity will not be predicted as an abnormal behavior. .

In some embodiments, the present invention can be implemented by a computer software program for determining that an abnormal event occurs in a monitored system and generating an abnormal alarm for the abnormal event. It can be loaded into a computer device such as a server. The computer software program may perform the following steps after being loaded into the computer device: receiving a plurality of first monitoring data sets, each of the first monitoring data sets includes a plurality of monitoring data, and the monitoring data includes the first monitoring data parameter and a second monitoring parameter, the first monitoring parameter and the second monitoring parameter respectively include a plurality of monitoring data points, each of the data points includes a monitoring parameter value, and the first monitoring data sets respectively include different The monitoring data of the monitored system, the plurality of monitoring data of each of the first monitoring data sets includes operation data and system data; the monitoring parameters of the first monitoring parameters of the first monitoring data sets using the first clustering model Values are grouped and a plurality of first cluster labels are generated, so that each of the first monitoring data sets corresponds to one of the first cluster labels, and the first clustering model is used to classify the first monitoring data sets The monitoring parameter values of the second monitoring parameters are grouped and a plurality of second cluster labels are generated, so that each of the first monitoring data sets corresponds to one of the second cluster labels; The first cluster label and the second cluster label of the first monitoring data set are grouped to generate a plurality of third cluster labels, so that each of the first monitoring data sets corresponds to one of the third cluster labels, and the At least a plurality of the first monitoring data sets correspond to one of the third cluster labels to form a first monitoring group, and the first monitoring group includes corresponding a plurality of monitored systems in the first monitored group comprising the first monitored system; receiving a plurality of second monitored data sets from the first monitored group, the second monitored data sets are respectively received from a plurality of monitored systems in the first monitoring group, each of the second monitoring data sets includes the first monitoring parameter and the second monitoring parameter; based on the second monitoring data sets, A time series algorithm is used to predict a plurality of predicted values of the first monitored parameters and a plurality of predicted values of the second monitored parameters respectively corresponding to the first monitored parameter and the second monitored parameter of the first monitored group, so that the first monitored parameter Each of the plurality of monitored systems in the monitoring group corresponds to its first predicted value of the monitored parameter and its predicted value of the second monitored parameter; A plurality of observed values of the first monitored parameters of the monitored parameters, the observed values of the first monitored parameters are respectively corresponding to the predicted values of the first monitored parameters; each of the plurality of monitored systems in the first monitored group Comparing the corresponding observed value of the first monitoring parameter with the predicted value of the first monitoring parameter, judging that the observed value of the first monitoring parameter corresponding to the first monitored system does not meet the corresponding predicted value of the first monitoring parameter, and judging that the first monitored parameter The number of monitored systems whose observed value of the first monitored parameter does not conform to the predicted value of the corresponding first monitored parameter in other monitored systems other than the first monitored system in a monitored group is less than a monitored system a system quantity threshold, whereby it is judged that an abnormal event has occurred in the first monitored system, wherein the monitored system quantity threshold is smaller than the monitored system quantity of the first monitoring group; and an abnormal alarm is generated according to the judgment of the abnormal event .

In some embodiments, the steps performed by the aforementioned computer software programs may include the following implementations. A monitoring data set may be received directly or indirectly from a monitored system; the monitoring data set may be a historical data set, such as a data set that has occurred or has been collected by the monitored system. The monitoring data sets can be received at different periods or time points, for example, the first monitoring data set can be received at the first time point, and the second monitoring data set can be received at the second time point. The first monitoring data set and the second monitoring data set may include monitoring data of the same feature dimension, for example, the first monitoring data set and the second monitoring data set may include the same monitoring parameters, such as when the first monitoring data set includes the number of people online, When there are 25 monitoring parameters such as CPU usage, the second monitoring data set also includes the same 25 monitoring parameters. The first monitoring parameter and the second monitoring parameter may be different monitoring parameters of the monitored system, for example, the first monitoring parameter may be the number of people online, and the second monitoring parameter may be the CPU utilization rate. The monitoring parameters may be parameters related to the operation of the monitored system, or parameters related to the system of the monitored system. Data pre-processing can be performed on the monitoring data set to form a plurality of monitoring parameters and/or monitoring data points. Monitoring data may refer to data generated by the monitored system being monitored, and such data may include those exemplified in this disclosure. The monitoring parameters included in the monitoring data may include operating data parameters and/or system data