CN114781529A - KPI (Key performance indicator) abnormity detection method, device, equipment and medium - Google Patents
KPI (Key performance indicator) abnormity detection method, device, equipment and medium Download PDFInfo
- Publication number
- CN114781529A CN114781529A CN202210460951.1A CN202210460951A CN114781529A CN 114781529 A CN114781529 A CN 114781529A CN 202210460951 A CN202210460951 A CN 202210460951A CN 114781529 A CN114781529 A CN 114781529A
- Authority
- CN
- China
- Prior art keywords
- kpi
- data
- layer
- time point
- dimensional
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 127
- 230000002159 abnormal effect Effects 0.000 claims abstract description 84
- 238000013138 pruning Methods 0.000 claims description 33
- 230000005856 abnormality Effects 0.000 claims description 25
- 230000000694 effects Effects 0.000 claims description 15
- 238000004422 calculation algorithm Methods 0.000 claims description 14
- 238000004590 computer program Methods 0.000 claims description 12
- 238000004364 calculation method Methods 0.000 claims description 8
- 238000000605 extraction Methods 0.000 claims description 8
- 238000012163 sequencing technique Methods 0.000 claims description 8
- 238000012545 processing Methods 0.000 claims description 6
- 238000010606 normalization Methods 0.000 claims description 5
- 230000002547 anomalous effect Effects 0.000 claims description 2
- 230000007423 decrease Effects 0.000 claims description 2
- 238000000034 method Methods 0.000 description 25
- 238000004891 communication Methods 0.000 description 6
- 238000010586 diagram Methods 0.000 description 6
- 230000006870 function Effects 0.000 description 6
- 208000018910 keratinopathic ichthyosis Diseases 0.000 description 5
- 238000012544 monitoring process Methods 0.000 description 3
- 101001059160 Lumbricus terrestris Gelsolin-like protein 1 Proteins 0.000 description 2
- 238000004458 analytical method Methods 0.000 description 2
- 238000010276 construction Methods 0.000 description 2
- 230000003247 decreasing effect Effects 0.000 description 2
- 230000004807 localization Effects 0.000 description 2
- 238000010801 machine learning Methods 0.000 description 2
- 238000011160 research Methods 0.000 description 2
- 238000012706 support-vector machine Methods 0.000 description 2
- 238000012549 training Methods 0.000 description 2
- YCKRFDGAMUMZLT-UHFFFAOYSA-N Fluorine atom Chemical compound [F] YCKRFDGAMUMZLT-UHFFFAOYSA-N 0.000 description 1
- 230000003044 adaptive effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000013145 classification model Methods 0.000 description 1
- 238000007405 data analysis Methods 0.000 description 1
- 238000000354 decomposition reaction Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000011156 evaluation Methods 0.000 description 1
- 238000004880 explosion Methods 0.000 description 1
- 229910052731 fluorine Inorganic materials 0.000 description 1
- 239000011737 fluorine Substances 0.000 description 1
- 238000009499 grossing Methods 0.000 description 1
- 238000002372 labelling Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
- 230000001052 transient effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/243—Classification techniques relating to the number of classes
- G06F18/24323—Tree-organised classifiers
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/245—Query processing
- G06F16/2458—Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
- G06F16/2474—Sequence data queries, e.g. querying versioned data
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/28—Databases characterised by their database models, e.g. relational or object models
- G06F16/284—Relational databases
- G06F16/285—Clustering or classification
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Data Mining & Analysis (AREA)
- Databases & Information Systems (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Bioinformatics & Computational Biology (AREA)
- Evolutionary Computation (AREA)
- Evolutionary Biology (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Artificial Intelligence (AREA)
- Fuzzy Systems (AREA)
- Mathematical Physics (AREA)
- Probability & Statistics with Applications (AREA)
- Software Systems (AREA)
- Computational Linguistics (AREA)
- Life Sciences & Earth Sciences (AREA)
- Testing And Monitoring For Control Systems (AREA)
Abstract
The application discloses KPI abnormity detection method, device, equipment and medium, which are applied to the technical field of KPI abnormity and comprise the following steps: acquiring single-dimensional KPI time sequence data of a target interval; the length of the target interval is a first preset time length, and the end time point of the target interval is a designated time point; extracting a first data characteristic of the single-dimensional KPI time sequence data; inputting the first data characteristics into a base classifier, and outputting a preliminary abnormal detection result of the single-dimensional KPI time sequence data by using the base classifier; extracting second data characteristics of the target time point, and inputting the second data characteristics and the preliminary abnormal detection result into a label classifier to obtain a classification result; the target time point is any time point in a second preset time length after the pointing time point; and determining a final abnormity detection result of the single-dimensional KPI time sequence data based on the classification result. Therefore, accuracy of KPI abnormity detection can be improved.
Description
Technical Field
The present application relates to the field of KPI anomaly detection technologies, and in particular, to a KPI anomaly detection method, apparatus, device, and medium.
Background
With the rapid development of the field of cloud computing, bare computer construction with physical computer performance and cloud elasticity is emerging quietly in cloud computing. In order to enable the performance of a physical machine and a cloud host in cloud computing to be optimal, analysis and monitoring data analysis has guiding significance for machine performance optimization.
