WO2021042843A1 - Alert information decision method and apparatus, computer device and storage medium - Google Patents

Publication number
WO2021042843A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
alarm information
decision
historical
real
Application number
PCT/CN2020/098826
Inventor
唐炳武
廖树繁
Original Assignee
平安科技(深圳)有限公司
Application filed by 平安科技(深圳)有限公司
Publication of WO2021042843A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/22 Matching criteria, e.g. proximity measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/243 Classification techniques relating to the number of classes
    • G06F18/24323 Tree-organised classifiers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0604 Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design

Definitions

  • This application relates to the technical field of intelligent decision-making in artificial intelligence, and in particular to a method, device, computer equipment and storage medium for alarm information decision-making.
  • Risk control models are preset for each type of business system operational risk. The risk control model monitors the various business systems, promptly generates alarm information when a system operation risk is discovered, and notifies staff to deal with it to avoid risk events. Risk control analysts can then analyze each piece of alarm information to make risk treatment decisions, such as closing user permissions or not allowing the user to log in to the system.
  • the embodiments of the application provide a method, device, computer equipment, and storage medium for alarm information decision-making to solve the problem that the versatility among the decision results of alarm information of different business systems is not high, leading to the analysis and decision-making of alarm information.
  • this application provides a method for determining alarm information, including:
  • Determining N information features according to the historical alarm information, and constructing an information feature vector corresponding to the historical alarm information based on the determined information features, where N is a positive integer;
  • the selected historical alarm information is input into the trained decision tree for decision-making, and the decision record output by the trained decision tree is output to the client as the decision result of the real-time alarm information.
  • this application provides an alarm information decision-making device, including:
  • a data acquisition module for acquiring historical data from the knowledge base of a preset big data system, wherein the historical data includes historical alarm information and historical decision records corresponding to the historical alarm information;
  • a vector construction module configured to determine N information features according to the historical alarm information, and construct an information feature vector corresponding to the historical alarm information based on the determined information features, where N is a positive integer;
  • a decision tree training module used to process the information feature vector using a preset decision tree algorithm, use the information features in the information feature vector as split nodes, classify the information feature vector, and use the historical decision record corresponding to the historical alarm information as a leaf node for decision tree training, to obtain a trained decision tree;
  • an information receiving module for acquiring real-time alarm information generated by the preset big data system;
  • an information classification module used to calculate, with a preset classification algorithm, the similarity between the real-time alarm information and each historical alarm information, and to select from those similarities the historical alarm information corresponding to the greatest similarity;
  • an intelligent decision module used to input the selected historical alarm information into the trained decision tree for decision-making, and to output the decision record produced by the trained decision tree to the client as the decision result of the real-time alarm information.
  • the present application provides a computer device, including a memory, a processor, and a computer program stored in the memory and capable of running on the processor.
  • when executing the computer program, the processor implements a method for alarm information decision-making, which includes:
  • Determining N information features according to the historical alarm information, and constructing an information feature vector corresponding to the historical alarm information based on the determined information features, where N is a positive integer;
  • the selected historical alarm information is input into the trained decision tree for decision-making, and the decision record output by the trained decision tree is output to the client as the decision result of the real-time alarm information.
  • the present application also provides a computer-readable storage medium storing a computer program; when the computer program is executed by a processor, a method for alarm information decision-making is implemented, wherein the alarm information decision-making method includes:
  • Determining N information features according to the historical alarm information, and constructing an information feature vector corresponding to the historical alarm information based on the determined information features, where N is a positive integer;
  • the above-mentioned alarm information decision-making method, device, computer equipment and storage medium obtain historical data, including historical alarm information and historical decision records, from the knowledge base of a preset big data system in order to analyze the historical data. The information features are determined from the historical alarm information and the information feature vector corresponding to the historical alarm information is constructed, which avoids using so many features for training that the model becomes too complicated or poorly targeted. The preset decision tree algorithm then processes the information feature vector, using it as training data to train the decision tree and obtain the trained decision tree.
  • the classification algorithm is used to calculate the similarity of the real-time alarm information, the historical alarm information with the highest similarity to the real-time alarm information is input into the decision tree for decision-making, and the decision result of the real-time alarm information is obtained. By collecting the alarm information and decision records of the risks in each business system in the big data system, and using supervised machine learning algorithms to learn and summarize the historical data, this solves the problem that risk decision results are insufficiently shared and reused between different business systems. Real-time alarm information generated by the risk control models of different business systems can thus be analyzed and decided on, automatic decision-making on the operational risks of business systems is realized, and the efficiency with which enterprises and institutions decide on the alarm information of business systems is improved.
  • FIG. 1 is a schematic diagram of an application environment of a method for determining alarm information in an embodiment of the present application
  • Fig. 2 is a flowchart of a method for determining alarm information in an embodiment of the present application
  • Fig. 3 is a schematic diagram of a trained decision tree in an embodiment of the present application.
  • FIG. 4 is a specific flow chart of normalizing information feature vectors in the method for determining alarm information in an embodiment of the present application
  • FIG. 5 is a specific flow chart of obtaining historical data corresponding to an alarm account in the method for determining alarm information in an embodiment of the present application
  • FIG. 6 is a specific flow chart of obtaining historical decision record output corresponding to similar alarm information in the method for making alarm information decision in an embodiment of the present application;
  • FIG. 7 is a specific flow chart of the incremental training of the decision tree in the alarm information decision-making method in an embodiment of the present application
  • FIG. 8 is a functional block diagram of a device for determining alarm information in an embodiment of the present application.
  • Fig. 9 is a schematic diagram of a computer device in an embodiment of the present application.
  • the application environment includes a monitoring terminal, a server and a client, where a network connects the monitoring terminal, the server and the client.
  • the server obtains historical data from the monitoring terminal for decision tree training, analyzes the real-time alarm information generated by the monitoring terminal based on the trained decision tree, and outputs the decision result to the client.
  • the monitoring terminal can be implemented by an independent server or a server cluster composed of multiple servers.
  • the client can be, but not limited to, various personal computers, laptops, smart phones, tablets, and portable wearable devices.
  • the server can be implemented as an independent server or a server cluster composed of multiple servers.
  • the alarm information decision-making method provided in the embodiments of the present application is applied to the server.
  • FIG. 2 shows a flow chart of the alarm information decision-making method in this embodiment.
  • the method is applied to the server in FIG. 1 to improve the efficiency with which enterprises and institutions make decisions on the alarm information of the business system.
  • the method for determining the alarm information includes steps S1 to S6, which are described in detail as follows:
  • S1: Obtain historical data from the knowledge base of the preset big data system, where the historical data includes historical alarm information and historical decision records corresponding to the historical alarm information.
  • the preset big data system is a big data risk management and control system used by enterprises and institutions to control and manage the operational risks of all business systems.
  • enterprises and institutions pre-build a corresponding risk control model for each business system, and monitor the user's operational behavior in the business system through the pre-built risk control model to control and manage the operational risk of the business system. The preset big data system is a collection of risk control models constructed in advance by enterprises and institutions.
  • the knowledge base is a database used to store historical data in the preset big data system, recording the risks faced by the various business systems and the decisions made in response to those risks.
  • historical alarm information is abnormal information obtained by a preset big data system monitoring or analyzing the logs of various business systems.
  • the historical alarm information includes, but is not limited to, the alarm system, alarm type, abnormal IP address, contact information, alarm account, abnormal data, etc.
  • the risk control model can monitor the logs of the business system. If it detects that a user operates on the same URL more than 100 times within 5 minutes, the alarm system of the risk control model is triggered to generate alarm information. The risk control model also applies big data security analysis: when abnormal information is detected, such as an account logging in to the same business system or to multiple business systems from two different provinces at the same time, the alarm system of the risk control model is triggered to generate alarm information.
  • the historical decision record is a response strategy for historical alarm information. Risk control analysts analyze the cause of the historical alarm information and make decisions to deal with the historical alarm information based on the results of the analysis.
  • the historical decision record includes, but is not limited to, the source of the alarm, the decision maker, the decision time, the decision basis analysis and the decision result fields. For example, when a risk control analyst analyzes historical alarm information and determines that it was caused by a user's operation error, the historical alarm information can be determined to be risk-free, and the corresponding decision result is to ignore the historical alarm information.
  • When risk control analysts determine that the historical alarm information may have been triggered by abnormal cross-regional logins, high-frequency operation of the system at night, or malicious "wool-pulling" registration (sign-ups made to abuse promotions), the historical alarm information can be determined to be high risk, and the decision result of blocking or freezing the alarm account in the historical alarm information is executed.
  • S2: Determine N information features according to the historical alarm information, and construct an information feature vector corresponding to the historical alarm information based on the determined information features, where N is a positive integer.
  • historical alarm information includes, but is not limited to, the alarm system, alarm type, abnormal IP address, contact information, alarm account number, and abnormal data, etc.
  • the information feature refers to the data in the historical alarm information related to the user's operational risk in the business system.
  • the alarm system and the alarm type can be specifically determined as information features, and the contact information can be set as not belonging to information features, but it is not limited to this.
  • the information features can be specifically set according to actual application needs, and there is no limitation here.
  • Based on the determined information features, the server converts the data corresponding to the information features in the historical alarm information into vector form and constructs an information feature vector corresponding to the historical alarm information, where each historical alarm information corresponds to one information feature vector.
  • the server determines information features of N dimensions according to the historical alarm information in the historical data, and uses the data corresponding to those N information features to train the machine model. There is no need to study and analyze every item of data in the historical alarm information, which avoids using so many information features for training that the model becomes too complex or less targeted.
  • S3: Use the information features in the information feature vector as split nodes, classify the information feature vector, and use the historical decision record corresponding to the historical alarm information as a leaf node for decision tree training to obtain a trained decision tree.
  • the server uses a preset decision tree algorithm to process the information feature vector, so as to train to obtain the decision tree.
  • the preset decision tree algorithm is a machine learning algorithm used to classify data.
  • the server uses each information feature in the information feature vector as a split node to classify the information feature vectors. Once all information features have been used as split nodes and none remain to divide the information feature vectors further, the historical decision record corresponding to the historical alarm information is used as the leaf node, generating the leaf node corresponding to the information feature vector and yielding the trained decision tree.
  • the leaf node refers to the bottom node in the decision tree, the leaf node has no child nodes, and each information feature vector corresponds to a historical decision record.
  • information feature vector A (alarm system 1, alarm type 1)
  • information feature vector B (alarm system 1, alarm type 2)
  • information feature vector C (alarm system 2, alarm type 1)
  • information feature vector A corresponds to historical decision record A
  • information feature vector B corresponds to historical decision record B
  • information feature vector C corresponds to history
  • the server uses historical alarm information as the root node to classify and learn the information feature vector A, information feature vector B and information feature vector C corresponding to the historical alarm information. First, the alarm system is used as the split node to classify information feature vectors A, B and C: information feature vector A and information feature vector B belong to the historical alarm information in alarm system 1, and information feature vector C belongs to the historical alarm information in alarm system 2. Next, the alarm type is used as the split node to classify information feature vectors A, B and C. After the splitting stops, the historical decision record corresponding to each information feature vector is used as the leaf node to complete the training of the decision tree, which yields the decision tree shown in Figure 3.
  • S4: Obtain real-time alarm information generated by a preset big data system.
  • the preset big data system is a collection of risk control models constructed in advance by enterprises and institutions. Each risk control model monitors the user's operation behavior in the corresponding business system.
  • the real-time alarm information is the alarm triggered when the risk control model detects operational risk in the business system.
  • the real-time alarm information includes but is not limited to the alarm system, alarm type, abnormal IP address, contact information, alarm account number, and abnormal data.
  • S5: Use the preset classification algorithm to calculate the similarity between the real-time alarm information and each historical alarm information, and from those similarities select the historical alarm information corresponding to the maximum similarity.
  • the preset classification algorithm is a classification method of statistics that uses the knowledge of probability statistics to classify.
  • the preset classification algorithm can analyze the characteristics or attributes of the data and classify the data into existing categories.
  • the preset classification algorithms include, but are not limited to, the naive Bayesian classification algorithm, k-nearest neighbor method and fuzzy classification method, etc., which can be specifically set according to actual application needs.
  • a preset classification algorithm is used to calculate the similarity between the real-time alarm information and each historical alarm information, and the similarity between the real-time alarm information and each historical alarm information is obtained.
  • the similarity algorithm may be the cosine similarity algorithm or the Euclidean distance algorithm. The higher the similarity between the real-time alarm information and a historical alarm information, the more similar the alarm content of that historical alarm information is to the alarm content of the real-time alarm information. Then, from the similarities between the real-time alarm information and each historical alarm information, the historical alarm information corresponding to the maximum similarity is selected, and the real-time alarm information is classified into the category of the selected historical alarm information.
  • S6: Input the selected historical alarm information into the trained decision tree to make a decision, and output the decision record produced by the trained decision tree to the client as the decision result of the real-time alarm information.
  • the server inputs the selected historical alarm information into the trained decision tree to make a decision.
  • the selected historical alarm information is the alarm information whose alarm content is closest to that of the real-time alarm information. In the trained decision tree, the server matches level by level from the root node according to the information features in the historical alarm information, and obtains at the leaf node the historical decision record corresponding to the historical alarm information; that is, the path from the root node to the leaf node is how the trained decision tree predicts and decides the category of the real-time alarm information.
  • the server outputs the historical decision record to the client as the decision result of the real-time alarm information, so that staff can review it and automatic decisions are made on the operational risks of each business system in real time, improving the efficiency of alarm information decision-making and of risk control.
  • historical data, including historical alarm information and historical decision records, is acquired from the knowledge base of a preset big data system in order to analyze the historical data. The information features are determined from the historical alarm information and the information feature vector corresponding to the historical alarm information is constructed, which avoids using so many features for training that the model becomes too complicated or poorly targeted. The preset decision tree algorithm then processes the information feature vector, using it as training data to train the decision tree and obtain the trained decision tree.
  • the classification algorithm is used to calculate the similarity of the real-time alarm information, the historical alarm information with the highest similarity to the real-time alarm information is input into the decision tree for decision-making, and the decision result of the real-time alarm information is obtained. By collecting the alarm information and decision records of the risks in each business system in the big data system, and using supervised machine learning algorithms to learn and summarize the historical data, this solves the problem that decision results are insufficiently shared and reused between different business systems. Real-time alarm information generated by the risk control models of different business systems can therefore be analyzed and decided on, automatic decision-making on the operational risks of the business system is realized, and the decision-making efficiency of enterprises and institutions on the alarm information of the business system is improved.
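Steps S1 to S6 above, as an added example on constructed data; this is not code from the patent or its applicant. The field names, the one-hot encoding used for cosine similarity, the majority vote at leaves and the `min_similarity` review gate are assumptions that the text does not specify.

```python
import math
from collections import Counter

# S1: constructed sample history; each entry is (alarm fields, analyst decision).
HISTORY = [
    ({"system": "policy", "type": "high_freq_day", "account": "u1"}, "ignore"),
    ({"system": "policy", "type": "cross_region_login", "account": "u2"}, "freeze_account"),
    ({"system": "claims", "type": "high_freq_night", "account": "u3"}, "block_account"),
    ({"system": "finance", "type": "malicious_registration", "account": "u4"}, "freeze_account"),
]

# S2: N = 2 information features; other fields (account, contact) are not features.
FEATURES = ("system", "type")


def train_tree(samples, features=FEATURES):
    """S3: split on each feature in turn; a leaf holds the historical decision."""
    if not features:
        # Assumption: identical vectors with different decisions use a majority vote.
        return Counter(decision for _, decision in samples).most_common(1)[0][0]
    head, rest = features[0], features[1:]
    groups = {}
    for alarm, decision in samples:
        groups.setdefault(alarm[head], []).append((alarm, decision))
    return {"split": head,
            "children": {value: train_tree(group, rest) for value, group in groups.items()}}


def one_hot(alarm):
    """Assumed encoding: one dimension per (feature, value) pair present in the alarm."""
    return {(f, alarm[f]): 1.0 for f in FEATURES if f in alarm}


def cosine(a, b):
    """Cosine similarity of two sparse vectors; 0.0 when either is empty."""
    dot = sum(w * b.get(k, 0.0) for k, w in a.items())
    norm = math.sqrt(sum(w * w for w in a.values())) * math.sqrt(sum(w * w for w in b.values()))
    return dot / norm if norm else 0.0


def most_similar(realtime, history=HISTORY):
    """S5: return (historical alarm, similarity) for the greatest similarity."""
    rt = one_hot(realtime)
    scored = [(alarm, cosine(rt, one_hot(alarm))) for alarm, _ in history]
    return max(scored, key=lambda pair: pair[1])  # ties resolve to the earliest entry


def decide(tree, alarm):
    """S6: walk from the root to a leaf using the selected historical alarm."""
    node = tree
    while isinstance(node, dict):
        node = node["children"][alarm[node["split"]]]
    return node


def handle(realtime, tree, history=HISTORY, min_similarity=0.75):
    """S4 to S6, plus an assumed gate that routes weak matches to an analyst."""
    nearest, score = most_similar(realtime, history)
    nearest_decision = decide(tree, nearest)
    action = nearest_decision if score >= min_similarity else "manual_review"
    return {"similarity": round(score, 6),
            "nearest_decision": nearest_decision,
            "action": action}


TREE = train_tree(HISTORY)

if __name__ == "__main__":
    for rt in (
        {"system": "claims", "type": "high_freq_night", "account": "u9"},      # seen before
        {"system": "finance", "type": "cross_region_login", "account": "u9"},  # partial match
        {"system": "hr", "type": "bulk_export", "account": "u9"},              # never seen
    ):
        print(rt["system"], rt["type"], handle(rt, TREE))
```

With S5 and S6 alone, the never-seen alarm would inherit `ignore` from an arbitrary historical entry at similarity 0; the gate sends it to an analyst instead.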
  • the alarm information decision-making method provided in this embodiment may also perform normalization processing on the information feature vector, which is described in detail as follows:
  • the method for determining the alarm information further includes the following steps:
  • S21: According to preset classification conditions, assign corresponding identification information to the information feature vector.
  • the preset classification condition is used to convert the content corresponding to the information feature into a specific value.
  • the preset classification condition includes a feature value interval preset for each information feature and identification information corresponding to each feature value interval.
  • the server allocates corresponding identification information to the information feature vector according to the preset classification conditions, thereby obtaining identification information corresponding to each information feature in the information feature vector.
  • the preset classification conditions can be specifically set based on historical experience, or can be set based on the data distribution of specific information features, etc., which are not limited here.
  • the following takes the characteristic value interval of a specific information characteristic and the identification information corresponding to the characteristic value interval as an example for description.
  • Table 1 shows the feature value interval of each information feature and the classification condition of the corresponding identification information.
  • Table 1 shows the characteristic value range and identification information of the two information characteristics of the alarm system and the alarm type.
  • the alarm system includes the insurance policy system, the claims system and the financial system.
  • the alarm types include cross-regional login, high-frequency operation of the system, malicious registration and other types. 1, 2 and 3 are the identification information corresponding to the policy system, the claims system and the financial system, and A, B1, B2, C1 and C2 are the identification information corresponding to cross-regional login, high-frequency operation (daytime), high-frequency operation (night), malicious registration (small amount) and malicious registration (large amount).
  • the server can assign corresponding identification information to the information feature vector according to the content of each information feature in the information feature vector.
  • the information feature vector T is (insurance system, cross-regional login)
  • the information feature vector T with identification information assigned is (1, A).
  • normalization processing refers to a processing method of mapping identification information to a certain numerical interval through function transformation.
  • the server can convert the identification information into a specific value and scale that value by a preset ratio until it falls in the interval [0, 1]. Since the degree of risk differs between the information features in the information feature vector, the server can assign each information feature a value according to its importance to the operational risk of the business system. The larger the value the server assigns to an information feature, the greater the risk of the content corresponding to that information feature.
  • the information feature vector can thus be quantified as specific values that fall within a specific interval, which makes it easier for the computer to identify and process the data and improves the construction efficiency of the decision tree.
  • after the normalization processing of the information feature vector to which identification information has been assigned (step S22), and before step S3, in which the information features in the information feature vector are used as split nodes, the information feature vectors are classified, and the historical decision record corresponding to the historical alarm information is used as a leaf node for decision tree training to obtain the trained decision tree, the processing method of the alarm information also includes:
  • any one of the information feature vectors is retained, the rest of the information feature vectors are deleted, and the training samples whose information feature vectors are completely consistent among the training samples are eliminated.
  • any one of the information feature vectors is retained, the rest of the information feature vectors are deleted, and the filtered information feature vectors are used for machine model training, which improves the quality of the data used to train the machine learning model.
  • the historical alarm information includes an alarm account
  • the method for making an alarm information decision provided in this embodiment can also obtain historical data corresponding to the alarm account and output it to the client.
  • the alarm information decision method further includes the following steps:
  • the real-time alarm information includes an alarm account.
  • the alarm account refers to an account with abnormal operations in the business system.
  • the server can obtain the alarm account from the real-time alarm information and confirm that there is an abnormal account in the operation of the business system.
  • the knowledge base is a database used to store historical data in a preset big data system.
  • the server uses the alarm account obtained from the real-time alarm information to query the knowledge base for whether the alarm account has triggered historical alarm information. If historical alarm information of the alarm account exists in the historical alarm information saved in the knowledge base, the historical alarm information of the alarm account and the historical decision record corresponding to the historical alarm information are obtained and output to the client, so that the risk control analyst can combine the historical alarm information and historical decision records of the alarm account to analyze and make decisions on real-time alarm information, making the decision more targeted and improving the accuracy of decision-making on real-time alarm information.
  • the historical data corresponding to the queried alarm account is output to the client, so that risk control analysts can combine the historical alarm information and historical decision records of the alarm account to analyze and make decisions on real-time alarm information, making decision-making more targeted and improving the accuracy of decision-making on real-time alarm information.
  • step S6: the selected historical alarm information is input into the trained decision tree for decision-making, and the decision record output by the trained decision tree is used as the decision result of the real-time alarm information.
  • the processing method of the alarm information further includes:
  • the real-time alarm information and the decision result of the real-time alarm information are sent to the preset information receiving address according to the preset template.
  • the preset template is a template preset to display real-time alarm information and the decision result of the real-time alarm information.
  • the preset template includes, but is not limited to, templates in formats such as documents and tables. The specific template can be set according to the actual situation, and there is no restriction here.
  • the preset information receiving address is the communication address used by risk control analysts to receive abnormal alarm information sent by the risk control model when facing a risk event. Specifically, it can be a mail receiving address, an SMS receiving address, etc., which is not limited here.
  • the server sends the real-time alarm information and the decision result of the real-time alarm information to the preset information receiving address according to the preset template, so that the risk control analyst can obtain the real-time alarm information and its decision result in time and further analyze the real-time alarm information to find the frequent causes of abnormal problems. Moreover, if the risk control analyst needs to adjust the decision result of the real-time alarm information, they can correct it according to the actual setting needs to improve the accuracy of decision-making on the alarm information.
  • by sending the real-time alarm information and the decision result of the real-time alarm information to the preset information receiving address according to the preset template, the relevant staff can obtain the real-time alarm information and its decision result in time, so that they can review and confirm the results of the automated decision-making and, when the decision result of the real-time alarm information needs to be adjusted, correct it in time according to the actual setting needs, improving the accuracy of decision-making on the real-time alarm information.
  • the alarm information decision-making method provided in this embodiment can also obtain and output the historical decision records corresponding to similar alarm information according to the alarm type of the real-time alarm information, as detailed below:
  • the alarm information decision-making method further includes the following steps:
  • S61 Determine the alarm type of the real-time alarm information according to the real-time alarm information.
  • the real-time alarm information includes an alarm type
  • the server can determine the alarm type of the real-time alarm information from the real-time alarm information.
  • the historical alarm information that is the same as the alarm type of the real-time alarm information is queried, and the historical alarm information of the same alarm type as the real-time alarm information is acquired as similar alarm information.
  • S63 Output historical decision records corresponding to similar alarm information to the client in a preset order.
  • the preset order can be specifically based on the order of the number of alarms of historical alarm information from high to low, or according to the order of the alarm time of historical alarm information, etc.
  • the specific output order of the historical decision records can be set according to the needs of the actual application, and there is no restriction here.
  • the server outputs the historical decision records corresponding to similar alarm information to the client in a preset order to provide risk control analysts with relevant decision records for reference, which can assist in the decision-making process for real-time alarm information and help less experienced risk control analysts improve their decision-making capabilities. Moreover, if risk control analysts find errors in the decision results of the server, they can also select the correct decision results from the historical decision records output to the client to process the real-time alarm information, so as to obtain the most suitable decision result for the real-time alarm information, further improving the accuracy of decision-making on real-time alarm information.
  • the historical alarm information that has the same alarm type as the real-time alarm information is obtained from the knowledge base as similar alarm information, and the historical decision records corresponding to the similar alarm information are output to the client in a preset order, making full use of the historical data stored in the knowledge base to provide relevant decision records for risk control analysts to refer to and helping inexperienced risk control analysts improve their decision-making capabilities. At the same time, it is convenient for risk control analysts to review and modify the results of automatic decision-making, improving the decision-making rate and accuracy for real-time alarm information.
  • the alarm information decision-making method provided in this embodiment can also collect real-time alarm information and the decision result corresponding to the real-time alarm information as a new sample, and use the new sample to perform incremental training on the decision tree.
  • the description is as follows:
  • the alarm information decision further includes the following steps:
  • the preset time refers to the time period during which the risk control analyst reviews the decision results of the automatic decision.
  • the preset time can be within five minutes or ten minutes after the decision results are output to the client, but is not limited to this; it can be set according to actual application needs.
  • the server assumes by default that the output decision result resolves the operational risk in the real-time alarm information, and saves the real-time alarm information and the decision result to the knowledge base as a new sample.
  • the decision result changes within the preset time, it means that after the server analyzes the real-time alarm information, the output decision result cannot well solve the operational risk in the real-time alarm information.
  • Risk control analysts will modify the decision results output by the server and enter new decision results to resolve the operational risks in the real-time alarm information.
  • the server receives the changed decision result sent by the client, and saves the real-time alarm information and the changed decision result as a new sample to the knowledge base. It is understandable that the changed decision result refers to the decision result that the risk control analyst re-enters for the real-time alarm information after analyzing the real-time alarm information and reviewing the decision result of the server's automatic decision-making.
  • the server uses the newly added samples to perform incremental training on the trained decision tree.
  • the incremental training refers to optimized model training of the trained decision tree. Incremental training can make full use of the historical training results of the trained decision tree, reducing the training time of subsequent machine models, with no need to repeatedly process historical data that has already been trained on, so that the decision tree can learn more knowledge features of alarm information and decision records, thereby improving the decision tree's ability to adapt to new alarm information and improving its decision accuracy.
  • the newly added samples are acquired and stored in the knowledge base, and are used to incrementally train the trained decision tree to obtain a new decision tree, so that the new decision tree can learn more knowledge features of alarm information and decision records, thereby optimizing the trained decision tree and improving the generalization ability and decision accuracy of the new decision tree on new alarm information.
  • an alarm information decision-making device corresponds to the alarm information decision-making method in the above-mentioned embodiment one-to-one.
  • the alarm information decision-making device includes: a data acquisition module 81, a vector construction module 82, a decision tree training module 83, an information receiving module 84, an information classification module 85 and an intelligent decision module 86.
  • the detailed description of each functional module is as follows:
  • the data acquisition module 81 is configured to acquire historical data from the knowledge base of a preset big data system, where the historical data includes historical alarm information and historical decision records corresponding to the historical alarm information;
  • the vector construction module 82 is configured to determine N information features according to the historical alarm information, and construct an information feature vector corresponding to the historical alarm information based on the determined information characteristics, where N is a positive integer;
  • the decision tree training module 83 is used to use the information feature in the information feature vector as a split node, classify the information feature vector, and use the historical decision record corresponding to the historical alarm information as the leaf node to train the decision tree to obtain the trained decision tree;
  • the information receiving module 84 is used to obtain real-time alarm information generated by a preset big data system
  • the information classification module 85 is used to calculate the similarity between the real-time alarm information and each historical alarm information using a preset classification algorithm, to obtain the similarity between the real-time alarm information and each historical alarm information, and to select, from these similarities, the historical alarm information corresponding to the largest similarity;
  • the intelligent decision module 86 is used to input the selected historical alarm information into the trained decision tree for decision-making, and to output the decision record produced by the trained decision tree to the client as the decision result of the real-time alarm information.
  • the device for determining the alarm information further includes:
  • the data classification module 821 is configured to allocate corresponding identification information to the information feature vector according to preset classification conditions
  • the data processing module 822 is configured to perform normalization processing on the information feature vector to which the identification information is allocated.
  • the device for determining the alarm information further includes:
  • the data screening module 823 is used to screen the normalized information feature vectors. If two or more identical information feature vectors are detected, any one of the identical information feature vectors is retained and the rest are deleted.
  • the historical alarm information includes an alarm account
  • the device for determining the alarm information further includes:
  • the account acquisition module 841 is used to acquire the alarm account in the real-time alarm information
  • the information output module 842 is configured to output the historical data corresponding to the queried alarm account to the client if the alarm account in the real-time alarm information is queried in the knowledge base.
  • the device for determining the alarm information further includes:
  • the information sending module 860 is configured to send the real-time alarm information and the decision result of the real-time alarm information to a preset information receiving address according to a preset template.
  • the device for determining the alarm information further includes:
  • the type query module 861 is used to determine the alarm type of the real-time alarm information according to the real-time alarm information
  • the information acquisition module 862 is used to acquire historical alarm information of the same alarm type as the real-time alarm information from the knowledge base as similar alarm information;
  • the auxiliary decision-making module 863 is used to output historical decision records corresponding to similar alarm information to the client in a preset order.
  • the device for determining the alarm information further includes:
  • the first storage module 871 is used to save the real-time alarm information and the decision result as a new sample in the knowledge base if the decision result has not changed within a preset time;
  • the second storage module 872 is used to receive the changed decision result sent by the client if the decision result changes within the preset time, and save the real-time alarm information and the changed decision result as a new sample to the knowledge base;
  • the incremental training module 873 is configured to use the newly added samples to perform incremental training on the trained decision tree to obtain a new decision tree.
  • Each module in the above alarm information decision-making device can be implemented in whole or in part by software, hardware and a combination thereof.
  • the above-mentioned modules may be embedded in the form of hardware or independent of the processor in the computer equipment, or may be stored in the memory of the computer equipment in the form of software, so that the processor can call and execute the operations corresponding to the above-mentioned modules.
  • a computer device is provided.
  • the computer device may be a server, and its internal structure diagram may be as shown in FIG. 9.
  • the computer equipment includes a processor, a memory, a network interface, and a database connected through a system bus.
  • the processor of the computer device is used to provide calculation and control capabilities.
  • the memory of the computer device includes a non-volatile storage medium and an internal memory.
  • the non-volatile storage medium stores an operating system, a computer program, and a database.
  • the internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage medium.
  • the network interface of the computer device is used to communicate with an external terminal through a network connection.
  • a method for making alarm information decisions is realized, wherein the steps of the method include: obtaining historical data from the knowledge base of a preset big data system, wherein the historical data includes historical alarm information and historical decision records corresponding to the historical alarm information; determining N information features according to the historical alarm information, and constructing an information feature vector corresponding to the historical alarm information based on the determined information features, wherein N is a positive integer; using the information feature in the information feature vector as a split node, classifying the information feature vector, and using the historical decision record corresponding to the historical alarm information as a leaf node for decision tree training, to obtain the trained decision tree; obtaining the real-time alarm information generated by the preset big data system; using the preset classification algorithm to calculate the similarity between the real-time alarm information and each of the historical alarm information, obtaining the similarity between the real-time alarm information and each of the historical alarm information, and from the similarity between the real-time alarm information and each of the historical alarm information,
  • a computer device including a memory, a processor, and a computer program stored in the memory and running on the processor.
  • the processor executes the computer program to implement the alarm information decision method in the above embodiment
  • the steps S1 to S6 shown in FIG. 2; alternatively, when the processor executes the computer program, the function of each module of the alarm information decision device in the above embodiment is realized, for example, the functions of module 81 to module 86 shown in FIG. To avoid repetition, they are not described again here.
  • a computer-readable storage medium is provided.
  • the storage medium is a volatile storage medium or a non-volatile storage medium, and a computer program is stored thereon.
  • when the computer program is executed by a processor, a decision-making method for alarm information is implemented.
  • the decision-making method for alarm information includes: obtaining historical data from the knowledge base of a preset big data system, wherein the historical data includes historical alarm information and historical decision records corresponding to the historical alarm information; determining N information features according to the historical alarm information, and constructing an information feature vector corresponding to the historical alarm information based on the determined information features, where N is a positive integer;
  • the information feature is used as a split node, the information feature vector is classified, and the historical decision record corresponding to the historical alarm information is used as a leaf node for decision tree training to obtain a trained decision tree;
  • obtaining the real-time alarm information generated by the preset big data system; using a preset classification algorithm to calculate the similarity between the real-time alarm information and each of the historical alarm information, and obtain the difference between the real-time alarm information and each of the historical alarm information
  • Non-volatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory.
  • Volatile memory may include random access memory (RAM) or external cache memory.
  • RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM), etc.

Abstract

The present application discloses an alert information decision method and apparatus, a computer device and a storage medium. Said method comprises: acquiring, from a knowledge base of a large data system, historical data including historical alert information and a historical decision record; constructing, according to the historical alert information, an information feature vector corresponding to the historical alert information, and using a decision tree algorithm to process the information feature vector; training a decision tree by taking the information feature vector as training data, so as to obtain a trained decision tree; then acquiring real-time alert information generated by the large data system; performing similarity calculation on the real-time alert information by using a classification algorithm; and inputting, into the trained decision tree, historical alert information having the highest similarity to the real-time alert information, so as to make a decision and obtain a decision result of the real-time alert information. According to the embodiments of the present application, the real-time alert information generated by the large data system can be automatically analyzed and decided, thereby improving the decision efficiency of an enterprise deciding alert information of a service system.

Description

Alarm information decision-making method, device, computer equipment and storage medium
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on September 6, 2019, with application number 201910842476.2 and the invention title "Decision-making method, device, computer equipment and storage medium for alarm information", the entire content of which is incorporated in this application by reference.
Technical field
This application relates to the technical field of intelligent decision-making in artificial intelligence, and in particular to an alarm information decision-making method, device, computer equipment and storage medium.
Background art
With the rapid development of the Internet, modern large-scale enterprises face system operation risks from all aspects. In order to control and manage increasingly severe system operation risks, enterprises generally establish a big data risk control system. In the big data risk control system, a corresponding risk control model is preset for each type of business system operation risk, and the risk control models monitor the various business systems, so that alarm information can be generated promptly when a system operation risk is discovered and staff are notified to handle it, avoiding risk events. Risk control analysts can therefore analyze each piece of alarm information and make risk handling decisions, for example, closing user permissions or not allowing the user to log in to the system.
However, the inventor realized that, as time goes by, there are more and more risk control models of various types and, consequently, more and more alarm information. Risk control analysts become mired in repetitive and tedious analysis work, and the experience gained from analyzing historical alarm information cannot be applied to analyzing the operational risk of new business systems. As a result, the control and management of business system alarm information is inefficient, and when decisions on alarm information are not made in time, this can even cause serious economic losses to the enterprise.
Technical problem
The embodiments of this application provide an alarm information decision-making method, device, computer equipment and storage medium, to solve the problem that the decision results for alarm information of different business systems currently have low generality, which makes analyzing and deciding on alarm information inefficient.
Technical solution
In the first aspect, this application provides an alarm information decision-making method, including:
acquiring historical data from the knowledge base of a preset big data system, where the historical data includes historical alarm information and historical decision records corresponding to the historical alarm information;
determining N information features according to the historical alarm information, and constructing an information feature vector corresponding to the historical alarm information based on the determined information features, where N is a positive integer;
using the information feature in the information feature vector as a split node, classifying the information feature vector, and using the historical decision record corresponding to the historical alarm information as a leaf node for decision tree training, to obtain a trained decision tree;
acquiring real-time alarm information generated by the preset big data system;
using a preset classification algorithm to calculate the similarity between the real-time alarm information and each of the historical alarm information, obtaining the similarity between the real-time alarm information and each of the historical alarm information, and selecting, from these similarities, the historical alarm information corresponding to the largest similarity;
inputting the selected historical alarm information into the trained decision tree for decision-making, and outputting the decision record produced by the trained decision tree to the client as the decision result of the real-time alarm information.
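The steps of the first aspect, together with the review-and-retrain loop of the embodiments, can be traced end to end in a short sketch. This is an added example, not code from the application: the feature names, the sample alarms, the "no_action" label, min-max scaling, Gini-based threshold splits, the 1/(1 + distance) similarity and full retraining in place of incremental training are all assumptions, because the application leaves these algorithms as "preset".

```python
import math
from collections import Counter

# Constructed history: (raw information features, analyst decision). The feature
# order (alarm_type, failed_logins, off_hours, privilege_level) is an assumption.
HISTORY = [
    ((1, 2, 0, 1), "no_action"),
    ((1, 3, 0, 1), "no_action"),
    ((1, 18, 1, 1), "block_login"),
    ((1, 20, 1, 2), "block_login"),
    ((2, 0, 1, 3), "revoke_permissions"),
    ((2, 1, 0, 3), "revoke_permissions"),
    ((2, 1, 0, 3), "revoke_permissions"),  # identical vector, dropped before training
]

def fit_bounds(rows):
    """Per-feature (min, max) over the history, used to scale into [0, 1]."""
    return [(min(col), max(col)) for col in zip(*rows)]

def normalize(row, bounds):
    """Min-max scale one vector; values outside the historical range are clamped."""
    out = []
    for value, (lo, hi) in zip(row, bounds):
        scaled = 0.0 if hi == lo else (value - lo) / (hi - lo)
        out.append(min(1.0, max(0.0, scaled)))
    return tuple(out)

def deduplicate(samples):
    """Keep the first sample for each distinct feature vector."""
    seen, kept = set(), []
    for vec, decision in samples:
        if vec not in seen:
            seen.add(vec)
            kept.append((vec, decision))
    return kept

def gini(samples):
    counts = Counter(decision for _, decision in samples)
    return 1.0 - sum((c / len(samples)) ** 2 for c in counts.values())

def train_tree(samples):
    """Features are split nodes (feature, threshold, left, right); decisions are leaves."""
    counts = Counter(decision for _, decision in samples)
    best = None
    if len(counts) > 1:
        for f in range(len(samples[0][0])):
            values = sorted({vec[f] for vec, _ in samples})
            for a, b in zip(values, values[1:]):
                t = (a + b) / 2
                left = [s for s in samples if s[0][f] <= t]
                right = [s for s in samples if s[0][f] > t]
                score = (len(left) * gini(left) + len(right) * gini(right)) / len(samples)
                if best is None or score < best[0]:
                    best = (score, f, t, left, right)
    if best is None:  # pure node, or nothing left to split on
        return counts.most_common(1)[0][0]
    _, f, t, left, right = best
    return (f, t, train_tree(left), train_tree(right))

def decide(tree, vec):
    while isinstance(tree, tuple):
        f, t, left, right = tree
        tree = left if vec[f] <= t else right
    return tree

def similarity(a, b):
    """1 / (1 + Euclidean distance): 1.0 for identical vectors, falling toward 0."""
    return 1.0 / (1.0 + math.dist(a, b))

def build(history):
    bounds = fit_bounds([raw for raw, _ in history])
    samples = deduplicate([(normalize(raw, bounds), d) for raw, d in history])
    return bounds, samples, train_tree(samples)

def decide_realtime(raw_alarm, bounds, samples, tree):
    """Pick the most similar historical alarm and run *that* vector through the tree."""
    vec = normalize(raw_alarm, bounds)
    nearest, _ = max(samples, key=lambda s: similarity(vec, s[0]))
    return decide(tree, nearest), similarity(vec, nearest)

def record_review(history, raw_alarm, auto_decision, analyst_decision=None):
    """After the review window, store the analyst's change if any, else the automatic result."""
    return history + [(tuple(raw_alarm), analyst_decision or auto_decision)]

if __name__ == "__main__":
    bounds, samples, tree = build(HISTORY)
    alarm = (1, 10, 0, 1)  # constructed real-time alarm
    auto, sim = decide_realtime(alarm, bounds, samples, tree)
    print("automatic:", auto, "similarity: %.3f" % sim)
    updated = record_review(HISTORY, alarm, auto, analyst_decision="block_login")
    print("after retraining:", decide_realtime((1, 11, 0, 1), *build(updated))[0])
```

Because the nearest historical vector rather than the new alarm is what the tree classifies, the returned similarity is the only signal of how far an alarm lies from anything seen before; a low value is a reason to route the alarm to an analyst instead of acting on the automatic result.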
In the second aspect, this application provides an alarm information decision-making device, including:
a data acquisition module, used to acquire historical data from the knowledge base of a preset big data system, where the historical data includes historical alarm information and historical decision records corresponding to the historical alarm information;
a vector construction module, used to determine N information features according to the historical alarm information, and construct an information feature vector corresponding to the historical alarm information based on the determined information features, where N is a positive integer;
a decision tree training module, used to process the information feature vector using a preset decision tree algorithm, use the information feature in the information feature vector as a split node, classify the information feature vector, and use the historical decision record corresponding to the historical alarm information as a leaf node for decision tree training, to obtain a trained decision tree;
an information receiving module, used to acquire real-time alarm information generated by the preset big data system;
an information classification module, used to calculate the similarity between the real-time alarm information and each of the historical alarm information using a preset classification algorithm, obtain the similarity between the real-time alarm information and each of the historical alarm information, and select, from these similarities, the historical alarm information corresponding to the largest similarity;
an intelligent decision module, used to input the selected historical alarm information into the trained decision tree for decision-making, and output the decision record produced by the trained decision tree to the client as the decision result of the real-time alarm information.
In the third aspect, this application provides a computer device, including a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the processor implements an alarm information decision-making method when executing the computer program, and the alarm information decision-making method includes:
acquiring historical data from the knowledge base of a preset big data system, where the historical data includes historical alarm information and historical decision records corresponding to the historical alarm information;
determining N information features according to the historical alarm information, and constructing an information feature vector corresponding to the historical alarm information based on the determined information features, where N is a positive integer;
using the information feature in the information feature vector as a split node, classifying the information feature vector, and using the historical decision record corresponding to the historical alarm information as a leaf node for decision tree training, to obtain a trained decision tree;
acquiring real-time alarm information generated by the preset big data system;
using a preset classification algorithm to calculate the similarity between the real-time alarm information and each of the historical alarm information, obtaining the similarity between the real-time alarm information and each of the historical alarm information, and selecting, from these similarities, the historical alarm information corresponding to the largest similarity;
inputting the selected historical alarm information into the trained decision tree for decision-making, and outputting the decision record produced by the trained decision tree to the client as the decision result of the real-time alarm information.
In a fourth aspect, the present application further provides a computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements a decision method for alarm information, the decision method comprising:
Acquiring historical data from the knowledge base of a preset big data system, wherein the historical data includes historical alarm information and the historical decision records corresponding to the historical alarm information;
Determining N information features from the historical alarm information, and constructing, based on the determined information features, an information feature vector corresponding to the historical alarm information, where N is a positive integer;
Using the information features in the information feature vector as split nodes to classify the information feature vectors, and using the historical decision records corresponding to the historical alarm information as leaf nodes to train a decision tree, obtaining a trained decision tree;
Acquiring real-time alarm information generated by the preset big data system;
Beneficial effects
The decision method, apparatus, computer device and storage medium for alarm information described above acquire historical data, including historical alarm information and historical decision records, from the knowledge base of a preset big data system so that the historical data can be analyzed. Information features are determined from the historical alarm information and the corresponding information feature vectors are constructed, which avoids an overly complex or poorly targeted model caused by too many training features. A preset decision tree algorithm then processes the information feature vectors, using them as training data to train a decision tree and obtain a trained decision tree. Finally, the real-time alarm information generated by the big data system is acquired, a classification algorithm calculates its similarity to the historical alarm information, and the historical alarm information most similar to the real-time alarm information is input into the decision tree to obtain the decision result for the real-time alarm information. By collecting the alarm information and decision records for risks in each business system of the big data system, and by using a supervised machine learning algorithm to learn from and generalize the historical data, the approach addresses the insufficient sharing and reuse of risk decision results between different business systems. It can therefore analyze and decide on real-time alarm information generated by the risk control models of different business systems, automate decisions on the operational risk of business systems, and improve the efficiency with which enterprises and institutions make decisions on business system alarm information.
Description of the drawings
FIG. 1 is a schematic diagram of an application environment of the decision method for alarm information in an embodiment of the present application;
FIG. 2 is a flowchart of the decision method for alarm information in an embodiment of the present application;
FIG. 3 is a schematic diagram of a trained decision tree in an embodiment of the present application;
FIG. 4 is a detailed flowchart of normalizing the information feature vectors in the decision method for alarm information in an embodiment of the present application;
FIG. 5 is a detailed flowchart of acquiring the historical data corresponding to an alarm account in the decision method for alarm information in an embodiment of the present application;
FIG. 6 is a detailed flowchart of acquiring and outputting the historical decision record corresponding to similar alarm information in the decision method for alarm information in an embodiment of the present application;
FIG. 7 is a detailed flowchart of incrementally training the decision tree in the decision method for alarm information in an embodiment of the present application;
FIG. 8 is a functional block diagram of the decision apparatus for alarm information in an embodiment of the present application;
FIG. 9 is a schematic diagram of a computer device in an embodiment of the present application.
Best mode for carrying out the invention
This application provides a decision method for alarm information. It relates to the field of intelligent decision-making technology in artificial intelligence and can be applied in the application environment shown in FIG. 1. The application environment includes a monitoring terminal, a server and a client; the server and the monitoring terminal, and the server and the client, are connected over a network. The server obtains historical data from the monitoring terminal to train a decision tree, then uses the trained decision tree to analyze and decide on the real-time alarm information generated by the monitoring terminal, and outputs the decision result to the client. The monitoring terminal may be implemented as an independent server or as a server cluster composed of multiple servers; the client may be, but is not limited to, a personal computer, laptop, smartphone, tablet or portable wearable device; the server may be implemented as an independent server or as a server cluster composed of multiple servers. The decision method for alarm information provided in the embodiments of this application is applied on the server.
In an embodiment, FIG. 2 shows a flowchart of the decision method for alarm information in this embodiment. The method is applied on the server in FIG. 1 and is used to improve the efficiency with which enterprises and institutions make decisions on business system alarm information. As shown in FIG. 2, the decision method for alarm information includes steps S1 to S6, described in detail as follows:
S1: Acquire historical data from the knowledge base of a preset big data system, where the historical data includes historical alarm information and the historical decision records corresponding to the historical alarm information.
In this embodiment, the preset big data system is the big data risk management and control system that an enterprise or institution uses to control and manage the operational risk of all its business systems. In the preset big data system, the enterprise or institution builds a corresponding risk control model for each business system in advance, and uses that model to monitor users' operations in the business system in order to control and manage the business system's operational risk. The preset big data system is the collection of these pre-built risk control models, and the knowledge base is the database in the preset big data system that stores historical data, recording the risks each business system has faced and the decisions taken in response.
Specifically, historical alarm information is the abnormal information that the preset big data system obtains by monitoring the logs of each business system or by analyzing its data. Historical alarm information includes, but is not limited to, the alarm system, alarm type, abnormal IP address, contact information, alarm account and abnormal data. For example, a risk control model can monitor the logs of a business system: if it detects that a user has operated on the same URL more than 100 times within 5 minutes, the risk control model's alarm system is triggered to generate alarm information. A risk control model can also use big data security analysis: when it detects abnormal information such as one account logged in to the same business system, or to multiple business systems, from two different provinces at the same time, the risk control model's alarm system is triggered to generate alarm information.
A historical decision record is the response strategy for a piece of historical alarm information. Risk control analysts analyze the cause of the historical alarm and, based on the result, decide how to respond to it. A historical decision record includes, but is not limited to, fields such as the alarm source, decision maker, decision time, analysis of the basis for the decision, and decision result. For example, when a risk control analyst analyzes a piece of historical alarm information and determines that it was caused by a user's operating mistake, the historical alarm information can be judged risk-free, and the corresponding decision result is to ignore it. When the analyst finds that the historical alarm information may have been triggered by an abnormal problem such as an abnormal cross-regional login, high-frequency operation of the system at night, or malicious registration for promotion abuse ("wool pulling"), the historical alarm information can be judged high-risk, and the decision result is to blacklist or freeze the alarm account named in it.
S2: Determine N information features from the historical alarm information, and construct, based on the determined information features, the information feature vector corresponding to the historical alarm information, where N is a positive integer.
Specifically, historical alarm information includes, but is not limited to, the alarm system, alarm type, abnormal IP address, contact information, alarm account and abnormal data. Information features are the data in the historical alarm information that relate to the operational risk of the user's actions in the business system. For example, the alarm system and alarm type may be designated as information features while the contact information is not, but the choice is not limited to this; the information features can be set according to the needs of the actual application and are not restricted here.
Based on the determined information features, the server converts the data corresponding to those features in the historical alarm information into vector form and constructs the information feature vector for the historical alarm information, where each piece of historical alarm information corresponds to one information feature vector.
For example, the information feature vector may be set to $Y=(X_1, X_2, X_3, \ldots, X_N)$, where $Y$ is the information feature vector, $X_1$ is the alarm system, $X_2$ is the alarm type, $X_3$ is the abnormal IP address, and $X_N$ is the N-th information feature. N is a positive integer and may be 5 or 10, for example; it is not restricted here.
It will be understood that the server determines information features in N dimensions from the historical alarm information in the historical data and trains the machine learning model on the data corresponding to those N dimensions. It does not need to learn from and analyze every item of data in the historical alarm information, which avoids an overly complex or poorly targeted model caused by too many training features.
S3: Use the information features in the information feature vector as split nodes to classify the information feature vectors, and use the historical decision records corresponding to the historical alarm information as leaf nodes to train a decision tree, obtaining a trained decision tree.
Specifically, the server processes the information feature vectors with a preset decision tree algorithm in order to train a decision tree. The preset decision tree algorithm is a machine learning algorithm for classifying data. During training, the server uses each information feature in the information feature vector as a split node and classifies the information feature vectors. Once every information feature has been used as a split node and none remains to divide the information feature vectors further, the server uses the historical decision records corresponding to the historical alarm information as leaf nodes, generating the corresponding leaf node for each information feature vector, and obtains the trained decision tree. Here, a leaf node is a bottom-most node of the decision tree; a leaf node has no child nodes, and each information feature vector corresponds to one historical decision record.
To make this step easier to understand, a concrete decision tree training process is described below as an example.
As shown in FIG. 3, take information feature vectors A, B and C as an example: information feature vector A = (alarm system 1, alarm type 1), information feature vector B = (alarm system 1, alarm type 2), and information feature vector C = (alarm system 2, alarm type 1). Information feature vector A corresponds to historical decision record A, information feature vector B to historical decision record B, and information feature vector C to historical decision record C. Specifically, the server takes the historical alarm information as the root node and classifies and learns from the corresponding information feature vectors A, B and C. It first uses the alarm system as the split node to classify the three vectors: information feature vectors A and B both belong to the historical alarm information of alarm system 1, and information feature vector C belongs to the historical alarm information of alarm system 2. It then uses the alarm type as the split node to classify information feature vectors A, B and C. After splitting stops, the historical decision records corresponding to the information feature vectors are used as leaf nodes, completing the training of the decision tree and producing the decision tree shown in FIG. 3.
S4: Acquire the real-time alarm information generated by the preset big data system.
Specifically, the preset big data system is the collection of risk control models built in advance by the enterprise or institution, and each risk control model monitors users' operations in the corresponding business system. Real-time alarm information is the alarm that a risk control model triggers when it detects operational risk in the business system. It includes, but is not limited to, the alarm system, alarm type, abnormal IP address, contact information, alarm account and abnormal data.
It should be noted that, in order to control and manage the operational risk of all business systems, the enterprise or institution builds a corresponding risk control model for each business system in advance and so builds its big data system in advance. As the business of the enterprise or institution expands, risk control models are added to the preset big data system to monitor the operational risk of new business systems, which means that new types of alarm information may appear in the real-time alarm information.
S5: Use a preset classification algorithm to calculate the similarity between the real-time alarm information and each piece of historical alarm information, obtain the similarity between the real-time alarm information and each piece of historical alarm information, and select, from those similarities, the historical alarm information corresponding to the maximum similarity.
Here, the preset classification algorithm is a statistical classification method that uses knowledge of probability and statistics to classify. It can analyze the features or attributes of the data and assign the data to an existing category. The preset classification algorithm includes, but is not limited to, the naive Bayes classification algorithm, the k-nearest-neighbor method and the fuzzy classification method, and can be set according to the needs of the actual application.
Specifically, the preset classification algorithm is used to calculate the similarity between the real-time alarm information and each piece of historical alarm information. The similarity algorithm may be the cosine similarity algorithm or the Euclidean distance algorithm, for example. The higher the similarity between the real-time alarm information and a piece of historical alarm information, the more similar the alarm content of that historical alarm information is to the alarm content of the real-time alarm information. The historical alarm information corresponding to the maximum similarity is then selected, and the real-time alarm information is assigned to the category of the selected historical alarm information.
S6: Input the selected historical alarm information into the trained decision tree for decision-making, and output the decision record produced by the trained decision tree to the client as the decision result for the real-time alarm information.
Specifically, the server inputs the selected historical alarm information into the trained decision tree for decision-making. The alarm content of this historical alarm information is the closest to the alarm content of the real-time alarm information. In the trained decision tree, the server matches the information features of the historical alarm information level by level, starting from the root node, and obtains the corresponding historical decision record at a leaf node. This path from the root node to the leaf node is the trained decision tree's category prediction and decision for the real-time alarm information. The server outputs the historical decision record to the client as the decision result for the real-time alarm information so that staff can review it. Operational risks in each business system are thus decided automatically in real time, improving the efficiency of alarm decisions and of risk management and control.
In the embodiment corresponding to FIG. 2, historical data including historical alarm information and historical decision records is acquired from the knowledge base of a preset big data system so that the historical data can be analyzed. Information features are determined from the historical alarm information and the corresponding information feature vectors are constructed, which avoids an overly complex or poorly targeted model caused by too many training features. A preset decision tree algorithm then processes the information feature vectors, using them as training data to train a decision tree and obtain a trained decision tree. Finally, the real-time alarm information generated by the big data system is acquired, a classification algorithm calculates its similarity to the historical alarm information, and the historical alarm information most similar to the real-time alarm information is input into the decision tree to obtain the decision result for the real-time alarm information. By collecting the alarm information and decision records for risks in each business system of the big data system, and by using a supervised machine learning algorithm to learn from and generalize the historical data, the approach addresses the insufficient sharing and reuse of decision results between different business systems. It can therefore analyze and decide on real-time alarm information generated by the risk control models of different business systems, automate decisions on the operational risk of business systems, and improve the efficiency with which enterprises and institutions make decisions on business system alarm information.
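The following Python example is added here as an illustration and is not code from the patent. It runs the FIG. 3 walk-through through steps S3, S5 and S6: it builds the tree from information feature vectors A, B and C, scores a real-time alarm against every historical alarm with cosine similarity, and reads the decision record of the closest match from the tree. The field names, the one-hot encoding used to make the categorical features comparable, and the choice to return every tied best match are assumptions of this example.

```python
import math

# Split order used in the FIG. 3 walk-through: alarm system first, then alarm type.
FEATURES = ["alarm_system", "alarm_type"]

# Constructed history mirroring information feature vectors A, B and C from the text.
HISTORY = [
    ({"alarm_system": "system 1", "alarm_type": "type 1"}, "decision record A"),
    ({"alarm_system": "system 1", "alarm_type": "type 2"}, "decision record B"),
    ({"alarm_system": "system 2", "alarm_type": "type 1"}, "decision record C"),
]


def train_tree(samples, features):
    """S3: split on each feature in turn; once none is left, store the decision record."""
    if not features:
        return {"leaf": samples[0][1]}
    feature, rest = features[0], features[1:]
    groups = {}
    for alert, decision in samples:
        groups.setdefault(alert[feature], []).append((alert, decision))
    return {
        "split": feature,
        "children": {value: train_tree(group, rest) for value, group in groups.items()},
    }


def decide(tree, alert):
    """S6: match the alert's features level by level from the root down to a leaf."""
    node = tree
    while "leaf" not in node:
        node = node["children"][alert[node["split"]]]
    return node["leaf"]


def one_hot(alert, vocabulary):
    """Assumed encoding: one dimension per (feature, value) pair seen in the history."""
    return [1.0 if alert.get(feature) == value else 0.0 for feature, value in vocabulary]


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def decide_realtime(realtime, history=HISTORY):
    """S5 + S6: return the best similarity and the decision of every alert that reaches it."""
    tree = train_tree(history, FEATURES)
    vocabulary = sorted({(f, alert[f]) for alert, _ in history for f in FEATURES})
    target = one_hot(realtime, vocabulary)
    scores = [cosine(target, one_hot(alert, vocabulary)) for alert, _ in history]
    best = max(scores)
    nearest = [alert for (alert, _), s in zip(history, scores) if abs(s - best) < 1e-9]
    return best, [decide(tree, alert) for alert in nearest]


if __name__ == "__main__":
    # An alarm identical to vector B, then one from a system absent from the history.
    print(decide_realtime({"alarm_system": "system 1", "alarm_type": "type 2"}))
    print(decide_realtime({"alarm_system": "system 3", "alarm_type": "type 1"}))
```

The second call shows why the similarity is worth returning with the decision: an alarm from a system absent from the history matches A and C equally at about 0.71, so the maximum-similarity rule alone does not pick one decision record.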
In an embodiment, the decision method for alarm information provided in this embodiment may also normalize the information feature vectors, as described in detail below:
As shown in FIG. 4, after step S2 and before step S3, the decision method for alarm information further includes the following steps:
S21: Assign corresponding identification information to the information feature vector according to preset classification conditions.
Specifically, the preset classification conditions are used to convert the content of each information feature into a specific value. They include the feature value intervals preset for each information feature and the identification information corresponding to each feature value interval. The server assigns the corresponding identification information to the information feature vector according to the preset classification conditions, obtaining the identification information for each information feature in the vector. The preset classification conditions may be set based on historical experience or on the data distribution of the specific information features, among other options, and are not restricted here.
To make this step easier to understand, the feature value intervals of specific information features and the identification information corresponding to those intervals are described below as an example. Table 1 shows the classification conditions, that is, the feature value intervals of each information feature and the corresponding identification information.
Table 1
Figure PCTCN2020098826-appb-000001
Table 1 shows the feature value intervals and identification information for two information features, the alarm system and the alarm type. The alarm systems include the policy system, the claims system and the financial system; the alarm types include cross-regional login, high-frequency operation of the system, and malicious registration. The identifiers 1, 2 and 3 correspond to the policy system, the claims system and the financial system respectively, and A, B1, B2, C1 and C2 correspond to cross-regional login, high-frequency operation of the system (daytime), high-frequency operation of the system (night), malicious registration (small volume) and malicious registration (large volume) respectively.
With the preset classification conditions set out in Table 1, the server can assign the corresponding identification information to an information feature vector according to the content of each information feature in it. For example, if information feature vector T is (policy system, cross-regional login), then after identification information is assigned, information feature vector T is (1, A).
S22: Normalize the information feature vector to which identification information has been assigned.
Specifically, normalization is a processing method that maps the identification information into a numerical interval through a function transformation. The server may convert the identification information into specific values and scale those values by a preset ratio until they fall within the interval [0, 1]. Because the information features in the information feature vector differ in their degree of risk, the server may assign each information feature a value according to its importance to the operational risk of the business system; the larger the value the server assigns to an information feature, the greater the risk carried by the content corresponding to that feature.
In the embodiment corresponding to FIG. 4, identification information is assigned to the information feature vectors according to preset classification conditions, and the vectors with assigned identification information are normalized. The information feature vectors are thereby quantified as specific values that fall within a fixed interval, which makes the data easier for the computer to recognize and process and improves the efficiency of building the decision tree.
In an embodiment, after the normalization in step S22 of the information feature vector with identifiers assigned, and before step S3 (using the information features in the information feature vector as split nodes, classifying the information feature vectors, and training a decision tree with the historical decision records corresponding to the historical alarm information as leaf nodes to obtain a trained decision tree), the alarm information processing method further includes:
Screening the normalized information feature vectors: if two or more identical information feature vectors are detected, any one of them is retained and the rest are deleted.
Specifically, if multiple identical information feature vectors are detected, any one of them is retained and the others are deleted, which removes training samples whose information feature vectors are completely identical.
For example, the normalized information feature vectors Y1 and Y2 are: Y1 = (X11, X12, X13, X14, X15, X16, X17, X18), Y2 = (X21, X22, X23, X24, X25, X26, X27, X28). If the information features of Y1 and Y2 are exactly the same, only one of the two information feature vectors needs to be retained, and the other is deleted.
In this embodiment, the normalized information feature vectors are screened so that only one of any set of identical vectors is retained and the rest are deleted, and the screened vectors are used to train the machine learning model, which improves the quality of the training data.
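The identifier assignment, normalization (S22) and duplicate screening described above can be sketched as follows. This is an added example, not code from the patent: the identifiers come from Table 1, while the raw risk values, the scaling ratio (1/max), the sample decisions and all function names are assumptions. It also reports the case where identical vectors carry different historical decisions, which "keep any one" silently discards.

```python
from collections import defaultdict

# Identifiers as listed in Table 1 of the page.
SYSTEM_IDS = {"policy system": "1", "claims system": "2", "financial system": "3"}
TYPE_IDS = {
    "cross-region login": "A",
    "high-frequency system operation (daytime)": "B1",
    "high-frequency system operation (night)": "B2",
    "malicious registration (small volume)": "C1",
    "malicious registration (large volume)": "C2",
}

# ASSUMPTION: raw risk values per identifier. The page only states that a
# larger value means greater risk; these numbers are constructed.
SYSTEM_RISK = {"1": 2, "2": 3, "3": 5}
TYPE_RISK = {"B1": 1, "A": 2, "B2": 3, "C1": 4, "C2": 5}


def assign_identifiers(system, alarm_type):
    """Map the textual features to their Table 1 identifiers."""
    try:
        return SYSTEM_IDS[system], TYPE_IDS[alarm_type]
    except KeyError as exc:
        # An unmapped value must not fall through as a silent default.
        raise ValueError(f"no classification condition for {exc.args[0]!r}") from None


def normalize(identified):
    """Convert identifiers to risk values and scale them into [0, 1].

    ASSUMPTION: the preset ratio is 1/max of each feature's risk table.
    """
    system_id, type_id = identified
    return (
        round(SYSTEM_RISK[system_id] / max(SYSTEM_RISK.values()), 4),
        round(TYPE_RISK[type_id] / max(TYPE_RISK.values()), 4),
    )


def deduplicate(samples):
    """Keep the first sample of each identical vector, as the page describes.

    Also returns the vectors whose duplicates disagreed on the decision, so
    the dropped label information is visible before training.
    """
    kept = {}
    decisions = defaultdict(set)
    for vector, decision in samples:
        kept.setdefault(vector, decision)
        decisions[vector].add(decision)
    conflicts = {v: sorted(d) for v, d in decisions.items() if len(d) > 1}
    return list(kept.items()), conflicts


# Constructed historical records: (alarm system, alarm type, historical decision).
HISTORY = [
    ("policy system", "cross-region login", "require re-authentication"),
    ("policy system", "cross-region login", "require re-authentication"),
    ("financial system", "malicious registration (large volume)", "freeze account"),
    ("claims system", "high-frequency system operation (night)", "rate-limit account"),
    ("claims system", "high-frequency system operation (night)", "freeze account"),
]


def build_training_set(history):
    """Run assignment, normalization and screening over historical records."""
    samples = [(normalize(assign_identifiers(s, t)), d) for s, t, d in history]
    return deduplicate(samples)


if __name__ == "__main__":
    kept, conflicts = build_training_set(HISTORY)
    for vector, decision in kept:
        print(vector, decision)
    print("conflicting duplicates:", conflicts)
```
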
In an embodiment, the historical alarm information includes an alarm account, and the alarm information decision method provided in this embodiment can also obtain the historical data corresponding to the alarm account and output it to the client, as detailed below:
As shown in FIG. 5, after step S4, the alarm information decision method further includes the following steps:
S41: Obtain the alarm account from the real-time alarm information.
Specifically, the real-time alarm information includes an alarm account, which is an account whose operations in the business system are abnormal. The server obtains the alarm account from the real-time alarm information and thereby identifies the account with abnormal operations in the business system.
S42: If the alarm account from the real-time alarm information is found in the knowledge base, output the historical data corresponding to that alarm account to the client.
Specifically, the knowledge base is the database in the preset big data system that stores historical data. The server uses the alarm account obtained from the real-time alarm information to query the knowledge base for whether that account has previously triggered historical alarm information. If the historical alarm information stored in the knowledge base includes entries for that alarm account, the server retrieves the account's historical alarm information and the corresponding historical decision records and outputs them to the client, so that risk control analysts can take them into account when analyzing and deciding on the real-time alarm information. This makes the decision more targeted and improves decision accuracy for real-time alarm information.
In the embodiment corresponding to FIG. 5, the alarm account is obtained from the real-time alarm information, and when that account is found in the knowledge base, the historical data corresponding to it is output to the client. Risk control analysts can then combine the account's historical alarm information and historical decision records when analyzing and deciding on the real-time alarm information, which makes the decision more targeted and improves decision accuracy for real-time alarm information.
In an embodiment, after step S6 (inputting the selected historical alarm information into the trained decision tree for decision-making, and outputting the decision record produced by the trained decision tree to the client as the decision result for the real-time alarm information), the alarm information processing method further includes:
Sending the real-time alarm information and its decision result to a preset information receiving address according to a preset template.
In this embodiment, the preset template is a template set in advance for presenting the real-time alarm information and its decision result. It includes, but is not limited to, templates in document and table formats; the specific template can be set as the actual situation requires and is not limited here. The preset information receiving address is the communication address at which risk control analysts receive the abnormality alarms issued by the risk control model when a risk event occurs. It may be an e-mail address, an SMS address or the like, and is not limited here.
Specifically, the server sends the real-time alarm information and its decision result to the preset information receiving address according to the preset template, so that risk control analysts can obtain them promptly, analyze the real-time alarm information further, and look for the causes of frequently recurring abnormalities. In addition, if a risk control analyst needs to adjust the decision result for the real-time alarm information, the analyst can correct it as the actual settings require, which improves the accuracy of decisions on alarm information.
In this embodiment, sending the real-time alarm information and its decision result to the preset information receiving address according to the preset template lets the relevant staff obtain them promptly, review and confirm the result of the automated decision, and, when the decision result needs adjusting, correct it in time as the actual settings require, which improves the accuracy of decisions on real-time alarm information.
In an embodiment, the alarm information decision method provided in this embodiment can also obtain and output the historical decision records corresponding to similar alarm information according to the alarm type of the real-time alarm information, as detailed below:
As shown in FIG. 5, after step S6, the alarm information decision method further includes the following steps:
S61: Determine the alarm type of the real-time alarm information from the real-time alarm information.
Specifically, the real-time alarm information includes an alarm type, and the server can determine the alarm type from the real-time alarm information.
S62: Obtain from the knowledge base the historical alarm information whose alarm type is the same as that of the real-time alarm information, as similar alarm information.
Specifically, according to the alarm type of the real-time alarm information, the server queries the knowledge base for historical alarm information of the same alarm type and takes the matching historical alarm information as similar alarm information.
S63: Output the historical decision records corresponding to the similar alarm information to the client in a preset order.
In this embodiment, the preset order may be descending order of the number of alarms of the historical alarm information, or chronological order of the alarm times of the historical alarm information, and so on. The specific output order of the historical decision records can be set as the actual application requires and is not limited here.
Specifically, the server outputs the historical decision records corresponding to the similar alarm information to the client in the preset order, giving risk control analysts relevant decision records for reference. This assists the decision process for real-time alarm information and helps less experienced risk control analysts improve their decision-making. Moreover, if risk control analysts find that the server's decision result is in error, they can select the correct decision result from the historical decision records output to the client to handle the real-time alarm information, thereby obtaining the decision result best suited to it and further improving decision accuracy for real-time alarm information.
In the embodiment corresponding to FIG. 6, the alarm type of the real-time alarm information is determined, historical alarm information of the same alarm type is obtained from the knowledge base as similar alarm information, and the corresponding historical decision records are output to the client in a preset order. This makes full use of the historical data stored in the knowledge base, provides relevant decision records for risk control analysts to consult, and helps less experienced analysts improve their decision-making. It also makes it easier for risk control analysts to review and correct the results of automatic decisions, improving both the speed and the accuracy of decisions on real-time alarm information.
In an embodiment, the alarm information decision method provided in this embodiment can also collect the real-time alarm information and its corresponding decision result as a new sample, and use the new samples to incrementally train the decision tree, as detailed below:
As shown in FIG. 7, after step S63, the alarm information decision method further includes the following steps:
S71: If the decision result has not been changed within a preset time, save the real-time alarm information and the decision result to the knowledge base as a new sample.
The preset time is the period during which risk control analysts review the result of the automatic decision. It may be within five minutes, or within ten minutes, after the decision result is output to the client, but is not limited to these values and can be set as the actual application requires.
Specifically, if the decision result output to the client has not been changed within the preset time, the server assumes by default that the output decision result resolves the operational risk present in the real-time alarm information, and saves the real-time alarm information and the decision result to the knowledge base as a new sample.
S72: If the decision result is changed within the preset time, receive the changed decision result sent by the client, and save the real-time alarm information and the changed decision result to the knowledge base as a new sample.
Specifically, a change to the decision result within the preset time means that the decision result output after the server analyzed the real-time alarm information does not adequately resolve the operational risk present in that information. The risk control analyst modifies the decision result output by the server and enters a new decision result to resolve the operational risk. The server then receives the changed decision result sent by the client and saves the real-time alarm information and the changed decision result to the knowledge base as a new sample. It can be understood that the changed decision result is the decision result that the risk control analyst re-enters for the real-time alarm information after analyzing it and reviewing the server's automatic decision result.
S73: Use the new samples to incrementally train the trained decision tree to obtain a new decision tree.
Specifically, the server uses the new samples to incrementally train the trained decision tree. Incremental training is model training that optimizes the already trained decision tree. It makes full use of the tree's previous training results, reduces the training time of subsequent models, and avoids reprocessing historical data that has already been used for training. The decision tree thereby learns the knowledge features of more alarm information and decision records, which improves its ability to adapt to new alarm information and its decision accuracy.
In the embodiment corresponding to FIG. 7, new samples are obtained and saved to the knowledge base and are used to incrementally train the trained decision tree to obtain a new decision tree. The new decision tree learns the knowledge features of more alarm information and decision records, which optimizes the trained decision tree and improves the new tree's generalization to new alarm information and its decision accuracy.
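The review-window logic of steps S71 and S72 can be sketched as below, producing the batch of new samples that step S73 would train on. This is an added example, not code from the patent: the class and field names, the constructed alarms and decisions, the `source` provenance field, and the rule that a change arriving after the window is rejected are all assumptions. Time is passed in explicitly so the behaviour is deterministic.

```python
from dataclasses import dataclass
from typing import Optional

# The page gives five or ten minutes as examples of the preset time.
REVIEW_WINDOW_SECONDS = 300


@dataclass
class PendingDecision:
    alarm: dict
    auto_decision: str
    issued_at: float
    analyst_decision: Optional[str] = None


class FeedbackCollector:
    """Collects new training samples from automatic decisions under review."""

    def __init__(self, window=REVIEW_WINDOW_SECONDS):
        self.window = window
        self.pending = {}          # alarm_id -> PendingDecision
        self.knowledge_base = []   # finalized new samples

    def issue(self, alarm_id, alarm, auto_decision, now):
        """Record a decision result at the moment it is output to the client."""
        self.pending[alarm_id] = PendingDecision(alarm, auto_decision, now)

    def analyst_change(self, alarm_id, new_decision, now):
        """S72: accept a changed decision sent by the client within the window.

        ASSUMPTION: changes for unknown alarms or after the window are rejected.
        """
        entry = self.pending.get(alarm_id)
        if entry is None or now - entry.issued_at > self.window:
            return False
        entry.analyst_decision = new_decision
        return True

    def finalize_expired(self, now):
        """Turn every decision whose review window has closed into a sample."""
        batch = []
        for alarm_id in sorted(self.pending):
            entry = self.pending[alarm_id]
            if now - entry.issued_at <= self.window:
                continue  # still under review
            changed = (entry.analyst_decision is not None
                       and entry.analyst_decision != entry.auto_decision)
            batch.append({
                "alarm_id": alarm_id,
                "alarm": entry.alarm,
                # S72 keeps the analyst's decision, S71 keeps the automatic one.
                "decision": entry.analyst_decision if changed else entry.auto_decision,
                # ASSUMPTION: provenance is kept so labels accepted only by
                # silence can be told apart from analyst-entered ones.
                "source": "analyst_changed" if changed else "unchanged_in_window",
            })
            del self.pending[alarm_id]
        self.knowledge_base.extend(batch)
        return batch


def demo():
    """Constructed scenario: three alarms, one corrected by an analyst."""
    collector = FeedbackCollector()
    collector.issue("a1", {"system": "policy system", "type": "cross-region login"},
                    "require re-authentication", now=0)
    collector.issue("a2", {"system": "claims system",
                           "type": "high-frequency system operation (night)"},
                    "rate-limit account", now=0)
    collector.issue("a3", {"system": "financial system",
                           "type": "malicious registration (large volume)"},
                    "freeze account", now=200)
    collector.analyst_change("a2", "freeze account", now=120)
    batch = collector.finalize_expired(now=301)   # a3 is still under review
    return collector, batch


if __name__ == "__main__":
    for sample in demo()[1]:
        print(sample["alarm_id"], sample["decision"], sample["source"])
```
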
It should be understood that the sequence numbers of the steps in the above embodiments do not imply an order of execution. The execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation of the embodiments of this application.
In an embodiment, an alarm information decision apparatus is provided, which corresponds one-to-one with the alarm information decision method in the above embodiments. As shown in FIG. 8, the alarm information decision apparatus includes: a data acquisition module 81, a vector construction module 82, a decision tree training module 83, an information receiving module 84, an information classification module 85 and an intelligent decision module 86. The functional modules are described in detail as follows:
The data acquisition module 81 is configured to obtain historical data from the knowledge base of a preset big data system, where the historical data includes historical alarm information and the historical decision records corresponding to the historical alarm information;
The vector construction module 82 is configured to determine N information features from the historical alarm information and to construct the information feature vector corresponding to the historical alarm information based on the determined information features, where N is a positive integer;
The decision tree training module 83 is configured to use the information features in the information feature vector as split nodes, classify the information feature vectors, and train a decision tree with the historical decision records corresponding to the historical alarm information as leaf nodes, to obtain a trained decision tree;
The information receiving module 84 is configured to obtain the real-time alarm information generated by the preset big data system;
The information classification module 85 is configured to use a preset classification algorithm to calculate the similarity between the real-time alarm information and each piece of historical alarm information, and to select, from those similarities, the historical alarm information corresponding to the maximum similarity;
The intelligent decision module 86 is configured to input the selected historical alarm information into the trained decision tree for decision-making, and to output the decision record produced by the trained decision tree to the client as the decision result for the real-time alarm information.
Further, the alarm information decision apparatus also includes:
The data classification module 821, configured to assign corresponding identifiers to the information feature vector according to preset classification conditions;
The data processing module 822, configured to normalize the information feature vector to which identifiers have been assigned.
Further, the alarm information decision apparatus also includes:
The data screening module 823, configured to screen the normalized information feature vectors and, if two or more identical information feature vectors are detected, to retain any one of them and delete the rest.
Further, the historical alarm information includes an alarm account, and the alarm information decision apparatus also includes:
The account acquisition module 841, configured to obtain the alarm account from the real-time alarm information;
The information output module 842, configured to output the historical data corresponding to the alarm account to the client if the alarm account from the real-time alarm information is found in the knowledge base.
Further, the alarm information decision apparatus also includes:
The information sending module 860, configured to send the real-time alarm information and its decision result to a preset information receiving address according to a preset template.
Further, the alarm information decision apparatus also includes:
The type query module 861, configured to determine the alarm type of the real-time alarm information from the real-time alarm information;
The information acquisition module 862, configured to obtain from the knowledge base the historical alarm information whose alarm type is the same as that of the real-time alarm information, as similar alarm information;
The auxiliary decision module 863, configured to output the historical decision records corresponding to the similar alarm information to the client in a preset order.
Further, the alarm information decision apparatus also includes:
The first storage module 871, configured to save the real-time alarm information and the decision result to the knowledge base as a new sample if the decision result has not been changed within a preset time;
The second storage module 872, configured to receive the changed decision result sent by the client if the decision result is changed within the preset time, and to save the real-time alarm information and the changed decision result to the knowledge base as a new sample;
The incremental training module 873, configured to use the new samples to incrementally train the trained decision tree to obtain a new decision tree.
For the specific limitations of the alarm information decision apparatus, refer to the limitations of the alarm information decision method above, which are not repeated here. Each module of the alarm information decision apparatus may be implemented in whole or in part by software, hardware, or a combination of the two. The modules may be embedded in hardware form in, or be independent of, the processor of the computer device, or may be stored in software form in the memory of the computer device, so that the processor can call them and perform the operations corresponding to each module.
In one embodiment, a computer device is provided. The computer device may be a server, and its internal structure may be as shown in FIG. 9. The computer device includes a processor, a memory, a network interface and a database connected through a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program and a database. The internal memory provides an environment for running the operating system and the computer program stored in the non-volatile storage medium. The network interface of the computer device is used to communicate with external terminals over a network connection. When executed by the processor, the computer program implements an alarm information decision method whose steps include: obtaining historical data from the knowledge base of a preset big data system, where the historical data includes historical alarm information and the historical decision records corresponding to the historical alarm information; determining N information features from the historical alarm information and constructing the information feature vector corresponding to the historical alarm information based on the determined information features, where N is a positive integer; using the information features in the information feature vector as split nodes, classifying the information feature vectors, and training a decision tree with the historical decision records corresponding to the historical alarm information as leaf nodes, to obtain a trained decision tree; obtaining the real-time alarm information generated by the preset big data system; using a preset classification algorithm to calculate the similarity between the real-time alarm information and each piece of historical alarm information, and selecting, from those similarities, the historical alarm information corresponding to the maximum similarity; and inputting the selected historical alarm information into the trained decision tree for decision-making, and outputting the decision record produced by the trained decision tree to the client as the decision result for the real-time alarm information.
In one embodiment, a computer device is provided, including a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, it implements the steps of the alarm information decision method in the above embodiments, for example steps S1 to S6 shown in FIG. 2; alternatively, when the processor executes the computer program, it implements the functions of the modules of the alarm information decision apparatus in the above embodiments, for example the functions of modules 81 to 86 shown in FIG. 8. To avoid repetition, details are not repeated here.
In one embodiment, a computer-readable storage medium is provided. The storage medium is a volatile or non-volatile storage medium on which a computer program is stored. When executed by a processor, the computer program implements an alarm information decision method comprising: acquiring historical data from the knowledge base of a preset big data system, where the historical data includes historical alarm information and the historical decision records corresponding to the historical alarm information; determining N information features according to the historical alarm information, and constructing the information feature vector corresponding to the historical alarm information based on the determined information features, where N is a positive integer; using the information features in the information feature vector as split nodes to classify the information feature vector, and performing decision tree training with the historical decision records corresponding to the historical alarm information as leaf nodes, to obtain a trained decision tree; acquiring real-time alarm information generated by the preset big data system; using a preset classification algorithm to calculate the similarity between the real-time alarm information and each item of historical alarm information, obtaining the similarity between the real-time alarm information and each item of historical alarm information, and selecting, from those similarities, the historical alarm information corresponding to the greatest similarity; inputting the selected historical alarm information into the trained decision tree for a decision, and outputting the decision record produced by the trained decision tree to the client as the decision result of the real-time alarm information.
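The method in the paragraph above, together with the normalization and duplicate-removal steps that the claims place before training, as an added Python example (not code from the patent). The alarm fields `type`, `level` and `count`, the decision labels, the one-hot and min-max encoding, the Gini split criterion and the similarity measure 1 / (1 + Euclidean distance) are all assumptions; the page only says "preset classification algorithm".

```python
import math
from collections import Counter

# Constructed knowledge base: (historical alarm, historical decision record).
HISTORY = [
    ({"type": "login_failure", "level": 1, "count": 3}, "ignore"),
    ({"type": "login_failure", "level": 1, "count": 3}, "ignore"),  # duplicate
    ({"type": "login_failure", "level": 3, "count": 40}, "lock_account"),
    ({"type": "disk_usage", "level": 2, "count": 1}, "expand_storage"),
    ({"type": "disk_usage", "level": 3, "count": 5}, "expand_storage"),
    ({"type": "port_scan", "level": 2, "count": 15}, "block_source"),
    ({"type": "port_scan", "level": 3, "count": 60}, "block_source"),
]
TYPES = sorted({alarm["type"] for alarm, _ in HISTORY})

def raw_vector(alarm):
    """N = 5 features: one-hot alarm type (all zeros if unseen), level, count."""
    one_hot = [1.0 if alarm["type"] == t else 0.0 for t in TYPES]
    return one_hot + [float(alarm["level"]), float(alarm["count"])]

def fit_bounds(rows):
    """Per-feature (min, max) taken from the historical vectors."""
    return [(min(col), max(col)) for col in zip(*rows)]

def normalize(row, bounds):
    """Min-max scaling; a constant feature maps to 0.0."""
    return tuple((v - lo) / (hi - lo) if hi > lo else 0.0
                 for v, (lo, hi) in zip(row, bounds))

def dedupe(samples):
    """Keep one of each identical feature vector (the first seen)."""
    seen, kept = set(), []
    for vec, decision in samples:
        if vec not in seen:
            seen.add(vec)
            kept.append((vec, decision))
    return kept

def gini(labels):
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())

def train_tree(samples):
    """Features become split nodes, decision records become leaves."""
    labels = [d for _, d in samples]
    if len(set(labels)) == 1:
        return labels[0]
    best = None
    for f in range(len(samples[0][0])):
        values = sorted({vec[f] for vec, _ in samples})
        for lo, hi in zip(values, values[1:]):
            t = (lo + hi) / 2
            left = [s for s in samples if s[0][f] <= t]
            right = [s for s in samples if s[0][f] > t]
            score = (len(left) * gini([d for _, d in left])
                     + len(right) * gini([d for _, d in right]))
            if best is None or score < best[0]:
                best = (score, f, t, left, right)
    if best is None:  # identical vectors, conflicting records: majority leaf
        return Counter(labels).most_common(1)[0][0]
    _, f, t, left, right = best
    return (f, t, train_tree(left), train_tree(right))

def predict(tree, vec):
    while isinstance(tree, tuple):
        f, t, left, right = tree
        tree = left if vec[f] <= t else right
    return tree

def similarity(a, b):
    """Assumed measure: 1 / (1 + Euclidean distance), in (0, 1]."""
    return 1.0 / (1.0 + math.dist(a, b))

def build(history):
    raws = [raw_vector(alarm) for alarm, _ in history]
    bounds = fit_bounds(raws)
    samples = dedupe([(normalize(r, bounds), d)
                      for r, (_, d) in zip(raws, history)])
    return bounds, samples, train_tree(samples)

def decide(alarm, bounds, samples, tree):
    """Return (decision record, similarity of the best historical match)."""
    vec = normalize(raw_vector(alarm), bounds)
    score, nearest = max((similarity(vec, h), h) for h, _ in samples)
    return predict(tree, nearest), score

if __name__ == "__main__":
    model = build(HISTORY)
    print(decide({"type": "login_failure", "level": 3, "count": 35}, *model))
    print(decide({"type": "dns_tunnel", "level": 3, "count": 45}, *model))
```

An alarm type absent from the knowledge base still receives the record of its nearest historical match; with this encoding its similarity is at most 0.5, which is the value a caller can check before acting on the result.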
A person of ordinary skill in the art will understand that all or part of the processes of the methods in the above embodiments can be carried out by a computer program instructing the relevant hardware. The computer program can be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the method embodiments described above. Any reference to memory, storage, a database or other media used in the embodiments provided in this application may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM).
Those skilled in the art will clearly understand that, for convenience and brevity of description, only the division into the functional units and modules above is used as an example. In practical applications, the above functions can be assigned to different functional units and modules as required; that is, the internal structure of the apparatus is divided into different functional units or modules to complete all or part of the functions described above.

Claims (20)

  1. An alarm information decision method, wherein the alarm information decision method comprises:
    acquiring historical data from the knowledge base of a preset big data system, wherein the historical data includes historical alarm information and historical decision records corresponding to the historical alarm information;
    determining N information features according to the historical alarm information, and constructing an information feature vector corresponding to the historical alarm information based on the determined information features, wherein N is a positive integer;
    using the information features in the information feature vector as split nodes to classify the information feature vector, and performing decision tree training with the historical decision records corresponding to the historical alarm information as leaf nodes, to obtain a trained decision tree;
    acquiring real-time alarm information generated by the preset big data system;
    using a preset classification algorithm to calculate the similarity between the real-time alarm information and each item of the historical alarm information, obtaining the similarity between the real-time alarm information and each item of the historical alarm information, and selecting, from those similarities, the historical alarm information corresponding to the greatest similarity;
    inputting the selected historical alarm information into the trained decision tree for a decision, and outputting the decision record produced by the trained decision tree to a client as the decision result of the real-time alarm information.
  2. The alarm information decision method according to claim 1, wherein, after the determining of N information features according to the historical alarm information and the constructing of an information feature vector corresponding to the historical alarm information based on the determined information features, and before the using of the information features in the information feature vector as split nodes to classify the information feature vector and the performing of decision tree training with the historical decision records corresponding to the historical alarm information as leaf nodes to obtain a trained decision tree, the alarm information decision method further comprises:
    assigning corresponding identification information to the information feature vector according to preset classification conditions;
    normalizing the information feature vector to which the identification information has been assigned.
  3. The alarm information decision method according to claim 2, wherein, after the normalizing of the information feature vector to which the identification information has been assigned, and before the using of the information features in the information feature vector as split nodes to classify the information feature vector and the performing of decision tree training with the historical decision records corresponding to the historical alarm information as leaf nodes to obtain a trained decision tree, the alarm information decision method further comprises:
    screening the normalized information feature vectors and, if two or more identical information feature vectors are detected, retaining any one of the identical information feature vectors and deleting the rest.
  4. The alarm information decision method according to claim 1, wherein the historical alarm information includes an alarm account, and after the acquiring of real-time alarm information generated by the preset big data system, the alarm information decision method further comprises:
    acquiring the alarm account in the real-time alarm information;
    if the alarm account in the real-time alarm information is found in the knowledge base, outputting the historical data corresponding to the found alarm account to the client.
  5. The alarm information decision method according to claim 1, wherein, after the inputting of the selected historical alarm information into the trained decision tree for a decision and the outputting of the decision record produced by the trained decision tree to the client as the decision result of the real-time alarm information, the alarm information decision method further comprises:
    sending the real-time alarm information and the decision result of the real-time alarm information to a preset information receiving address according to a preset template.
  6. The alarm information decision method according to claim 1, wherein, after the inputting of the selected historical alarm information into the trained decision tree for a decision and the outputting of the decision record produced by the trained decision tree to the client as the decision result of the real-time alarm information, the alarm information decision method further comprises:
    determining the alarm type of the real-time alarm information according to the real-time alarm information;
    acquiring, from the knowledge base, the historical alarm information having the same alarm type as the real-time alarm information as similar alarm information;
    outputting the historical decision records corresponding to the similar alarm information to the client in a preset order.
  7. The alarm information decision method according to claim 6, wherein, after the outputting of the historical decision records corresponding to the similar alarm information to the client in a preset order, the alarm information decision method further comprises:
    if the decision result is not changed within a preset time, saving the real-time alarm information and the decision result to the knowledge base as a new sample;
    if the decision result is changed within the preset time, receiving the changed decision result sent by the client, and saving the real-time alarm information and the changed decision result to the knowledge base as the new sample;
    performing incremental training on the trained decision tree using the new sample to obtain a new decision tree.
  8. An alarm information decision apparatus, wherein the alarm information decision apparatus comprises:
    a data acquisition module, configured to acquire historical data from the knowledge base of a preset big data system, wherein the historical data includes historical alarm information and historical decision records corresponding to the historical alarm information;
    a vector construction module, configured to determine N information features according to the historical alarm information, and to construct an information feature vector corresponding to the historical alarm information based on the determined information features, wherein N is a positive integer;
    a decision tree training module, configured to use the information features in the information feature vector as split nodes to classify the information feature vector, and to perform decision tree training with the historical decision records corresponding to the historical alarm information as leaf nodes, to obtain a trained decision tree;
    an information receiving module, configured to acquire real-time alarm information generated by the preset big data system;
    an information classification module, configured to use a preset classification algorithm to calculate the similarity between the real-time alarm information and each item of the historical alarm information, to obtain the similarity between the real-time alarm information and each item of the historical alarm information, and to select, from those similarities, the historical alarm information corresponding to the greatest similarity;
    an intelligent decision module, configured to input the selected historical alarm information into the trained decision tree for a decision, and to output the decision record produced by the trained decision tree to a client as the decision result of the real-time alarm information.
  9. The alarm information decision apparatus according to claim 8, further comprising:
    a data classification module, configured to assign corresponding identification information to the information feature vector according to preset classification conditions;
    a data processing module, configured to normalize the information feature vector to which the identification information has been assigned.
  10. The alarm information decision apparatus according to claim 9, further comprising:
    a data screening module, configured to screen the normalized information feature vectors and, if two or more identical information feature vectors are detected, to retain any one of the identical information feature vectors and delete the rest.
  11. A computer device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements an alarm information decision method, wherein the alarm information decision method comprises the following steps:
    acquiring historical data from the knowledge base of a preset big data system, wherein the historical data includes historical alarm information and historical decision records corresponding to the historical alarm information;
    determining N information features according to the historical alarm information, and constructing an information feature vector corresponding to the historical alarm information based on the determined information features, wherein N is a positive integer;
    using the information features in the information feature vector as split nodes to classify the information feature vector, and performing decision tree training with the historical decision records corresponding to the historical alarm information as leaf nodes, to obtain a trained decision tree;
    acquiring real-time alarm information generated by the preset big data system;
    using a preset classification algorithm to calculate the similarity between the real-time alarm information and each item of the historical alarm information, obtaining the similarity between the real-time alarm information and each item of the historical alarm information, and selecting, from those similarities, the historical alarm information corresponding to the greatest similarity;
    inputting the selected historical alarm information into the trained decision tree for a decision, and outputting the decision record produced by the trained decision tree to a client as the decision result of the real-time alarm information.
  12. The computer device according to claim 11, wherein, after the determining of N information features according to the historical alarm information and the constructing of an information feature vector corresponding to the historical alarm information based on the determined information features, and before the using of the information features in the information feature vector as split nodes to classify the information feature vector and the performing of decision tree training with the historical decision records corresponding to the historical alarm information as leaf nodes to obtain a trained decision tree, the alarm information decision method further comprises:
    assigning corresponding identification information to the information feature vector according to preset classification conditions;
    normalizing the information feature vector to which the identification information has been assigned.
  13. The computer device according to claim 12, wherein, after the normalizing of the information feature vector to which the identification information has been assigned, and before the using of the information features in the information feature vector as split nodes to classify the information feature vector and the performing of decision tree training with the historical decision records corresponding to the historical alarm information as leaf nodes to obtain a trained decision tree, the alarm information decision method further comprises:
    screening the normalized information feature vectors and, if two or more identical information feature vectors are detected, retaining any one of the identical information feature vectors and deleting the rest.
  14. The computer device according to claim 11, wherein the historical alarm information includes an alarm account, and after the acquiring of real-time alarm information generated by the preset big data system, the alarm information decision method further comprises:
    acquiring the alarm account in the real-time alarm information;
    if the alarm account in the real-time alarm information is found in the knowledge base, outputting the historical data corresponding to the found alarm account to the client.
  15. The computer device according to claim 11, wherein, after the inputting of the selected historical alarm information into the trained decision tree for a decision and the outputting of the decision record produced by the trained decision tree to the client as the decision result of the real-time alarm information, the alarm information decision method further comprises:
    sending the real-time alarm information and the decision result of the real-time alarm information to a preset information receiving address according to a preset template.
  16. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements an alarm information decision method, wherein the alarm information decision method comprises the following steps:
    acquiring historical data from the knowledge base of a preset big data system, wherein the historical data includes historical alarm information and historical decision records corresponding to the historical alarm information;
    determining N information features according to the historical alarm information, and constructing an information feature vector corresponding to the historical alarm information based on the determined information features, wherein N is a positive integer;
    using the information features in the information feature vector as split nodes to classify the information feature vector, and performing decision tree training with the historical decision records corresponding to the historical alarm information as leaf nodes, to obtain a trained decision tree;
    acquiring real-time alarm information generated by the preset big data system;
    using a preset classification algorithm to calculate the similarity between the real-time alarm information and each item of the historical alarm information, obtaining the similarity between the real-time alarm information and each item of the historical alarm information, and selecting, from those similarities, the historical alarm information corresponding to the greatest similarity;
    inputting the selected historical alarm information into the trained decision tree for a decision, and outputting the decision record produced by the trained decision tree to a client as the decision result of the real-time alarm information.
  17. The computer-readable storage medium according to claim 16, wherein, after the determining of N information features according to the historical alarm information and the constructing of an information feature vector corresponding to the historical alarm information based on the determined information features, and before the using of the information features in the information feature vector as split nodes to classify the information feature vector and the performing of decision tree training with the historical decision records corresponding to the historical alarm information as leaf nodes to obtain a trained decision tree, the alarm information decision method further comprises:
    assigning corresponding identification information to the information feature vector according to preset classification conditions;
    normalizing the information feature vector to which the identification information has been assigned.
  18. The computer-readable storage medium according to claim 17, wherein, after the normalizing of the information feature vector to which the identification information has been assigned, and before the using of the information features in the information feature vector as split nodes to classify the information feature vector and the performing of decision tree training with the historical decision records corresponding to the historical alarm information as leaf nodes to obtain a trained decision tree, the alarm information decision method further comprises:
    screening the normalized information feature vectors and, if two or more identical information feature vectors are detected, retaining any one of the identical information feature vectors and deleting the rest.
  19. The computer-readable storage medium according to claim 16, wherein the historical alarm information includes an alarm account, and after the acquiring of real-time alarm information generated by the preset big data system, the alarm information decision method further comprises:
    acquiring the alarm account in the real-time alarm information;
    if the alarm account in the real-time alarm information is found in the knowledge base, outputting the historical data corresponding to the found alarm account to the client.
  20. The computer-readable storage medium according to claim 16, wherein, after the inputting of the selected historical alarm information into the trained decision tree for a decision and the outputting of the decision record produced by the trained decision tree to the client as the decision result of the real-time alarm information, the alarm information decision method further comprises:
    sending the real-time alarm information and the decision result of the real-time alarm information to a preset information receiving address according to a preset template.
PCT/CN2020/098826 2019-09-06 2020-06-29 Alert information decision method and apparatus, computer device and storage medium WO2021042843A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910842476.2A CN110752942B (en) 2019-09-06 2019-09-06 Alarm information decision method and device, computer equipment and storage medium
CN201910842476.2 2019-09-06

Publications (1)

Publication Number Publication Date
WO2021042843A1 true WO2021042843A1 (en) 2021-03-11

Family

ID=69276124

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/098826 WO2021042843A1 (en) 2019-09-06 2020-06-29 Alert information decision method and apparatus, computer device and storage medium

Country Status (2)

Country Link
CN (1) CN110752942B (en)
WO (1) WO2021042843A1 (en)

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113220946A (en) * 2021-05-25 2021-08-06 平安付科技服务有限公司 Fault link searching method, device, equipment and medium based on reinforcement learning
CN113361855A (en) * 2021-05-07 2021-09-07 浙江警官职业学院 Short, medium and long-term risk warning method and device
CN113570166A (en) * 2021-09-08 2021-10-29 湖南惠农科技有限公司 Wind control real-time prediction identification method and device
CN113592606A (en) * 2021-08-10 2021-11-02 平安银行股份有限公司 Product recommendation method, device, equipment and storage medium based on multiple decisions
CN113590767A (en) * 2021-09-28 2021-11-02 西安热工研究院有限公司 Multilingual alarm information category judgment method, system, equipment and storage medium
CN113778792A (en) * 2021-08-19 2021-12-10 济南浪潮数据技术有限公司 Alarm classification method and system for IT equipment
CN113904913A (en) * 2021-08-19 2022-01-07 济南浪潮数据技术有限公司 Alarm processing method, device, equipment and storage medium based on pipeline
CN114064421A (en) * 2021-11-16 2022-02-18 展讯通信(上海)有限公司 Alarm processing method and device
CN114500011A (en) * 2022-01-13 2022-05-13 中国电子科技网络信息安全有限公司 Auxiliary decision-making method based on behavior baseline anomaly analysis and event arrangement
CN114760186A (en) * 2022-03-23 2022-07-15 深信服科技股份有限公司 Alarm analysis method and device, electronic equipment and storage medium
CN115577836A (en) * 2022-09-29 2023-01-06 深圳市三正电子有限公司 Method and device for information acquisition based on MCU
CN115833935A (en) * 2022-10-31 2023-03-21 国网山东省电力公司信息通信公司 Power optical transmission system fault positioning method and system based on decision tree
CN116883175A (en) * 2023-07-10 2023-10-13 青岛闪收付信息技术有限公司 Investment and financing activity decision generation method and device
CN117155746A (en) * 2023-10-31 2023-12-01 中孚安全技术有限公司 Electromagnetic signal combination processing method, system and medium
CN117234776A (en) * 2023-09-18 2023-12-15 厦门国际银行股份有限公司 Intelligent judging method, device and equipment for batch processing error reporting operation
CN117390379A (en) * 2023-12-11 2024-01-12 博睿康医疗科技(上海)有限公司 On-line signal measuring device and confidence measuring device for signal characteristics
CN117389997A (en) * 2023-12-12 2024-01-12 云和恩墨(北京)信息技术有限公司 Fault detection method and device for database installation flow, electronic equipment and medium

Families Citing this family (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110752942B (en) * 2019-09-06 2021-09-17 平安科技(深圳)有限公司 Alarm information decision method and device, computer equipment and storage medium
CN111475804B (en) * 2020-03-05 2023-10-24 杭州未名信科科技有限公司 Alarm prediction method and system
CN113497716B (en) 2020-03-18 2023-03-10 华为技术有限公司 Similar fault recommendation method and related equipment
CN113496335A (en) * 2020-04-07 2021-10-12 厦门邑通软件科技有限公司 Method, system and equipment for recording decision-making behaviors
CN111522719B (en) * 2020-04-27 2023-12-01 中国银行股份有限公司 Big data task state monitoring method and device
CN113807622A (en) * 2020-06-15 2021-12-17 海信集团有限公司 Event decision generation method and device, electronic equipment and storage medium
CN111813765B (en) * 2020-06-19 2024-04-12 北京金堤科技有限公司 Method, device, electronic equipment and computer readable medium for processing abnormal data
CN112231185A (en) * 2020-10-21 2021-01-15 中国银行股份有限公司 Knowledge acquisition method and device based on alarm information of application system
CN112312209B (en) * 2020-10-30 2023-07-21 中移(杭州)信息技术有限公司 Comprehensive alarm generation method, device, server and storage medium
CN112561236B (en) * 2020-11-23 2022-12-06 中国南方电网有限责任公司 Alarm information compression method based on frequent item set mining
CN112330069A (en) * 2020-11-27 2021-02-05 上海眼控科技股份有限公司 Early warning removing method and device, electronic equipment and storage medium
CN112699934B (en) * 2020-12-28 2024-06-14 深圳前海微众银行股份有限公司 Alarm classification method and device and electronic equipment
CN112966838B (en) * 2021-03-03 2024-02-20 中国联合网络通信集团有限公司 Disaster intelligent operation and maintenance order-distributing method, device and equipment
CN113591393B (en) * 2021-08-10 2024-05-31 国网河北省电力有限公司电力科学研究院 Fault diagnosis method, device, equipment and storage medium of intelligent substation
CN113645073A (en) * 2021-08-11 2021-11-12 未鲲(上海)科技服务有限公司 Alarm mail processing method and device, electronic equipment and storage medium
CN113762392A (en) * 2021-09-08 2021-12-07 平安普惠企业管理有限公司 Financial product recommendation method, device, equipment and medium based on artificial intelligence
CN114374596A (en) * 2021-11-26 2022-04-19 北京市天元网络技术股份有限公司 Alarm information display method, device, equipment and product
CN114268365B (en) * 2021-12-02 2023-07-11 国网甘肃省电力公司酒泉供电公司 Communication optical cable intelligent early warning method and system based on visualization technology
CN114742247A (en) * 2022-04-08 2022-07-12 广东电网有限责任公司 Characteristic extraction method and device based on distribution network distribution transformer abnormal alarm information
CN115378738B (en) * 2022-10-24 2023-03-24 中孚安全技术有限公司 Alarm filtering method, system and equipment based on classification algorithm
CN116451190B (en) * 2023-06-15 2023-08-18 恺恩泰(南京)科技有限公司 Data authority setting method based on Internet medical service system
CN117544425B (en) * 2024-01-09 2024-03-12 成都运荔枝科技有限公司 Network system login security control method based on data analysis

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101282242A (en) * 2007-04-06 2008-10-08 中兴通讯股份有限公司 System and method for monitoring telecommunication network service quality
CN106100885A (en) * 2016-06-23 2016-11-09 浪潮电子信息产业股份有限公司 A kind of network security warning system and design
CN106452825A (en) * 2016-07-20 2017-02-22 国网江苏省电力公司南京供电公司 Power distribution and utilization communication network alarm correlation analysis method based on improved decision tree
US20190147354A1 (en) * 2017-11-13 2019-05-16 International Business Machines Corporation Event identification through machine learning
CN110752942A (en) * 2019-09-06 2020-02-04 平安科技(深圳)有限公司 Alarm information decision method and device, computer equipment and storage medium

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012085744A2 (en) * 2010-12-22 2012-06-28 Koninklijke Philips Electronics N.V. Device, system and method for handling alarm message storms in a communications network
GB2550111B (en) * 2016-04-29 2019-10-09 Marss Ventures S A Method of verifying a triggered alert and alert verification processing apparatus
CN108073611A (en) * 2016-11-14 2018-05-25 国网江苏省电力公司镇江供电公司 The filter method and device of a kind of warning information
CN108280104B (en) * 2017-02-13 2020-06-02 腾讯科技(深圳)有限公司 Method and device for extracting characteristic information of target object
CN108665159A (en) * 2018-05-09 2018-10-16 深圳壹账通智能科技有限公司 A kind of methods of risk assessment, device, terminal device and storage medium
CN108833139B (en) * 2018-05-22 2021-02-19 桂林电子科技大学 OSSEC alarm data aggregation method based on category attribute division

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113361855A (en) * 2021-05-07 2021-09-07 浙江警官职业学院 Short, medium and long-term risk warning method and device
CN113220946A (en) * 2021-05-25 2021-08-06 平安付科技服务有限公司 Fault link searching method, device, equipment and medium based on reinforcement learning
CN113592606A (en) * 2021-08-10 2021-11-02 平安银行股份有限公司 Product recommendation method, device, equipment and storage medium based on multiple decisions
CN113592606B (en) * 2021-08-10 2023-08-22 平安银行股份有限公司 Product recommendation method, device, equipment and storage medium based on multiple decisions
CN113778792B (en) * 2021-08-19 2023-12-26 济南浪潮数据技术有限公司 Alarm classifying method and system for IT equipment
CN113778792A (en) * 2021-08-19 2021-12-10 济南浪潮数据技术有限公司 Alarm classification method and system for IT equipment
CN113904913A (en) * 2021-08-19 2022-01-07 济南浪潮数据技术有限公司 Alarm processing method, device, equipment and storage medium based on pipeline
CN113570166A (en) * 2021-09-08 2021-10-29 湖南惠农科技有限公司 Wind control real-time prediction identification method and device
CN113590767A (en) * 2021-09-28 2021-11-02 西安热工研究院有限公司 Multilingual alarm information category judgment method, system, equipment and storage medium
CN113590767B (en) * 2021-09-28 2022-01-07 西安热工研究院有限公司 Multilingual alarm information category judgment method, system, equipment and storage medium
CN114064421A (en) * 2021-11-16 2022-02-18 展讯通信(上海)有限公司 Alarm processing method and device
CN114500011A (en) * 2022-01-13 2022-05-13 中国电子科技网络信息安全有限公司 Auxiliary decision-making method based on behavior baseline anomaly analysis and event arrangement
CN114500011B (en) * 2022-01-13 2023-12-05 中国电子科技网络信息安全有限公司 Auxiliary decision-making method based on behavior baseline anomaly analysis and event arrangement
CN114760186A (en) * 2022-03-23 2022-07-15 深信服科技股份有限公司 Alarm analysis method and device, electronic equipment and storage medium
CN114760186B (en) * 2022-03-23 2024-05-28 深信服科技股份有限公司 Alarm analysis method, alarm analysis device, electronic equipment and storage medium
CN115577836A (en) * 2022-09-29 2023-01-06 深圳市三正电子有限公司 Method and device for information acquisition based on MCU
CN115577836B (en) * 2022-09-29 2023-06-30 深圳市三正电子有限公司 Method and device for information acquisition based on MCU
CN115833935A (en) * 2022-10-31 2023-03-21 国网山东省电力公司信息通信公司 Power optical transmission system fault positioning method and system based on decision tree
CN116883175A (en) * 2023-07-10 2023-10-13 青岛闪收付信息技术有限公司 Investment and financing activity decision generation method and device
CN117234776A (en) * 2023-09-18 2023-12-15 厦门国际银行股份有限公司 Intelligent judging method, device and equipment for batch processing error reporting operation
CN117155746A (en) * 2023-10-31 2023-12-01 中孚安全技术有限公司 Electromagnetic signal combination processing method, system and medium
CN117155746B (en) * 2023-10-31 2024-02-23 中孚安全技术有限公司 Electromagnetic signal combination processing method, system and medium
CN117390379A (en) * 2023-12-11 2024-01-12 博睿康医疗科技(上海)有限公司 On-line signal measuring device and confidence measuring device for signal characteristics
CN117390379B (en) * 2023-12-11 2024-03-19 博睿康医疗科技(上海)有限公司 On-line signal measuring device and confidence measuring device for signal characteristics
CN117389997A (en) * 2023-12-12 2024-01-12 云和恩墨(北京)信息技术有限公司 Fault detection method and device for database installation flow, electronic equipment and medium
CN117389997B (en) * 2023-12-12 2024-04-16 云和恩墨(北京)信息技术有限公司 Fault detection method and device for database installation flow, electronic equipment and medium

Also Published As

Publication number Publication date
CN110752942A (en) 2020-02-04
CN110752942B (en) 2021-09-17

Similar Documents

Publication Publication Date Title
WO2021042843A1 (en) Alert information decision method and apparatus, computer device and storage medium
US20210273955A1 (en) Processing pipeline for monitoring information systems
Tuor et al. Overcoming noisy and irrelevant data in federated learning
US10311044B2 (en) Distributed data variable analysis and hierarchical grouping system
WO2021052394A1 (en) Model training method, apparatus, and system
US11461368B2 (en) Recommending analytic tasks based on similarity of datasets
US8966036B1 (en) Method and system for website user account management based on event transition matrixes
D’angelo et al. An uncertainty-managing batch relevance-based approach to network anomaly detection
CN108509424B (en) System information processing method, apparatus, computer device and storage medium
WO2021159834A1 (en) Abnormal information processing node analysis method and apparatus, medium and electronic device
CN113313170B (en) Full-time global training big data platform based on artificial intelligence
US11711327B1 (en) Data derived user behavior modeling
US20220006814A1 (en) System, method, and computer program for automatically classifying user accounts in a computer network using keys from an identity management system
Fan et al. An interactive visual analytics approach for network anomaly detection through smart labeling
Kumar et al. A semantic machine learning algorithm for cyber threat detection and monitoring security
Lambert II Security analytics: Using deep learning to detect cyber attacks
Tang et al. Deep anomaly detection with ensemble-based active learning
US20210124674A1 (en) System for intelligent code update for a test automation engine
RU180789U1 (en) DEVICE OF INFORMATION SECURITY AUDIT IN AUTOMATED SYSTEMS
CN110740111B (en) Data leakage prevention method and device and computer readable storage medium
CN116227989A (en) Multidimensional business informatization supervision method and system
CN116991675A (en) Abnormal access monitoring method and device, computer equipment and storage medium
CN114049204A (en) Suspicious transaction data entry method, device, computer equipment and computer-readable storage medium
Pandeeswari et al. Analysis of Intrusion Detection Using Machine Learning Techniques
CN111475380A (en) Log analysis method and device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 20861445
    Country of ref document: EP
    Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 20861445
    Country of ref document: EP
    Kind code of ref document: A1