Anomaly detection methods, devices, computer equipment, and storage media
By acquiring long-term, short-term, and offline reference values, combining weighted summation to calculate the relative value of anomalies, and utilizing a classification model, the problem of misjudgment in anomaly detection in intelligent operation and maintenance is solved, achieving more accurate and efficient anomaly handling.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- PING AN TECH (SHENZHEN) CO LTD
- Filing Date
- 2023-06-16
- Publication Date
- 2026-06-30
AI Technical Summary
Existing intelligent operation and maintenance technologies suffer from high error rates in anomaly detection methods, making it difficult to flexibly and accurately classify anomalies based on indicator data. This leads to increased system operation and maintenance costs and a reduced patient experience.
By acquiring long-term, short-term, and offline reference values of preset indicators, and combining them with weights to determine the target reference value, the abnormal relative value of the indicator data is calculated, and the abnormal relative value is accumulated within a time window. The anomaly type is then determined using a classification model, and an alarm is output.
It improves the rationality and accuracy of anomaly detection, reduces misjudgments, and enhances operational efficiency and the speed of anomaly handling.
Smart Images

Figure CN116702006B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of intelligent operation and maintenance, and in particular to an anomaly determination method, device, computer equipment, and storage medium. Background Technology
[0002] With the development of operation and maintenance (O&M) technologies, intelligent O&M based on artificial intelligence is gradually replacing some traditional manual O&M. However, existing intelligent O&M technologies typically use fixed thresholds for indicator data. If the indicator data exceeds this threshold, it is considered abnormal. This standard for anomaly identification is subjective, prone to misjudgment, and difficult to categorize based on indicator data. For example, in the field of intelligent healthcare, failure to detect anomalies in a timely and accurate manner can lead to system paralysis, resulting in a poor patient experience and even economic losses. Conversely, misjudging anomalies during normal operation and prompting O&M personnel to investigate and repair increases the labor costs of healthcare system maintenance. Therefore, a more flexible and accurate anomaly detection method is urgently needed. Summary of the Invention
[0003] The main objective of this application is to provide an anomaly detection method, apparatus, device, and computer storage medium, which aims to improve the rationality of anomaly detection, prevent misjudgments, and improve the accuracy of anomaly detection.
[0004] Firstly, this application provides an anomaly determination method, which includes the following steps:
[0005] Obtain the long-term reference value, short-term reference value and offline reference value corresponding to the preset indicator;
[0006] Based on the preset target reference value determination rules, the target reference value of the indicator data is determined according to the long-term reference value, short-term reference value and offline reference value corresponding to the indicator.
[0007] Based on the indicator data corresponding to the preset indicator and the target reference value, determine the abnormal relative value of the indicator data;
[0008] Obtain the cumulative value of the relative value of the anomaly within a preset time window;
[0009] If the cumulative value within the time window is greater than or equal to a preset threshold, the anomaly type is determined based on the preset classification model and the relative anomaly value within the preset time window.
[0010] Output an anomaly alert based on the anomaly type.
[0011] Secondly, this application also provides an anomaly determination device, the anomaly determination device comprising:
[0012] The data acquisition module is used to acquire long-term reference values, short-term reference values, and offline reference values corresponding to preset indicators;
[0013] The reference value determination module is used to determine the target reference value of the indicator data based on the preset target reference value determination rules, according to the long-term reference value, short-term reference value and offline reference value corresponding to the indicator;
[0014] The relative value determination module is used to determine the abnormal relative value of the indicator data based on the indicator data corresponding to the preset indicator and the target reference value;
[0015] The cumulative value determination module is used to obtain the cumulative value of the relative value of the anomaly within a preset time window;
[0016] An anomaly classification module is used to determine the anomaly type based on a preset classification model and the relative anomaly value within the preset time window if the cumulative value within the time window is greater than or equal to a preset threshold.
[0017] The anomaly alarm module is used to output anomaly alarms based on the anomaly type.
[0018] Thirdly, this application also provides a computer device, the computer device including a processor, a memory, and a computer program stored in the memory and executable by the processor, wherein when the computer program is executed by the processor, it implements the above-described exception determination method.
[0019] Fourthly, this application also provides a computer-readable storage medium storing a computer program, wherein when the computer program is executed by a processor, it implements the above-described exception determination method.
[0020] This application provides an anomaly detection method, apparatus, device, and computer storage medium. The method involves: acquiring long-term, short-term, and offline reference values corresponding to preset indicators; determining a target reference value for the indicator data based on preset target reference value determination rules, according to the long-term, short-term, and offline reference values; determining the relative anomaly value of the indicator data based on the indicator data corresponding to the preset indicators and the target reference value; acquiring the cumulative value of the relative anomaly value within a preset time window; if the cumulative value within the time window is greater than or equal to a preset threshold, determining the anomaly type based on a preset classification model and the relative anomaly value within the preset time window; and outputting an anomaly alarm based on the anomaly type. This method can be applied to anomaly detection in medical systems. By comprehensively considering the long-term, short-term, and offline reference values of indicators to determine whether indicator data is abnormal, the rationality and accuracy of anomaly detection are improved. Attached Figure Description
[0021] To more clearly illustrate the technical solutions of the embodiments of this application, the drawings used in the description of the embodiments will be briefly introduced below. Obviously, the drawings described below are some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0022] Figure 1 A flowchart illustrating an anomaly determination method provided in an embodiment of this application;
[0023] Figure 2 This is a usage scenario diagram of an anomaly determination method provided in an embodiment of this application;
[0024] Figure 3 A schematic block diagram of an anomaly determination device provided in an embodiment of this application;
[0025] Figure 4 This is a schematic block diagram of the structure of a computer device according to an embodiment of this application. Detailed Implementation
[0026] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0027] The flowchart shown in the attached diagram is for illustrative purposes only and does not necessarily include all content and operations / steps, nor does it necessarily have to be performed in the order described. For example, some operations / steps can be broken down, combined, or partially merged, so the actual execution order may change depending on the actual situation.
[0028] This application provides an anomaly determination method, apparatus, computer device, and computer-readable storage medium.
[0029] The following detailed description of some embodiments of this application is provided in conjunction with the accompanying drawings. Unless otherwise specified, the following embodiments and features can be combined with each other.
[0030] Please refer to Figure 1 , Figure 1This is a flowchart illustrating an anomaly determination method provided in an embodiment of this application. This anomaly determination method can be used in a medical system, which can be configured in a terminal or server to accurately and reasonably determine whether there are anomalies in various indicator data of the intelligent operation and maintenance of the medical system. The terminal can be an electronic device such as a mobile phone, tablet, laptop, desktop computer, personal digital assistant, or wearable device; the server can be a standalone server, a server cluster, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (CDN), and big data and artificial intelligence platforms.
[0031] Please refer to Figure 2 , Figure 2 This is a usage scenario diagram provided by an embodiment of this application. For example... Figure 2 As shown, the target server performs anomaly detection on the indicator data of a medical system configured on a server or terminal (not shown). Specifically, the target server continuously acquires indicator data from the medical system, determines long-term reference values, short-term reference values, and offline reference values based on the indicator data, and performs anomaly detection on the real-time acquired indicator data based on the long-term reference values, short-term reference values, and offline reference values. If the target server determines that the indicator data is abnormal, it outputs an anomaly alarm based on the anomaly type.
[0032] Of course, this is not the only possibility. Long-term reference values, short-term reference values, and offline reference values can also be determined by the medical system and sent to the target server. Figure 2 The illustrated use case diagram is only for illustrating the exception detection method provided in this solution and does not limit the implementation process of the method.
[0033] like Figure 1 As shown, the anomaly determination method includes steps S101 to S106.
[0034] Step S101: Obtain the long-term reference value, short-term reference value and offline reference value corresponding to the preset indicator.
[0035] For example, in related technologies, to determine anomalies in preset indicators, a fixed threshold or range is typically set for each indicator. When the indicator data exceeds this threshold or falls outside the range, the indicator data is determined to be abnormal and an alarm is triggered. However, this method of anomaly determination lacks flexibility, cannot adjust the criteria for anomaly determination according to actual conditions, and is prone to misjudgment due to its overly simplistic criteria, thus reducing the accuracy of anomaly determination and operational efficiency.
[0036] For example, the anomaly determination method provided in this application obtains long-term reference values, short-term reference values and offline reference values corresponding to preset indicators at different time periods, so as to determine the judgment criteria for subsequent anomaly determination based on the long-term reference values, short-term reference values and offline reference values, thereby improving the flexibility and accuracy of anomaly determination.
[0037] In some implementations, obtaining the long-term reference value, short-term reference value, and offline reference value corresponding to the preset indicator includes: determining the long-term reference value based on the indicator data within a first preset time period; and determining the short-term reference value based on the indicator data within a second preset time period, wherein the first preset time period is longer than the second preset time period.
[0038] For example, the long-term reference value and the short-term reference value are determined based on indicator data within a first preset time period and a second preset time period, respectively. The first preset time period can be, for example, 24 hours, and the second preset time period can be, for example, 1 hour. However, these are not limited to these; the first and second preset time periods can also be other durations, which are not restricted here. It is understood that the first preset time period is longer than the second preset time period.
[0039] For example, a long-term reference value is determined based on the indicator data of a preset indicator within a first preset time period, such as by using the average value of the indicator data over 24 hours. A short-term reference value is determined based on the indicator data of the preset indicator within a second preset time period, such as by using the average value of the indicator data over 1 hour. However, this is not the only possibility; the long-term and short-term reference values can also be calculated from the indicator data within the corresponding time period using other methods, such as the median of the indicator data within the corresponding time period. This is not a limitation.
[0040] For example, the offline reference value can be determined based on indicator data over a relatively long period of time, such as based on all historical indicator data obtained; or the offline reference value can be preset according to actual needs, such as setting a corresponding offline reference value for each preset indicator, which is not limited here.
[0041] For example, long-term and short-term reference values can reflect reasonable reference values for indicators under the current circumstances. For instance, when indicator data is at a high or low level, the corresponding long-term and short-term reference values will be different, which improves the rationality and flexibility of subsequent target references and also improves the accuracy of the final anomaly judgment.
[0042] Step S102: Based on the preset target reference value determination rules, determine the target reference value of the indicator data according to the long-term reference value, short-term reference value and offline reference value corresponding to the indicator.
[0043] For example, the target reference value is used to reflect a reasonable value for the indicator data under the current circumstances. Specifically, the target reference value is obtained based on long-term reference values, short-term reference values, and offline reference values.
[0044] In some implementations, determining the target reference value of the indicator data based on the preset target reference value determination rule and according to the long-term reference value, short-term reference value and offline reference value corresponding to the indicator includes: weighting and summing the long-term reference value, the short-term reference value and the offline reference value according to the first weight corresponding to the long-term reference value, the second weight corresponding to the short-term reference value and the third weight corresponding to the offline reference value to obtain the target reference value.
[0045] For example, based on the weights corresponding to the long-term reference value, short-term reference value, and offline reference value, the three are weighted and summed to obtain the target reference value used to determine the relative value of abnormal indicator data.
[0046] For example, short-term reference values generally best reflect the current changes in an indicator, therefore they are the most important, followed by long-term reference values, with offline reference values being the least important. Therefore, a weighting order can be set as second weight > first weight > third weight, but this is not a limitation.
[0047] For example, the target reference value can be calculated using the following formula:
[0048] threshold = w1 × threshold long +w2×threshold short +w3×threshold offline
[0049] Where threshold represents the target reference value, threshold long threshold short and threshold offline These represent the long-term reference value, short-term reference value, and offline reference value, respectively, and represent the first weight, second weight, and third weight, respectively.
[0050] For example, since the target reference value is obtained by combining the magnitudes of long-term reference values, short-term reference values, and offline reference values, it can reasonably reflect the approximate value of the indicator, thereby improving the accuracy of the subsequently determined relative abnormal values and the abnormal judgment based on the relative abnormal values.
[0051] In some implementations, determining the target reference value of the indicator data based on the preset target reference value determination rule and according to the long-term reference value, short-term reference value and offline reference value corresponding to the indicator includes: determining the target reference value of the indicator data based on the preset reference value update cycle and according to the long-term reference value, short-term reference value and offline reference value corresponding to the indicator.
[0052] For example, the reference value update cycle can be determined according to actual needs. For instance, the reference value update cycle can be determined as the change cycle of at least one of long-term reference value, short-term reference value, and offline reference value, without any limitation here.
[0053] For example, updating the target reference value according to the reference value update cycle can determine a target reference value that is more in line with the actual situation, thereby improving the rationality of anomaly judgment.
[0054] Step S103: Determine the abnormal relative value of the indicator data based on the indicator data corresponding to the preset indicator and the target reference value.
[0055] For example, the abnormal relative value is obtained by comparing the indicator data with the target reference value.
[0056] For example, the abnormal relative value is a value obtained after processing the collected indicators, which can objectively and truthfully reflect the degree of abnormality of the indicator data.
[0057] In some implementations, determining the abnormal relative value of the indicator data based on the indicator data corresponding to the preset indicator and the target reference value includes: determining the abnormal relative value based on the ratio of the target difference to the target reference value, wherein the target difference is the difference between the target reference value and the current indicator data.
[0058] For example, abnormal relative values can reflect the current difference between the indicator data and the target reference value. If the difference between the indicator data and the target reference value is too large, it indicates that the indicator is currently abnormal.
[0059] For example, the relative value of anomalies can be determined using the following formula:
[0060]
[0061] Where R represents the abnormal relative value, value represents the indicator data, and ε represents the preset constant used to prevent the denominator from being 0.
[0062] For example, using outlier relative values to represent the difference between indicator data and target reference values can more objectively reflect the degree of anomaly in the indicator data.
[0063] Step S104: Obtain the cumulative value of the relative value of the anomaly within a preset time window.
[0064] For example, a specific time window can be set according to the actual situation, such as a 5-minute time window. The abnormal relative values of the indicator within the 5 minutes preceding the current moment are analyzed to determine the cumulative value of the abnormal relative values of the indicator data within this time window. Specifically, this involves integrating the abnormal relative values within the time window to obtain the cumulative value.
[0065] For example, anomaly detection is based on the cumulative value of the relative anomalies to prevent misjudgments caused by data fluctuations. Anomaly alerts are only issued when the relative anomalies are at a high level over a period of time, which further improves the accuracy of anomaly detection.
[0066] Step S105: If the cumulative value within the time window is greater than or equal to a preset threshold, the anomaly type is determined based on the preset classification model and the relative anomaly value within the preset time window.
[0067] For example, an anomaly relative value is determined using a pre-defined classification model. Specifically, anomaly types are set according to actual needs, such as CPU load anomaly, CPU spike anomaly, memory consumption anomaly, process termination anomaly, disk space consumption anomaly, network packet loss anomaly, duplicate network resource packet transmission anomaly, and network resource packet corruption anomaly. The classification model is trained based on the pre-defined anomaly types and the anomaly relative values of various indicators when different anomaly types occur, resulting in a classification model used to determine the anomaly type based on the anomaly relative values of indicators. The classification model could be, for example, the XGBoost model.
[0068] For example, by using a pre-defined classification model to determine the anomaly type based on the abnormal relative value of the indicator, the manpower cost for anomaly type analysis is reduced and the efficiency of anomaly determination is improved.
[0069] Step S106: Output an anomaly alarm according to the anomaly type.
[0070] For example, an anomaly alert can be output based on the anomaly type determined by the classification model, so that relevant personnel can quickly identify the root cause of the anomaly and handle it.
[0071] In some implementations, the step of outputting an anomaly alarm based on the anomaly type includes: when the cumulative value within multiple time windows is greater than or equal to a preset threshold within a third preset time period, merging the anomaly alarms corresponding to the multiple time windows into the same anomaly alarm.
[0072] In some implementations, the step of outputting anomaly alarms based on the anomaly type includes: if two or more monitored objects have anomaly alarms of the same anomaly type within a fourth preset time period, merging the anomaly alarms of the same anomaly type into a high-priority anomaly alarm.
[0073] For example, multiple anomalies of the same type to the same object within a third preset time period, or anomalies of the same type to multiple monitored objects within a fourth preset time period, are merged to avoid the intelligent operation and maintenance system generating a large number of anomaly alarms at once due to the same root cause in a short period of time, thereby improving the efficiency of operation and maintenance personnel in handling system anomalies.
[0074] The anomaly determination method provided in the above embodiments obtains long-term reference values, short-term reference values, and offline reference values corresponding to preset indicators; determines the target reference value of the indicator data based on preset target reference value determination rules, according to the long-term reference values, short-term reference values, and offline reference values corresponding to the indicators; determines the relative anomaly value of the indicator data based on the indicator data corresponding to the preset indicators and the target reference value; obtains the cumulative value of the relative anomaly value within a preset time window; if the cumulative value within the time window is greater than or equal to a preset threshold, determines the anomaly type based on a preset classification model, according to the relative anomaly value within the preset time window; and outputs an anomaly alarm based on the anomaly type. This method can improve the rationality of anomaly determination in intelligent operation and maintenance systems, prevent misjudgments, and improve the accuracy of anomaly determination.
[0075] Please see Figure 3 , Figure 3 This is a schematic diagram of an anomaly determination device provided in an embodiment of this application. The anomaly determination device can be configured in a server or terminal to execute the aforementioned anomaly determination method.
[0076] like Figure 3 As shown, the anomaly determination device includes: a data acquisition module 110, a reference value determination module 120, a relative value determination module 130, a cumulative value determination module 140, an anomaly classification module 150, and an anomaly alarm module 160.
[0077] Data acquisition module 110 is used to acquire long-term reference values, short-term reference values and offline reference values corresponding to preset indicators;
[0078] The reference value determination module 120 is used to determine the target reference value of the indicator data based on the preset target reference value determination rules and according to the long-term reference value, short-term reference value and offline reference value corresponding to the indicator.
[0079] The relative value determination module 130 is used to determine the abnormal relative value of the indicator data based on the indicator data corresponding to the preset indicator and the target reference value;
[0080] The cumulative value determination module 140 is used to obtain the cumulative value of the abnormal relative value within a preset time window;
[0081] An anomaly classification module 150 is used to determine the anomaly type based on a preset classification model and the relative anomaly value within the preset time window if the cumulative value within the time window is greater than or equal to a preset threshold.
[0082] The anomaly alarm module 160 is used to output an anomaly alarm according to the anomaly type.
[0083] For example, the data acquisition module 110 also includes a long-term reference value acquisition module and a short-term reference value acquisition module.
[0084] The short-term reference value acquisition module is used to determine the long-term reference value based on the indicator data within a first preset time period.
[0085] The long-term reference value acquisition module is used to determine the short-term reference value based on the indicator data within a second preset time period, wherein the first preset time period is longer than the second preset time period.
[0086] For example, the reference value determination module 120 also includes a reference value calculation module.
[0087] The reference value calculation module is used to perform a weighted summation of the long-term reference value, the short-term reference value, and the offline reference value according to the first weight corresponding to the long-term reference value, the second weight corresponding to the short-term reference value, and the third weight corresponding to the offline reference value, to obtain the target reference value.
[0088] For example, the relative value determination module 130 also includes a relative value calculation module.
[0089] The relative value calculation module is used to determine the abnormal relative value based on the ratio of the target difference to the target reference value, wherein the target difference is the difference between the target reference value and the current indicator data.
[0090] For example, the anomaly alarm module 160 also includes: a first merging module and a second merging module.
[0091] The first merging module is used to merge the abnormal alarms corresponding to the multiple time windows into the same abnormal alarm when the cumulative value in multiple time windows within a third preset time period is greater than or equal to a preset threshold.
[0092] The second merging module is used to merge the abnormal alarms of the same abnormal type into a high-priority abnormal alarm if two or more monitored objects have abnormal alarms of the same abnormal type within a fourth preset time period.
[0093] For example, the reference value determination module 120 also includes a reference value update module.
[0094] The reference value update module is used to determine the target reference value of the indicator data based on the long-term reference value, short-term reference value and offline reference value corresponding to the indicator, according to the preset reference value update cycle.
[0095] It should be noted that those skilled in the art will understand that, for the sake of convenience and brevity, the specific working processes of the above-described apparatus and its modules and units can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.
[0096] The methods and apparatus of this application can be used in a wide variety of general-purpose or special-purpose computing system environments or configurations. Examples include: personal computers, server computers, handheld or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics devices, network PCs, minicomputers, mainframe computers, and distributed computing environments including any of the above systems or devices. This application can be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures, etc., that perform specific tasks or implement specific abstract data types. This application can also be practiced in distributed computing environments where tasks are performed by remote processing devices connected via a communication network. In distributed computing environments, program modules can reside in local and remote computer storage media, including storage devices.
[0097] For example, the above-described method and apparatus can be implemented as a computer program, which can be used in, for example... Figure 4 It runs on the computer device shown.
[0098] Please see Figure 4 , Figure 4 This is a schematic block diagram illustrating the structure of a computer device provided in an embodiment of this application. The computer device may be a server or a terminal.
[0099] like Figure 4 As shown, the computer device includes a processor, a memory, and a network interface connected via a system bus, wherein the memory may include a storage medium and internal memory.
[0100] The storage medium may store the operating system and computer programs. The computer programs include program instructions that, when executed, cause the processor to perform any exception handling method.
[0101] The processor provides computing and control capabilities, supporting the operation of the entire computer device.
[0102] Internal memory provides an environment for the execution of computer programs stored in the storage medium. When the computer program is executed by the processor, it enables the processor to perform any kind of exception handling method.
[0103] This network interface is used for network communication, such as sending assigned tasks. Those skilled in the art will understand that... Figure 4 The structure shown is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the computer device to which the present application is applied. Specific computer devices may include more or fewer components than those shown in the figure, or combine certain components, or have different component arrangements.
[0104] It should be understood that the processor can be a Central Processing Unit (CPU), but it can also be other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. Among these, a general-purpose processor can be a microprocessor or any conventional processor.
[0105] In one embodiment, the processor is configured to run a computer program stored in memory to perform the following steps:
[0106] Obtain the long-term reference value, short-term reference value and offline reference value corresponding to the preset indicator;
[0107] Based on the preset target reference value determination rules, the target reference value of the indicator data is determined according to the long-term reference value, short-term reference value and offline reference value corresponding to the indicator.
[0108] Based on the indicator data corresponding to the preset indicator and the target reference value, determine the abnormal relative value of the indicator data;
[0109] Obtain the cumulative value of the relative value of the anomaly within a preset time window;
[0110] If the cumulative value within the time window is greater than or equal to a preset threshold, the anomaly type is determined based on the preset classification model and the relative anomaly value within the preset time window.
[0111] Output an anomaly alert based on the anomaly type.
[0112] In one embodiment, when the processor acquires the long-term reference value, short-term reference value, and offline reference value corresponding to the preset indicator, it is configured to:
[0113] The long-term reference value is determined based on the indicator data within a first preset time period;
[0114] The short-term reference value is determined based on the indicator data within a second preset duration, wherein the first preset duration is longer than the second preset duration.
[0115] In one embodiment, when the processor determines the target reference value of the indicator data based on a preset target reference value determination rule and according to the long-term reference value, short-term reference value, and offline reference value corresponding to the indicator, it is configured to:
[0116] The target reference value is obtained by weighting and summing the long-term reference value, the short-term reference value, and the offline reference value according to the first weight corresponding to the long-term reference value, the second weight corresponding to the short-term reference value, and the third weight corresponding to the offline reference value.
[0117] In one embodiment, when the processor determines the abnormal relative value of the indicator data based on the indicator data corresponding to the preset indicator and the target reference value, it is configured to:
[0118] The abnormal relative value is determined based on the ratio of the target difference to the target reference value, wherein the target difference is the difference between the target reference value and the current indicator data.
[0119] In one embodiment, when implementing the output of an exception alarm based on the exception type, the processor is configured to:
[0120] When the cumulative value within multiple time windows is greater than or equal to a preset threshold within a third preset time period, the abnormal alarms corresponding to the multiple time windows are merged into a single abnormal alarm.
[0121] In one embodiment, when implementing the output of an exception alarm based on the exception type, the processor is configured to:
[0122] If two or more monitored objects in the intelligent operation and maintenance system have the same type of abnormal alarm within the fourth preset time period, the abnormal alarms of the same type will be merged into a high-priority abnormal alarm.
[0123] In one embodiment, when the processor determines the target reference value of the indicator data based on the preset target reference value determination rule and according to the long-term reference value, short-term reference value, and offline reference value corresponding to the indicator, it is configured to:
[0124] Based on a preset reference value update cycle, the target reference value of the indicator data is determined according to the long-term reference value, short-term reference value and offline reference value corresponding to the indicator.
[0125] It should be noted that those skilled in the art will understand that, for the sake of convenience and brevity, the specific working process of anomaly determination described above can be referred to the corresponding process in the aforementioned anomaly determination and control method embodiments, and will not be repeated here.
[0126] This application also provides a computer-readable storage medium storing a computer program, the computer program including program instructions, and the method implemented when the program instructions are executed can refer to various embodiments of the anomaly determination method of this application.
[0127] The computer-readable storage medium may be an internal storage unit of the computer device described in the foregoing embodiments, such as the hard disk or memory of the computer device. The computer-readable storage medium may also be an external storage device of the computer device, such as a plug-in hard disk, SmartMedia Card (SMC), Secure Digital (SD) card, or Flash Card equipped on the computer device.
[0128] It should be understood that the terminology used in this specification is for the purpose of describing particular embodiments only and is not intended to limit the scope of the application. As used in this specification and the appended claims, the singular forms “a,” “an,” and “the” are intended to include the plural forms unless the context clearly indicates otherwise.
[0129] It should also be understood that the term "and / or" as used in this specification and the appended claims refers to any combination and all possible combinations of one or more of the associated listed items, and includes such combinations. It should be noted that, herein, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or system. Without further limitation, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or system that includes that element.
[0130] The sequence numbers of the embodiments in this application are for descriptive purposes only and do not represent the superiority or inferiority of the embodiments. The above descriptions are merely specific implementations of this application, but the scope of protection of this application is not limited thereto. Any person skilled in the art can easily conceive of various equivalent modifications or substitutions within the technical scope disclosed in this application, and these modifications or substitutions should all be covered within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
Claims
1. An anomaly detection method, characterized in that, The method includes: Obtain the long-term reference value, short-term reference value and offline reference value corresponding to the preset indicator; Based on the preset target reference value determination rules, the target reference value of the indicator data is determined according to the long-term reference value, short-term reference value and offline reference value corresponding to the indicator. Based on the indicator data corresponding to the preset indicator and the target reference value, determine the abnormal relative value of the indicator data; Obtain the cumulative value of the relative value of the anomaly within a preset time window; If the cumulative value within the time window is greater than or equal to a preset threshold, the anomaly type is determined based on the preset classification model and the relative anomaly value within the preset time window. Output an anomaly alert based on the anomaly type; The method for determining target reference values based on preset rules, according to the long-term reference value, short-term reference value, and offline reference value corresponding to the indicator, determines the target reference value of the indicator data, including: The target reference value is obtained by weighting and summing the long-term reference value, the short-term reference value, and the offline reference value according to the first weight corresponding to the long-term reference value, the second weight corresponding to the short-term reference value, and the third weight corresponding to the offline reference value, wherein the second weight is greater than the first weight and the first weight is greater than the third weight.
2. The anomaly determination method according to claim 1, characterized in that, The acquisition of the long-term reference value, short-term reference value, and offline reference value corresponding to the preset indicator includes: The long-term reference value is determined based on the indicator data within a first preset time period; The short-term reference value is determined based on the indicator data within a second preset duration, wherein the first preset duration is longer than the second preset duration.
3. The anomaly determination method according to claim 1, characterized in that, The anomaly types include CPU load anomaly, CPU ramp-up anomaly, memory consumption anomaly, process termination anomaly, disk space consumption anomaly, network packet loss anomaly, repeated transmission of network resource packets anomaly, and network resource packet corruption anomaly.
4. The anomaly determination method according to claim 1, characterized in that, The step of determining the abnormal relative value of the indicator data based on the indicator data corresponding to the preset indicator and the target reference value includes: The abnormal relative value is determined based on the ratio of the target difference to the target reference value, wherein the target difference is the difference between the target reference value and the current indicator data.
5. The anomaly determination method according to any one of claims 1-4, characterized in that, The step of outputting an anomaly alarm based on the anomaly type includes: When the cumulative value within multiple time windows is greater than or equal to a preset threshold within a third preset time period, the abnormal alarms corresponding to the multiple time windows are merged into a single abnormal alarm.
6. The anomaly determination method according to any one of claims 1-4, characterized in that, The step of outputting an anomaly alarm based on the anomaly type includes: If two or more monitored objects have the same type of abnormal alarm within the fourth preset time period, the abnormal alarms of the same type will be merged into a high-priority abnormal alarm.
7. The anomaly determination method according to any one of claims 1-4, characterized in that, The method for determining target reference values based on preset rules, according to the long-term reference value, short-term reference value, and offline reference value corresponding to the indicator, determines the target reference value of the indicator data, including: Based on a preset reference value update cycle, the target reference value of the indicator data is determined according to the long-term reference value, short-term reference value and offline reference value corresponding to the indicator.
8. An anomaly detection device, characterized in that, The anomaly detection device includes: The data acquisition module is used to acquire long-term reference values, short-term reference values, and offline reference values corresponding to preset indicators; The reference value determination module is used to determine the target reference value of the indicator data based on the preset target reference value determination rules, according to the long-term reference value, short-term reference value and offline reference value corresponding to the indicator; The relative value determination module is used to determine the abnormal relative value of the indicator data based on the indicator data corresponding to the preset indicator and the target reference value; The cumulative value determination module is used to obtain the cumulative value of the relative value of the anomaly within a preset time window; An anomaly classification module is used to determine the anomaly type based on a preset classification model and the relative anomaly value within the preset time window if the cumulative value within the time window is greater than or equal to a preset threshold. The anomaly alarm module is used to output anomaly alarms according to the anomaly type; The method for determining target reference values based on preset rules, according to the long-term reference value, short-term reference value, and offline reference value corresponding to the indicator, determines the target reference value of the indicator data, including: The target reference value is obtained by weighting and summing the long-term reference value, the short-term reference value, and the offline reference value according to the first weight corresponding to the long-term reference value, the second weight corresponding to the short-term reference value, and the third weight corresponding to the offline reference value, wherein the second weight is greater than the first weight and the first weight is greater than the third weight.
9. A computer device, characterized in that, The computer device includes a processor, a memory, and a computer program stored in the memory and executable by the processor, wherein when the computer program is executed by the processor, it implements the steps of the exception determination method as described in any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program, wherein when the computer program is executed by a processor, it implements the steps of the anomaly determination method as described in any one of claims 1 to 7.