Currently, the server monitoring data mainly includes performance data such as a CPU (central processing unit), a memory, a storage, a network, and the like, and the data includes sequential performance data such as a CPU usage rate, a memory usage rate, a network throughput, and the like. Most of these data are single-dimensional KPI (Key Performance Indicators) data, and in the detection of single-dimensional time series data anomaly, some challenges are often faced: lack of definable anomaly occurrence patterns; noise may be present in the data; data is often unstable and dynamically changing, and therefore, it presents a great challenge to the anomaly detection of single-dimensional time series data. How to improve the accuracy of KPI anomaly detection is a problem of continuous research in the technical field of KPI anomaly detection.
Disclosure of Invention
In view of the above, an object of the present application is to provide a KPI anomaly detection method, apparatus, device and medium, which can improve accuracy of KPI anomaly detection. The specific scheme is as follows:
in a first aspect, the present application discloses a KPI anomaly detection method, including:
acquiring single-dimensional KPI time sequence data of a target interval; the length of the target interval is a first preset time length, and the ending time point of the target interval is a designated time point;
extracting a first data characteristic of the single-dimensional KPI time sequence data;
inputting the first data characteristics into a base classifier, and outputting a preliminary abnormal detection result of the single-dimensional KPI time sequence data by using the base classifier;
extracting second data characteristics of a target time point, and inputting the second data characteristics and the preliminary abnormal detection result into a label classifier to obtain a classification result; the target time point is any time point within a second preset time length after the pointing time point;
and determining a final abnormal detection result of the single-dimensional KPI time sequence data based on the classification result.
Optionally, the extracting a first data feature of the single-dimensional KPI timing data includes:
carrying out normalization processing on the single-dimensional KPI time sequence data to obtain normalized data;
and determining at least one of the normalized data and the statistical characteristic, the prediction characteristic and the frequency domain characteristic of the normalized data as a first data characteristic of the single-dimensional KPI time sequence data.
Optionally, the method further includes:
constructing a candidate root cause set based on a plurality of single-dimensional KPI time sequence data with abnormal final abnormal detection results; wherein the set of candidate root causes includes one or more of the single-dimensional KPI timing data;
taking the candidate root cause set as a node, and constructing a multilayer root cause tree according to the data dimension of the candidate root cause set;
and carrying out layer-by-layer pruning on the multilayer root cause tree based on a preset pruning strategy, and determining an abnormal root cause set based on a ripple effect.
Optionally, the data dimensions of the nodes in the same layer in the multi-layer root tree are the same, and the data dimension number of the nodes in each layer decreases from top to bottom;
correspondingly, the pruning the multilayer root cause tree layer by layer based on the preset pruning strategy comprises the following steps: and pruning the multilayer root-cause trees layer by layer from top to bottom based on a preset pruning strategy.
Optionally, the pruning the multilayer root cause tree layer by layer based on a preset pruning strategy includes:
and aiming at any layer, determining the influence value of each node based on a preset influence value calculation rule, judging whether the influence value is smaller than a preset influence threshold value, and if so, rejecting the node and child nodes of the rejected node in each layer below the layer.
Optionally, the step-by-step pruning is performed on the multilayer root cause tree based on a preset pruning strategy, and an abnormal root cause set is determined based on a ripple effect, including:
for any layer, after the nodes with the influence values smaller than the preset influence threshold value are removed, potential values corresponding to the remaining nodes are determined based on the ripple effect; wherein the potential score characterizes a degree of influence of an element of a node on elements of children of the node;
and sequencing the potential scores of the remaining nodes of each layer, and determining an abnormal root cause set based on a sequencing result.
Optionally, the determining the influence value of each node based on the preset influence value calculation rule includes:
and calculating a predicted value of each element in each node based on a preset prediction algorithm, and determining the influence value of each node based on the predicted value of each element and the actual value of each element.
In a second aspect, the present application discloses a KPI anomaly detection apparatus, comprising:
the KPI data acquisition module is used for acquiring single-dimensional KPI time sequence data of a target interval; the length of the target interval is a first preset time length, and the end time point of the target interval is a designated time point;
the data feature extraction module is used for extracting a first data feature of the single-dimensional KPI time sequence data;
the detection result output module is used for inputting the first data characteristics into a base classifier and outputting a preliminary abnormal detection result of the single-dimensional KPI time sequence data by using the base classifier;
the classification result acquisition module is used for extracting second data characteristics of a target time point and inputting the second data characteristics and the preliminary abnormal detection result into a label classifier to obtain a classification result; the target time point is any time point within a second preset time length after the pointing time point;
and the detection result determining module is used for determining a final abnormal detection result of the single-dimensional KPI time sequence data based on the classification result.
In a third aspect, the present application discloses an electronic device comprising a processor and a memory; wherein,
the memory is used for storing a computer program;
the processor is configured to execute the computer program to implement the KPI anomaly detection method.
In a fourth aspect, the present application discloses a computer readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the KPI anomaly detection method described above.
It can be seen that this application obtains the single-dimensional KPI time sequence data of target interval earlier, the length of target interval is first default time length, the finish time point of target interval is for appointing the time point, then draws the first data characteristic of single-dimensional KPI time sequence data, and will first data characteristic input base classifier, and utilize base classifier output the preliminary abnormal detection result of single-dimensional KPI time sequence data, later draw the second data characteristic of target time point, and will second data characteristic and preliminary abnormal detection result input label classifier, obtain classification result, the target time point is arbitrary time point in the second default time length after the point time point, confirm the final abnormal detection result of single-dimensional KPI time sequence data based on classification result. That is, this application has utilized two-layer classifier, utilizes basic classifier to detect the single-dimensional KPI time sequence data of target interval earlier, obtains preliminary abnormal detection result, then utilizes label classifier to judge preliminary abnormal detection result to obtain final abnormal detection result, like this, can promote KPI abnormal detection's rate of accuracy.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below, it is obvious that the drawings in the following description are only the embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a KPI anomaly detection method disclosed in the present application;
fig. 2 is a flowchart of a specific KPI anomaly detection method disclosed in the present application;
FIG. 3 is a schematic diagram of a specific multi-level root cause tree disclosed herein;
FIG. 4 is a schematic diagram of specific KPI anomaly detection and root cause localization disclosed in the present application;
fig. 5 is a schematic structural diagram of a KPI anomaly detection device disclosed in the present application;
fig. 6 is a block diagram of an electronic device disclosed in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described clearly and completely with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, and not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
Currently, the server monitoring data mainly includes performance data such as CPU, memory, storage, network, etc., and these data include sequence performance data such as CPU utilization, memory utilization, network throughput, etc. Most of the data are single-dimensional KPIs, and the single-dimensional time sequence data anomaly detection often faces some challenges: lack of definable anomaly occurrence patterns; noise may be present in the data; data is often unstable and dynamically changing, and therefore, it presents a great challenge to the anomaly detection of single-dimensional time series data. The abnormality detection methods for these single-dimensional KPIs include a time series-based method and a machine learning-based method, and the time series-based features mainly include a series of linear models such as an auto-regressive moving average (ARIMA) model and an exponential smoothing model. Currently, machine learning is mainly used for anomaly detection, and the method mainly includes supervised anomaly detection, semi-supervised anomaly detection and unsupervised anomaly detection. The supervised anomaly detection method is to train a binary classifier, such as SVM (support vector machines) and the like, through normal and abnormal data instance labels, but the supervised detection method has problems that the proportion of abnormal samples to normal samples in the data is seriously unbalanced, and the trained model is easy to be over-fitted, so the method is not popular as a semi-supervised or unsupervised method. In the anomaly detection method adopting semi-supervision, a small amount of label data is used for training a classification model, and non-label data is used for optimizing the structure information implied by a sample. The most commonly used is semi-supervised training on normal samples using a depth Auto-Encoder, so that the reconstruction error of the normal class of Auto-Encoder for normal data is low, and currently, more mainstream Auto-encoders such as VAE (i.e., variable Auto-Encoder), AAE (i.e., Adaptive Arithmetic code Encoder), and the like are used. While the third category of unsupervised one-field detection techniques detects outliers based only on intrinsic properties of the data instances, the underlying theory also comes from the self-encoder. Generally, such methods can be used for automatic labeling of data samples, and common unsupervised algorithms include a Restricted Boltzmann Machine (RBM), a deep belief network (DNB), and the like. How to improve the accuracy of KPI anomaly detection is a problem of continuous research in the technical field of KPI anomaly detection. Therefore, the KPI abnormity detection scheme is provided, and the accuracy of KPI abnormity detection can be improved.
Referring to fig. 1, an embodiment of the present application discloses a KPI anomaly detection method, including:
step S11: acquiring single-dimensional KPI time sequence data of a target interval; the length of the target interval is a first preset time length, and the ending time point of the target interval is a designated time point.
It should be noted that in the KPI anomaly detection scenario, the KPI anomalies are usually in the form of continuous intervals. Once an anomaly occurs, it may persist for some time, rather than a single point in time. When an KPI is abnormal at time T, the abnormality lasts to time T + T. Therefore, the anomaly detection method in the application is divided into two steps, the base classifier detects the anomaly of KPI time sequence data, and the label classifier further detects the anomaly.
For example, at time t, data X within (t-W +1, t) time is extractedt=(xt-W+1,xt-W+2,...,xt). Wherein t is a fingerAt the timing point, W is a first preset time length. XtThe single-dimensional KPI time sequence data can be represented by CPU data, memory data, network data and the like.
Step S12: and extracting a first data characteristic of the single-dimensional KPI time sequence data.
In a specific implementation manner, normalization processing may be performed on the single-dimensional KPI time series data to obtain normalized data; and determining the normalized data and at least one of the statistical characteristics, the prediction characteristics and the frequency domain characteristics of the normalized data as the first data characteristics of the single-dimensional KPI time sequence data.
In a specific embodiment, the method for normalizing the raw data may adopt a Minmax method, where the expression is:
wherein Xt_nomThe normalized data is identified. Moreover, the statistical characteristics may include at least one of a mean value, a variance, an extreme value, a quantile, a difference, and the like, the prediction characteristics may be obtained by predicting the normalized data using an EWMA (exponential Weighted Moving Average) prediction algorithm, and the frequency domain characteristics may be wavelet characteristics and decomposed using a DB2 wavelet. In these features, the normalized data and the statistical features are used to represent short-term features of KPI time series data, the prediction features may represent the possibility of KPI time series data abnormality to some extent, and the wavelet decomposition features may represent the features of KPI data in the frequency domain.
Step S13: and inputting the first data characteristic into a base classifier, and outputting a preliminary abnormal detection result of the single-dimensional KPI time sequence data by using the base classifier.
