TWM655004U - System for monitoring multiple abnormal events - Google Patents

Abstract

The present invention relates to a system for monitoring multiple anomaly events, comprising a receiving module, a conversion module, an induction module, a plurality of trend monitoring modules, and an alert module. The receiving module receives multiple indicator data. The conversion module is connected to the receiving module and receives multiple indicator data. The conversion module converts each indicator data into different trend data that vary over time. The induction module is connected to the conversion module and categorizes each of the trend data into one of several different trend types. The plurality of trend monitoring modules are respectively connected to the induction module, and each trend monitoring module monitors the trend data corresponding to each trend type to generate their respective recognition results. The alert module is connected to each trend monitoring module, and when any of the recognition results indicates an anomaly, the alert module issues a warning message.

Description

Multiple abnormal event monitoring system

This invention relates to a monitoring system, and in particular to a monitoring system for abnormal events of various performances or capabilities of different types of hardware or software of a service system.

In telecommunications service systems, many different types of hardware or software work together to provide communication services. To achieve stable and efficient communication services, it is necessary to detect abnormal events in hardware or software in real time. Therefore, it is necessary to monitor the hardware or software to maintain the quality of communication services. When monitoring different hardware or software, there are several major challenges:

1. Compatibility issues: Each software (e.g. operating system, application, database, etc.) and hardware (storage device or network device, etc.) uses different technologies and standards. This means that to implement abnormal monitoring of multiple software or hardware, you need to customize the abnormal monitoring standards separately. For example, storage devices may need to confirm both performance and capacity indicators. For performance indicators, it may be the processor usage and the I/O per second of the input and output ports. For capacity indicators, it may be the R/W throughput and latency time, etc.

2. Data heterogeneity: The data formats and types generated by software or hardware may be different. Unifying these data for analysis and monitoring becomes a very complex problem.

3. Real-time and performance issues: Telecommunications systems often require real-time or near-real-time monitoring to respond quickly to problems. Processing and analyzing large amounts of data from different devices may affect system performance.

4. Accuracy of fault detection: The abnormal behaviors of different devices may manifest differently. Accurately monitoring and identifying these abnormal conditions requires in-depth expertise and advanced analytical techniques.

In addition, the traditional method of monitoring abnormal events of hardware or software is to set a monitoring threshold for each indicator separately, and issue a warning only when the monitoring threshold is reached. However, this method may cause the service capacity of the service system to suddenly decrease after the abnormal event occurs, or even fail to provide services. However, before the abnormal event occurs, the performance or capacity of some software or hardware may have gradually decreased. If this phenomenon can be targeted, it may be possible to issue early warnings to avoid the service system's service capacity being reduced or being unable to provide services. However, there is currently no platform or technical solution to solve the above challenges and problems. Therefore, how to solve the above challenges and problems through appropriate technical solutions, which may not even be limited to the hardware or software used to monitor the telecommunications system, is a problem that the industry expects to solve.

In view of the problems of previous technologies, the purpose of this invention is to use data analysis and machine learning technology for different indicators of different software and hardware of the service system to achieve anomaly detection, especially by analyzing the trends of various indicators to issue warnings before abnormal events occur, and the service system includes but is not limited to telecommunications service systems.

According to the purpose of this invention, a system for monitoring multiple abnormal events is provided, including a receiving module, a conversion module, an induction module, multiple trend monitoring modules and an alarm module. The receiving module receives multiple indicator data, each indicator data is used to represent one of the performance or capabilities of different software or hardware. The conversion module is connected to the receiving module, and receives multiple indicator data, and converts each indicator data into different change trend data that changes over time. The induction module is connected to the conversion module, and each change trend data is summarized into one of a plurality of different trend types. Multiple trend monitoring modules are connected to the induction module respectively. Each trend monitoring module will monitor the change trend data corresponding to each trend type, and each trend monitoring module has its own change trend standard to generate its own identification result. The warning module is connected to each trend monitoring module. When the identification result of any trend monitoring module is abnormal, the warning module will issue a warning message. The warning message is to notify that one or more of the indicator data is abnormal.

Among them, one of the multiple different trend types is the stationary trend type. The definition of the stationary trend type refers to the fluctuation trend of the indicator data over time, with the amount of change in repeated cycles over time.

Among them, the trend monitoring module corresponding to the fixed trend type is established by a first machine learning model through training of multiple past indicator data of the fixed trend type to generate a changing trend standard, and the first machine learning model generates an identification result based on the changing trend standard.

Among them, the first machine learning model is an automatic encoder model.

Among them, one of the multiple different trend types is the non-stationary trend type. The definition of the non-stationary trend type is that the fluctuation trend of the indicator data changes over time and changes in an unexpected amount at an uncertain time.

Among them, the trend monitoring module corresponding to the non-fixed trend type is established by a second machine learning model through training of multiple past indicator data of the non-fixed trend type to generate a changing trend standard, and the second machine learning model generates an identification result based on the changing trend standard.

Among them, the second machine learning model is the isolation forest model.

Among them, one of the multiple different trend types is the multiple non-stationary trend type. The definition of the multiple non-stationary trend type is that multiple indicator data corresponding to different performance or capabilities of multiple software or hardware, and the fluctuation trend that changes with time is the amount of change at an uncertain time with an unexpected difference.

Among them, the trend monitoring module corresponding to the multiple non-fixed trend types is a plurality of indicator data of the same performance or capability in the multiple non-fixed trend types. After the intermediate results are generated by the same third machine learning model, at least one explanation factor of an inferred explanation algorithm is used to generate the identification results. The third machine learning model is established by training the past multiple indicator data of the same performance or capability of the multiple non-fixed trend types, and generates the intermediate standard, and the third machine learning model generates the intermediate result with the intermediate standard, and the composition of the intermediate standard and at least one explanation factor is the changing trend standard.

Among them, the third machine learning model is an isolation forest algorithm model, and the inference explanation algorithm is a Shapley addition explanation algorithm.

Among them, one of the multiple different trend types is multiple different fixed trend types. The definition of multiple different fixed trend types is that the indicator data corresponding to the same performance or capability of multiple software or hardware, and the fluctuation trend that changes with time is the amount of repeated periodic changes that occur over time.

Among them, the trend monitoring module corresponding to multiple different fixed trend types uses a clustering algorithm to generate multiple clustering results for multiple indicator data of multiple different fixed trend types. All indicator data belonging to each clustering result are then used by their respective fourth machine learning models to generate their own identification results. Each fourth machine learning model is established by training the previous multiple indicator data corresponding to each clustering result.

Among them, the clustering algorithm is the K-means clustering algorithm, and the fourth machine learning model is the automatic encoder model.

As mentioned above, various types of changing trend data can be monitored by different trend monitoring modules. Since the trend monitoring module monitors the changing trend, each trend monitoring module can provide early warning messages before the performance or capability of the corresponding software or hardware is abnormal, thus avoiding the problem of service system's service capability being reduced or unable to provide service.

1: Monitoring multiple abnormal events system

10: Receiving module

12: Conversion module

14: Induction module

16: Trend monitoring module

18: Warning module

2: Service system

S101~S106: Steps

Figure 1 is a schematic diagram of the system architecture of this invention; Figure 2 is a flow chart of this invention; Figure 3 is a schematic diagram of the occurrence time of the abnormality as the identification result presented in the human-computer interface; Figure 4 is a schematic diagram of the indicator data for identification and the indicator data for training of multiple different fixed trend types; Figure 5 is a schematic diagram of the indicator data for training of multiple different fixed trend types for one year; Figure 6 is a schematic diagram of the number of abnormal logins monitored by the commercial software of the monitoring database; Figure 7 is a schematic diagram of the number of abnormal logins detected by this invention.

The embodiments of this invention will be further explained below with the help of the relevant drawings. As far as possible, the same reference numerals in the drawings and the manual represent the same or similar components. In the drawings, the shapes and thicknesses may be exaggerated for the sake of simplicity and convenience. It is understood that the components not specifically shown in the drawings or described in the manual are in the form known to ordinary technicians in the relevant technical field. Ordinary technicians in this field can make various changes and modifications based on the content of this invention.

As shown in FIG1 , the invention is a system for monitoring multiple abnormal events. The system 1 for monitoring multiple abnormal events includes a receiving module 10, a conversion module 12, an induction module 14, a plurality of trend monitoring modules 16, and an alarm module 18. The receiving module 10 receives a plurality of indicator data of a service system 2, and each indicator data is used to represent one of the performance or capabilities of different software or hardware of the service system 2. The conversion module 12 is connected to the receiving module 10 and receives a plurality of indicator data. The conversion module 12 converts each indicator data into different change trend data that changes over time. The induction module 14 is connected to the conversion module 12 and summarizes each change trend data into one of a plurality of different trend types. A plurality of trend monitoring modules 16 are respectively connected to the induction module 14. Each trend monitoring module 16 will monitor the change trend data corresponding to each trend type, and each trend monitoring module 16 has its own change trend standard to generate its own identification result. The warning module 18 is connected to each trend monitoring module 16. When the identification result of any trend monitoring module 16 is abnormal, the warning module 18 will issue a warning message, which is to notify that one or more of the indicator data is abnormal.

In some embodiments of the present invention, the system 1 for monitoring multiple abnormal events can be a desktop computer, a laptop computer, a server, or any electronic computing device having a receiving module 10, a conversion module 12, an induction module 14, a plurality of trend monitoring modules 16, and an alarm module 18, all of which belong to the system 1 for monitoring multiple abnormal events referred to in the present invention. Moreover, the desktop computer, the laptop computer, the server, or the electronic computing device can be connected to the service system by a local or remote connection. In addition, the system 1 for monitoring multiple abnormal events can be connected to the service system by cloud computing.

Please refer to FIG. 2 . The invention is a method for monitoring multiple abnormal events. The method is applied to a system 1 for monitoring multiple abnormal events and performs the following steps: (S101) The receiving module 10 receives multiple indicator data, each indicator data is used to represent one performance or capability of different software or hardware; (S102) The conversion module 12 converts each indicator data into a variable trend data that changes over time; (S103) The induction module 14 classifies each variable trend data into one of a plurality of trend types. The plurality of trend types may include a fixed trend type, a non-fixed trend type, and multiple non-fixed trend types. (S104) a plurality of trend monitoring modules 16 monitor each variable trend data corresponding to each trend type, and each trend monitoring module 16 has its own variable trend standard to generate an identification result; (S105) The warning module 18 determines whether the identification result is normal or abnormal. When the change trend data meets the change trend standard, it indicates that the identification result is normal, and then returns to step (S101); (S106) when the change trend data does not meet the change trend standard, the warning module 18 indicates that the identification result is abnormal, and then issues a warning message.

According to the above cycle, it is possible to repeatedly identify whether the various indicator data have abnormal trends over time, and to issue a warning message before exceeding the monitoring threshold mentioned in the previous technology. In addition, since the various indicator data are obtained over time, it is possible to trace back to which performance or capability indicator data has an abnormality, so as to solve the fundamental abnormality problem.

In some embodiments of the present invention, each indicator data is used to represent one of the performance or capabilities of different software or hardware. For example, in a telecommunications service system, different hardware devices (storage devices or network devices, etc.) and different software (such as operating systems, applications, databases, etc.) have different performance (Performance) and capacity (Capacity) indicators. For example, the operating system only evaluates performance, so the performance indicators include the processor usage, the hard disk input and output transfer rate, the memory usage, and the input and output port transfer rate per second (I/O per second)... etc. For storage devices, there will be performance and capacity indicators. The performance indicators include the processor usage and the input and output port transfer rate per second, and the capacity indicators include the read and write throughput (R/W throughput) and latency time, etc.

Furthermore, in the Windows operating system, various performance indicators are equivalent to the various performance indicators that can be displayed by the task manager application, and various performance indicators can use the "typeperf" command to write performance data into their own performance log files, and each performance indicator log file can be in CSV format or plain text. In addition, by using other monitoring software to monitor the various software or hardware of the service system, it is also possible to generate performance log files for various performance indicators, or generate capability log files for various capability indicators, such as Performance Co-Pilot (PCP) or OpManager. However, when this invention is actually implemented, it is not limited to this, and various performance indicators or capability indicators of different software or hardware can be obtained.

In some embodiments of this invention, each indicator data is converted into a trend data that changes over time. For example, the aforementioned various performance log files include multiple performance records, and each performance record is accompanied by the time when the record occurs. Therefore, the performance log file can be converted into a trend data that changes over time. This conversion process can be completed by designing an editing program by yourself, or by using existing multi-functional data analysis and monitoring platforms, such as Splunk, ELK Stack, Grafana, Prometheus, and Zabbix, etc. .

In some embodiments of the present invention, the definition of fixed trend type refers to the fluctuation trend of the index data over time and the amount of change in repeated cycles over time. Fixed trend type In a fixed time period, the data has a fixed trend, for example: the utilization rate of the processor of the storage device, the transmission speed of the input and output ports per second and other performance indicators, the speed of reading or writing of the storage device, the delay time and other capability indicators belong to the fixed trend type.

In addition, the definition of non-stationary trend type is that the fluctuation trend of indicator data changes over time is the amount of change at an uncertain time with an unexpected difference. Non-stationary trend type has no fixed trend and is usually caused by the sudden emergence of a large number of tasks or programs. For example: performance indicators such as database service response time (SQL Service response Time), active session (Active Session), and the number of database processes (Process) and database sessions (Session) etc.

In addition, the definition of multiple non-fixed trend types is multiple indicator data corresponding to different performance or capabilities of multiple software or hardware. The fluctuation trend that changes with time is the amount of change at an uncertain time with unexpected differences. In addition to including multiple performance records, each performance record will also be accompanied by the time when the record occurred, and will also record their respective source information. The source information can be the Internet Protocol Address (IP Address) or the name of the hardware device. For example: the information security anomaly detection log file of the security monitoring software for multiple servers, or the login anomaly log file (login fail) of multiple databases storing data of the same nature.

Furthermore, the definition of multiple different fixed trend types is that the indicator data corresponding to the same performance or capability of multiple software or multiple hardware, and the fluctuation trends that change over time are different differential changes. For example: the number of open files on the server is used as a performance indicator, and the number of open files on multiple servers can be summarized into several different fixed trend-changing performance indicators. To be more specific, suppose there are 100 servers, of which 30 have 30 open files often within a period of time, 20 have 20 open files often within a period of time, and 50 have 50 open files often within a period of time, which are called multiple different fixed trend types in this work.

In some embodiments of the present invention, the trend monitoring module corresponding to the fixed trend type is established by training the first machine learning model on multiple past indicator data of the fixed trend type to generate a changing trend standard, and the first machine learning model generates a recognition result based on the changing trend standard. Among them, the first machine learning model corresponding to the fixed trend type is an automatic encoder model. However, the present invention is not limited to this in actual implementation, and can also be a machine learning model such as Long Short-Term Memory (LSTM), Convolutional Neural Networks (CNN) or Gated Recurrent Unit (GRU).

In some embodiments of the present invention, the trend monitoring module corresponding to the non-stationary trend type is established by training the second machine learning model on multiple past indicator data of the non-stationary trend type to generate a changing trend standard, and the second machine learning model generates a recognition result based on the changing trend standard. The second machine learning model is an isolation forest model. However, the present invention is not limited to this in actual implementation, and can also be a random forest algorithm (Random Forest), a density-based spatial clustering algorithm (Density-Based Spatial Clustering of Applications with Noise, DBSCAN), and a K-Nearest Neighbors algorithm (KNN).

In some embodiments of the present invention, the trend monitoring module corresponding to multiple non-stationary trend types is a plurality of indicator data of similar performance or capabilities in the multiple non-stationary trend types. After the intermediate results are generated by the same third machine learning model, the explanation factors of the inferred explanation algorithm are used according to the intermediate results to generate identification results. The third machine learning model is established by training multiple past indicator data of similar performance or capabilities of multiple non-stationary trend types, and generates intermediate standards. The third machine learning model generates intermediate results according to the intermediate standards. The composition of the intermediate standards and the explanation factors is the changing trend standard. Among them, the third machine learning model is an isolation forest model, and the inferred explanation algorithm is a Shapley addition explanation algorithm. The third machine learning model can also be a random forest algorithm (Random Forest), a density-based clustering algorithm (Density-Based Spatial Clustering of Applications with Noise, DBSCAN), a K-Nearest Neighbors algorithm (KNN), and the inference explanation algorithm can also be a global explainable model (Global Explanations).

In some embodiments of the present invention, the definition of multiple different fixed trend types is that multiple indicator data corresponding to the same performance or capability of multiple software or hardware, and the fluctuation trends that change with time are different repeated periodic changes that occur with time. Among them, the trend monitoring module corresponding to the multiple different fixed trend types uses a clustering algorithm to generate multiple clustering results for multiple indicator data of multiple different fixed trend types, and then the indicator data belonging to each clustering result is respectively generated by a respective machine learning model to generate a respective identification result, and each machine learning model is established by training the past indicator data corresponding to each clustering result. Among them, the clustering algorithm is a K-means clustering algorithm, and the machine learning model is an automatic encoder model. The clustering algorithm can also be hierarchical clustering, spectral clustering or Gaussian mixture models (GMM) etc., and the machine learning model can also be a machine learning model such as long short-term memory network (LSTM), convolutional neural network (CNN) or gated recurrent unit (GRU).

In some embodiments of the present invention, the method can also calculate the system health value within a predetermined statistical range. The calculation method includes giving a health weight value to each software or hardware, respectively accumulating the total number of identification results and the total number of abnormalities of each software or hardware's performance index or capability index within the predetermined statistical range, dividing the total number of abnormalities of each software or hardware by the total number of identification results and multiplying by the health weight value to obtain the respective health deduction value, as shown in the following formula: hi =( Ai _÷ Ti ₎ × Wi _, wherein hi _is the health deduction value of one of the software or hardware, Ti _is the total number _of identification results corresponding to hi , Ai _is the total number of abnormalities _{corresponding} to hi , _and Wi _is the health deduction value of the corresponding h The health weight value of _i is calculated, and the health deduction value is subtracted from the initial health value to obtain the system health value, as shown in the following formula: Hs = H _I -( _{hi = 1} + hi _{= 2} +…+ hi _{= n} ) where Hs is the system health value, H _I is the initial health value, for example, 100 or 100% is used as the _initial health value, i = 1 represents the first hardware or software, i = 2 represents the second hardware or software, and i = n represents the last hardware or software.

據上所述，當初始健康值為100時，系統健康度值則為94.68。 For example, in a certain service system, the operating system, database, storage device, application and network device are used as the objects for evaluating the system health value of the service system. Each health weight value is 20%, and the scheduled statistical interval is once every hour. The total number of identification results of the operating system in the current scheduled statistical interval is 72 times, and the total number of abnormal times is 4 times, so the health deduction value of the operating system is 1.11. The total number of identification results of the database and storage device in the current scheduled statistical interval is 48 times, and the total number of abnormal times is 4 times, so the health deduction value of the database and storage device is 1.67. The total number of identification results of the application in the current pre-defined statistical interval is 192 times, and the total number of abnormal results is 3 times, so the health score of the application is 0.31. The total number of identification results of the network device in the current pre-defined statistical interval is 36 times, and the total number of abnormal results is 1 time, so the health score of the network device is 0.56, as shown in the following table:

As mentioned above, when the initial health value is 100, the system health value is 94.68.

In some embodiments, as shown in FIG3, each identification result of each hardware or software is presented as the abnormal occurrence time on a human-machine interface, wherein the time axis can be adjusted to the time period to be viewed as needed, such as: 1 hour, 2 hours or 24 hours, etc. FIG3 is drawn using the abnormal occurrence time of the software or hardware mentioned in the previous paragraph within the predetermined statistical interval (1 hour) as an example.

Taking the number of open files belonging to multiple different fixed trend types as an example, suppose there are 100 servers, and the number of open files of 10 of them is often around 10K (K means the number is 1,000) for a period of time, and the number of open files of one of them begins to change abnormally from 12/15 to 12/30, and the number of open files suddenly increases to more than 20K after 12/30 (as shown by the dotted line in Figure 4). The traditional warning mechanism is to issue a warning message only when the number of open files exceeds 20K. However, in this work, assuming that the fourth mechanical model (such as the auto-encoder model) is trained with the index data of each month in the past year (as shown in Figure 5), the monthly change trend standard of the fourth mechanical model is equivalent to the solid line shown in Figure 4. Therefore, when the fourth mechanical model is used for identification, five warning messages will be issued for the unusual and repeated increase trend that begins between 12/15 and 12/30.

In terms of multiple non-fixed trend types of indicator data, assume that the data management center (DMC) of the commercial software monitoring the database provides log files of various performance and capability indicators of the monitoring database, and the abnormal login status detected by the search, analysis and reporting center (SARC) of the commercial software is an average of 200 times (as shown in Figure 6). However, in this work, the various performance and capability log files of different databases are first structured into indicator data, and each performance indicator and capability indicator of the same type is identified by their respective third machine learning models (such as the isolation forest algorithm), and then the Shapley addition interpretation algorithm is used to calculate the Shapley value (Shapley value) of each intermediate result of different types. values) to interpret and confirm whether it is abnormal, and the final identification result obtained for the same data as the aforementioned commercial software is about 20 times of abnormality (as shown in Figure 7). This approach is to reduce the errors or over-judgments of the original commercial software monitoring the database as noise, so the number of abnormal warnings can be greatly reduced, and thus the manpower required to eliminate abnormal conditions can be reduced.

For another type of multiple non-fixed trend indicator data, suppose we need to detect the anomaly of login failures on 200 servers. Since each server has a different number of login failures, we can combine and train a third machine learning model, and then use the Shapley addition interpretation algorithm to calculate the Shapley values of the 200 servers in this anomaly result. Then, we can capture the server with the highest Shapley value contribution score as the object of actual anomaly performance. This can solve the problem of training and identifying each server with a different machine learning model.

In summary, this invention can monitor various types of changing trend data using different trend monitoring modules. Since the trend monitoring module monitors changing trends, each trend monitoring module can provide early warning messages before the performance or capability of the corresponding software or hardware is abnormal, thus avoiding the problem of service system's service capability being reduced or unable to provide services, and even eliminating erroneous abnormal detection situations, thereby reducing the manpower demand for system debugging.

The above is only an example to illustrate the best implementation method of this creation, and is not intended to limit the scope of implementation. All simple substitutions and equivalent changes made based on the scope of patent application of this creation and the content of the patent specification are within the scope of patent application of this creation.

1: Monitoring multiple abnormal events system

10: Receiving module

12: Conversion module

14: Induction module

16: Trend monitoring module

18: Warning module

2: Service system

Claims (15)

A system for monitoring multiple abnormal events includes: a receiving module, receiving a plurality of indicator data, each of which is used to represent a performance or capability of different software or hardware; a conversion module, connected to the receiving module, receiving the plurality of indicator data, and converting each of the indicator data into a change trend data that changes with time; an induction module, connected to the conversion module, and inducing each of the change trend data to be one of a plurality of different trend types; a plurality of trend monitoring modules, Connected to the induction module respectively, each trend monitoring module will monitor each change trend data corresponding to each trend type, and each trend monitoring module has its own change trend standard to generate its own identification result; and an alarm module connected to the plurality of trend monitoring modules, when the identification result of any one of the trend monitoring modules is abnormal, the alarm module will issue an early warning message, which is to notify that one or more of the indicator data is abnormal. A system for monitoring multiple abnormal events as described in claim 1, wherein one of the plurality of different trend types is a fixed trend type, and the fixed trend type is defined as the fluctuation trend of the indicator data over time, with the amount of repeated periodic changes over time. The system for monitoring multiple abnormal events as described in claim 2, wherein the trend monitoring module corresponding to the fixed trend type is established by a first machine learning model through training of a plurality of past indicator data of the fixed trend type to generate the changing trend standard, and the first machine learning model generates the identification result according to the changing trend standard. A system for monitoring multiple abnormal events as described in claim 3, wherein the first machine learning model is an automatic encoder model. A system for monitoring multiple abnormal events as described in claim 1, wherein one of the plurality of different trend types is a non-stationary trend type, and the definition of the non-stationary trend type is that the fluctuation trend of the indicator data over time changes with an unexpected difference at an uncertain time. The system for monitoring multiple abnormal events as described in claim 5, wherein the trend monitoring module corresponding to the non-fixed trend type is established by a second machine learning model through training of a plurality of past indicator data of the non-fixed trend type to generate the changing trend standard, and the second machine learning model generates the identification result according to the changing trend standard. A system for monitoring multiple abnormal events as described in claim 6, wherein the second machine learning model is an isolation forest model. A system for monitoring multiple abnormal events as described in claim 1, wherein one of the multiple different trend types is a multiple non-stationary trend type, and the definition of the multiple non-stationary trend type is that the multiple indicator data corresponding to the different performance or capabilities of multiple software or hardware, and the fluctuation trend that changes with time is the amount of change at an uncertain time with an unexpected difference. A system for monitoring multiple abnormal events as described in claim 8, wherein the trend monitoring module corresponding to the multiple non-fixed trend types generates an intermediate result using the same third machine learning model for multiple indicator data of similar performance or capability in the multiple non-fixed trend types, and then generates an identification result based on the intermediate result using at least one explanation factor of an inferred explanation algorithm, and the third machine learning model is established by training multiple indicator data of similar performance or capability of the multiple non-fixed trend types in the past, and generates an intermediate standard, the third machine learning model generates the intermediate result based on the intermediate standard, and the composition of the intermediate standard and the at least one explanation factor is the variable trend standard. A system for monitoring multiple abnormal events as described in claim 9, wherein the third machine learning model is an isolation forest algorithm model. A system for monitoring multiple abnormal events as described in claim 9, wherein the inference explanation algorithm is a Shapley addition explanation algorithm. A system for monitoring multiple abnormal events as described in claim 1, wherein one of the plurality of different trend types is a plurality of different fixed trend types, and the definition of the plurality of different fixed trend types is that the fluctuation trend of the indicator data corresponding to the same performance or capability of multiple software or hardware respectively changes with time is a different repetitive cycle change amount occurring with time. A system for monitoring multiple abnormal events as described in claim 12, wherein the trend monitoring module corresponding to the multiple different fixed trend types generates multiple grouping results for the multiple indicator data of the multiple different fixed trend types using a grouping algorithm, and then generates respective identification results for all the indicator data belonging to each grouping result using respective fourth machine learning models, and each fourth machine learning model is established by training the multiple past indicator data corresponding to each grouping result. A system for monitoring multiple abnormal events as described in claim 13, wherein the clustering algorithm is a K-means clustering algorithm. A system for monitoring multiple abnormal events as described in claim 13, wherein the fourth machine learning model is an automatic encoder model.