parameters, and the monitoring data may also include The state value of the state. A monitoring data may refer to a data received from a monitored system including monitoring parameters. If the data is processed in the form of a table, the monitoring data can be its data form in the form of "row". Monitoring data points can refer to different time points, and multiple monitoring data points can include a time series pattern. The monitoring data points can be the time points in Table 1, and the monitoring parameter values can be the corresponding parameter values of the monitored system at each time point. The first monitoring data set and the second monitoring data set may contain monitoring data of different periods or time points. For example, each monitoring data contains a time value, which can be used as the time point or a time within the period of interest point. The first monitoring data set may include the monitoring data of the first period, and the second monitoring data set may include the monitoring data of the second period. The first clustering model and the second clustering model can use the same clustering algorithm. The first grouping model and the second grouping model may include different hyperparameters, such as different numbers of clusters. The distinction between the first grouping model and the second grouping model can only be made according to the different stages of grouping. The relationship between monitoring data sets and cluster tags can be a many-to-one relationship, that is, one or more monitoring data sets can correspond to a cluster tag. When the monitoring dataset has a one-to-one relationship with the monitored systems, the monitored systems and the cluster tags thus have a many-to-one relationship, ie, one cluster tag can be assigned or correspond to one or more monitored systems. By the grouping method disclosed in this disclosure, a plurality of monitoring groups can be generated, and each monitoring group corresponds to or is assigned a cluster label, such as one of the third cluster labels, and each third cluster label can be a unique label, so that each monitoring group Groups can be distinguished from each other, ie similar monitored systems can be grouped into the same group, so that each monitoring group can contain one or more monitored systems. The time series algorithm can adopt ARIMA, LSTM, RCF and other algorithms that can be applied to time series data. The second monitoring data set can be input into the model established by the time series algorithm, so as to generate the predicted value predicted based on the second monitoring data set. For example, the second monitoring data set can be the data points of the previous week of the data point to be predicted. If every minute is a data point, for a single monitoring parameter, the second monitoring data set can contain 10080 data points. The time series model can be modeled by training historical data first, such as using the history of each monitoring parameter of each monitored system The data are used to establish the time series model of each monitored system, so the time series model corresponding to each monitored system is produced. When the second monitoring data set includes 25 monitoring parameters such as number of online users and CPU usage, the historical data may include the same 25 monitoring parameters as the second monitoring data set. A confidence interval can be set so that the predicted value of the monitoring parameter includes a value within a range, for example, the confidence interval can be set to 95%. For different monitoring parameters, confidence intervals of different values can be set. Confidence intervals can be automatically calculated and set by using a time series module or a library of culverts. The observed value of the monitored parameter can correspond to the predicted value of the monitored parameter at the same time point. For example, for a certain monitored parameter, the predicted value of the monitored parameter of the next data point of a monitored system can be predicted, and the monitored system can be obtained at Observed values of monitored parameters for the same data point. When comparing the observed value of the monitored parameter with the predicted value of the monitored parameter, the observed value of the monitored parameter can be compared with the confidence interval of the predicted value of the monitored parameter. If the observed value of the monitored parameter is not within the confidence interval, it can be judged that the observed value of the monitored parameter does not conform to Monitor parameter predictions. The observed value of the monitoring parameter is not within the confidence interval may mean that the observed value exceeds the confidence interval, for example, the observed value is greater than or smaller than the upper limit or lower limit of the confidence interval. The comparison between the observed value of the monitoring parameter and the predicted value of the monitoring parameter may include calculating or receiving multiple values at multiple time points and performing an overall comparison. For example, a time series of predicted values of the monitoring parameter and its corresponding time series may be established within the same period of time. One monitoring parameter observation value time series, each time series includes the monitoring parameter prediction value or monitoring parameter observation value corresponding to multiple time points in the period, the comparison of the two time series is carried out, if the judgment between the two time series There is a group of observed values that do not match the predicted values, there is an array of observed values that do not match the predicted values, there is an array of observed values that do not match the predicted values continuously, and there is another set of observed values that do not match the predicted values If it does not conform, or if there is a continuous discrepancy between the observed value of the array and the predicted value, followed by a group of observed values that do not conform to the predicted value, it can be judged that the observed value of the monitoring parameter does not conform to the predicted value of the monitoring parameter. Alternatively, if there is no discrepancy between the observed values and the predicted values of the continuous array after a group of observed values and predicted values occurs, it can be judged that the observed values of the monitored parameters do not conform to the predicted values of the monitored parameters. The threshold for the number of monitored systems can be based on the monitored The number of monitoring systems is set. The threshold of the number of monitored systems can be set to "2", so that in the group, except for the monitored system of concern (such as the first monitored system) that judges that the observed value of the monitored parameter does not meet the predicted value of the monitored parameter, only When another monitored system also judges that the observed value of the monitored parameter does not meet the predicted value of the monitored parameter, or when no other monitored system judges that the observed value of the monitored parameter does not meet the predicted value of the monitored parameter, it can determine that an abnormal event has occurred; If you want to set the standard for judging abnormal events to be looser, in other words, you want to reduce the sensitivity of abnormal detection, you can set the threshold to a higher value, such as "3"; if you want to adopt a stricter standard, you can set the threshold It can be set to "1", so that when only the monitored system of interest in the group judges that the observed value of the monitored parameter does not meet the predicted value of the monitored parameter, it can be judged that an abnormal event has occurred. The threshold of the number of monitored systems may also be set as a percentage, such as 10%. In addition, for those in other monitored systems in the group other than the monitored system of interest, it is judged that the observed value does not meet the predicted value, it can be judged as an abnormal event, that is, it is judged that the judgment in the other monitored system An abnormal event occurs for each of the observed values that do not meet the predicted value, so as to issue an alarm for each abnormal event; The number of monitored systems in the group that are not judged to have abnormal events, and the proportion of this number can be set by setting a threshold similar to the present disclosure. According to the principle of judging abnormal events in the group disclosed in this disclosure, the present invention also includes adopting the opposite judging method based on the same principle, for example, it can judge the abnormal events in other monitored systems in the first monitoring group except the first monitored system. The number of monitored systems corresponding to the observed value of the first monitored parameter conforming to the predicted value of the corresponding first monitored parameter is higher than a threshold of the number of monitored systems, thereby judging that an abnormal event has occurred in the first monitored system, and setting the threshold to a higher Higher values reflect stricter standards, etc. Anomaly alerts can include messages, notifications, flags, labels, audio, etc. The abnormal alarm may include information related to the monitored system to be concerned (such as the first monitored system), for example, indicating that the abnormality is the monitored system to be concerned, so that the abnormal alarm and/or the monitored system can be Carry out follow-up processing such as recording, statistics, and reflection.

In some embodiments, the present invention can use a computer software program that generates an abnormal alarm. After the program is loaded into the computer, the steps comprising the following steps are executed: receiving the first set of monitoring data from each of a plurality of monitored systems, Each of the first group of monitoring data includes the monitored operation data and system data of the corresponding monitored system, and the operation data and system data are classified by a plurality of status parameters; using the status of the first group of monitoring data grouping the monitored systems by parameter to generate a plurality of status parameter cluster tags such that each of the monitored systems corresponds to one of the status parameter cluster tags; using the status parameter clusters of the status parameters tags group the monitored systems to generate a plurality of monitored system cluster tags such that each of the monitored systems corresponds to one of the monitored system cluster tags, the monitored systems form a plurality of monitored system cluster tags Monitored system clusters, the monitored system clusters corresponding to the monitored system cluster labels respectively, the monitored system clusters include a first monitored system cluster, the first monitored system cluster includes a plurality of monitored systems of tags; for each of the state parameters, receiving a monitored observation for each of the plurality of monitored systems of the first cluster of monitored systems, and for each of the first cluster of monitored systems Each of the plurality of monitored systems generates a monitoring data time series corresponding to each of the corresponding state parameters, and generates a monitoring prediction value according to each monitoring data time series, and the monitoring prediction value corresponds to the monitoring on a time axis Observation value: judging whether the monitoring observation value of each of the plurality of monitored systems in the first monitored system cluster conforms to its corresponding monitoring prediction value, if not, it is determined that an abnormal behavior has occurred in the corresponding monitored system, And when the number of monitored systems determined to have abnormal behavior in the first monitored system cluster is greater than one and less than or equal to an abnormal threshold, it is determined that an abnormal event has occurred in the at least one monitored system that has abnormal behavior, and the abnormal threshold is less than the number of all monitored systems in the first monitored system cluster; and when it is determined that the abnormal event occurs, an abnormal alarm is generated, and the abnormal alarm indicates that the abnormal event occurred is the at least one monitored system.