In a specific implementation, the XGBoost model may be used as a base classifier for anomaly detection, and the first data feature is used as an input of the base classifier, and an output is normal or abnormal. The KPI anomaly detection of the embodiment converts data anomaly into a two-classification problem, and takes XGboost as a two-classification classifier. The XGBoost model may be expressed as:
wherein f isk(x) The K-th weak learner is shown, and the total number of weak learners in the XGboost model is K. x is a radical of a fluorine atomiFor the (i) th sample,
is a sample xiThe predicted value of (2). These K weak classifiers, in order to compose a strong classifier, need to minimize the function:
where l (-) is the loss function and Ω (-) is the regularization function. y isiIs a sample xiThe true value of (d). T in the regularization term is the number of leaf nodes of the tree, w is the weight of the leaf nodes, and gamma and lambda are hyper-parameters in the regularization term. At each iteration, only the objective function of the t-th regression tree is optimized:
wherein,
corresponding sample x for the first t-1 treesiOutput of (f)t(xi) Is the output of the current tree. Performing Taylor expansion on the target function, and reserving a first term and a second term in the formula to obtain an approximate value of a target:
wherein,
for each sample, I ∈ I, and the first derivative and the second order on the loss functionjRepresenting each sample data mapped onto the jth leaf node. n is the number of samples. To wjThe derivative is equal to 0, find wjThe optimal solution of (2):
will be provided with
Substituting the original objective function to obtain:
and T is the number of leaf nodes. Through the iteration, the optimal splitting variables and the splitting values of the tree can be found. Use of
And finding a tree with an optimal structure, adding the tree into the model, and finding the optimal tree structure by using a greedy algorithm.
In this way, by the above detection, it is possible to obtain whether the single-dimensional KPI time-series data is abnormal or not, and the point abnormality in the abnormality detection is addressed, but the importance of the event is greater than the importance of the point in the normal system. More in this application, event exceptions are of concern and are reflected in a continuous interval in the KPI. Therefore, the above detected results need to be filtered, that is, the preliminary abnormal detection result is determined by using a tag classifier.
Step S14: extracting second data characteristics of a target time point, and inputting the second data characteristics and the preliminary abnormal detection result into a label classifier to obtain a classification result; and the target time point is any time point in a second preset time length after the pointing time point.
The second data feature extraction method may refer to the first data feature extraction method, extract the target time point and KPI timing data within a first preset time length before the target time point, and perform feature extraction to obtain the second data feature of the target time point.
Step S15: and determining a final abnormal detection result of the single-dimensional KPI time sequence data based on the classification result.
It should be noted that, the time point when the exception occurs is defined as T, if the exception still occurs within the time (T, T + T), it is determined that the discovered exception is a true exception, otherwise it is a false exception. Therefore, classification results can be classified into four categories of true positive cases, false positive cases, true negative cases and false negative cases. The detection of the abnormality in the past is a true positive case TN, the detection of the abnormality in the past but the detection of the normality in the time T is a false positive case FN, the detection of the abnormality in the past is a normal case, the detection of the abnormality in the time T is a true negative case TP, the detection of the abnormality in the past is a normal case, and the detection of the abnormality in the time T is a false negative case FP. In the label classifier, if the abnormality detected within T time after the start of the continuous abnormal section represents that the entire section is an abnormal section, the detected TN and FP are true abnormalities, and the other cases can be ignored.
The label classifier in the application still uses the XGboost model. The input of the label classifier is any time point T in T time after the abnormal time pointiFeatures extracted in the foregoing manner
Preliminary anomaly detection node corresponding to time tFruit 1tIs characterized by the combination of
That is, tiE (T, T + T), and further, the mode of judging whether the abnormal interval is formed: when t isiCharacteristic f of time of daylWhen the label classifier is input, a result y is obtainediIf y isiAnd e, TN or FP, determining the continuous interval as an abnormal interval, and finally determining that the detection result is abnormal.
It can be seen that, in the embodiment of the present application, single-dimensional KPI time sequence data of a target interval is obtained first, the length of the target interval is a first preset time length, an ending time point of the target interval is a designated time point, then a first data feature of the single-dimensional KPI time sequence data is extracted, the first data feature is input to a base classifier, and a preliminary anomaly detection result of the single-dimensional KPI time sequence data is output by the base classifier, then a second data feature of the target time point is extracted, and the second data feature and the preliminary anomaly detection result are input to a tag classifier to obtain a classification result, the target time point is any time point within a second preset time length after the designated time point, and a final anomaly detection result of the single-dimensional KPI time sequence data is determined based on the classification result. That is, this application embodiment has utilized two-layer classifier, utilizes basic classifier to detect the single-dimensional KPI time sequence data of target interval earlier, obtains preliminary abnormal detection result, then utilizes label classifier to judge preliminary abnormal detection result to obtain final abnormal detection result, like this, can promote KPI abnormal detection's rate of accuracy.
Referring to fig. 2, the present application discloses a root cause positioning method, including:
step S21: constructing a candidate root cause set based on a plurality of pieces of single-dimensional KPI time sequence data with abnormal final abnormal detection results; wherein the set of candidate root causes includes one or more of the single-dimensional KPI timing data.
That is, in the same target interval, there may be an abnormality in the single-dimensional KPI timing data, and a candidate root set is constructed based on a plurality of single-dimensional KPI timing data. One single-dimensional KPI timing data is an element in the candidate root cause set. For the abnormal detection of the single-dimensional KPI time sequence data, reference may be made to the disclosure of the foregoing embodiments, which are not described herein again.
Step S22: and taking the candidate root cause set as a node, and constructing a multilayer root cause tree according to the data dimension of the candidate root cause set.
The data dimensions of the same layer of nodes in the multi-layer root cause tree are the same, and the data dimension number of each layer of nodes is decreased progressively from top to bottom. For example, referring to fig. 3, the embodiment of the present application discloses a specific multi-level root cause tree diagram. Wherein, K1, K2, K3 and K4 respectively represent single-dimensional KPI time series data of 4 kinds of abnormalities. And the root cause set corresponding to each node in the first layer only comprises single-dimensional KPI time sequence data. The root cause set corresponding to each node in the second layer includes 2-dimensional KPI time sequence data, that is, includes two types of single-dimensional KPI time sequence data, and the root cause set corresponding to each node in the third layer includes 3-dimensional KPI time sequence data. And the root cause set corresponding to each node of the third layer comprises 4-dimensional KPI time sequence data.
It should be noted that, for a set of abnormal KPI timing data, the root of the abnormal KPI timing data can be obtained according to the correlation between the abnormalities. The root cause can be searched based on fig. 3, specifically, the root cause can be searched layer by layer according to the dimension of the root cause, each node is a root cause combination, and the final root cause falls on a certain leaf node.
Step S23: and carrying out layer-by-layer pruning on the multilayer root cause tree based on a preset pruning strategy, and determining an abnormal root cause set based on a ripple effect.
According to the embodiment of the application, the multi-layer root-cause tree is pruned layer by layer from top to bottom based on a preset pruning strategy. And in the layer-by-layer pruning process, aiming at any layer, determining the influence value of each node based on a preset influence value calculation rule, judging whether the influence value is smaller than a preset influence threshold value, and if so, rejecting the node and child nodes of the rejected node in each layer below the layer. Further, for any layer, after the nodes with the influence values smaller than the preset influence threshold value are removed, potential values corresponding to the remaining nodes are determined based on the ripple effect; wherein the potential score characterizes a degree of influence of an element of a node on elements of children of the node; and sequencing the potential scores of the remaining nodes of each layer, and determining an abnormal root cause set based on a sequencing result.
The method comprises the steps of calculating a predicted value of each element in each node based on a preset prediction algorithm, and determining an influence value of each node based on the predicted value of each element and an actual value of each element.
It should be noted that, if a group of KPI data can affect KPI values of other macro-elements according to the ripple effect, the group of KPI data is a root cause set, and other KPI data are leaf nodes of the group of KPI data. Assuming that a candidate set of a root set is S, KPI values of leaf nodes of its descendant may be derived according to the ripple effect, and KPI data in the candidate set is compared with the derived KPI values. Therefore, the embodiment of the present application designs an evaluation criterion capable of expressing a comparison between a candidate set KPI and a derived KPI, and the closer these two values are, the greater the probability that S becomes a root cause set, but if there are a plurality of candidate sets, it is necessary to preferentially select a set with fewer dimensions according to the ocamer' S principle.
In an implementation manner, the abnormal root cause positioning method adopted in the embodiment of the present application may be based on a HotSpot algorithm and increase a strategy of pruning layer by layer for improving efficiency, and a specific process is as follows:
when the KPI is detected to be abnormal, the time t when the abnormality occurs and the KPI leaf element value in the window of the length W before the abnormal time, namely the actual value of the single-dimensional KPI time sequence data with the abnormal final detection result are given as v ═ v { (v)t-W+1,vt-W+2,...,vt},VtFor the KPI actual values, V, of all leaf elements in any node at time tt={v(e1,t),v(e2,t),...,v(enT), e represents an element, n represents the number of elements in a node, and the KPI predicted value F of any node at the time tt={f(e1,t),f(e2,t),...,f(enT), the prediction algorithm uses the EWAM algorithm.
According to the ripple effect, if an element x is abnormal, all sub-elements will change accordingly, and the variation of the element needs to be distributed to all the subsequent elements in proportion, so as to calculate the derived values of all the elements. Assuming that the variation value of x is h (x), then h (x) ═ f (x) -v (x), the derived value of each element x' is calculated according to the formula:
wherein x' is an element different from x in the child node of the node to which the element x belongs. f (x) represents the predicted value of x, the prediction algorithm uses the EWAM algorithm, and v (x) represents the actual value of x.
Further, the influence degree of the element x on other leaf node elements can be represented by a potential score ps:
wherein,
is a variable of
Euler distance therebetween:
It will be appreciated that the ps value of a node is instead determined from the ps value of an element. The root cause set S may be determined based on the ranking of the ps values. For example, as shown in fig. 3, assuming that ps values of K1 nodes in the first layer are calculated, K1 is x, K1,2, K1, and 3 are all remaining nodes, K2 in K1,2, and K3 in K1, and 3 are all x ', ps values of K1 to K2 in K1, K1, and K3 in K382, and K1, and 3 are calculated, respectively, and then summed to obtain a potential score of the K1 node, and for the potential scores of K1,2, K1 and K2 are x, f (x) (f 1) + f (K2), v (x) (K1) + v (K2), and K1,2,3 are all remaining nodes, K1, K3, 2, and 3 are x'.
