WO2022259307A1 - Alarm analysis device, alarm analysis method, bayesian network model, and alarm analysis program - Google Patents

Publication number
WO2022259307A1
WO2022259307A1 PCT/JP2021/021559 JP2021021559W WO2022259307A1 WO 2022259307 A1 WO2022259307 A1 WO 2022259307A1 JP 2021021559 W JP2021021559 W JP 2021021559W WO 2022259307 A1 WO2022259307 A1 WO 2022259307A1
Authority
WO
WIPO (PCT)
Prior art keywords
alarm
node
difference
relevance
location
Prior art date
Application number
PCT/JP2021/021559
Inventor
篤 高田
直輝 林
亮介 佐藤
登志彦 関
恭子 山越
Original Assignee
日本電信電話株式会社
Application filed by 日本電信電話株式会社
Priority to JP2023527151A
Priority to PCT/JP2021/021559
Publication of WO2022259307A1

Classifications

    • G: PHYSICS
    • G08: SIGNALLING
    • G08B: SIGNALLING OR CALLING SYSTEMS; ORDER TELEGRAPHS; ALARM SYSTEMS
    • G08B25/00: Alarm systems in which the location of the alarm condition is signalled to a central station, e.g. fire or police telegraphic systems
    • G08B31/00: Predictive alarm systems characterised by extrapolation or other computation using updated historic data

Definitions

  • FIG. 1 is a configuration diagram showing the configuration of the alarm analysis device 1 of this embodiment.
  • Alarms caused by the same event are issued at approximately the same time by multiple devices that are physically or logically connected. Therefore, if the occurrence times and the occurrence locations (issuing areas) of alarms are close, it can be estimated that the alarms are likely to have been caused by the same event.
  • the same event occurred It is judged to be an alarm group.
  • The illustrated alarm analysis device 1 includes an acquisition unit 11, an estimation unit 12, a determination unit 13, an alarm information DB 14, a model storage unit 15, and a configuration information DB 16.
  • The acquisition unit 11 acquires alarm information 101 (an alarm list) issued from a plurality of devices and stores it in the alarm information DB 15.
  • The alarm information 101 includes multiple alarms.
  • Each alarm has an alarm type, time of occurrence, place of occurrence, device identifier, and the like.
  • The acquisition unit 11 acquires alarm information from at least one OpS (Operation Support System).
  • Common carrier equipment (e.g., network equipment)
  • OpS provides maintenance personnel with functions such as collecting alarm information from equipment and displaying alarms on the screen.
  • The acquisition unit 11 acquires the alarm information stored by the OpS at a predetermined timing, stores it in the alarm information DB 15, and sends it to the estimation unit 12.
  • The estimation unit 12 uses a Bayesian NW model to estimate the degree of relevance of the multiple alarms included in the alarm information.
  • The determination unit 13 uses the degree of relevance to group alarms generated by the same event. Specifically, the determination unit 13 determines, based on the degree of relevance, whether a certain alarm (first alarm) and another alarm (second alarm) are caused by the same event, and groups the alarms by event.
  • Bayesian NW model: A Bayesian network model (hereinafter referred to as "Bayesian NW model") is stored in the model storage unit 15 in advance.
  • FIG. 2 is a diagram showing an example of the Bayesian NW model of this embodiment.
  • A Bayesian NW model is a probabilistic model with a graph structure.
  • Each event is represented by a node, and the nodes are connected by unidirectional links (arrows) that indicate dependencies.
  • Each node is assigned a conditional probability (CPT: Conditional Probability Table).
  • The illustrated Bayesian NW model has multiple type nodes A, B, C indicating alarm types (ALM types), and time nodes A1, B1, B3, C1 and location nodes A2, B2, B4, C2 linked to the type nodes.
  • The type node is the main node, and the time node and location node are subnodes.
  • The Bayesian NW model in FIG. 2 is an example, and the model is not limited to the one in FIG. 2.
  • A Bayesian NW model may have two type nodes, or four or more.
  • Each time node is set with a degree of relevance (second degree of relevance) according to the difference from the alarm occurrence time of the child node or parent node of the linked type node.
  • Each location node is set with a degree of relevance (third degree of relevance) according to the difference from the alarm occurrence location of the child node or parent node of the linked type node.
  • Type node A is an event indicating the occurrence of an alarm of type A, type node B is an event indicating the occurrence of an alarm of type B, and type node C is an event indicating the occurrence of an alarm of type C.
  • The dependency relationship among type nodes A, B, and C can be expressed as type node A → type node B → type node C.
  • The node at the end of a link is the child node, and the node at the origin of the link is the parent node. For the link from type node A to type node B, type node A is the parent node and type node B is the child node.
  • Conditional probabilities are set for each of the type nodes A, B, and C. As the conditional probability, an occurrence probability is set according to the difference in occurrence time and the difference in occurrence location from the alarm of the child node or parent node of the type node.
  • FIG. 2 shows the conditional probability 201 of type node A, which is the starting point.
  • For the conditional probability of type node B, occurrence probabilities are set according to the differences in occurrence time and location from the alarm of the parent node and the differences in occurrence time and location from the alarm of the child node.
  • For the conditional probability of type node C, an occurrence probability is set according to the differences in occurrence time and location from the alarm of the parent node.
  • For type node A, an occurrence probability is set according to the differences in alarm occurrence time and occurrence location from its child node (type node B). For example, if there is no difference in occurrence location (i.e., the alarms occur on the same device) and the difference in occurrence time is less than ±5 seconds, the probability that an alarm of type A occurs is set to "0.9" and the probability that it does not occur is set to "0.1". If there is no difference in occurrence location and the difference in occurrence time is ±5 seconds or more, the probability that an alarm of type A occurs is set to "0.8" and the probability that it does not occur is set to "0.2".
  • the probability that an alarm of type A will occur is 0.8, and the probability that it will not occur is 0.2.
  • the probability that an alarm of type A will occur is set to "0.7" and the probability that it will not occur is set to "0.3".
  • In the conditional probability 201, the difference in occurrence time is divided into less than 5 seconds and 5 seconds or more, and two probabilities are set. The setting may be made so that the probability becomes high.
  • The difference in occurrence location is divided into same device (no difference), same building, same prefecture, and other (different prefectures), and the smaller the difference in occurrence location, the higher the probability is set; however, the difference in occurrence location may be classified by a method other than this.
  • Time nodes and location nodes linked to each of the type nodes A, B, and C are defined.
  • Time nodes B1 and B3 and location nodes B2 and B4 are defined.
  • The time node B1 is a node relating to the difference in occurrence time from the parent node (here, type node A), and the time node B3 is a node relating to the difference in occurrence time from the child node (here, type node C).
  • The location node B2 is a node relating to the difference in occurrence location from the parent node, and the location node B4 is a node relating to the difference in occurrence location from the child node.
  • Each of these nodes B1-B4 is assigned a conditional probability.
  • The degree of relevance is set to "0.9" when the difference in occurrence time from the alarm of the parent node (type node A) is less than ±5 seconds, and to "0.1" when the difference in occurrence time is ±5 seconds or more.
  • The degree of relevance is set to "0.5" when the alarm occurs on the same device as the alarm of the parent node (type node A).
  • the degree of relevance is set to "0.3" if it has occurred, and the degree of relevance is set to "0.15" if it has occurred on a device in the same prefecture as the parent node's alarm device, and otherwise (parent node's alarm device If it occurs on a device in a prefecture different from
  • A Bayesian NW model that calculates a high degree of relevance (first degree of relevance) is used to group alarms generated by the same event.
  • FIG. 3 shows an example of alarm information (alarm list) input to the alarm analysis device 1.
  • The alarm information includes multiple alarms. Each illustrated alarm has an alarm identifier, time of occurrence (date and time of occurrence), alarm type (ALM type), prefecture, building, and device identifier. The alarm information indicates that the alarms occurred in order, starting from the alarm with alarm identifier 1.
  • Alarm types include, for example, a type that indicates a device failure (e.g., Eqp failure alarm), a type that indicates an abnormality related to an interface of the device (e.g., Link down alarm), and so on.
  • The prefecture, building, and device identifier are information indicating the place where the alarm was issued.
  • FIG. 4 shows an example of determination results for each alarm in the alarm information shown in FIG. 3. A group number is set for each alarm (alarm identifier) in the determination result.
  • The estimation unit 12 sequentially reads out each alarm of the alarm information and estimates its degree of relevance to the alarms read before it, and the determination unit 13 uses the degree of relevance to group alarms generated by the same event.
  • (1) Alarm with alarm identifier 1 [ALM type B]: The estimation unit 12 reads the [ALM type B] alarm with alarm identifier 1 from the alarm information 101 shown in FIG. 3. Because no alarm occurred before alarm identifier 1, the estimation unit 12 does not estimate a degree of relevance for it, and the determination unit 13 sets a predetermined group number for the alarm. In the determination result shown in FIG. 4, the determination unit 13 sets "1" as the group number.
  • The estimation unit 12 reads out the [ALM type A] alarm with alarm identifier 2 and estimates its degree of relevance to the child-node-side alarm (alarm identifier 1 [ALM type B]) that occurred before it. That is, the estimation unit 12 estimates the degree of relevance between alarm identifiers 2 and 1 using the Bayesian NW model.
  • The estimation unit 12 estimates, as the degree of relevance, the probability "0.3" that the difference in occurrence location of the conditional probability 201 in FIG.
  • The determination unit 13 determines that the alarms with alarm identifiers 2 and 1 belong to different groups.
  • The determination unit 13 sets the group number "2", which differs from the group number "1" of alarm identifier 1, for the alarm with alarm identifier 2.
  • The estimation unit 12 uses the conditional probabilities of the time node A1 and the location node A2 when part of the alarm information is missing. For example, if the occurrence time of [ALM type A] of alarm identifier 2 cannot be obtained and is missing, there is no evidence (condition) for the "difference in occurrence time". In this case, the following formula is obtained, and the estimation unit 12 uses the conditional probability of the location node A2 to perform probabilistic inference using only the evidence of the "difference in occurrence location".
  • The estimation unit 12 reads the [ALM type B] alarm with alarm identifier 3. Among the alarms that occurred before it, the estimation unit 12 does not estimate the degree of relevance to alarm identifier 1 because the ALM type is the same, and estimates the degree of relevance to the parent-node-side alarm (alarm identifier 2 [ALM type A]). That is, the estimation unit 12 estimates the degree of relevance between alarm identifiers 3 and 2 using the Bayesian NW model.
  • The difference in occurrence time between the alarms with alarm identifiers 3 and 2 is 1 second, and the difference in location is the same prefecture.
  • The estimation unit 12 uses the conditional probability 202 of the time node B1 in FIG. 2, the conditional probability 203 of the location node B2, and the conditional probability of the type node B (not shown) to calculate the degree of relevance between alarm identifiers 3 and 2.
  • The estimation unit 12 calculates the probability that ALM type B occurs by probabilistic inference from "0.9" of the conditional probability 202, "0.15" of the conditional probability 203, and the corresponding probability in the conditional probability of type node B (not shown), and thereby calculates the degree of relevance between alarm identifiers 3 and 2.
  • The calculated degree of relevance is assumed here to be "0.8".
  • The determination unit 13 determines that the alarms with alarm identifiers 3 and 2 belong to the same group because the degree of relevance "0.8" is equal to or greater than a predetermined threshold value (for example, 0.5). That is, the determination unit 13 associates the alarms with alarm identifiers 3 and 2 as an alarm group generated by the same event. Therefore, the determination unit 13 sets the group number "2", which is the same as the group number of alarm identifier 2, for the alarm with alarm identifier 3.
  • The estimation unit 12 reads the [ALM type A] alarm with alarm identifier 4 and estimates the degree of relevance to the alarms (alarm identifier 1 [ALM type B], alarm identifier 3 [ALM type B]).
  • The estimation unit 12 estimates the degree of relevance between alarm identifiers 4 and 1 using the Bayesian NW model. As shown in FIG. 3, the difference in occurrence time between the alarms with alarm identifiers 4 and 1 is 5 seconds or more, and the difference in location is the same building. Therefore, the estimation unit 12 estimates the corresponding probability "0.7" in the conditional probability 201 of type node A in FIG. 2 as the degree of relevance.
  • The estimation unit 12 estimates the degree of relevance between alarm identifiers 4 and 3 using the Bayesian NW model. As shown in FIG. 3, the difference in occurrence time between the alarms with alarm identifiers 4 and 3 is less than 5 seconds, and the difference in occurrence location is "other". Therefore, the estimation unit 12 estimates the corresponding probability "0.5" in the conditional probability 201 of type node A in FIG. 2 as the degree of relevance.
  • The determination unit 13 determines that the alarms with alarm identifiers 1 and 4, which both have a degree of relevance of 0.5 or more, are in the same group, and sets the group number "1", which is the same as the group number of alarm identifier 1, for the alarm with alarm identifier 4.
  • The estimation unit 12 and the determination unit 13 similarly set group numbers for the alarms with alarm identifier 5 and later, and group the alarms.
  • When calculating the degree of relevance between ALM type C and ALM type B, if the read alarm is of ALM type C, the estimation unit 12 uses the conditional probabilities of type node C, time node C1, and location node C2. Note that when the difference in occurrence time and the difference in occurrence location are known, the estimation unit 12 calculates the degree of relevance based only on the conditional probability of type node C. On the other hand, when the read alarm is of ALM type B, the conditional probabilities of type node B, time node B3, and location node B4 are used. The estimation unit 12 does not calculate the degree of relevance between ALM type C and ALM type A, because type node C and type node A are separated by two or more nodes.
  • The alarm analysis device 1 of the present embodiment uses a Bayesian NW model in which the calculated degree of relevance is higher for alarms whose occurrence times and locations are close to each other. Among a plurality of newly generated alarms, alarms whose occurrence time, occurrence location, and alarm type are close to those of the Bayesian NW model can thus be determined to be an alarm group generated by the same event.
  • The configuration information DB 16 is a database that stores information regarding the network configuration of each device. Information about the network configuration includes the device ID of each device, physical location (building name, state/province, etc.), logical location (AS number, IP address, subnetwork of IP address, etc.), port (IF), port connection destination information, and the like.
  • The estimation unit 12 may acquire the location of each alarm from the configuration information DB 16 using the device identifier or the like included in the alarm as a key.
  • The difference in the occurrence location of the alarm is the difference in the physical location (distance).
  • a difference may also be used.
  • The estimation unit 12 may acquire the logical occurrence location included in each alarm, or may acquire the logical occurrence location of each alarm from the configuration information DB 16 using the device identifier or the like included in the alarm as a key.
  • FIG. 5 is a flowchart showing the operation of the alarm analysis device 1.
  • The acquisition unit 11 acquires alarm information issued by each device from, for example, OpS at a predetermined timing (time interval) (S11).
  • The estimation unit 12 reads a first alarm included in the alarm information and uses the Bayesian NW model to estimate its degree of relevance (first degree of relevance) to a second alarm read before the first alarm (S12).
  • The determination unit 13 determines whether the first and second alarms are alarms generated by the same event and belonging to the same group by comparing the degree of relevance with a predetermined threshold (S13). If it is determined that the alarms belong to the same group (S13: YES), the determination unit 13 sets the same group number as the second alarm for the first alarm and groups them (S14). On the other hand, if it is determined that the groups are different (S13: NO), the determination unit 13 sets a group number different from that of the second alarm for the first alarm (S15).
  • If there is an unprocessed next alarm in the alarm information (S16: YES), the estimation unit 12 returns to S12 and performs the subsequent processing. If there is no next alarm in the alarm information (S16: NO), the determination result shown in FIG. 4 is output (S17), and the process is terminated.
  • The alarm analysis device 1 of the present embodiment described above includes a Bayesian network model, an estimation unit 12 that estimates a first degree of relevance of a plurality of alarms using the Bayesian network model, and a determination unit 13 that uses the first degree of relevance to group alarms generated by the same event. The Bayesian network model has a plurality of type nodes indicating alarm types, and a time node and a location node linked to each type node. The time node is set with a second degree of relevance according to the difference from the alarm occurrence time of the child node or parent node of the linked type node, and the location node is set with a third degree of relevance according to the difference from the alarm occurrence location of the child node or parent node of the linked type node.
  • A general-purpose computer system as shown in FIG. 6 can be used.
  • The illustrated computer system includes a CPU (Central Processing Unit, processor) 901, a memory 902, a storage 903 (HDD: Hard Disk Drive, SSD: Solid State Drive), a communication device 904, an input device 905, and an output device 906.
  • Memory 902 and storage 903 are storage devices.
  • Each function of the alarm analysis device 1 is realized by the CPU 901 executing a predetermined program loaded in the memory 902.
  • The alarm analysis device 1 may be implemented by one computer, or may be implemented by a plurality of computers. Also, the alarm analysis device 1 may be a virtual machine implemented in a computer.
  • The program for the alarm analysis device 1 can be stored in a computer-readable recording medium such as an HDD, SSD, USB (Universal Serial Bus) memory, CD (Compact Disc), or DVD (Digital Versatile Disc), or can be delivered via a network.
  • 1: Alarm analysis device; 11: Acquisition unit; 12: Estimation unit; 13: Determination unit; 14: Alarm information DB; 15: Model storage unit; 16: Configuration information DB
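
The sequential grouping flow (S11 to S17) and the missing-evidence handling described above, as an added Python example that is not code from the patent or its applicant. The probability tables, the `Alarm` fields, the sample alarms, and the rule of joining the earlier alarm with the highest relevance at or above the threshold are assumptions constructed for illustration; the tables of FIG. 2 and the alarm list of FIG. 3 are not reproduced on this page.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

CHAIN = ["A", "B", "C"]   # type-node dependency from the description: A -> B -> C
THRESHOLD = 0.5           # example threshold quoted in the description

# Constructed table (NOT the patent's FIG. 2 values):
# P(same event | location-difference bucket, time-difference bucket).
CPT = {
    ("same_device", "lt5"): 0.9, ("same_device", "ge5"): 0.8,
    ("same_building", "lt5"): 0.8, ("same_building", "ge5"): 0.7,
    ("same_prefecture", "lt5"): 0.6, ("same_prefecture", "ge5"): 0.4,
    ("other", "lt5"): 0.3, ("other", "ge5"): 0.1,
}
# Constructed sub-node distributions, used only when that evidence is missing.
TIME_NODE = {"lt5": 0.9, "ge5": 0.1}
LOC_NODE = {"same_device": 0.5, "same_building": 0.3,
            "same_prefecture": 0.15, "other": 0.05}


@dataclass
class Alarm:
    ident: int
    alm_type: str
    time: Optional[datetime]      # None models a missing occurrence time
    prefecture: Optional[str]
    building: Optional[str]
    device: Optional[str]


def time_bucket(a, b):
    """Bucket the occurrence-time difference, or None if a time is missing."""
    if a.time is None or b.time is None:
        return None
    return "lt5" if abs((a.time - b.time).total_seconds()) < 5 else "ge5"


def loc_bucket(a, b):
    """Bucket the occurrence-location difference, or None if unknown."""
    if a.device is not None and a.device == b.device:
        return "same_device"      # assumes device identifiers are unique
    if a.prefecture is None or b.prefecture is None:
        return None
    if a.prefecture != b.prefecture:
        return "other"
    if a.building is not None and a.building == b.building:
        return "same_building"
    return "same_prefecture"


def relevance(new, old):
    """Relevance of two alarms; None unless their types are parent and child."""
    if abs(CHAIN.index(new.alm_type) - CHAIN.index(old.alm_type)) != 1:
        return None               # same type, or two or more nodes apart
    t, loc = time_bucket(new, old), loc_bucket(new, old)
    # Observed evidence is a point mass; missing evidence is marginalized
    # over the sub-node distribution.
    t_dist = {t: 1.0} if t else TIME_NODE
    l_dist = {loc: 1.0} if loc else LOC_NODE
    return sum(pl * pt * CPT[(lb, tb)]
               for lb, pl in l_dist.items() for tb, pt in t_dist.items())


def group_alarms(alarms, threshold=THRESHOLD):
    """Read alarms in order and return {alarm identifier: group number}."""
    groups, seen, next_group = {}, [], 1
    for alarm in alarms:
        best_score, best_group = 0.0, None
        for prev in seen:
            score = relevance(alarm, prev)
            if score is not None and score >= threshold and score > best_score:
                best_score, best_group = score, groups[prev.ident]
        if best_group is None:    # no related earlier alarm: open a new group
            best_group, next_group = next_group, next_group + 1
        groups[alarm.ident] = best_group
        seen.append(alarm)
    return groups


def _ts(hms):
    return datetime.strptime("2021-06-07 " + hms, "%Y-%m-%d %H:%M:%S")


# Constructed sample alarm list (not the contents of FIG. 3).
SAMPLE = [
    Alarm(1, "B", _ts("10:00:00"), "Tokyo", "Bldg-1", "dev-b1"),
    Alarm(2, "A", _ts("10:00:20"), "Osaka", "Bldg-9", "dev-a9"),
    Alarm(3, "B", _ts("10:00:21"), "Osaka", "Bldg-8", "dev-b8"),
    Alarm(4, "A", _ts("10:00:22"), "Tokyo", "Bldg-1", "dev-a1"),
    Alarm(5, "C", None, "Osaka", "Bldg-8", "dev-b8"),   # time missing
    Alarm(6, "C", _ts("10:05:00"), "Fukuoka", "Bldg-3", "dev-c3"),
]

if __name__ == "__main__":
    print(group_alarms(SAMPLE))
```

Alarm 5 has no occurrence time, so its relevance to alarm 3 is computed from the location evidence alone, with the time bucket averaged out.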

Landscapes

  • Business, Economics & Management (AREA)
  • Emergency Management (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An alarm analysis device 1, provided with: a Bayesian network model; an estimation unit 12 for estimating a first relevance of a plurality of alarms by using the Bayesian network model; and, an assessment unit 13 for using the first relevance to perform grouping of alarm groups that have occurred in the same event. The Bayesian network model has: a plurality of type nodes that indicate alarm type; and, a time node and a location node that are linked to each type node. The time node is set with a second relevance that corresponds to the difference from the time of occurrence of an alarm in a child node or a parent node of a linked type node. The location node is set with a third relevance that corresponds to the difference from the location of occurrence of an alarm in a child node or a parent node of a linked type node.

Description

警報解析装置、警報解析方法、ベイジアンネットワークモデルおよび警報解析プログラムAlarm analysis device, alarm analysis method, Bayesian network model and alarm analysis program
 本発明は、警報解析装置、警報解析方法、ベイジアンネットワークモデルおよび警報解析プログラムに関する。 The present invention relates to an alarm analysis device, an alarm analysis method, a Bayesian network model, and an alarm analysis program.
 ネットワーク監視運用業務には、常時監視により装置の状態変化および警報を検出し、故障や工事等の事象の把握、故障要因の切り分け等を分析・判断し、故障回復を実施(対処)するプロセスが存在する。 Network monitoring and operation work includes the process of detecting equipment status changes and alarms through constant monitoring, understanding events such as failures and construction work, analyzing and judging the isolation of failure factors, and implementing (handling) failure recovery. exist.
 当該プロセスは、ネットワーク全体を管理する保守者(リモート作業者)が、現地での故障装置の修理・交換等の物理作業が必要になった場合に、現地作業者を現地に派遣することで実現している。保守者は、全国に配置される装置の管理を、集約拠点からリモートで実施する。 This process is realized by dispatching local workers to the site when maintenance personnel (remote workers) who manage the entire network need to perform physical work such as repairing or replacing faulty devices on-site. is doing. A maintenance person remotely manages the devices located all over the country from a centralized location.
 ネットワークで発生した事象に対処するために、保守者は、検出した警報群がどのような事象(工事や故障)によって発生したかを把握することが重要である。 In order to deal with events that occur on the network, it is important for maintenance personnel to understand what events (construction or failure) caused the detected alarm groups.
 非特許文献1には、ネットワーク接続構成情報と事前定義したルールを組み合わせることで、一つの事象で発生する複数の警報をコリレーションする技術が記載されている。 Non-Patent Document 1 describes a technique for correlating multiple alarms generated by a single event by combining network connection configuration information and predefined rules.
 警報は一つの事象によって複数の装置から発生し、かつ、全国のネットワークでは同時に複数の事象が発生するため、警報は大量に発生する。保守者は、この警報群を事象毎にコリレーション(関連付け)を行っている。 A large number of alarms occur because a single event can generate an alarm from multiple devices, and a nationwide network can generate multiple events at the same time. The maintenance person correlates (associates) this alarm group for each event.
 通信事業者ネットワークは、伝送装置で構成される伝送レイヤや、NGNマス装置で構成されるIPレイヤといった、複数のレイヤによって構成されるマルチレイヤであるため、多様な装置が大量に存在し、警報も様々な種類が大量に混在している。このようなネットワークにおいて発生する警報の関連付けは、保守者に高度な知識や経験が求められ、負担も大きい。このため、警報の関連性を見極める保守者の負荷軽減やスキルレス化が求められている。 Telecommunications carrier networks are multi-layered, consisting of multiple layers, such as a transmission layer made up of transmission equipment and an IP layer made up of NGN mass equipment. There are many different types mixed together. Correlation of alarms generated in such a network requires advanced knowledge and experience on the part of maintenance personnel, and places a heavy burden on them. For this reason, there is a need to reduce the burden on maintenance personnel who determine the relevance of alarms and eliminate the need for skills.
 非特許文献1では、保守者が事前にルールを定義する必要があり、このルール定義には保守者の高度な知識や経験が求められ、全て自動化できるわけではない。 In Non-Patent Document 1, it is necessary for the maintainer to define the rules in advance, and this rule definition requires the maintainer's advanced knowledge and experience, and cannot be fully automated.
 本発明は、上記事情に鑑みてなされたものであり、本発明の目的は、警報の相関付けを容易に行うための警報解析装置、警報解析方法、ベイジアンネットワークモデルおよび警報解析プログラムを提供することにある。 The present invention has been made in view of the above circumstances, and an object of the present invention is to provide an alarm analysis device, an alarm analysis method, a Bayesian network model, and an alarm analysis program for easily correlating alarms. It is in.
 上記目的を達成するため、本発明の一態様は警報解析装置であって、ベイジアンネットワークモデルと、複数の警報の第1関連度を、前記ベイジアンネットワークモデルを用いて推定する推定部と、前記第1関連度を用いて、同じ事象で発生した警報群をグルーピングする判定部と、を備え、前記ベイジアンネットワークモデルは、警報種別を示す複数の種別ノードと、各種別ノードにリンクされた時刻ノードおよび場所ノードとを有し、前記時刻ノードには、リンクされた種別ノードの子ノードまたは親ノードの警報の発生時刻との差分に応じた第2関連度が設定され、前記場所ノードには、リンクされた種別ノードの子ノードまたは親ノードの警報の発生場所との差分に応じた第3関連度が設定される。 In order to achieve the above object, one aspect of the present invention is an alarm analysis apparatus comprising a Bayesian network model, an estimation unit that estimates a first degree of relevance of a plurality of alarms using the Bayesian network model, and the first a determination unit that groups alarm groups generated by the same event using 1 relevance, and the Bayesian network model includes a plurality of type nodes indicating alarm types, a time node linked to each type node, and and a location node, wherein the time node is set with a second degree of relevance according to the difference from the alarm occurrence time of the child node or parent node of the linked type node, and the location node includes the link A third degree of relevance is set according to the difference from the child node of the identified type node or the alarm generation location of the parent node.
One aspect of the present invention is an alarm analysis method performed by an alarm analysis device, comprising: a step of estimating a first degree of relevance of a plurality of alarms using a Bayesian network model; and a step of grouping alarms generated by the same event using the first degree of relevance, wherein the Bayesian network model has a plurality of type nodes indicating alarm types, and a time node and a location node linked to each type node, the time node is set with a second degree of relevance according to the difference from the occurrence time of the alarm of the child node or parent node of the linked type node, and the location node is set with a third degree of relevance according to the difference from the occurrence location of the alarm of the child node or parent node of the linked type node.
One aspect of the present invention is an alarm analysis program that causes a computer to function as the above alarm analysis device.
According to the present invention, it is possible to provide an alarm analysis device, an alarm analysis method, a Bayesian network model, and an alarm analysis program for easily correlating alarms.
FIG. 1 is a configuration diagram showing the configuration of an alarm analysis device according to an embodiment of the present invention.
FIG. 2 is a diagram showing an example of a Bayesian NW model.
FIG. 3 is a diagram showing an example of alarm information.
FIG. 4 is a diagram showing an example of a determination result.
FIG. 5 is a flowchart showing the operation of the alarm analysis device.
FIG. 6 is an example of a hardware configuration.
Embodiments of the present invention are described below with reference to the drawings.
FIG. 1 is a configuration diagram showing the configuration of the alarm analysis device 1 of this embodiment. A group of alarms caused by the same event is generated almost simultaneously by multiple devices that have physical or logical connections. Therefore, if the occurrence times and occurrence locations (occurrence areas) of alarms are close, it can be estimated that they are likely to have been caused by the same event. In this embodiment, among multiple newly generated alarms, alarms are determined to be a group caused by the same event when their occurrence time and location, and the types of alarms generated by one event, are close to the Bayesian NW model.
The illustrated alarm analysis device 1 includes an acquisition unit 11, an estimation unit 12, a determination unit 13, an alarm information DB 14, a model storage unit 15, and a configuration information DB 16.
The acquisition unit 11 acquires alarm information 101 (an alarm list) issued by a plurality of devices and stores it in the alarm information DB 15. The alarm information 101 contains a plurality of alarms. Each alarm has an alarm type, an occurrence time, an occurrence location, a device identifier, and the like.
For example, the acquisition unit 11 acquires alarm information from at least one OpS (Operation Support System). The devices of a typical telecommunications carrier (for example, network devices) are monitored by an OpS. The OpS provides maintenance personnel with functions such as collecting alarm information from devices and displaying alarms on screen. The acquisition unit 11 acquires the alarm information stored by the OpS at a predetermined timing, stores it in the alarm information DB 15, and sends it to the estimation unit 12.
The estimation unit 12 uses the Bayesian NW model to estimate the degree of relevance of the plurality of alarms contained in the alarm information.
The determination unit 13 uses the degree of relevance to group alarms generated by the same event. Specifically, based on the degree of relevance, the determination unit 13 determines whether one alarm (a first alarm) and another alarm (a second alarm) were generated by the same event, and groups the alarms by event.
A Bayesian network model (hereinafter, "Bayesian NW model") is stored in advance in the model storage unit 15.
FIG. 2 is a diagram showing an example of the Bayesian NW model of this embodiment. A Bayesian NW model is a probabilistic model with a graph structure. In the Bayesian NW model, each event is represented by a node, and nodes are connected by unidirectional links (arrows) that indicate dependencies. Each node is assigned a conditional probability (CPT: Conditional Probability Table).
The illustrated Bayesian NW model has a plurality of type nodes A, B, and C indicating alarm types (ALM types), and time nodes A1, B1, B3, C1 and location nodes A2, B2, B4, C2 linked to the type nodes. The type nodes are main nodes, and the time nodes and location nodes are sub-nodes. The Bayesian NW model of FIG. 2 is only an example, and the model is not limited to that of FIG. 2. For example, a Bayesian NW model may have two type nodes, or four or more.
Each time node is set with a degree of relevance (second degree of relevance) according to the difference from the occurrence time of the alarm of the child node or parent node of the linked type node. Each location node is set with a degree of relevance (third degree of relevance) according to the difference from the occurrence location of the alarm of the child node or parent node of the linked type node.
Specifically, type node A is an event indicating the occurrence of an alarm of alarm type A, type node B is an event indicating the occurrence of an alarm of alarm type B, and type node C is an event indicating the occurrence of an alarm of alarm type C. The dependency among type nodes A, B, and C can be expressed as type node A → type node B → type node C.
The node at the destination of a link is the child node, and the node at the origin of a link is the parent node. For type node A → type node B, type node A is the parent node and type node B is the child node. A conditional probability is set for each of the type nodes A, B, and C. The conditional probability holds occurrence probabilities according to the difference from the occurrence time and the difference from the occurrence location of the alarm of the type node's child node or parent node.
FIG. 2 shows the conditional probability 201 of type node A, which is the starting point. Although omitted here, the conditional probability of type node B holds occurrence probabilities according to the differences from the occurrence time and location of the parent node's alarm and the differences from the occurrence time and location of the child node's alarm. The conditional probability of type node C holds occurrence probabilities according to the differences from the occurrence time and location of the parent node's alarm.
The illustrated conditional probability 201 holds occurrence probabilities according to the difference from the occurrence time and the difference from the occurrence location of the alarm of the child node (type node B) of type node A. For example, when there is no difference in occurrence location (that is, the alarms occurred on the same device) and the difference in occurrence time is less than ±5 seconds, the probability that an alarm of alarm type A occurs is defined as "0.9" and the probability that it does not occur as "0.1". When there is no difference in occurrence location and the difference in occurrence time is ±5 seconds or more, the probability that an alarm of alarm type A occurs is defined as "0.8" and the probability that it does not occur as "0.2".
When the difference in occurrence location is "within the same building" and the difference in occurrence time is less than ±5 seconds, the probability that an alarm of alarm type A occurs is defined as "0.8" and the probability that it does not occur as "0.2". When the difference in occurrence location is "same building" and the difference in occurrence time is ±5 seconds or more, the probability that an alarm of alarm type A occurs is defined as "0.7" and the probability that it does not occur as "0.3".
In the illustrated conditional probability 201, the difference in occurrence time is split into "less than 5 seconds" and "5 seconds or more" and two probabilities are set, but it may be split into three or more ranges so that the smaller the difference in occurrence time, the higher the probability.
Also, in the illustrated conditional probability 201, the difference in occurrence location is split into same device (no difference), same building, same prefecture, and other (different prefectures), and the probabilities are set so that the smaller the difference in occurrence location, the higher the probability. The difference in occurrence location may, however, be classified in other ways.
In the Bayesian NW model of this embodiment, time nodes and location nodes linked to each of the type nodes A, B, and C are defined. For example, time nodes B1 and B3 and location nodes B2 and B4 are defined for type node B. Time node B1 concerns the difference in occurrence time from the parent node (here, type node A), and time node B3 concerns the difference in occurrence time from the child node (here, type node C). Location node B2 concerns the difference in occurrence location from the parent node, and location node B4 concerns the difference in occurrence location from the child node. Each of the nodes B1 to B4 is assigned a conditional probability.
For example, in the conditional probability 202 of time node B1, the degree of relevance is "0.9" when the difference in occurrence time from the alarm of the parent node (type node A) is less than ±5 seconds, and "0.1" when the difference in occurrence time is ±5 seconds or more.
In the conditional probability 203 of location node B2, the degree of relevance is "0.5" when the alarm occurred on the same device as the alarm of the parent node (type node A), "0.3" when it occurred on a device in the same building as the device of the parent node's alarm, "0.15" when it occurred on a device in the same prefecture as the device of the parent node's alarm, and "0.05" otherwise (when it occurred on a device in a different prefecture from the device of the parent node's alarm).
In this way, a time node is set with a higher degree of relevance (second degree of relevance) the smaller the difference in occurrence time, and a location node is set with a higher degree of relevance (third degree of relevance) the smaller the difference in occurrence location.
The other time nodes A1, B3, C1 and the other location nodes A2, B4, C2 are omitted from FIG. 2, but similar conditional probabilities are defined for them.
In this embodiment, alarms generated by the same event are grouped using a Bayesian NW model that yields a high degree of relevance (first degree of relevance) for alarms whose occurrence times and occurrence locations are close.
The process by which the estimation unit 12 and the determination unit 13 group alarms using the Bayesian NW model is described concretely below.
FIG. 3 shows an example of the alarm information (alarm list) input to the alarm analysis device 1. The alarm information contains a plurality of alarms. Each illustrated alarm has an alarm identifier, an occurrence time (date and time of occurrence), an alarm type (ALM type), a prefecture, a building, and a device identifier. This alarm information indicates that the alarms occurred in order, starting from the alarm with alarm identifier 1.
Alarm types include, for example, a type indicating a device failure (e.g., Eqp failure alarm) and a type indicating an abnormality related to a device interface (e.g., Link down alarm). The prefecture, building, and device identifier are information indicating the location where the alarm occurred.
FIG. 4 shows an example of the determination result for each alarm in the alarm information shown in FIG. 3. In the determination result, a group number is set for each alarm (alarm identification information).
The estimation unit 12 reads the alarms in the alarm information one by one and estimates the degree of relevance between the alarm just read and the alarms read before it. The determination unit 13 uses the degree of relevance to group alarms generated by the same event.
(1) Alarm with alarm identifier 1 [ALM type B]
The estimation unit 12 reads the [ALM type B] alarm with alarm identifier 1 from the alarm information 101 shown in FIG. 3. Because no alarm occurred before alarm identifier 1, the estimation unit 12 does not estimate a degree of relevance for alarm identifier 1, and the determination unit 13 sets a predetermined group number for the alarm. In the determination result shown in FIG. 4, the determination unit 13 sets "1" as the group number.
(2) Alarm with alarm identifier 2 [ALM type A]
Next, the estimation unit 12 reads the [ALM type A] alarm with alarm identifier 2 and estimates its degree of relevance to the alarm on the child node side that occurred before it (alarm identifier 1 [ALM type B]). That is, the estimation unit 12 estimates the degree of relevance between alarm identifiers 2 and 1 using the Bayesian NW model.
As shown in FIG. 3, the difference in occurrence time between the alarms with alarm identifiers 1 and 2 is 5 seconds, and the difference in occurrence location is "other" (different prefectures). The estimation unit 12 therefore takes, as the degree of relevance, the probability "0.3" given by the conditional probability 201 of FIG. 2 for the case where the difference in occurrence location is "other" and the difference in occurrence time is 5 seconds or more.
  P(ALM type A = occurs | time difference = ±5 s or more, location difference = other) = 0.3
Because the degree of relevance "0.3" is less than a predetermined threshold (for example, 0.5), the determination unit 13 determines that the alarms with alarm identifiers 2 and 1 belong to different groups. The determination unit 13 sets group number "2", which differs from group number "1" of alarm identifier 1, for the alarm with alarm identifier 2.
When part of an alarm's information is missing, the estimation unit 12 uses the conditional probabilities of time node A1 and location node A2. For example, if the occurrence time of [ALM type A] with alarm identifier 2 could not be acquired and is missing, the evidence (condition) "difference in occurrence time" does not exist. In that case the expression becomes the following, and the estimation unit 12 uses the conditional probability of location node A2 to perform probabilistic inference using only the evidence "difference in occurrence location".
  P(ALM type A = occurs | location difference = other) = 0.48
With a Bayesian NW model, even when not all of the evidence is known, the occurrence probability of the state of interest can be calculated by probabilistic inference from the evidence that was obtained.
(3) Alarm with alarm identifier 3 [ALM type B]
Next, the estimation unit 12 reads the [ALM type B] alarm with alarm identifier 3. Of the alarms that occurred before it, alarm identifier 1 has the same ALM type, so no degree of relevance is estimated for it; the estimation unit 12 estimates the degree of relevance to the alarm on the parent node side (alarm identifier 2 [ALM type A]). That is, the estimation unit 12 estimates the degree of relevance between alarm identifiers 3 and 2 using the Bayesian NW model.
As shown in FIG. 3, the difference in occurrence time between the alarms with alarm identifiers 3 and 2 is 1 second, and the difference in occurrence location is "same prefecture". The estimation unit 12 calculates the degree of relevance between alarm identifiers 3 and 2 using the conditional probability 202 of time node B1 in FIG. 2, the conditional probability 203 of location node B2, and the conditional probability of type node B (not shown).
For example, the estimation unit 12 calculates the degree of relevance between alarm identifiers 3 and 2 by obtaining, through probabilistic inference, the probability that ALM type B occurs from "0.9" in the conditional probability 202, "0.15" in the conditional probability 203, and the corresponding probability in the conditional probability of type node B (not shown). The calculated degree of relevance is assumed here to be "0.8".
  P(ALM type B = occurs | time difference = less than ±5 s, location difference = same prefecture) = 0.8
Because the degree of relevance "0.8" is equal to or greater than the predetermined threshold (for example, 0.5), the determination unit 13 determines that the alarms with alarm identifiers 3 and 2 belong to the same group. That is, the determination unit 13 associates the alarms with alarm identifiers 3 and 2 as a group of alarms generated by the same event. The determination unit 13 therefore sets group number "2", the same as group number "2" of alarm identifier 2, for the alarm with alarm identifier 3.
(4) Alarm with alarm identifier 4 [ALM type A]
Next, the estimation unit 12 reads the [ALM type A] alarm with alarm identifier 4 and, among the alarms that occurred before it, estimates its degree of relevance to the alarms on the child node side (alarm identifier 1 [ALM type B] and alarm identifier 3 [ALM type B]).
First, the estimation unit 12 estimates the degree of relevance between alarm identifiers 4 and 1 using the Bayesian NW model. As shown in FIG. 3, the difference in occurrence time between the alarms with alarm identifiers 4 and 1 is 5 seconds or more, and the difference in occurrence location is "same building". The estimation unit 12 therefore takes, as the degree of relevance, the probability "0.7" given by the conditional probability 201 of type node A in FIG. 2 for the case where the difference in occurrence location is "same building" and the difference from child node A is 5 seconds or more.
  P(ALM type A = occurs | time difference = ±5 s or more, location difference = same building) = 0.7
The estimation unit 12 then estimates the degree of relevance between alarm identifiers 4 and 3 using the Bayesian NW model. As shown in FIG. 3, the difference in occurrence time between the alarms with alarm identifiers 4 and 3 is less than 5 seconds, and the difference in occurrence location is "other". The estimation unit 12 therefore takes, as the degree of relevance, the probability "0.5" given by the conditional probability 201 of type node A in FIG. 2 for the case where the difference in occurrence location is "other" and the difference from child node A is less than 5 seconds.
  P(ALM type A = occurs | time difference = less than ±5 s, location difference = other) = 0.5
Both degrees of relevance are 0.5 or more, but the determination unit 13 determines that the alarms with alarm identifiers 1 and 4, which have the higher degree of relevance, belong to the same group, and sets group number "1", the same as group number "1" of alarm identifier 1, for the alarm with alarm identifier 4.
The estimation unit 12 and the determination unit 13 set group numbers in the same way for the alarms from alarm identifier 5 onward and group the alarms.
For example, when calculating the degree of relevance between ALM type C and ALM type B, if the alarm that was read is of ALM type C, the estimation unit 12 uses the conditional probabilities of type node C, time node C1, and location node C2. When the difference in occurrence time and the difference in occurrence location are both known, the estimation unit 12 calculates the degree of relevance from the conditional probability of type node C alone. If, on the other hand, the alarm that was read is of ALM type B, the conditional probabilities of type node B, time node B3, and location node B4 are used. For ALM type C and ALM type A, type node C and type node A are two or more nodes apart, so the estimation unit 12 does not calculate a degree of relevance.
In this way, the alarm analysis device 1 of this embodiment uses a Bayesian NW model that yields a higher degree of relevance for alarms whose occurrence times and occurrence locations are close, and can determine that, among multiple newly generated alarms, those whose occurrence time, occurrence location, and alarm type are close to the Bayesian NW model are a group of alarms generated by the same event.
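The walkthrough of alarm identifiers 1 to 4, including the missing-time case, can be reproduced as follows. This Python code is an added example, not code from the patent. It assumes a constructed alarm list standing in for FIG. 3, constructed "same prefecture" entries for conditional probability 201, a constructed table for type node B (except the 0.8 the text assumes), sub-node priors equal to the values of 202 and 203, and one table per type node for both neighbours.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional

THRESHOLD = 0.5                  # example threshold used in the text
CHAIN = ["A", "B", "C"]          # dependency: type node A -> B -> C
TIMES = ("lt5s", "ge5s")
PLACES = ("device", "building", "prefecture", "other")

# P(type occurs | location difference, time difference)
CPT = {
    "A": {  # conditional probability 201; the "prefecture" row is constructed
        ("device", "lt5s"): 0.9, ("device", "ge5s"): 0.8,
        ("building", "lt5s"): 0.8, ("building", "ge5s"): 0.7,
        ("prefecture", "lt5s"): 0.6, ("prefecture", "ge5s"): 0.5,
        ("other", "lt5s"): 0.5, ("other", "ge5s"): 0.3,
    },
    "B": {  # constructed, except 0.8 for (prefecture, lt5s) assumed in the text
        ("device", "lt5s"): 0.95, ("device", "ge5s"): 0.6,
        ("building", "lt5s"): 0.9, ("building", "ge5s"): 0.5,
        ("prefecture", "lt5s"): 0.8, ("prefecture", "ge5s"): 0.4,
        ("other", "lt5s"): 0.4, ("other", "ge5s"): 0.1,
    },
}
# Priors of the time and location sub-nodes (assumption: same values as 202 and 203)
TIME_PRIOR = {"lt5s": 0.9, "ge5s": 0.1}
PLACE_PRIOR = {"device": 0.5, "building": 0.3, "prefecture": 0.15, "other": 0.05}


@dataclass
class Alarm:
    ident: int
    alm_type: str
    ts: Optional[float]          # seconds; None when the occurrence time is missing
    place: Optional[tuple]       # (prefecture, building, device); None when missing


def time_bin(a, b):
    if a.ts is None or b.ts is None:
        return None
    return "lt5s" if abs(a.ts - b.ts) < 5 else "ge5s"


def place_bin(a, b):
    if a.place is None or b.place is None:
        return None
    if a.place == b.place:
        return "device"
    if a.place[:2] == b.place[:2]:
        return "building"
    return "prefecture" if a.place[0] == b.place[0] else "other"


def relevance(new, prev):
    """Relevance of `new` to an earlier alarm, or None when none is estimated."""
    if new.alm_type not in CPT or prev.alm_type not in CHAIN:
        return None
    if abs(CHAIN.index(new.alm_type) - CHAIN.index(prev.alm_type)) != 1:
        return None              # same type, or two or more nodes apart
    t, p = time_bin(new, prev), place_bin(new, prev)
    total = 0.0
    for pv, tv in product(PLACES, TIMES):
        if (p is not None and pv != p) or (t is not None and tv != t):
            continue             # contradicts the observed evidence
        weight = 1.0
        if t is None:            # missing evidence: marginalise over the sub-node
            weight *= TIME_PRIOR[tv]
        if p is None:
            weight *= PLACE_PRIOR[pv]
        total += CPT[new.alm_type][(pv, tv)] * weight
    return total


def group(alarms):
    """Assign a group number to each alarm, in order of occurrence."""
    groups, next_no = {}, 1
    for i, new in enumerate(alarms):
        best_score, best_prev = None, None
        for prev in alarms[:i]:
            r = relevance(new, prev)
            if r is not None and (best_score is None or r > best_score):
                best_score, best_prev = r, prev
        if best_score is not None and best_score >= THRESHOLD:
            groups[new.ident] = groups[best_prev.ident]
        else:
            groups[new.ident] = next_no
            next_no += 1
    return groups


# Constructed alarm list matching the differences stated in the walkthrough
SAMPLE = [
    Alarm(1, "B", 0.0, ("pref-1", "bldg-1", "dev-11")),
    Alarm(2, "A", 5.0, ("pref-2", "bldg-2", "dev-21")),
    Alarm(3, "B", 6.0, ("pref-2", "bldg-3", "dev-31")),
    Alarm(4, "A", 8.0, ("pref-1", "bldg-1", "dev-12")),
]

if __name__ == "__main__":
    print(group(SAMPLE))
    no_time = Alarm(2, "A", None, SAMPLE[1].place)
    print(round(relevance(no_time, SAMPLE[0]), 2))
```

With the occurrence time of alarm 2 removed, the location-only inference weights the two "other" entries of 201 by the time-node prior, which is how 0.48 arises from 0.5 and 0.3.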
The estimation unit 12 of this embodiment acquires the occurrence location of each alarm from the alarm information shown in FIG. 3, but the occurrence location may instead be acquired from the configuration information DB 16. The configuration information DB 16 is a database that stores information about the network configuration of each device. The network configuration information includes each device's device ID, physical location (building name, prefecture, etc.), logical location (AS number, IP address, IP address subnetwork, etc.), ports (IF), and port connection destination information. In this case, the estimation unit 12 may acquire the occurrence location of each alarm from the configuration information DB 16 using the device identifier or the like contained in the alarm as a key.
In this embodiment, the difference in physical location (distance) is used as the difference in alarm occurrence location, but the difference in logical location, such as AS number or IP address subnetwork, may be used instead. In this case, the estimation unit 12 may acquire the logical occurrence location contained in each alarm, or may acquire the logical occurrence location of each alarm from the configuration information DB 16 using the device identifier or the like contained in the alarm as a key.
FIG. 5 is a flowchart showing the operation of the alarm analysis device 1. The acquisition unit 11 acquires the alarm information issued by each device, for example from the OpS, at a predetermined timing (time interval) (S11). The estimation unit 12 reads a first alarm contained in the alarm information and uses the Bayesian NW model to estimate its degree of relevance (first degree of relevance) to a second alarm read before the first alarm (S12).
The determination unit 13 determines whether the first alarm and the second alarm are alarms of the same group, generated by the same event, by comparing the degree of relevance with a predetermined threshold (S13). If they are determined to be alarms of the same group (S13: YES), the determination unit 13 groups them by setting the same group number as the second alarm for the first alarm (S14). If they are determined to belong to different groups (S13: NO), the determination unit 13 sets a group number different from that of the second alarm for the first alarm (S15).
If the alarm information contains a next, unprocessed alarm (S16: YES), the estimation unit 12 returns to S12 and repeats the subsequent processing. If there is no next alarm in the alarm information (S16: NO), it outputs a determination result such as that shown in FIG. 4 (S17) and ends the process.
The alarm analysis device 1 of this embodiment described above includes a Bayesian network model, an estimation unit 12 that estimates a first degree of relevance of a plurality of alarms using the Bayesian network model, and a determination unit 13 that uses the first degree of relevance to group alarms generated by the same event. The Bayesian network model has a plurality of type nodes indicating alarm types, and a time node and a location node linked to each type node. The time node is set with a second degree of relevance according to the difference from the occurrence time of the alarm of the child node or parent node of the linked type node, and the location node is set with a third degree of relevance according to the difference from the occurrence location of the alarm of the child node or parent node of the linked type node.
 これにより、本実施形態では、警報の相関付け(コリレーション)を容易に行うことができる。具体的には、保守者の負担が大きい警報の相関付けを自動化し、新たに発生した警報情報を入力するだけで効率よく警報をグルーピングすることができる。 As a result, in this embodiment, it is possible to easily correlate alarms. Specifically, it is possible to automate the correlation of alarms, which imposes a heavy burden on maintenance personnel, and efficiently group alarms simply by inputting newly generated alarm information.
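The threshold grouping of S13 to S17 and the time and location relevance described above, as an added Python example that is not code from the patent. The alarm type names, table values, hop counts, the threshold of 0.5, the pairing of each alarm with all earlier alarms, and the product used to combine the three tables are assumptions for illustration; table lookups stand in for full Bayesian network inference.

```python
from dataclasses import dataclass

# All values below are constructed for illustration (assumptions, not from the patent).
TYPE_LINK = {("LINK_DOWN", "BGP_DOWN"): 0.9, ("FAN_FAIL", "TEMP_HIGH"): 0.85}  # parent -> child
TIME_REL = [(10, 1.0), (60, 0.7), (300, 0.3)]   # (max seconds apart, second relevance)
LOC_REL = {0: 1.0, 1: 0.8, 2: 0.4}              # hop distance -> third relevance
HOPS = {frozenset(("r1", "r2")): 1, frozenset(("r2", "r9")): 2, frozenset(("r1", "r9")): 3}
THRESHOLD = 0.5

@dataclass
class Alarm:
    name: str
    kind: str      # alarm type (type node)
    time: int      # occurrence time in seconds
    device: str    # occurrence location (logical position)

def time_relevance(dt):
    """Smaller time difference gives a higher relevance; beyond the last bin it is 0."""
    return next((rel for limit, rel in TIME_REL if dt <= limit), 0.0)

def location_relevance(dev_a, dev_b):
    """Smaller logical distance gives a higher relevance; unknown or far pairs give 0."""
    hops = 0 if dev_a == dev_b else HOPS.get(frozenset((dev_a, dev_b)))
    return LOC_REL.get(hops, 0.0)

def first_relevance(new, old):
    """Assumed combination: type link x time relevance x location relevance."""
    parent, child = (old, new) if old.time <= new.time else (new, old)
    link = TYPE_LINK.get((parent.kind, child.kind), 0.0)
    return link * time_relevance(abs(new.time - old.time)) * location_relevance(new.device, old.device)

def group_alarms(alarms):
    """Compare each alarm with the earlier ones, then reuse or allocate a group number."""
    groups, seen, next_group = {}, [], 1
    for alarm in sorted(alarms, key=lambda a: a.time):
        best = max(seen, key=lambda old: first_relevance(alarm, old), default=None)
        if best is not None and first_relevance(alarm, best) >= THRESHOLD:  # S13: YES -> S14
            groups[alarm.name] = groups[best.name]
        else:                                                               # S13: NO -> S15
            groups[alarm.name] = next_group
            next_group += 1
        seen.append(alarm)
    return groups                                                           # S17: result

SAMPLE = [  # constructed alarm records
    Alarm("a1", "LINK_DOWN", 0, "r1"), Alarm("a2", "BGP_DOWN", 5, "r2"),
    Alarm("a3", "FAN_FAIL", 20, "r9"), Alarm("a4", "TEMP_HIGH", 50, "r9"),
    Alarm("a5", "BGP_DOWN", 400, "r2"),
]

if __name__ == "__main__":
    print(group_alarms(SAMPLE))
```

Alarm a5 has the same type and device as a2 but falls outside the last time bin, so it opens a new group instead of joining the earlier outage.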
 The alarm analysis device 1 described above can be implemented, for example, on a general-purpose computer system such as that shown in FIG. 6. The illustrated computer system includes a CPU (Central Processing Unit, processor) 901, a memory 902, a storage 903 (HDD: Hard Disk Drive, SSD: Solid State Drive), a communication device 904, an input device 905, and an output device 906. The memory 902 and the storage 903 are storage devices. In this computer system, each function of the alarm analysis device 1 is realized by the CPU 901 executing a predetermined program loaded into the memory 902.
 The alarm analysis device 1 may be implemented on a single computer or on a plurality of computers. The alarm analysis device 1 may also be a virtual machine implemented on a computer.
 The program for the alarm analysis device 1 can be stored on a computer-readable recording medium such as an HDD, SSD, USB (Universal Serial Bus) memory, CD (Compact Disc), or DVD (Digital Versatile Disc), or can be distributed via a network.
 The present invention is not limited to the above embodiment and modifications, and many variations are possible within the scope of its gist.
 1: Alarm analysis device
 11: Acquisition unit
 12: Estimation unit
 13: Determination unit
 14: Alarm information DB
 15: Model storage unit
 16: Configuration information DB

Claims (7)

  1.  An alarm analysis device comprising:
     a Bayesian network model;
     an estimation unit that estimates a first degree of relevance of a plurality of alarms using the Bayesian network model; and
     a determination unit that groups alarms generated by the same event using the first degree of relevance,
     wherein the Bayesian network model has a plurality of type nodes indicating alarm types, and a time node and a location node linked to each type node, and
     a second degree of relevance is set in the time node according to the difference from the occurrence time of the alarm of the child node or parent node of the linked type node, and a third degree of relevance is set in the location node according to the difference from the occurrence location of the alarm of the child node or parent node of the linked type node.
  2.  The alarm analysis device according to claim 1, wherein an occurrence probability is set in the type node according to the difference from the occurrence time and the difference from the occurrence location of the alarm of the child node or parent node of that type node.
  3.  The alarm analysis device according to claim 1 or 2, wherein a higher second degree of relevance is set in the time node as the difference in occurrence time is smaller, and a higher third degree of relevance is set in the location node as the difference in occurrence location is smaller.
  4.  The alarm analysis device according to any one of claims 1 to 3, wherein the difference in occurrence location is a difference in the physical position of the device that output the alarm, or a difference in the logical position of the device.
  5.  An alarm analysis method performed by an alarm analysis device, the method comprising:
     estimating a first degree of relevance of a plurality of alarms using a Bayesian network model; and
     grouping alarms generated by the same event using the first degree of relevance,
     wherein the Bayesian network model has a plurality of type nodes indicating alarm types, and a time node and a location node linked to each type node, and
     a second degree of relevance is set in the time node according to the difference from the occurrence time of the alarm of the child node or parent node of the linked type node, and a third degree of relevance is set in the location node according to the difference from the occurrence location of the alarm of the child node or parent node of the linked type node.
  6.  A Bayesian network model comprising:
     a plurality of type nodes indicating alarm types; and
     a time node and a location node linked to each type node,
     wherein a degree of relevance is set in the time node according to the difference from the occurrence time of the alarm of the child node or parent node of the linked type node, and a degree of relevance is set in the location node according to the difference from the occurrence location of the alarm of the child node or parent node of the linked type node.
  7.  An alarm analysis program that causes a computer to function as the alarm analysis device according to any one of claims 1 to 4.
PCT/JP2021/021559 2021-06-07 2021-06-07 Alarm analysis device, alarm analysis method, bayesian network model, and alarm analysis program WO2022259307A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2023527151A JPWO2022259307A1 (en) 2021-06-07 2021-06-07
PCT/JP2021/021559 WO2022259307A1 (en) 2021-06-07 2021-06-07 Alarm analysis device, alarm analysis method, bayesian network model, and alarm analysis program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/021559 WO2022259307A1 (en) 2021-06-07 2021-06-07 Alarm analysis device, alarm analysis method, bayesian network model, and alarm analysis program

Publications (1)

Publication Number Publication Date
WO2022259307A1 (en) 2022-12-15

Family

ID=84425008

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/021559 WO2022259307A1 (en) 2021-06-07 2021-06-07 Alarm analysis device, alarm analysis method, bayesian network model, and alarm analysis program

Country Status (2)

Country Link
JP (1) JPWO2022259307A1 (en)
WO (1) WO2022259307A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH01106112A (en) * 1987-10-19 1989-04-24 Yokogawa Electric Corp Method for diagnosing cause of process abnormality
JPH09307550A (en) * 1996-05-10 1997-11-28 Hitachi Ltd Network system monitoring device
JP2000048277A (en) * 1998-03-16 2000-02-18 Kdd Corp Fault place estimating method
JP2019114992A (en) * 2017-12-26 2019-07-11 ココロプラン株式会社 Alert information transmitter

Also Published As

Publication number Publication date
JPWO2022259307A1 (en) 2022-12-15

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 21944988; Country of ref document: EP; Kind code of ref document: A1
WWE Wipo information: entry into national phase. Ref document number: 2023527151; Country of ref document: JP
NENP Non-entry into the national phase. Ref country code: DE
122 Ep: pct application non-entry in european phase. Ref document number: 21944988; Country of ref document: EP; Kind code of ref document: A1