In some embodiments, the aforementioned steps can be implemented in the following ways. The so-called abnormal behavior may mean or represent the judgment result that the parameter value does not conform to, and does not necessarily refer to the abnormal event based on which the abnormal alarm is generated. Abnormal behavior can be regarded as the preliminary result or intermediate result of abnormal judgment, and the final result is judged by comprehensive judgment of multiple abnormal behaviors, such as judging the number of monitored systems where abnormal behavior occurs, such as judging the final result as abnormal Events, using abnormal events as the basis for generating abnormal alarms. The abnormal behavior can be used as the abnormal judgment result of a single monitored system. Since the present invention can make an overall judgment of multiple monitored systems in a group, multiple abnormal behaviors in a group can be used as a whole to determine whether an abnormal event occurs in a single monitored system. Judgments based. For example, when the first monitored system cluster contains 15 monitored systems, the abnormality threshold can be set to 50%, and when it is determined that at least one and no more than seven monitored systems in the cluster have abnormal behaviors, it can be judged that such abnormalities occur Abnormal events occur in the monitored systems of the behavior, and abnormal alarms can be generated accordingly, and the generated abnormal alarms can indicate that abnormal events occur in at least one and no more than seven monitored systems. In addition, if it is determined that more than seven monitored systems have abnormal behaviors, an abnormal alarm can be generated for the monitored systems in the cluster that do not have abnormal behaviors, that is, the monitored systems that are judged to have abnormal behaviors are not judged to have abnormal events, but It is to judge a monitored system that does not have abnormal behavior as an abnormal event. This method can make a small number of people in the cluster whose behavior is different from other monitored systems be judged to have an abnormal event. Accordingly, this method can be implemented through the following steps: judging whether the monitoring observed value of each of the plurality of monitored systems of the first monitored system cluster conforms to its corresponding monitoring predicted value, and if not, it is judged to be An abnormal behavior occurs in the corresponding monitored system, and when the number of monitored systems that are judged to have abnormal behaviors in the first monitored system cluster is greater than the number of monitored systems that are not judged to have abnormal behaviors in the cluster, the The at least one monitored system that is not determined to have an abnormal behavior is determined to have an abnormal event, and when it is determined that the at least one abnormal event has occurred, an abnormal alarm is generated, and the abnormal alarm indicates the at least one monitored system that has an abnormal event. . Of course, in this method, the judgment of the number in the cluster (such as how many Number/minority judgment, or distinguishing two sub-clusters within a cluster by judging abnormal behavior) can be regarded as equivalent to setting a threshold, or the judgment method can be controlled by setting a threshold. For example, for a specific monitored system cluster including multiple monitored systems, the method of judging abnormal behavior disclosed in this disclosure is used to establish the first abnormal event judgment condition, that is, when less than half of the monitored systems in the cluster have abnormal behavior, Judging that less than half of the monitored systems have abnormal events; in addition, a second abnormal event judgment condition can be established, that is, when more than half of the monitored systems in the cluster have abnormal behaviors, the remaining ones that are not judged to have occurred An abnormal event occurs in the monitored system with abnormal behavior, and the second abnormal event judging condition can be independently used as the judging abnormal event in the cluster, or used together with the first abnormal event judging condition. In addition, this method can be implemented together with other threshold methods of the present disclosure to establish judgment conditions in different situations, and the present invention can alert different abnormal event judgment methods by setting multiple thresholds. For example, different or hierarchical numerical thresholds can be set to represent abnormal events of different levels. For example, the first type of abnormal threshold can be set to "2" and the second type of moderate abnormal threshold to "5". When the abnormal behavior of the monitored system is regarded as the first type of abnormal event, the abnormal alarm can indicate the occurrence of the first type of abnormal event, and the abnormal behavior of more than three to less than five monitored systems is regarded as the second type of abnormal event When , the abnormal alarm can indicate the occurrence of the second type of abnormal event, etc.; different types of abnormal events can represent different abnormal degrees, etc. For each monitored system cluster, the intra-cluster abnormal alarm method disclosed in this disclosure can be adopted, thus ensuring that each monitored system can be monitored in its own cluster and generate an alarm when an abnormal event occurs.

In some embodiments, the present invention can be implemented by a computer software program that generates an abnormal alarm. After the program is loaded through the computer, the following steps can be performed: grouping a plurality of status parameters of a plurality of monitored systems and generating a plurality of first cluster label sets each comprising a plurality of first cluster label sets, such that each of the monitored systems is assigned a first cluster label in each of the first cluster label sets, the etc. The first cluster label set corresponds to The status parameters, the plurality of status parameters are status parameters including the operating data and system data of the monitored systems; the monitored systems are grouped by a plurality of first cluster tags of the first cluster tag set and generating a second cluster label set comprising a plurality of second cluster labels such that each of the monitored systems is assigned a second cluster label in the second cluster label set, wherein the monitored systems have a plurality of monitored systems form a first monitored system group such that all monitored systems of the first monitored system group are assigned the same second cluster label, the first monitored system group includes a target monitored system system; for the first monitored system group, forming a training data set for each monitored system in the group, each of the training data sets includes the state parameters and further includes an outlier parameter, the abnormal The value parameter indicates an abnormal state of the corresponding monitored system; a first abnormal prediction model corresponding to each monitored system in the first monitored system group is established based on the training data sets, and the first abnormal prediction models each for predicting a first outlier parameter prediction value for the corresponding monitored system; forming an outlier parameter time series from outlier parameters in each of the training data sets, based on the outlier parameter The time series establishes a second abnormality prediction model corresponding to each monitored system in the first monitored system group, and each of the second abnormality prediction models is used to predict a second abnormal value parameter of the corresponding monitored system Predicted value: For each monitored system in the first monitored system group, use the corresponding one in the first abnormality prediction model to predict the first abnormal value parameter prediction value at a target time point, use the second The corresponding person in the abnormality prediction model predicts the predicted value of the second abnormal value parameter at the target time point, and judges that the corresponding monitored system occurs when the predicted value of the first abnormal value parameter does not meet the predicted value of the second abnormal value parameter Abnormal behavior, judging that abnormal behavior has occurred in the target monitored system according to the aforementioned abnormal behavior judging method, and judging according to the aforementioned abnormal behavior judging method that there are less than a specific number of the first monitored system group except the target monitored system Abnormal behavior occurs in other monitored systems, the number is lower than that of the first monitored system the number of monitored systems in the system group; and generating an anomaly alert associated with the target monitored system.

In some embodiments, the outlier parameter of the aforementioned training data set represents an outlier or risk value, such as the risk value described in this disclosure. The outlier parameter can contain outliers at multiple time points or a time series. These outliers can be marked with or without abnormality or risk. If there is an abnormality, it will be marked as "1", and if there is no abnormality, it will be marked as "0"; for For this outlier parameter, the data marked as "1" in the training data set may represent the abnormal state of the monitored system as abnormal, and the data marked as "0" may represent the abnormal state of the monitored system as non-abnormal. The training data set can contain historical data, such as data containing outliers or values at risk. Each piece of data in the training data set may include data at a specific time point, and accordingly, the outlier parameter reflects the abnormal state of the monitored system at the specific time point. The first anomaly prediction model can be trained by using the training data set, and the algorithm used in this model can include a suitable supervised machine learning algorithm. In other words, the outlier parameters are the data that mark the joint set of state parameters, so that all state parameters can be monitored as a whole without monitoring individual state parameters, and based on this, the first abnormality prediction model to predict exceptions. In addition, the outliers at each time point can be formed into a time series, and the outlier parameter time series can be used to train a second outlier prediction model formed by using LSTM algorithm or the like. For example, for a monitored system, every minute is a data point, and an outlier parameter is marked for each data point. If there is data marked for a week, there are 10080 outlier parameter values (or outlier parameters include Each data point of the week), these parameter values can form an outlier parameter time series and be used to build a time series model. For a piece of new data, such as a new observation value, the new data may contain state parameters but not abnormal value parameters, and the first and second abnormal prediction models can be used to predict the predicted values of each model. If the predicted values are When there is a difference, it can be judged that there is abnormal behavior. For example, when the second abnormality prediction model is used as the reference model, the predicted value of the second outlier parameter can be used as the prediction reference value. If the predicted value of the first outlier parameter does not match When the predicted value of the second outlier parameter or exceeds the upper and lower limits of its confidence interval, it can be judged that abnormal behavior occurs.

Based on the above, the service anomaly detection and alarm method provided by the embodiment of the present invention and the equipment and system using this method can include the following advantages compared with the prior art: (1) It can avoid only using information such as IT maintenance and operation Use logs to monitor or judge abnormal events, improve early warning opportunities, and reduce the possibility of false alarms; (2) use data judgment or training from similar services or companies to avoid insufficient data and improve model accuracy; (3) use Based on the data and modeling of the same type of service or company, the efficiency of comparison and warning of abnormal conditions can be improved; (4) It can be prevented in advance under the unobvious features or combination of features, and abnormalities can be predicted, no need for artificially defined logic; ( 5) The periodicity and seasonality of events, and the impact of long-term and short-term data can be considered; and (6) preventive warnings of comprehensive time series trends, and risk value assessment methods, avoiding subjective bias of traditional risk prediction methods, and processing The efficiency and accuracy of a large amount of data are too low. In addition, the service anomaly detection and alarm method provided by the embodiment of the present invention and the equipment and system using this method can be applied to various AI-related products and services, such as e-commerce, abnormal detection in the game industry, and abnormal detection in the manufacturing industry. , Fraud detection in financial statement insurance system (FSI) financial insurance industry, and automated maintenance and operation of management service provider (MSP), etc.

It should be understood that the examples and embodiments described herein are for illustrative purposes only, and that the disclosed embodiments and technical features can have various combinations in accordance with the spirit of the present invention, and various modifications or changes will be suggested to the present invention. skilled in the art and are to be included within the spirit and scope of this application and the purview of the appended claims.

S31~S36: steps

Claims (16)

A service anomaly detection and alarm method, executed on a computer device connected to a plurality of monitored systems, and the service anomaly detection and alarm method includes: receiving the operation of one of the monitored systems corresponding to a service Data and system data, and pre-processing the operating data and system data of the monitored system to obtain multiple status parameters of the monitored system; grouping each status parameter of the monitored system, Obtain a cluster label corresponding to each state parameter of the monitored system; group the monitored system according to the cluster labels of the state parameters of the monitored system, so as to obtain a group corresponding to the monitored system group number; detect whether the monitored system has an abnormal behavior according to at least one of the status parameters of the monitored system; and when detecting the abnormal behavior of the monitored system, determine Whether there are abnormal behaviors in the group corresponding to the group number exceeding a specific number of the monitored systems, and if the group corresponding to the group number does not exceed the specific number of the monitored systems also have abnormal behaviors, Then an alarm is generated. The service anomaly detection and alarm method as described in claim 1, wherein the specific number is half of the number of all the monitored systems in the group corresponding to the group number of the monitored system. The service anomaly detection and alarm method as described in claim 1, wherein each of the status parameters of the monitored system is grouped based on a model, and the model is based on the corresponding of each of the monitored systems The state parameters are obtained through training. The service anomaly detection and alarm method as described in claim 1, wherein the monitored system is grouped according to the cluster tags of the status parameters of the monitored system based on a model, and the model is based on the monitored system The cluster labels of the state parameters are obtained by training. The service anomaly detection and alarm method as described in Claim 1, wherein it is determined whether the monitored system has the abnormal behavior according to at least one of the state parameters of the monitored system based on at least one model, wherein at least one of the models includes a risk predictive model. The service anomaly detection and alarm method as described in Claim 1, wherein the monitored system includes a server, a database, a network, a firewall or a storage device for providing the service. The service anomaly detection and alarm method as described in claim item 5, wherein the status parameters corresponding to the monitored system when an abnormality occurred in the past are marked with a risk value of 1, and the corresponding status parameters when the monitored system has no abnormality in the past These status parameters are marked with a risk value of 0, and the risk prediction model is established based on the risk values. The service anomaly detection and alarm method as described in claim item 7, wherein whether a predicted risk value exceeds a specific value is calculated based on the current state parameters of the monitored system based on the risk prediction model, so as to detect whether the monitored system has this unusual behavior. The service anomaly detection and alarm method as described in claim item 1, wherein the operation data includes a real-time order number, a turnover, a number of online users, a page view number, a repeat customer number, a visit number, and an IP address number , a traffic source, a region, a device used, a user browsing event, a service website or an application program operation behavior or a customer service call record, and the system information includes a system log file, a basic At least one of facility operating data or a system indicator. The service anomaly detection and alarm method as described in claim 9, wherein each of the state parameters includes a CPU usage rate, a number of online users, a turnover, a page view number, a memory usage, or an input /Number of outputs. A service anomaly detection and alarm method, executed on a computer device connected with a plurality of monitored systems, the monitored systems are grouped into multiple groups, and the service anomaly detection and alarm method includes: receiving a corresponding service operating data and system data of one of the monitored systems, and perform data pre-processing on the operating data and the system data of the monitored system to obtain multiple status parameters of the monitored system; Detecting whether the monitored system has an abnormal behavior according to at least one of the status parameters of the monitored system; and when detecting that the monitored system has the abnormal behavior, determining whether the monitored system is in a group corresponding to Whether there are more than a certain number of the monitored systems also have the abnormal behavior, if the group corresponding to the group number does not exceed the specified number of the monitored systems also have the If the abnormal behavior is detected, it is determined that the detected abnormal behavior of the monitored system is an abnormal event, and an abnormal alarm is generated according to the abnormal event. A device for detecting abnormality and issuing an alarm, including: a data pre-processing unit, receiving operation data and system data of a monitored device corresponding to a service, and performing data pre-processing on the operation data of the monitored device and the system data processing to obtain a plurality of state parameters of the monitored equipment; a state parameter grouping unit for grouping each of the state parameters of the monitored equipment to obtain a cluster corresponding to each of the state parameters of the monitored equipment label; an individual grouping unit, which groups the monitored equipment according to the cluster labels of the state parameters of the monitored equipment, so as to obtain a group number corresponding to the monitored equipment; a detection unit, according to the monitored equipment At least one of the status parameters of the monitoring device detects whether the monitored device has an abnormal behavior; and a group comparison unit, when detecting the abnormal behavior of the monitored device, determines Whether there are more than a specific number of monitored devices in a group corresponding to the group number are also detected to have the abnormal behavior, if the group corresponding to the group number does not exceed the specific number of the monitored devices If the monitoring device also has the abnormal behavior, it is judged that the detected abnormal behavior of the monitored device is an abnormal event; and an alarm unit generates an abnormal alarm according to the abnormal event. A storage medium, which is a non-volatile storage medium, stores a plurality of program codes, and the program codes can be read by a computer device, so that the computer device executes as described in one of claims 1 to 11 The steps of the service anomaly detection and alarm method. A computer software program that generates an abnormal alarm is used to determine that an abnormal event has occurred in a monitored system and generate an abnormal alarm for the abnormal event. After the computer software program is loaded into the program through a computer, it executes the following steps: A monitoring data set, each of the first monitoring data sets includes a plurality of monitoring data, the monitoring data includes a first monitoring parameter and a second monitoring parameter, and the first monitoring parameter and the second monitoring parameter respectively include a plurality of monitoring data points, each of the data points contains a monitoring parameter value, the first monitoring data sets respectively include monitoring data of different monitored systems, and each of the first monitoring data sets includes a plurality of monitoring The data includes operational data and system data; a first grouping model is used to group the monitoring parameter values of the first monitoring parameters of the first monitoring data sets and generate a plurality of first cluster labels, so that the first monitoring data sets Each corresponds to one of the first cluster labels, and uses the first grouping model to group the monitoring parameter values of the second monitoring parameters of the first monitoring data sets to generate a plurality of second cluster labels, so that Each of the first monitoring data sets corresponds to one of the second cluster labels; using the second clustering model to group the first cluster labels and the second cluster labels of the first monitoring data sets and generate plural a third cluster label such that each of the first monitoring data sets corresponds to one of the third cluster labels, at least a plurality of the first monitoring data sets The first monitoring group is formed corresponding to one of the third cluster labels, and the first monitoring group includes a plurality of corresponding monitored systems according to the corresponding plurality of first monitoring data sets. The plurality of monitored systems in the first monitoring group includes the first monitored system; a plurality of second monitoring data sets are received from the first monitoring group, the second monitoring data sets are respectively received from the first monitoring a plurality of monitored systems in a group, each of the second monitoring data sets includes the first monitoring parameter and the second monitoring parameter; based on the second monitoring data sets, using a time series algorithm to predict respectively a plurality of predicted values of the first monitored parameters and a plurality of predicted values of the second monitored parameters corresponding to the first monitored parameter and the second monitored parameter of the first monitored group, so that the plurality of subjects in the first monitored group monitoring systems each corresponding to its first monitored parameter predicted value and its second monitored parameter predicted value; receiving a plurality of first monitored parameter observations for the first monitored parameter from a plurality of monitored systems in the first monitored group Values, the observed values of the first monitoring parameters are respectively corresponding to the predicted values of the first monitoring parameters; Comparing the predicted value of a monitoring parameter, judging that the observed value of the first monitoring parameter corresponding to the first monitored system does not meet the corresponding predicted value of the first monitoring parameter, and judging that the first monitoring group except the first monitored system The number of monitored systems whose observed value of the first monitored parameter does not meet the predicted value of the corresponding first monitored parameter in other monitored systems other than the monitored system is lower than a threshold of the number of monitored systems, thereby judging that the first An abnormal event occurs in the monitored system, wherein the monitored system quantity threshold is less than the monitored system quantity of the first monitored group; and An abnormal alarm is generated according to the judgment of the abnormal event. A computer software program that generates abnormal alarms. After the program is loaded into the computer, it executes the following steps: receiving a first set of monitoring data from each of a plurality of monitored systems, and each of the first sets of monitoring data includes The monitored operating data and system data of the corresponding monitored system are classified by a plurality of status parameters; the monitored systems are grouped by using the status parameters of the first group of monitoring data to generating a plurality of status parameter cluster tags such that each of the monitored systems corresponds to one of the status parameter cluster tags; grouping the monitored systems by using the status parameter cluster tags of the status parameters to generating a plurality of monitored system cluster labels such that each of the monitored systems corresponds to one of the monitored system cluster labels, the monitored systems forming a plurality of monitored system clusters, the monitored system clusters respectively corresponding to the monitored system cluster labels, the monitored system clusters comprising a first monitored system cluster comprising a plurality of monitored systems corresponding to the same monitored system cluster label; for the For each of the state parameters, a monitored observation for each of the plurality of monitored systems of the first monitored system cluster is received, and a corresponding value is generated for each of the plurality of monitored systems of the first monitored system cluster A monitoring data time series of each of the state parameters, and a monitoring predicted value is generated according to each monitoring data time series, and the monitoring predicted value corresponds to the monitoring observed value on a time axis; Judging whether the monitoring observed value of each of the plurality of monitored systems in the first monitored system cluster conforms to its corresponding monitoring predicted value, if not, it is determined that an abnormal behavior has occurred in the corresponding monitored system, and when the When the number of monitored systems that are determined to have abnormal behavior in the first monitored system cluster is greater than one and less than or equal to an abnormal threshold, it is determined that an abnormal event has occurred in at least one monitored system that has abnormal behavior, and the abnormal threshold is less than The quantity of all monitored systems in the first monitored system cluster; and according to the at least one abnormal event, an abnormal alarm is generated, and the abnormal alarm indicates the at least one monitored system where the abnormal event occurs. A computer software program that generates abnormal alarms. After the program is loaded into the computer, it executes the following steps: grouping a plurality of status parameters of a plurality of monitored systems and generating a plurality of first group labels each containing a plurality of a first cluster label set such that each of the monitored systems is assigned a first cluster label in each of the first cluster label sets, the first cluster label sets corresponding to the state parameters respectively , the plurality of status parameters are the status parameters including the operating data and system data of the monitored systems; the monitored systems are grouped with the plurality of first cluster tags of the first cluster tag sets and generate a plurality of a second cluster label set of second cluster labels, such that the monitored systems are each assigned a second cluster label in the second cluster label set, wherein a plurality of the monitored systems are monitored systems forming a first group of monitored systems such that all monitored systems of the first group of monitored systems are assigned the same second cluster label, the first group of monitored systems including a target monitored system; For the first group of monitored systems, forming a training data set for each monitored system in the group, each of the training data sets includes the state parameters and further includes an outlier parameter, the outlier parameter Indicates an abnormal state of the corresponding monitored system; establishes a first abnormal prediction model corresponding to each monitored system in the first monitored system group based on the training data sets, and each of the first abnormal prediction models which is used to predict the first outlier parameter prediction value of the corresponding monitored system; an outlier parameter time series is formed from the outlier parameters in each of the training data sets, based on the outlier parameter time series establishing a second anomaly prediction model corresponding to each monitored system in the first monitored system group, each of the second anomaly prediction models is used to predict a second outlier parameter prediction value of the corresponding monitored system ; For each monitored system in the first monitored system group, use the corresponding one of the first abnormality prediction models to predict the first abnormal value parameter prediction value at a target time point, and use the second abnormality prediction The corresponding person in the model predicts the predicted value of the second outlier parameter at the target time point, and when the predicted value of the first outlier parameter does not meet the predicted value of the second outlier parameter, it is judged that the corresponding monitored system has an abnormal behavior , judging that abnormal behavior has occurred in the target monitored system according to the aforementioned abnormal behavior judgment method, and judging that there are less than a certain number of other monitoring systems in the first monitored system group except the target monitored system Abnormal behavior occurs in the monitored system, the number is lower than the number of monitored systems in the first monitored system group; and an abnormal alarm associated with the target monitored system is generated.

Images