It should be noted that any set of potential scores may be determined according to the foregoing process. However, in the process of searching for abnormal root causes, namely in a set of any dimension combination, the process of searching for a candidate root cause set with the largest potential score is carried out, the search space is very huge, and in the case of one-dimensional root causes, the search space is n3But the root is not necessarily one-dimensional, the search space grows exponentially. Therefore, in order to solve the problem of search space explosion, in the application, a root set is searched by using a strategy of pruning layer by layer, and pruning is performed according to the influence of the root set, wherein in one embodiment, the influence of the root set S is defined as:
wherein h (S) is the sum of absolute values of change values of each element in the root cause set S, and e represents KPI time sequence data with abnormal final detection result. In another embodiment, the influence of the root cause set may also be calculated by the formula e(s) ═ h(s).
Note that the influence indicates the possibility that the candidate root cause set S becomes a root cause. In addition, a threshold value T needs to be determinedEWhen traversing to a certain node, when E (S)<TEWhen it is ready to useThe combinations in the node are represented with low probability as root causes and are not used as candidate root cause sets. Through the pruning strategy and the potential score calculation process, nodes without influence are removed, a plurality of candidate root cause sets are obtained in each layer, sorting is performed according to the potential scores from large to small, and the obtained root cause set with the highest potential score is the root cause with the highest probability.
For example, referring to fig. 4, the embodiment of the present application discloses a specific KPI anomaly detection and root cause localization diagram. In the KPI abnormal detection process, the multi-dimensional KPI is divided into single-dimensional KPI to be detected respectively. The abnormal detection algorithm is designed aiming at the continuous section abnormality in the KPI, a multi-layer classifier is used for detecting, the base classifier detects abnormal points in the KPI, the label classifier detects that the abnormal points in the time section are determined as true abnormality only when the abnormal points occur, and all abnormal KPIs occurring at the same moment are detected. And forming a root cause candidate set according to the discovered abnormal KPIs, and discovering the root cause set by combining a layer-by-layer calculation mode of the root cause tree based on the ripple effect and by using the potential scores in the HotSpot to quantify the influence of the KPIs. Therefore, the KPI point abnormity in abnormity detection is converted into KPI continuous interval abnormity through the multilayer classifier, the abnormity detector focuses more on abnormal events, the ripple effect of KPI abnormity is used in the root cause analysis stage, the potential scores and the influence are quantified, the search speed is accelerated in a layer-by-layer pruning mode, and the abnormal root cause is positioned.
Referring to fig. 5, an embodiment of the present application discloses a KPI abnormality detection apparatus, including:
a KPI data acquisition module 11, configured to acquire single-dimensional KPI timing sequence data of a target interval; the length of the target interval is a first preset time length, and the ending time point of the target interval is a designated time point;
a data feature extraction module 12, configured to extract a first data feature of the single-dimensional KPI timing data;
a detection result output module 13, configured to input the first data feature into a base classifier, and output a preliminary abnormal detection result of the single-dimensional KPI timing data by using the base classifier;
a classification result obtaining module 14, configured to extract a second data feature of the target time point, and input the second data feature and the preliminary anomaly detection result into a tag classifier to obtain a classification result; the target time point is any time point within a second preset time length after the pointing time point;
and the detection result determining module 15 is configured to determine a final abnormal detection result of the single-dimensional KPI timing data based on the classification result.
It can be seen that, in the embodiment of the present application, single-dimensional KPI time sequence data of a target interval is obtained first, the length of the target interval is a first preset time length, an ending time point of the target interval is a designated time point, then a first data feature of the single-dimensional KPI time sequence data is extracted, the first data feature is input to a base classifier, and a preliminary anomaly detection result of the single-dimensional KPI time sequence data is output by the base classifier, then a second data feature of the target time point is extracted, and the second data feature and the preliminary anomaly detection result are input to a tag classifier to obtain a classification result, the target time point is any time point within a second preset time length after the designated time point, and a final anomaly detection result of the single-dimensional KPI time sequence data is determined based on the classification result. That is, this application embodiment has utilized two-layer classifier, utilizes basic classifier to detect the single-dimensional KPI time sequence data of target interval earlier, obtains preliminary abnormal detection result, then utilizes label classifier to judge preliminary abnormal detection result to obtain final abnormal detection result, like this, can promote KPI abnormal detection's rate of accuracy.
The data feature extraction module 12 specifically includes:
the normalization processing submodule is used for performing normalization processing on the single-dimensional KPI time sequence data to obtain normalized data;
and the data feature extraction submodule is used for determining the normalized data and at least one of the statistical feature, the prediction feature and the frequency domain feature of the normalized data as the first data feature of the single-dimensional KPI time sequence data.
Further, the device further comprises a root cause positioning module, wherein the root cause positioning module specifically comprises:
a candidate root cause set constructing submodule, configured to construct a candidate root cause set based on the plurality of single-dimensional KPI time-series data in which the final anomaly detection result is anomalous; wherein the set of candidate root causes includes one or more of the single-dimensional KPI timing data;
the root cause tree construction submodule is used for taking the candidate root cause sets as nodes and constructing a multi-layer root cause tree according to the data dimensions of the candidate root cause sets;
and the abnormal root cause set determining submodule is used for carrying out layer-by-layer pruning on the multilayer root cause tree based on a preset pruning strategy and determining an abnormal root cause set based on a ripple effect.
The data dimensions of the same layer of nodes in the multi-layer root cause tree are the same, and the data dimension number of each layer of nodes is decreased progressively from top to bottom;
correspondingly, the abnormal root cause set determining submodule is used for carrying out layer-by-layer pruning on the multilayer root cause tree from top to bottom based on a preset pruning strategy.
In a specific embodiment, the abnormal root cause set determining submodule is specifically configured to:
aiming at any layer, determining the influence value of each node based on a preset influence value calculation rule, judging whether the influence value is smaller than a preset influence threshold value, and if so, rejecting the node and child nodes of rejected nodes in layers below the layer;
for any layer, after the nodes with the influence values smaller than the preset influence threshold value are removed, potential values corresponding to the remaining nodes are determined based on the ripple effect; wherein the potential score characterizes a degree of influence of an element of a node on elements of children of the node;
and sequencing the potential scores of the remaining nodes of each layer, and determining an abnormal root cause set based on a sequencing result.
Further, the abnormal root cause set determining submodule is specifically configured to: and calculating a predicted value of each element in each node based on a preset prediction algorithm, and determining the influence value of each node based on the predicted value of each element and the actual value of each element.
Referring to fig. 6, an embodiment of the present application discloses an electronic device 20, which includes a processor 21 and a memory 22; wherein, the memory 22 is used for storing computer programs; the processor 21 is configured to execute the computer program, and the KPI abnormality detection method disclosed in the foregoing embodiment.
For the specific process of the KPI abnormality detection method, reference may be made to corresponding contents disclosed in the foregoing embodiments, and details are not described here again.
The memory 22 is used as a carrier for resource storage, and may be a read-only memory, a random access memory, a magnetic disk or an optical disk, and the storage mode may be a transient storage mode or a permanent storage mode.
In addition, the electronic device 20 further includes a power supply 23, a communication interface 24, an input-output interface 25, and a communication bus 26; the power supply 23 is configured to provide an operating voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and a communication protocol followed by the communication interface is any communication protocol applicable to the technical solution of the present application, and is not specifically limited herein; the input/output interface 25 is configured to obtain external input data or output data to the outside, and a specific interface type thereof may be selected according to a specific application requirement, which is not specifically limited herein.
Further, an embodiment of the present application also discloses a computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the KPI anomaly detection method disclosed in the foregoing embodiment.
For the specific process of the KPI abnormality detection method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and details are not repeated here.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The KPI anomaly detection method, apparatus, device and medium provided by the present application are introduced in detail above, and specific examples are applied herein to explain the principles and embodiments of the present application, and the descriptions of the above embodiments are only used to help understand the method and core ideas of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, the specific implementation manner and the application scope may be changed, and in summary, the content of the present specification should not be construed as a limitation to the present application.
Claims (10)
1. A KPI anomaly detection method is characterized by comprising the following steps:
acquiring single-dimensional KPI time sequence data of a target interval; the length of the target interval is a first preset time length, and the ending time point of the target interval is a designated time point;
extracting a first data characteristic of the single-dimensional KPI time sequence data;
inputting the first data characteristics into a base classifier, and outputting a preliminary abnormal detection result of the single-dimensional KPI time sequence data by using the base classifier;
extracting second data characteristics of a target time point, and inputting the second data characteristics and the preliminary abnormal detection result into a label classifier to obtain a classification result; the target time point is any time point within a second preset time length after the pointing time point;
and determining a final abnormal detection result of the single-dimensional KPI time sequence data based on the classification result.
2. A KPI anomaly detection method according to claim 1, wherein said extracting a first data characteristic of said single-dimensional KPI timing data comprises:
carrying out normalization processing on the single-dimensional KPI time sequence data to obtain normalized data;
and determining the normalized data and at least one of the statistical characteristics, the prediction characteristics and the frequency domain characteristics of the normalized data as the first data characteristics of the single-dimensional KPI time sequence data.
3. A KPI abnormality detection method according to claim 1, characterized by further comprising:
constructing a candidate root cause set based on a plurality of single-dimensional KPI time sequence data with abnormal final abnormal detection results; wherein the set of candidate root causes includes one or more of the single-dimensional KPI timing data;
taking the candidate root cause set as a node, and constructing a multilayer root cause tree according to the data dimension of the candidate root cause set;
and performing layer-by-layer pruning on the multilayer root cause tree based on a preset pruning strategy, and determining an abnormal root cause set based on a ripple effect.
4. A KPI anomaly detection method according to claim 3, wherein the data dimensions of the same layer of nodes in the multi-layer root tree are the same, and the data dimension number of each layer of nodes decreases from top to bottom;
correspondingly, the pruning the multilayer root cause tree layer by layer based on the preset pruning strategy comprises the following steps: and pruning the multilayer root-cause trees layer by layer from top to bottom based on a preset pruning strategy.
5. A KPI anomaly detection method according to claim 4, wherein said pruning the multi-layer root cause tree layer by layer based on a preset pruning strategy comprises:
and aiming at any layer, determining the influence value of each node based on a preset influence value calculation rule, judging whether the influence value is smaller than a preset influence threshold value, and if so, rejecting the node and child nodes of the rejected node in each layer below the layer.
6. A KPI anomaly detection method according to claim 5, wherein said pruning said multilayer root cause tree layer by layer based on a preset pruning strategy and determining an anomalous root cause set based on a ripple effect comprises:
for any layer, after the nodes with the influence values smaller than the preset influence threshold value are removed, potential values corresponding to the remaining nodes are determined based on the ripple effect; wherein the potential score characterizes a degree of influence of an element of a node on elements of children of the node;
and sequencing the potential scores of the remaining nodes of each layer, and determining an abnormal root cause set based on a sequencing result.
7. A KPI anomaly detection method according to claim 5, wherein said determining an influence value for each node based on preset influence value calculation rules comprises:
and calculating a predicted value of each element in each node based on a preset prediction algorithm, and determining an influence value of each node based on the predicted value of each element and the actual value of each element.
8. An KPI abnormality detection apparatus, characterized by comprising:
the KPI data acquisition module is used for acquiring single-dimensional KPI time sequence data of a target interval; the length of the target interval is a first preset time length, and the ending time point of the target interval is a designated time point;
the data feature extraction module is used for extracting a first data feature of the single-dimensional KPI time sequence data;
the detection result output module is used for inputting the first data characteristics into a base classifier and outputting a preliminary abnormal detection result of the single-dimensional KPI time sequence data by using the base classifier;
the classification result acquisition module is used for extracting second data characteristics of a target time point and inputting the second data characteristics and the preliminary abnormal detection result into a label classifier to obtain a classification result; the target time point is any time point within a second preset time length after the pointing time point;
and the detection result determining module is used for determining a final abnormal detection result of the single-dimensional KPI time sequence data based on the classification result.
9. An electronic device comprising a processor and a memory; wherein,
the memory is used for storing a computer program;
the processor for executing the computer program to implement a KPI anomaly detection method according to any of claims 1 to 7.
10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements a KPI anomaly detection method according to any one of claims 1 to 7.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210460951.1A CN114781529A (en) | 2022-04-28 | 2022-04-28 | KPI (Key performance indicator) abnormity detection method, device, equipment and medium |
| PCT/CN2023/091310 WO2023208136A1 (en) | 2022-04-28 | 2023-04-27 | Kpi anomaly detection method and apparatus, device and medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210460951.1A CN114781529A (en) | 2022-04-28 | 2022-04-28 | KPI (Key performance indicator) abnormity detection method, device, equipment and medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114781529A true CN114781529A (en) | 2022-07-22 |
Family
ID=82434848
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210460951.1A Pending CN114781529A (en) | 2022-04-28 | 2022-04-28 | KPI (Key performance indicator) abnormity detection method, device, equipment and medium |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN114781529A (en) |
| WO (1) | WO2023208136A1 (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117708622B (en) * | 2023-11-27 | 2024-07-26 | 深圳市溪数科技有限公司 | Abnormal index analysis method and system of operation and maintenance system and electronic device |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109145948A (en) * | 2018-07-18 | 2019-01-04 | 宁波沙塔信息技术有限公司 | A kind of injection molding machine putty method for detecting abnormality based on integrated study |
| CN109032829B (en) * | 2018-07-23 | 2020-12-08 | 腾讯科技(深圳)有限公司 | Data anomaly detection method and device, computer equipment and storage medium |
| US11005872B2 (en) * | 2019-05-31 | 2021-05-11 | Gurucul Solutions, Llc | Anomaly detection in cybersecurity and fraud applications |
| CN111858231B (en) * | 2020-05-11 | 2024-07-26 | 北京必示科技有限公司 | Single-index anomaly detection method based on operation and maintenance monitoring |
-
2022
- 2022-04-28 CN CN202210460951.1A patent/CN114781529A/en active Pending
-
2023
- 2023-04-27 WO PCT/CN2023/091310 patent/WO2023208136A1/en unknown
Also Published As
| Publication number | Publication date |
|---|---|
| WO2023208136A1 (en) | 2023-11-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110825877A (en) | Semantic similarity analysis method based on text clustering | |
| CN110059181B (en) | Short text label method, system and device for large-scale classification system | |
| US10013636B2 (en) | Image object category recognition method and device | |
| CN111339313A (en) | Knowledge base construction method based on multi-mode fusion | |
| CN112131352A (en) | Method and system for detecting bad information of webpage text type | |
| CN110717535A (en) | Automatic modeling method and system based on data analysis processing system | |
| CN107205016A (en) | The search method of internet of things equipment | |
| CN113779272A (en) | Data processing method, device and equipment based on knowledge graph and storage medium | |
| CN113268370B (en) | Root cause alarm analysis method, system, equipment and storage medium | |
| CN113111924A (en) | Electric power customer classification method and device | |
| CN112529053A (en) | Short-term prediction method and system for time sequence data in server | |
| WO2023208136A1 (en) | Kpi anomaly detection method and apparatus, device and medium | |
| CN117235137B (en) | Professional information query method and device based on vector database | |
| Wang et al. | Exploring semantics of software artifacts to improve requirements traceability recovery: a hybrid approach | |
| CN114282875A (en) | Flow approval certainty rule and semantic self-learning combined judgment method and device | |
| CN111352820A (en) | Method, equipment and device for predicting and monitoring running state of high-performance application | |
| CN116467461A (en) | Data processing method, device, equipment and medium applied to power distribution network | |
| CN114822562A (en) | Training method of voiceprint recognition model, voiceprint recognition method and related equipment | |
| CN110309285B (en) | Automatic question answering method, device, electronic equipment and storage medium | |
| CN114530163A (en) | Method and system for recognizing life cycle of equipment by adopting voice based on density clustering | |
| CN113722431A (en) | Named entity relationship identification method and device, electronic equipment and storage medium | |
| CN114168733A (en) | Method and system for searching rules based on complex network | |
| Zhang | Research on quantitative investment based on machine learning | |
| Mohseni et al. | Outlier Detection in Test Samples using Standard Deviation and Unsupervised Training Set Selection | |
| CN112579667B (en) | Data-driven engine multidisciplinary knowledge machine learning method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |