CN108829794B - Alarm analysis method based on interval graph - Google Patents

Publication number
CN108829794B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810562364.7A
Other languages
Chinese (zh)
Other versions
CN108829794A (en)
Inventor
郭宇春
尹博艺
郑宏云
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jiaotong University
Original Assignee
Beijing Jiaotong University
Application filed by Beijing Jiaotong University
Priority to CN201810562364.7A
Publication of CN108829794A
Application granted
Publication of CN108829794B

Abstract

The invention provides an alarm analysis method based on an interval graph. The method comprises the following steps: converting all alarm events at the same place into an alarm event sequence ordered by alarm occurrence time, and establishing an alarm event interval graph according to the degree of overlap and the order of occurrence of the alarm intervals of the alarm events in the sequence; merging the alarm event interval graphs from different places, wherein all nodes for alarm events of the same type are merged into one node, and assigning edge weights to the connecting edges among the nodes of the merged graph to obtain an alarm interval graph; and obtaining the differences in relevance among the alarm events by a graph characteristic analysis method, according to the edge weights of the connecting edges among the nodes in the alarm interval graph. The method is applicable to situations where alarms are distributed evenly or unevenly across the entire time series, and provides scientific guidance for reducing alarm redundancy, improving alarm effectiveness and locating the root cause of faults.

Description

Alarm analysis method based on interval graph
Technical Field
The invention relates to the technical field of alarm correlation analysis, in particular to an alarm analysis method based on an interval graph.
Background
In a conventional alarm correlation analysis method, the whole alarm data set is generally regarded as a time sequence. An alarm window width is set by using a sliding time window, and all alarms falling within the same window are regarded as occurring simultaneously. However, there is no standard for setting the window width and the sliding step length; the selection principle is to balance the mining efficiency of the alarm event sequence pattern against the accuracy of the mining result. Therefore, when a new set of data is analyzed, trial-and-error comparisons are performed with a set of parameters, and a relatively suitable window width and step size are finally selected. This time-window-based analysis method is limited by the distribution of alarms and is only suitable for the case where alarms are evenly distributed over the entire time series. In practice, however, there may be time regions where the alarm density is very high and others with no alarms at all, which results in many meaningless windows and empty windows.
In the existing mining method for alarm correlation modes in the prior art, an alarm correlation rule base is generated based on various correlation algorithms such as Apriori algorithm, FP-growth and the like, and rule support is provided for related alarm prediction and alarm correlation analysis functions.
The mining methods for alarm association modes in the prior art have the following disadvantages: in addition to the above-mentioned problems of using time windows, these methods focus on mining frequently occurring alarms and may not find alarms that occur infrequently but may be important; in addition, they lack any further presentation of the related alarms and lack a more intuitive way of visualizing the mined association rules.
Disclosure of Invention
The embodiment of the invention provides an alarm analysis method based on an interval graph, which is used for overcoming the defects of the prior art.
In order to achieve the purpose, the invention adopts the following technical scheme.
An alarm analysis method based on an interval graph comprises the following steps:
converting all alarm events in the same place into an alarm event sequence according to an alarm occurrence time sequence, regarding each alarm event in the alarm event sequence as a node, and establishing an alarm event interval graph according to the overlapping degree and the occurrence time sequence of the alarm intervals of the alarm events in the alarm event sequence;
merging all alarm event interval graphs from different places, wherein all nodes for alarm events of the same type are merged into one node, and assigning edge weights to the connecting edges among the nodes in the merged alarm event interval graph to obtain an alarm interval graph;
and obtaining the difference of the relevance among the alarm events by adopting a graph characteristic analysis method according to the edge weight of the connecting edges among the nodes in the alarm interval graph.
Further, the converting all the alarm events in the same place into an alarm event sequence according to the alarm occurrence time sequence includes:
one occurrence of each type of alarm is called an alarm event; at one place, an alarm event is uniquely determined by an alarm name, an occurrence time and a clearing time; the duration of the alarm event from occurrence to clearing is called an alarm interval; the occurrence time of an alarm event is denoted $T_s$ and the clearing time is denoted $T_e$; the sequence number of an alarm event in the alarm event sequence is denoted $k$, and the alarm name of alarm event $k$ is denoted $m_k$; each alarm event is represented by a quadruple $(k, m_k, T_s, T_e)$; alarm events with the same alarm name are the same type of alarm, and alarm events of the same type have the same alarm level;
converting the alarm events of the same place into an alarm event sequence $S$ according to the order of alarm occurrence time, where $S = \{(1, m_1, T_{s1}, T_{e1}), (2, m_2, T_{s2}, T_{e2}), \ldots, (k, m_k, T_{sk}, T_{ek})\}$, and the sequence number of an alarm event that occurs earlier is lower than that of an alarm event that occurs later.
Further, the step of regarding each alarm event in the alarm event sequence as a node, and establishing an alarm event interval graph according to the overlapping degree and the occurrence time sequence of the alarm intervals of the alarm events in the alarm event sequence, includes:
taking each alarm event in the alarm event sequence as a node, numbering the alarm events in sequence according to their order of occurrence, recording the number as $k$ and the corresponding alarm name as $m_k$, and naming the node corresponding to the alarm event $km_k$;
selecting two alarm events $(a, m_a, T_{sa}, T_{ea})$ and $(b, m_b, T_{sb}, T_{eb})$ in the alarm event sequence, with $a<b$; if the time period $T_{ea}-T_{sa}$ and the time period $T_{eb}-T_{sb}$ overlap in time, the alarm intervals of alarm event $(a, m_a, T_{sa}, T_{ea})$ and alarm event $(b, m_b, T_{sb}, T_{eb})$ are judged to overlap, and a directed connecting edge $(am_a, bm_b)$ pointing from node $am_a$ to node $bm_b$ is established; otherwise, no directed connecting edge from node $am_a$ to node $bm_b$ is established;
traversing every pair of alarm events in the alarm event sequence; when the alarm intervals of a pair of alarm events are judged to overlap, establishing a directed connecting edge pointing from the low-sequence-number node to the high-sequence-number node of the pair, and assigning an edge weight to the connecting edge according to the degree of overlap of the alarm intervals of the two alarm events, thereby completing the establishment of the alarm event interval graph.
Further, the merging process of the alarm event interval graphs from different locations, where all the nodes of the alarm events of the same type are merged into one node, to obtain an alarm interval graph, includes:
and aiming at K alarm event occurrence places, respectively obtaining an alarm event interval graph of each alarm event occurrence place, merging the K alarm event interval graphs, merging all nodes of the same type of alarm events in the merged alarm event interval graph into one node, when at least one node pair with a connecting edge exists between the two types of alarm events, establishing a connecting edge between the node pairs of the two types of alarm events after merging, and endowing edge weights to the connecting edges between the nodes in the merged alarm event interval graph to obtain the alarm interval graph.
Further, the assigning an edge weight to a connecting edge between nodes in the alarm event interval graph after the combining process includes:
the edge weight function of the connecting edge between a pair of nodes in the alarm interval graph is comprehensively determined by the occurrence frequency of the alarm event corresponding to the pair of nodes, the connecting edge frequency between the alarm event nodes and the edge weight of the connecting edge between the nodes in the corresponding alarm event interval graph;
suppose the calculation formula of the edge weight $P_{ab}$ of the connecting edge between a pair of nodes in the alarm interval graph is as follows:
Figure BDA0001683620900000041
$\sum g_{(a,b)}(D)$ is the accumulation of the edge weights of all directed edges pointing from class a alarm events to class b alarm events in the alarm event interval graph, $f_{(a,b)}$ is the number of directed edges pointing from class a alarm events to class b alarm events in the alarm event interval graph, and $f_a$ and $f_b$ respectively represent the frequency of occurrence of class a alarm events and class b alarm events.
Further, the assigning an edge weight to a connecting edge between nodes in the alarm event interval graph after the combining process further includes:
setting different types of alarm events with different levels, defining a weight function based on the alarm event levels, calculating a weight function value corresponding to a connecting edge between a pair of nodes in an alarm interval graph through the weight function, and endowing an edge weight value for the connecting edge between the pair of nodes according to the weight function value.
Further, the obtaining, according to the edge weight of the connecting edge between the nodes in the alarm interval graph, the difference of the correlation between the alarm events by using a graph characteristic analysis method includes:
judging the strength of the correlation between the two types of alarms connected by a connecting edge according to the magnitude of the edge weight of the connecting edge between the nodes in the alarm interval graph, wherein the larger the edge weight of the connecting edge, the stronger the correlation between the two types of alarms it connects;
according to the differences in relevance between the alarm events, determining the binary association relationship of the alarm events based on the edge weights of the connecting edges between the nodes, and dividing the binary association relationship into 3 types: the causal type, the concurrent type and the independent type; a pair of alarms whose edge weight is lower than a set threshold, and a pair of alarms without a connecting edge, are determined to be a pair of alarms in the independent association relationship;
defining the symmetry coefficient $R$ as $R = \min(P_{ab}, P_{ba}) / \max(P_{ab}, P_{ba})$, where $P_{ab}$ and $P_{ba}$ respectively represent the edge weights of the directed edges $(m_a, m_b)$ and $(m_b, m_a)$ in the alarm interval graph; when the difference between $R$ and 1 is less than the set value, alarm type a and alarm type b are determined to be in a concurrent association relationship, and when the difference between $R$ and 0 is less than the set value, alarm type a and alarm type b are determined to be in a causal association relationship.
Further, the obtaining, according to the edge weight between the nodes in the alarm interval graph, the difference of the correlation between the alarm events by using a graph-based feature analysis method further includes:
discovering the multivariate association relationship among alarm events based on community characteristics: the community structure of the alarm interval graph is obtained through a community discovery method, the relevance among alarm events belonging to the same community is judged to be strong, and the relevance among alarm events not belonging to the same community is judged to be weak.
It can be seen from the technical solutions provided by the embodiments of the present invention that the method addresses the phenomenon of alarm time overlap by using an interval graph to present complex overlapping alarms in a more intuitive manner. The strength of association and the binary and multivariate association relations among the various alarms are deduced from the edge weights of the alarm interval graph, important alarms are deduced by combining the node weights, and the potential rules of alarm occurrence are explored. The method is suitable for situations where alarms are uniformly or non-uniformly distributed over the whole time sequence, and provides scientific guidance for reducing the redundancy of alarm data, improving alarm effectiveness and locating the root cause of faults.
Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic diagram illustrating an implementation of an alarm analysis method based on an interval graph according to an embodiment of the present invention;
FIG. 2 is a schematic diagram illustrating that an alarm a and an alarm b overlap in a time interval according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating an alarm event interval graph according to an embodiment of the present invention;
FIG. 4 is a diagram of an example of edge weight calculation for an alarm interval graph according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of the types of association between alarms according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of performing community discovery in an alarm interval graph according to an embodiment of the present invention.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the accompanying drawings are illustrative only for the purpose of explaining the present invention, and are not to be construed as limiting the present invention.
As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element of the present invention is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may also be present. Further, "connected" or "coupled" as used herein may include wirelessly connected or coupled. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
It will be understood by those skilled in the art that, unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
For the convenience of understanding the embodiments of the present invention, the following description will be further explained by taking several specific embodiments as examples in conjunction with the drawings, and the embodiments are not to be construed as limiting the embodiments of the present invention.
Graphs are among the most powerful frameworks in data structures and algorithms and can represent all types of structures or systems. Analyzing alarm relevance with a graph-based method overcomes the limitations of the time-window-based method and allows the various kinds of relevance to be displayed conveniently and visually.
An implementation schematic diagram of the alarm analysis method based on an interval graph provided by the embodiment of the invention is shown in fig. 1. It includes three processing steps: generating and weighting the alarm event interval graph, generating and weighting the alarm interval graph, and discovering the alarm association mode.
First, the processing procedure for generating the alarm event interval graph comprises the following steps:
1. Data pre-processing
The invention uses a '0-1' square wave to represent an alarm (namely an alarm event). The occurrence time of the alarm is denoted $T_s$ and the alarm clearing time is denoted $T_e$. Each alarm can then be represented by a quadruple $(k, m_k, T_s, T_e)$, where $k$ is the sequence number of the alarm event in the alarm event sequence and $m_k$ is the alarm name of alarm event $k$.
The alarm events with the same alarm name are the same type of alarm, the same type of alarm events have the same alarm level, the same type of alarm can occur for multiple times, and one occurrence of each type of alarm is called an alarm event. In one place, an alarm event is uniquely determined by an alarm name, an occurrence time and a clearing time, and the duration interval of the event from occurrence to clearing is called an alarm interval. Obtaining an alarm event sequence S through preprocessing:
$S = \{(1, m_1, T_{s1}, T_{e1}), (2, m_2, T_{s2}, T_{e2}), \ldots, (k, m_k, T_{sk}, T_{ek})\}$
In the alarm event sequence $S$, the sequence number of an alarm event that occurs earlier is lower than the sequence number of an alarm event that occurs later.
2. Extraction of alarm overlap sequence
For any two alarm events $(a, m_a, T_{sa}, T_{ea})$ and $(b, m_b, T_{sb}, T_{eb})$ in the alarm event sequence, if the time period $T_{ea}-T_{sa}$ and the time period $T_{eb}-T_{sb}$ overlap in time, the alarm intervals of alarm event $(a, m_a, T_{sa}, T_{ea})$ and alarm event $(b, m_b, T_{sb}, T_{eb})$ are judged to overlap, as shown in fig. 2.
3. Forming an alarm event interval graph
Each alarm event in the alarm event sequence is taken as a node in the alarm event interval graph. The alarm events are numbered in sequence according to the order of their occurrence time; the number is recorded as $k$, the corresponding alarm name is recorded as $m_k$, and the node corresponding to the alarm event is named $km_k$.
Two alarm events $(a, m_a, T_{sa}, T_{ea})$ and $(b, m_b, T_{sb}, T_{eb})$ with $a<b$ are selected from the alarm event sequence. If the time period $T_{ea}-T_{sa}$ and the time period $T_{eb}-T_{sb}$ overlap in time, the alarm intervals of alarm event $(a, m_a, T_{sa}, T_{ea})$ and alarm event $(b, m_b, T_{sb}, T_{eb})$ are judged to overlap, and a directed connecting edge $(am_a, bm_b)$ pointing from node $am_a$ to node $bm_b$ is established; otherwise, no directed connecting edge from node $am_a$ to node $bm_b$ is established.
Traversing any two alarm events in the alarm event sequence, when judging that the alarm intervals of a pair of alarm events are overlapped, establishing a directed connecting edge of a low-sequence-number node in the pair of alarm events pointing to a high-sequence-number node, and assigning an edge weight to the connecting edge between the alarm events according to the overlapping degree of the alarm intervals between the alarm events, thereby completing the establishment of an alarm event interval graph.
Fig. 3 is a schematic diagram of an alarm event interval diagram provided in an embodiment of the present invention, where numbers in the diagram indicate occurrence sequence numbers of alarm events, and the occurrence sequence numbers are sequentially allocated according to an alarm event occurrence time sequence. In fig. 3, an overlap function g (D) is further defined according to the overlap degree D of the alarm intervals between alarms, and an edge weight is given to the connecting edge between the corresponding alarm events according to the value of the overlap function.
The value of the overlapping function is comprehensively determined by the length of a corresponding alarm interval and the time length of the overlapping phenomenon of a pair of alarms, and the function form of the overlapping function g (D) is not unique. It can be assumed that g (D) is calculated as follows:
for two alarm events $(a, m_a, T_{sa}, T_{ea})$ and $(b, m_b, T_{sb}, T_{eb})$ with $a<b$, the length of time for which the alarm interval $T_{ea}-T_{sa}$ and the alarm interval $T_{eb}-T_{sb}$ overlap is $t_d$, and the duration from $T_{sa}$ to $\max(T_{ea}, T_{eb})$ is $t_s$; then
Figure BDA0001683620900000091
Secondly, the processing procedure for generating the alarm interval graph comprises the following steps:
For the K places where alarm events occur, the alarm event interval graph of each place is obtained, and the K alarm event interval graphs are merged. All nodes for alarm events of the same type in the merged alarm event interval graph are merged into one node. When at least one node pair with a connecting edge exists between two types of alarm events before merging, a connecting edge is established between the nodes of the two types of alarm events after merging, and an edge weight is assigned to each connecting edge between the nodes of the merged graph to obtain the alarm interval graph.
The edge weight of the connecting edge between a pair of nodes in the alarm interval graph is comprehensively determined by the occurrence frequency of the alarm event corresponding to the pair of nodes, the connecting edge frequency between the alarm event nodes and the edge weight of the connecting edge between the nodes in the corresponding alarm event interval graph, and the expression form of the edge weight function is not unique.
Assume that the calculation formula of the edge weight $P_{ab}$ of the connecting edge between a pair of nodes in the alarm interval graph is as follows:
Figure BDA0001683620900000092
$\sum g_{(a,b)}(D)$ is the accumulation of the edge weights of all directed edges pointing from class a alarm events to class b alarm events in the alarm event interval graph, $f_{(a,b)}$ is the number of directed edges pointing from class a alarm events to class b alarm events in the alarm event interval graph, and $f_a$ and $f_b$ respectively represent the frequency of occurrence of class a alarm events and class b alarm events.
FIG. 4A shows two alarm event interval graphs generated at two alarm occurrence places, and FIG. 4B shows the alarm interval graph obtained by merging the two alarm event interval graphs. In FIG. 4A, $\sum g_{(a,b)}(D)=0.2$, $\sum g_{(a,c)}(D)=0.6$, $\sum g_{(b,c)}(D)=0.1+0.23+0.72=1.05$, $\sum g_{(c,a)}(D)=0.45$; $f_{(a,b)}=1$, $f_{(a,c)}=1$, $f_{(c,a)}=1$, $f_{(b,c)}=3$; $f_a=2$, $f_b=3$, $f_c=4$.
The result of calculating the edge weight according to the above values to obtain the edge weight in the alarm interval graph is shown in fig. 4B.
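The following added example (not code from the patent) builds the per-place alarm event interval graph described in steps 1 to 3 above and then merges several places by alarm type, accumulating the quantities $\sum g_{(a,b)}(D)$, $f_{(a,b)}$ and $f_a$ that the edge-weight formula takes as input. Because the formula figures are not reproduced on this page, $g(D) = t_d / t_s$ is an assumed form of the overlap function, and the alarm names, timestamps and function names are constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations


def event_interval_graph(events):
    """Build the alarm event interval graph for ONE place.

    events: iterable of (alarm_name, t_start, t_end) tuples.
    Returns (nodes, edges): nodes[k] is the alarm name of event k and
    edges[(a, b)] is the overlap weight g(D) of the directed edge a -> b (a < b).
    """
    # Number events by occurrence time: earlier start => lower sequence number.
    seq = sorted(events, key=lambda e: e[1])
    nodes = {k: name for k, (name, _, _) in enumerate(seq, start=1)}
    edges = {}
    for (a, (_, ts_a, te_a)), (b, (_, ts_b, te_b)) in combinations(
            enumerate(seq, start=1), 2):
        # t_d: length of time during which both alarm intervals are active.
        t_d = min(te_a, te_b) - max(ts_a, ts_b)
        if t_d <= 0:
            continue  # disjoint or merely touching intervals: no edge
        # t_s: duration from T_sa to max(T_ea, T_eb), as defined in the text.
        t_s = max(te_a, te_b) - ts_a
        # ASSUMPTION: g(D) = t_d / t_s. The text says the form is not unique.
        edges[(a, b)] = t_d / t_s
    return nodes, edges


def merge_sites(site_graphs):
    """Merge per-place graphs by alarm type.

    Returns (sum_g, f_edge, f_type):
      sum_g[(x, y)]  accumulated g(D) over all event edges from type x to type y
      f_edge[(x, y)] number of such event edges
      f_type[x]      number of occurrences of alarm type x
    """
    sum_g = defaultdict(float)
    f_edge = defaultdict(int)
    f_type = defaultdict(int)
    for nodes, edges in site_graphs:
        for name in nodes.values():
            f_type[name] += 1
        for (a, b), weight in edges.items():
            pair = (nodes[a], nodes[b])
            if pair[0] == pair[1]:
                # ASSUMPTION: overlaps between two events of the same type are
                # skipped; the text does not discuss self-loops.
                continue
            sum_g[pair] += weight
            f_edge[pair] += 1
    return dict(sum_g), dict(f_edge), dict(f_type)


# Constructed sample data: (alarm name, occurrence time, clearing time) in seconds.
SITE_1 = [
    ("LINK_DOWN", 0, 100),
    ("BGP_DROP", 50, 150),
    ("HIGH_CPU", 300, 400),   # isolated alarm, overlaps nothing
]
SITE_2 = [                    # deliberately unsorted
    ("BGP_DROP", 200, 260),
    ("LINK_DOWN", 10, 50),
    ("LINK_DOWN", 230, 260),
    ("BGP_DROP", 20, 50),
]

if __name__ == "__main__":
    graphs = [event_interval_graph(s) for s in (SITE_1, SITE_2)]
    sum_g, f_edge, f_type = merge_sites(graphs)
    for pair in sorted(sum_g):
        print(pair, "sum_g=%.3f" % sum_g[pair], "f_edge=%d" % f_edge[pair])
    print("occurrences per type:", f_type)
```

No sliding window appears anywhere: the quiet stretch before HIGH_CPU in the first place produces no edges and no empty windows.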
3. Setting different levels for different types of alarm events, and defining a weight function based on the alarm event levels.
Suppose that for each alarm, $i$ represents the importance of the alarm: the larger the value of $i$, the higher the level of the alarm and the greater its importance. For class a alarms and class b alarms, the edge weight $P_{ab}$ can be further calculated according to their importance $i_a$ and $i_b$:
Figure BDA0001683620900000101
The weight function value corresponding to the connecting edge between a pair of nodes in the alarm interval graph is calculated through the weight function, and an edge weight is assigned to the connecting edge between the pair of nodes according to the weight function value.
Thirdly, the processing process of the alarm association mode discovery comprises the following steps:
1. The strength of the correlation between the two types of alarms connected by a connecting edge is judged according to the magnitude of the edge weight of the connecting edge between the nodes in the alarm interval graph: the larger the edge weight of the connecting edge, the stronger the correlation between the two types of alarms it connects.
2. Judging the relevance mode based on threshold screening and symmetry
Fig. 5 is a schematic diagram of the types of association between alarms according to an embodiment of the present invention. According to the differences in relevance among the various alarms, the invention divides the alarm relationship into 3 types: the causal type (α type), the concurrent type (β type) and the independent type (γ type), as shown in fig. 5. The causal direction is represented by directed edges, the concurrent relation by undirected edges, and the independent relation (or a weak relation that can be ignored) by dotted lines.
The strength of the relevance can be judged according to the magnitude of the edge weight in the alarm interval graph. Threshold screening is introduced: a pair of alarms whose edge weight is lower than a set threshold, and a pair of alarms without connecting edges, are determined to be a pair of alarms in an independent association relationship.
For the strong relevance indicated by a significant edge weight, symmetry analysis is further carried out on the edge weights between the two nodes in the alarm interval graph, to distinguish the concurrent relationship from the causal relationship. Because the edges are directed, $P_{ab}$ and $P_{ba}$ differ in size, and the degree of symmetry of these two edge weights can reveal whether there is causality between the alarms.
Define the symmetry coefficient $R = \min(P_{ab}, P_{ba}) / \max(P_{ab}, P_{ba})$; clearly $R \le 1$. The symmetry between alarms is judged according to the symmetry coefficient $R$. The closer $R$ is to 1, or when the difference between $R$ and 1 is smaller than a set value, the stronger the symmetry of alarm types a and b: the two types of alarms have no obvious order of precedence, that is, they are a pair of alarms in a concurrent association relationship. The closer $R$ is to 0, or when the difference between $R$ and 0 is smaller than a set value, the stronger the ordering between the two types of alarms and the more probable a causal relationship between them, that is, they are a pair of alarms in a causal association relationship.
Example: suppose $P_{ab}=0.9$ and $P_{ba}=0.1$. This indicates that alarm a occurs before alarm b with high probability, that is, b may occur because a has occurred. Alarm a and alarm b are therefore causally related.
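The threshold screening and symmetry test described above can be written as a small classifier over the directed edge weights of the alarm interval graph. This is an added example, not code from the patent: the weights (apart from the 0.9 / 0.1 pair taken from the example above), the threshold and set value, the function names, and the "undetermined" label for pairs that fall between the two set-value bands are all assumptions.

```python
from itertools import combinations


def symmetry_coefficient(p_ab, p_ba):
    """R = min(P_ab, P_ba) / max(P_ab, P_ba); 0.0 when both weights are zero."""
    hi = max(p_ab, p_ba)
    return 0.0 if hi == 0 else min(p_ab, p_ba) / hi


def classify_pairs(weights, threshold, eps):
    """Classify every unordered pair of alarm types.

    weights:   {(a, b): P_ab} directed edge weights; a missing key means no edge.
    threshold: pairs whose weights are both below this are independent.
    eps:       the "set value" for closeness of R to 1 (concurrent) or 0 (causal).
    Returns {(a, b): (relation, direction)}; direction is (cause, effect) for
    causal pairs and None otherwise.
    """
    if not 0 < eps <= 0.5:
        raise ValueError("eps must lie in (0, 0.5] so the two bands cannot overlap")
    types = sorted({t for pair in weights for t in pair})
    result = {}
    for a, b in combinations(types, 2):
        p_ab = weights.get((a, b), 0.0)
        p_ba = weights.get((b, a), 0.0)
        # The stronger direction is screened: a weak reverse edge must not hide
        # a strong forward edge, as in the P_ab = 0.9, P_ba = 0.1 example.
        if max(p_ab, p_ba) < threshold:
            result[(a, b)] = ("independent", None)
            continue
        r = symmetry_coefficient(p_ab, p_ba)
        if 1.0 - r < eps:
            result[(a, b)] = ("concurrent", None)
        elif r < eps:
            # The heavier edge points from the alarm that tends to occur first.
            direction = (a, b) if p_ab > p_ba else (b, a)
            result[(a, b)] = ("causal", direction)
        else:
            # ASSUMPTION: the text does not say how to label the middle band.
            result[(a, b)] = ("undetermined", None)
    return result


# Constructed edge weights for four alarm types a, b, c, d.
WEIGHTS = {
    ("a", "b"): 0.90, ("b", "a"): 0.10,   # the example from the text
    ("c", "d"): 0.60, ("d", "c"): 0.58,   # nearly symmetric
    ("a", "c"): 0.05,                     # below the threshold
    ("b", "d"): 0.70, ("d", "b"): 0.35,   # R = 0.5, neither band
}

if __name__ == "__main__":
    for pair, verdict in classify_pairs(WEIGHTS, threshold=0.2, eps=0.15).items():
        print(pair, verdict)
```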
3. And obtaining an association mode among the multiple alarms based on community discovery.
If a group of alarms has a relatively close relationship, the community phenomenon of the alarms can be explored by using a community discovery method. Based on the edge weights among the alarm nodes, the community structure of the alarm interval graph is obtained through a community discovery method, that is, whether the alarms form communities made up of several clusters or groups. Alarms belonging to the same community are more likely to have similar properties or similar functions, while alarms belonging to different communities generally differ more. Fig. 6 is a schematic diagram of performing community discovery in an alarm interval graph according to an embodiment of the present invention. In fig. 6, 3 communities are discovered in total; the alarm event nodes in the same community have a strong association, and the alarm event nodes in different communities have a weak association.
In summary, the method of the embodiment of the present invention presents the complex overlapping alarm in a more intuitive manner by using an interval graph manner for the phenomenon of alarm time overlapping. Meanwhile, the edge weight of an alarm interval graph is obtained by calculating the overlapping frequency and the overlapping degree of various alarms in a large-scale data set and the occurrence frequency of various alarms, the relevance strength and binary and multivariate relations among various alarms are deduced according to the edge weight of the alarm interval graph, the alarm types with low frequency but possibly important are found according to the node weight, the potential rule of alarm occurrence is researched, the method is suitable for various conditions that the alarms are uniformly or non-uniformly distributed on the whole time sequence, scientific guidance is provided for reducing the redundancy of the alarm data, improving the alarm effectiveness, positioning the fault root cause and simplifying the reporting mode of the alarm data, the working efficiency of enterprise operation and maintenance personnel is improved, and support is provided for subsequent scientific research work, management decision and the like.
Existing alarm correlation analysis methods use a sliding time window and treat the alarms falling in the same window as simultaneous. How the time window is set is constrained by the distribution of the alarms, so these methods are difficult to use when the alarms are not uniformly distributed. The method of the invention mines the alarm association relationship from the time overlap of the alarms, and is suitable for both uniform and non-uniform alarm distributions.
Existing alarm correlation analysis is mostly based on association rule mining algorithms such as the Apriori algorithm and the FP-Growth algorithm. These algorithms and their improved variants can only mine association rules of frequent alarms and cannot mine association rules of alarms that are low-frequency but possibly important. The method of the invention can mine low-frequency alarms of higher level, and therefore has more practical significance.
With the method provided by the invention, the association relationships of the various alarms can be obtained, the generation modes of the various alarms can be found from the symmetry, and the order in which the alarms occur can be mined, which in turn provides scientific guidance for removing redundant alarms, locating faults and judging causality.
The existing research lacks visual expression of each alarm event and the relationship among various alarms, and the invention visually displays the complex alarm relationship by using an interval graph mode and provides a clearer alarm association rule visual mode.
The invention converts the incidence relation of the alarm into the graph theory problem, and further can solve the practical problem by utilizing the knowledge of the graph theory in the subsequent work.
Those of ordinary skill in the art will understand that: the figures are merely schematic representations of one embodiment, and the blocks or flow diagrams in the figures are not necessarily required to practice the present invention.
The embodiments in the present specification are described in a progressive manner; for the parts that are the same or similar among the embodiments, reference may be made from one embodiment to another, and each embodiment focuses on its differences from the other embodiments. In particular, since the apparatus or system embodiments are substantially similar to the method embodiments, they are described relatively briefly, and for the relevant points reference may be made to the corresponding parts of the description of the method embodiments. The above-described embodiments of the apparatus and system are merely illustrative: the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (4)

1. An alarm analysis method based on an interval graph is characterized by comprising the following steps:
converting all alarm events of the same place into an alarm event sequence according to the alarm occurrence time sequence, regarding each alarm event in the alarm event sequence as a node, and establishing an alarm event interval graph according to the overlapping degree and the occurrence time sequence of the alarm intervals of the alarm events in the alarm event sequence; the method specifically comprises the following steps: one occurrence of each type of alarm is called an alarm event, one alarm event is uniquely determined by an alarm name, an occurrence time and a clearing time at one place, the duration interval of the alarm event from the occurrence to the clearing is called an alarm interval, the occurrence time of one alarm event is recorded as $T_s$, the clearing time is recorded as $T_e$, the sequence number of the alarm event in the alarm event sequence is denoted as $k$, the alarm name of the alarm event $k$ is denoted as $m_k$, and each alarm event is represented by a quadruple $(k, m_k, T_s, T_e)$; the alarm events with the same alarm name are the same type of alarm, and the same type of alarm events have the same alarm level; converting alarm events of the same place into an alarm event sequence $S$ according to the sequence of alarm occurrence time, wherein $S = \{(1, m_1, T_{s1}, T_{e1}), (2, m_2, T_{s2}, T_{e2}), \ldots, (k, m_k, T_{sk}, T_{ek})\}$, and the sequence number of the alarm event which occurs first is lower than that of the alarm event which occurs later; naming the node corresponding to each alarm event $km_k$; selecting two alarm events $(a, m_a, T_{sa}, T_{ea})$ and $(b, m_b, T_{sb}, T_{eb})$, $a < b$, in the alarm event sequence; if the time period of $T_{ea} - T_{sa}$ and the time period of $T_{eb} - T_{sb}$ overlap in time, judging that the alarm intervals of alarm event $(a, m_a, T_{sa}, T_{ea})$ and alarm event $(b, m_b, T_{sb}, T_{eb})$ overlap, and establishing a directed connecting edge $(am_a, bm_b)$ from node $am_a$ pointing to node $bm_b$; otherwise, not establishing the directed connecting edge from node $am_a$ pointing to node $bm_b$; traversing any two alarm events in the alarm event sequence, when judging that the alarm intervals of a pair of alarm events are overlapped, establishing a directed connecting edge of the low sequence number node pointing to the high sequence number node in the pair of alarm events, and giving edge weight values to the connecting edges between the alarm events according to the overlapping degree of the alarm intervals between the alarm events, thereby completing the establishment of the alarm event interval graph;
merging all alarm event interval graphs from different places, wherein all nodes merging alarm events of the same type are a node, and edge weights are given to connecting edges among the nodes in the merged alarm event interval graphs to obtain alarm interval graphs;
according to the edge weight of the connecting edge between the nodes in the alarm interval graph, the difference of the relevance between the alarm events is obtained by adopting a graph characteristic analysis method, and the method comprises the following steps:
judging the strength of the correlation between the two types of alarms connected by the connecting edge according to the magnitude of the edge weight of the connecting edge between the nodes in the alarm interval graph, wherein the larger the edge weight of the connecting edge is, the stronger the correlation between the two types of alarms connected by the connecting edge is;
according to the difference of the relevance between the alarm events, determining the binary relevance of the alarm events based on the edge weight of the connecting edges between the nodes, and dividing the binary relevance into 3 types: the causal type, the concurrent type and the independent type relation; determining a pair of alarms with the edge weight value lower than a set threshold value, and a pair of alarms without connecting edges, as a pair of alarms in the independent association relation;
defining the symmetry coefficient $R$ as $R = \min(P_{AB}, P_{BA}) / \max(P_{AB}, P_{BA})$, in which $P_{AB}$ and $P_{BA}$ respectively represent the edge weights of the directed edges $(m_A, m_B)$ and $(m_B, m_A)$ in the alarm interval graph; when the difference between $R$ and 1 is smaller than a set value, determining that the alarm type A and the alarm type B are in a concurrent association relation, and when the difference between $R$ and 0 is smaller than the set value, determining that the alarm type A and the alarm type B are in a causal association relation;
discovering a multivariate association relation among alarm events based on community characteristics, obtaining a community structure of the alarm interval graph through a community discovery method, and judging that the association among all alarm events belonging to the same community is strong, and the association among alarm events not belonging to the same community is weak.
2. The method according to claim 1, wherein said merging the alarm event interval graphs from different locations, where all the nodes merging the alarm events of the same type are a node, and assigning an edge weight to the connecting edges between the nodes in the merged alarm event interval graph to obtain the alarm interval graph comprises:
for K alarm event occurrence places, respectively obtaining an alarm event interval graph of each alarm event occurrence place, merging the K alarm event interval graphs, merging all nodes of the same type of alarm events in the merged alarm event interval graph into one node, when at least one node pair with a connecting edge exists between the two types of alarm events, establishing a connecting edge between the nodes of the two types of alarm events after merging, and giving edge weights to the connecting edges between the nodes in the merged alarm event interval graph to obtain the alarm interval graph.
3. The method according to claim 2, wherein the assigning an edge weight to a connecting edge between nodes in the alarm event interval graph after the merging process comprises:
the edge weight function of the connecting edge between a pair of nodes in the alarm interval graph is comprehensively determined by the occurrence frequency of the alarm event corresponding to the pair of nodes, the connecting edge frequency between the alarm event nodes and the edge weight of the connecting edge between the nodes in the corresponding alarm event interval graph;
suppose the edge weight $P_{AB}$ of the connecting edge between a pair of nodes in the alarm interval graph is calculated as follows:
Figure FDA0003458503830000031
where $\sum g_{(A,B)}(D)$ is the accumulation of the edge weights of all directed edges pointing from the class A alarm event to the class B alarm event in the alarm event interval graph, $f_{(A,B)}$ indicates the number of directed edges pointing from class A alarm events to class B alarm events in the alarm event interval graph, and $f_A$ and $f_B$ respectively represent the occurrence frequency of the class A alarm event and the class B alarm event.
4. The method according to claim 2, wherein the assigning an edge weight to a connecting edge between nodes in the alarm event interval graph after the merging process further comprises:
setting different types of alarm events with different levels, defining a weight function based on the alarm event levels, calculating a weight function value corresponding to a connecting edge between a pair of nodes in an alarm interval graph through the weight function, and endowing an edge weight value for the connecting edge between the pair of nodes according to the weight function value.
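The procedure of claims 1 to 3 on a small data set, as an added Python example that is not part of the patent text: it builds the per-place alarm event interval graph, merges the graphs by alarm type, and classifies pairs with the symmetry coefficient R. The sample events, the event-level weight g (overlap divided by combined span), the stand-in for P_AB (the patent's formula is not reproduced on this page), the dropping of same-type self-loops and the `threshold` and `eps` values are all assumptions.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample: alarm events per place as (alarm name, T_s, T_e), in seconds.
SITES = {
    "site1": [("LINK_DOWN", 0, 100), ("BGP_DOWN", 10, 90),
              ("FAN_FAIL", 300, 400), ("TEMP_HIGH", 310, 390)],
    "site2": [("LINK_DOWN", 0, 50), ("BGP_DOWN", 5, 50),
              ("TEMP_HIGH", 200, 300), ("FAN_FAIL", 210, 290)],
}

def event_graph(events):
    """Alarm event interval graph for one place; nodes are (k, m_k)."""
    seq = sorted(events, key=lambda e: e[1])        # order by occurrence time T_s
    edges = []
    for (a, ea), (b, eb) in combinations(enumerate(seq, 1), 2):   # a < b
        overlap = min(ea[2], eb[2]) - max(ea[1], eb[1])
        if overlap > 0:                             # alarm intervals overlap
            span = max(ea[2], eb[2]) - min(ea[1], eb[1])
            # Assumption: event-level edge weight g = overlap / combined span.
            edges.append(((a, ea[0]), (b, eb[0]), overlap / span))
    return seq, edges

def merge(sites):
    """Merge per-place graphs so that each alarm type becomes one node."""
    f, f_ab, g_sum = Counter(), Counter(), defaultdict(float)
    for events in sites.values():
        seq, edges = event_graph(events)
        f.update(name for name, _, _ in seq)        # f_A: occurrences per type
        for (_, A), (_, B), g in edges:
            if A != B:                              # assumption: drop self-loops
                f_ab[A, B] += 1                     # f_(A,B): directed edges A->B
                g_sum[A, B] += g                    # accumulated g over A->B edges
    # Stand-in weight (assumption): the patent's P_AB formula is not reproduced
    # on this page, so sum(g) / f_A is used here for illustration only.
    P = {ab: g_sum[ab] / f[ab[0]] for ab in g_sum}
    return P, f_ab, f

def relation(P, A, B, threshold=0.1, eps=0.2):
    """Binary relation between alarm types A and B from the symmetry coefficient R."""
    p_ab, p_ba = P.get((A, B), 0.0), P.get((B, A), 0.0)
    if max(p_ab, p_ba) < threshold:                 # weak or missing edge
        return "independent"
    R = min(p_ab, p_ba) / max(p_ab, p_ba)
    if 1 - R < eps:                                 # R close to 1
        return "concurrent"
    if R < eps:                                     # R close to 0
        return "causal"
    return "undetermined"

if __name__ == "__main__":
    P, f_ab, f = merge(SITES)
    for pair in [("LINK_DOWN", "BGP_DOWN"), ("FAN_FAIL", "TEMP_HIGH"),
                 ("LINK_DOWN", "FAN_FAIL")]:
        print(pair, relation(P, *pair))
```

In the sample, LINK_DOWN always starts before the overlapping BGP_DOWN, so only one edge direction exists and R is 0; FAN_FAIL and TEMP_HIGH lead each other equally often, so R is 1.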

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810562364.7A CN108829794B (en) 2018-06-04 2018-06-04 Alarm analysis method based on interval graph

Publications (2)

Publication Number Publication Date
CN108829794A CN108829794A (en) 2018-11-16
CN108829794B true CN108829794B (en) 2022-04-12

Family

ID=64143423

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant