Alarm management method, device, apparatus and storage medium

Abstract

The disclosure provides an alarm management method, which can be applied to the technical field of information security. The alarm management method comprises the following steps: receiving access data and alarm information of a first time period, wherein the access data and the alarm information are for M alarm nodes, and M is a positive integer; establishing a directed graph based on the access data and the alarm information, wherein the directed graph is a directed graph of the M alarm nodes; selecting special nodes in the M alarm nodes of the directed graph, wherein the special nodes comprise K categories, and K is a positive integer; and disposing the special nodes according to a preset disposal logic, wherein the preset disposal logic comprises sub-logics corresponding to the K categories one by one. The disclosure further provides an alarm management device, equipment and storage medium.

Description

Technical Field

[0001] This disclosure relates to the field of information security technology, and specifically to an alarm management method, apparatus, device, and storage medium. Background Technology

[0002] Enterprises monitor and handle incidents related to the operation of equipment in production and disaster recovery environments by establishing centralized monitoring and alarm systems and event management platforms. The centralized monitoring and alarm system collects equipment alarm information using protocols such as Syslog and Trap, and then aggregates and presents it uniformly. Alarm information typically includes elements such as the time of occurrence, a brief description of the alarm, and its severity level. Fault-related alarms must be managed as production events, requiring monitoring personnel to create event tickets within a specified time and notify relevant maintenance personnel. Typically, monitoring personnel rely on experience to first verify which alarm information needs to be merged into event tickets on the monitoring and alarm system, and then log into the event management platform to create event tickets sequentially. For alarm information with a significant impact, such as those involving external services, business operations, or sensitive customer systems, monitoring personnel must immediately notify the business departments for coordinated emergency response. After all incidents have been processed, monitoring personnel must manually confirm the alarm clearance within a specified time and sequentially close the alarm information to archive it.

[0003] In actual production and operation monitoring, the large number and high repetition of various alarm messages may lead to alarm message accumulation, untimely processing, and other problems affecting operation and maintenance efficiency. Summary of the Invention

[0004] In view of the above problems, this disclosure provides alarm management methods, devices, equipment and storage media to improve the timeliness of operation and maintenance.

[0005] According to a first aspect of this disclosure, an alarm management method is provided, comprising: receiving access data and alarm information for a first time period, wherein the access data and alarm information are for M alarm nodes, where M is a positive integer; establishing a directed graph based on the access data and the alarm information, wherein the directed graph is a directed graph of the M alarm nodes; selecting special nodes from the M alarm nodes of the directed graph, wherein the special nodes include K types, where K is a positive integer; and processing the special nodes according to a preset processing logic, wherein the preset processing logic includes sub-logic corresponding one-to-one with the K types.

[0006] According to an embodiment of this disclosure, the step of establishing a directed graph based on the access data and the alarm information includes: establishing access relationships between the M alarm nodes based on the access data and the alarm information, wherein the alarm information includes an alarm order; and calculating the standard directedness of the M alarm nodes based on the alarm order using a depth-first traversal algorithm through the access relationships.

[0007] According to an embodiment of this disclosure, establishing the access relationship between the M alarm nodes based on the access data and the alarm information includes: determining the access relationship between the M alarm nodes according to the alarm order, wherein for any alarm node, outgoing edges and incoming edges are determined, wherein for the outgoing edge, if the adjacent alarm nodes of the current alarm node satisfy the outgoing edge rule, the direction from the current alarm node to the adjacent alarm node is determined as the outgoing edge, the outgoing edge rule includes: the adjacent alarm node has visited the current alarm node, or the adjacent alarm node is the front-end node of the current alarm node; for the incoming edge, if the adjacent alarm nodes of the current alarm node satisfy the incoming edge rule, the direction from the current alarm node to the adjacent alarm node is determined as the incoming edge, the incoming edge rule includes: the current alarm node has visited the adjacent alarm node, or the adjacent alarm node is the back-end node of the current alarm node.

[0008] According to an embodiment of this disclosure, the step of calculating the standard directional degree of the M alarm nodes based on the alarm order and using a depth-first traversal algorithm through the access relationship includes: for any alarm node, starting from the current alarm node, visiting the neighboring alarm nodes of the current alarm node until all neighboring alarm nodes of the alarm node have been visited; calculating the standard directional degree from the alarm node to all neighboring alarm nodes; and if all neighboring alarm nodes of the current alarm node have been visited, then the last visited neighboring alarm node is taken as the next alarm node.

[0009] According to an embodiment of this disclosure, the calculation of the standard directional degree from the alarm node to all adjacent alarm nodes includes: calculating the directed edge risk assignment of the alarm node; and calculating the standard directional degree of the alarm node based on the directed edge risk assignment.

[0010] According to an embodiment of this disclosure, the alarm node includes an alarm node risk assignment, and the calculation of the directed edge risk assignment of the alarm node includes: summing the alarm node risk assignment of the current alarm node and the alarm node risk assignment of the adjacent alarm nodes to obtain the directed edge risk assignment from the current alarm node to the adjacent alarm nodes.

[0011] According to an embodiment of this disclosure, the step of calculating the standard directional degree of an alarm node based on the directed edge risk assignment includes: calculating the standard directional degree based on all directed edge risk assignments of the current alarm node.

[0012] According to embodiments of this disclosure, the standard directional dimension includes outgoing edge standard directional dimension and incoming edge standard directional dimension. The step of selecting a special node from the M alarm nodes of the directed graph includes: selecting the alarm node with the largest outgoing edge standard directional dimension among the M alarm nodes as the critical fault node; and selecting the alarm node with the largest incoming edge standard directional dimension among the M alarm nodes as the most severely affected node.

[0013] According to an embodiment of this disclosure, the special node is handled according to a preset handling logic, the preset handling logic including sub-logic corresponding one-to-one with the K types, including: generating an emergency handling instruction for the most severely affected node, the emergency handling instruction being used to notify the relevant responsible persons to handle the most severely affected node; and establishing an event ticket related to the critical fault node for the critical fault node, the event ticket being used to continuously monitor the critical fault node related to the event ticket.

[0014] According to an embodiment of this disclosure, the method further includes: receiving alarm information in a second time period; determining whether the directed graph generated in the first time period is valid in the second time period; and using the directed graph generated in the first time period if it is valid, wherein the determination method includes: determining whether the alarm information and the device corresponding to the alarm information in the second time period are consistent with those in the first time period; and using the directed graph generated in the first time period if the alarm information and the device corresponding to the alarm information in the second time period are consistent with those in the first time period.

[0015] A second aspect of this disclosure provides an alarm management device, comprising: a receiving module for receiving access data and alarm information for a first time period, wherein the access data and alarm information are for M alarm nodes, where M is a positive integer; a directed graph building module for building a directed graph based on the access data and the alarm information, wherein the directed graph is a directed graph of the M alarm nodes; a special node selection module for selecting special nodes from the M alarm nodes of the directed graph, wherein the special nodes include K types, where K is a positive integer; and a processing module for processing the special nodes according to preset processing logic, wherein the preset processing logic includes sub-logic corresponding one-to-one with the K types.

[0016] According to an embodiment of this disclosure, the directed graph establishment module includes an access relationship establishment unit and a depth-first traversal unit. The access relationship establishment unit is used to establish access relationships between the M alarm nodes based on the access data and the alarm information, wherein the alarm information includes an alarm order. The depth-first traversal unit is used to calculate the standard degree of the M alarm nodes based on the alarm order and using a depth-first traversal algorithm through the access relationships.

[0017] According to an embodiment of this disclosure, the access relationship establishment unit includes an access relationship establishment subunit, which is used to determine the access relationship between the M alarm nodes according to the alarm order. For any alarm node, outgoing edges and incoming edges are determined. For the outgoing edge, if the adjacent alarm nodes of the current alarm node satisfy the outgoing edge rule, the direction from the current alarm node to the adjacent alarm node is determined as the outgoing edge. The outgoing edge rule includes: the adjacent alarm node has visited the current alarm node, or the adjacent alarm node is the front-end node of the current alarm node. For the incoming edge, if the adjacent alarm nodes of the current alarm node satisfy the incoming edge rule, the direction from the current alarm node to the adjacent alarm node is determined as the incoming edge. The incoming edge rule includes: the current alarm node has visited the adjacent alarm node, or the adjacent alarm node is the back-end node of the current alarm node.

[0018] According to embodiments of this disclosure, the depth traversal unit includes an access subunit and a standard degree calculation subunit. The access subunit is used to access the neighboring alarm nodes of any alarm node, starting from the current alarm node, until all neighboring alarm nodes of the alarm node have been accessed. The standard degree calculation subunit is used to calculate the standard directional degree from the alarm node to all neighboring alarm nodes. The access subunit is also used to select the last accessed neighboring alarm node as the next alarm node if all neighboring alarm nodes of the current alarm node have been accessed.

[0019] According to an embodiment of this disclosure, the standard degree calculation subunit is further configured to calculate the directed edge risk assignment of the alarm node; and to calculate the standard directional degree of the alarm node based on the directed edge risk assignment.

[0020] According to an embodiment of this disclosure, the alarm node includes an alarm node risk assignment, and the standard degree calculation subunit is further used to sum the alarm node risk assignment of the current alarm node and the alarm node risk assignment of the adjacent alarm nodes to obtain the directed edge risk assignment from the current alarm node to the adjacent alarm nodes.

[0021] According to an embodiment of this disclosure, the standard degree calculation subunit is further configured to calculate the standard directional degree based on the risk assignment of all directed edges of the current alarm node.

[0022] According to embodiments of this disclosure, the standard directional dimension includes outgoing edge standard directional dimension and incoming edge standard directional dimension, and the special node selection module includes a critical fault node selection unit and a most severely affected node selection unit. The critical fault node selection unit is used to select the alarm node with the largest outgoing edge standard directional dimension among M alarm nodes as the critical fault node; and the incoming edge standard directional dimension is used to select the alarm node with the largest incoming edge standard directional dimension among M alarm nodes as the most severely affected node.

[0023] According to an embodiment of this disclosure, the handling module includes a first handling unit and a second handling unit. The first handling unit is used to generate an emergency handling instruction for the most severely affected node, and the emergency handling instruction is used to notify the relevant responsible persons to handle the most severely affected node. The second handling unit is used to establish an event form related to the critical fault node for the critical fault node, and the event form is used to continuously monitor the critical fault node related to the event form.

[0024] According to embodiments of this disclosure, the device further includes: an alarm information judgment module and a directed graph reuse module. The receiving module is further configured to receive alarm information in a second time period. The alarm information judgment module is configured to determine whether the directed graph generated in the first time period is valid in the second time period. The directed graph reuse module is configured to use the directed graph generated in the first time period if it is valid. The judgment method includes: determining whether the alarm information and the device corresponding to the alarm information in the second time period are consistent with those in the first time period; and using the directed graph generated in the first time period if the alarm information and the device corresponding to the alarm information in the second time period are consistent with those in the first time period.

[0025] A third aspect of this disclosure provides an electronic device comprising: one or more processors; and a memory for storing one or more programs, wherein when the one or more programs are executed by the one or more processors, the one or more processors perform the alarm management method described above.

[0026] A fourth aspect of this disclosure also provides a computer-readable storage medium having executable instructions stored thereon, which, when executed by a processor, cause the processor to perform the alarm management method described above.

[0027] The fifth aspect of this disclosure also provides a computer program product, including a computer program that, when executed by a processor, implements the above-described alarm management method.

[0028] In the embodiments of this disclosure, to address the technical problem of complex alarm information and low processing efficiency, a directed graph is output by combining access data and alarm information to display the correlation between alarm devices, effectively sorting and filtering alarm nodes with high correlation; then, several special types of alarm nodes are selected and processed according to corresponding handling methods to achieve differentiated processing, effectively ensuring that important alarms can be handled in a timely manner and guaranteeing the overall operation and maintenance efficiency of the system. Attached Figure Description

[0029] The foregoing contents, as well as other objects, features, and advantages of this disclosure, will become clearer from the following description of embodiments with reference to the accompanying drawings, in which:

[0030] Figure 1 This diagram schematically illustrates an application scenario of the alarm management method according to an embodiment of the present disclosure.

[0031] Figure 2 A flowchart illustrating an alarm management method according to an embodiment of the present disclosure is shown schematically.

[0032] Figure 3 A flowchart illustrating a directed graph construction method according to an embodiment of the present disclosure is shown schematically.

[0033] Figure 4 A flowchart illustrating a depth-first traversal method according to an embodiment of the present disclosure is shown schematically.

[0034] Figure 5 A flowchart illustrating a standard directional computation method according to an embodiment of the present disclosure is shown schematically.

[0035] Figure 6 A flowchart illustrating a specific node selection method according to an embodiment of the present disclosure is shown schematically.

[0036] Figure 7 A flowchart illustrating a special node handling method according to an embodiment of the present disclosure is shown schematically;

[0037] Figure 8 A flowchart illustrating another alarm management method according to an embodiment of the present disclosure is shown schematically;

[0038] Figure 9 A schematic diagram of a directed graph according to an embodiment of the present disclosure is shown.

[0039] Figure 10 A schematic diagram of another directed graph according to an embodiment of the present disclosure is shown;

[0040] Figure 11 A schematic block diagram of an alarm management device according to an embodiment of the present disclosure is shown; and

[0041] Figure 12 A block diagram schematically illustrates an electronic device suitable for implementing an alarm management method according to an embodiment of the present disclosure. Detailed Implementation

[0042] The embodiments of the present disclosure will now be described with reference to the accompanying drawings. However, it should be understood that these descriptions are exemplary only and are not intended to limit the scope of the disclosure. In the following detailed description, numerous specific details are set forth to provide a thorough understanding of the embodiments of the present disclosure for ease of explanation. However, it will be apparent that one or more embodiments may be practiced without these specific details. Furthermore, descriptions of well-known structures and techniques are omitted in the following description to avoid unnecessarily obscuring the concepts of the present disclosure.

[0043] The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit this disclosure. The terms “comprising,” “including,” etc., as used herein indicate the presence of the stated features, steps, operations, and / or components, but do not exclude the presence or addition of one or more other features, steps, operations, or components.

[0044] All terms used herein (including technical and scientific terms) have the meanings commonly understood by those skilled in the art, unless otherwise defined. It should be noted that the terms used herein are to be interpreted in a manner consistent with the context of this specification, and not in an idealized or overly rigid way.

[0045] When using expressions such as "at least one of A, B, and C", they should generally be interpreted in accordance with the meaning that is commonly understood by a person skilled in the art (e.g., "a system having at least one of A, B, and C" should include, but is not limited to, a system having A alone, a system having B alone, a system having C alone, a system having A and B, a system having A and C, a system having B and C, and / or a system having A, B, and C, etc.).

[0046] Before detailing the embodiments of this disclosure, the key technical terms present in the embodiments of this disclosure will be explained one by one, as follows:

[0047] Centrality algorithms: These algorithms are used to understand the role of a specific node in a graph and its impact on the network. They can help us understand group dynamics, such as trustworthiness, accessibility, the speed of event propagation, and the "bridges" between groups.

[0048] Degree centrality algorithm: can be used as a benchmark for connectivity. It measures the number of out-degrees and in-degrees of a node; a high degree indicates the popularity of a node.

[0049] To address the technical problems existing in the prior art, embodiments of this disclosure provide an alarm management method, which includes receiving access data and alarm information for a first time period, wherein the access data and alarm information are for M alarm nodes, where M is a positive integer; establishing a directed graph based on the access data and the alarm information, wherein the directed graph is a directed graph of the M alarm nodes; selecting special nodes from the M alarm nodes in the directed graph, wherein the special nodes include K types, where K is a positive integer; and processing the special nodes according to preset processing logic, wherein the preset processing logic includes sub-logic corresponding one-to-one with the K types.

[0050] In the embodiments of this disclosure, to address the technical problem of complex alarm information and low processing efficiency, a directed graph is output by combining access data and alarm information to display the correlation between alarm devices, effectively sorting and filtering alarm nodes with high correlation; then, several special types of alarm nodes are selected and processed according to corresponding handling methods to achieve differentiated processing, effectively ensuring that important alarms can be handled in a timely manner and guaranteeing the overall operation and maintenance efficiency of the system.

[0051] Figure 1 The diagram illustrates an application scenario of the alarm management method according to an embodiment of the present disclosure.

[0052] like Figure 1 As shown, application scenario 100 according to this embodiment may include terminal devices 101, 102, and 103, network 104, and server 105. Network 104 is used as a medium to provide a communication link between terminal devices 101, 102, and 103 and server 105. Network 104 may include various connection types, such as wired or wireless communication links or fiber optic cables, etc.

[0053] Users can use terminal devices 101, 102, and 103 to interact with server 105 via network 104 to receive or send messages, etc. Various communication client applications can be installed on terminal devices 101, 102, and 103, such as shopping applications, web browser applications, search applications, instant messaging tools, email clients, social media platform software, etc. (for example only).

[0054] Terminal devices 101, 102, and 103 can be various electronic devices with displays and web browsing capabilities, including but not limited to smartphones, tablets, laptops, and desktop computers.

[0055] Server 105 can be a server that provides various services, such as a backend management server that supports websites browsed by users using terminal devices 101, 102, and 103 (for example only). The backend management server can analyze and process data such as received user requests, and feed back the processing results (such as web pages, information, or data obtained or generated according to user requests) to the terminal devices.

[0056] It should be noted that the alarm management method provided in this embodiment can generally be executed by server 105. Correspondingly, the alarm management device provided in this embodiment can generally be located in server 105. The alarm management method provided in this embodiment can also be executed by a server or server cluster that is different from server 105 and capable of communicating with terminal devices 101, 102, 103 and / or server 105. Correspondingly, the alarm management device provided in this embodiment can also be located in a server or server cluster that is different from server 105 and capable of communicating with terminal devices 101, 102, 103 and / or server 105.

[0057] It should be understood that Figure 1 The number of terminal devices, networks, and servers shown is merely illustrative. Depending on implementation needs, any number of terminal devices, networks, and servers can be included.

[0058] The following will be based on Figure 1 The described scene, through Figures 2 to 10 The alarm management method of the disclosed embodiments is described in detail.

[0059] Figure 2 A flowchart illustrating an alarm management method according to an embodiment of the present disclosure is shown schematically.

[0060] like Figure 2 As shown, the alarm management method of this embodiment includes operations S210 to S240, which can be executed by the server 105.

[0061] In operation S210, access data and alarm information for a first time period are received, wherein the access data and alarm information are for M alarm nodes, and M is a positive integer.

[0062] The access data includes network traffic logs and application node information in the configuration management system. One alarm node corresponds to one or more hardware devices.

[0063] It should be noted that the embodiments disclosed herein are applicable to various monitoring and alarm information, including common monitoring scenarios such as applications, databases, and security.

[0064] Specifically, during time period T, alarm information, network traffic logs, and application node information from the configuration management system (or configuration management data) are received. Preprocessing such as data cleaning and standardization is performed on the alarm information, network traffic logs, and application node information from the configuration management system to retain key fields for subsequent analysis. The network traffic logs and configuration management data are shown in Tables 1 and 2 below:

[0065]

[0066] Table 1

[0067]

[0068] Table 2

[0069] Among them, network traffic logs contain temporary access relationships between nodes, while configuration management data reflects fixed access relationships between application nodes.

[0070] In operation S220, a directed graph is established based on the access data and the alarm information. The directed graph is a directed graph with M alarm nodes.

[0071] Specifically, the networkx library in Python can be used to select the device nodes that generate alarm information during time period T and draw a directed graph.

[0072] In operation S230, a special node is selected from the M alarm nodes of the directed graph. The special node includes K types, where K is a positive integer.

[0073] In operation S240, the special node is processed according to the preset processing logic, which includes sub-logic corresponding one-to-one with the K types.

[0074] Specifically, special nodes with high urgency and criticality among these alarm nodes are selected. These special nodes are also divided into multiple categories, each reflecting different levels of urgency and criticality. Different processing logics are used to process the node devices corresponding to the alarm information for different categories.

[0075] It is understood that the embodiments of this disclosure are intended to use network traffic logs and application configuration management information to determine the correlation of monitoring alarm devices, so as to realize the automatic centralized processing of alarm information and help improve the timeliness and convenience of monitoring personnel in handling alarm information and production events.

[0076] In the embodiments of this disclosure, to address the technical problem of complex alarm information and low processing efficiency, a directed graph is output by combining access data and alarm information to display the correlation between alarm devices, effectively sorting and filtering alarm nodes with high correlation; then, several special types of alarm nodes are selected and processed according to corresponding handling methods to achieve differentiated processing, effectively ensuring that important alarms can be handled in a timely manner and guaranteeing the overall operation and maintenance efficiency of the system.

[0077] Next, the method for establishing a directed graph according to the embodiments of this disclosure will be disclosed in detail as follows:

[0078] Figure 3 A flowchart illustrating a directed graph construction method according to an embodiment of the present disclosure is shown schematically.

[0079] like Figure 3 As shown, the directed graph construction method of this embodiment includes operations S310 to S320, and operations S310 to S320 can at least partially execute the above-mentioned operation S220.

[0080] In operation S310, based on the access data and the alarm information, an access relationship is established between the M alarm nodes, wherein the alarm information includes the alarm sequence.

[0081] Specifically, the access relationship is the access relationship between different alarm nodes. Taking alarm node A among M alarm nodes as an example, the access relationship of alarm node A includes outgoing direction and incoming direction. The outgoing direction is from alarm node A to other alarm nodes, and the incoming direction is from other alarm nodes to alarm node A.

[0082] According to an embodiment of this disclosure, establishing the access relationship between the M alarm nodes based on the access data and the alarm information includes: determining the access relationship between the M alarm nodes according to the alarm order, wherein for any alarm node, outgoing edges and incoming edges are determined, wherein for the outgoing edge, if the adjacent alarm nodes of the current alarm node satisfy the outgoing edge rule, the direction from the current alarm node to the adjacent alarm node is determined as the outgoing edge, the outgoing edge rule includes: the adjacent alarm node has visited the current alarm node, or the adjacent alarm node is the front-end node of the current alarm node; for the incoming edge, if the adjacent alarm nodes of the current alarm node satisfy the incoming edge rule, the direction from the current alarm node to the adjacent alarm node is determined as the incoming edge, the incoming edge rule includes: the current alarm node has visited the adjacent alarm node, or the adjacent alarm node is the back-end node of the current alarm node.

[0083] For example, for outgoing branches: sorted by time, select the first device node that triggers a monitoring alarm as V1, and create a new vertex V if the following two conditions are met. i Mark the event summary and IP, and from vertex V1 to vertex V i Draw a directed line segment E 1i Condition 1: Query the network traffic logs; if V i During this period, V1 was accessed, or V was listed in the configuration information table. i It is the front-end node of V1, that is, V1 to V i Provide data. Condition 2: V i An alarm has been triggered.

[0084] For example, for an incoming branch: a new vertex V is created if the following two conditions are met. j Mark the event summary and IP, and from vertex V j Draw a directed line segment E to vertex V1. j1 Condition 1: Query the network traffic logs; if V1 accessed V during this period... j Or in the configuration information table V j It is the backend node of V1, i.e., V j Provide data to V1. Condition 2: V j An alarm has been triggered.

[0085] In operation S320, based on the alarm order, a depth-first traversal algorithm is used to calculate the standard directional degree of the M alarm nodes through the access relationship.

[0086] Specifically, the depth-first traversal algorithm follows a depth-first traversal. It selects an unvisited vertex as the starting vertex and marks it as visited. Then, it searches all other adjacent vertices of that vertex and determines whether these vertices have been visited. If they have not been visited, it selects a vertex to continue visiting and repeats the previous steps until all adjacent vertices of a given vertex have been visited. In this case, it backtracks to a vertex with unvisited adjacent vertices and continues the depth-first traversal until all nodes have been visited.

[0087] For example, using the depth-first traversal algorithm, select a vertex V that is adjacent to V1. x Perform the visit, and compute its standard directional degree simultaneously. Similarly, from V... x Repeat the above operation. If all adjacent vertices of the currently visited vertex have been visited, backtrack to the last vertex in the sequence of visited vertices that has an unvisited adjacent vertex. y From V v Start by traversing the graph using the method described above until all vertices in the graph have been visited, thus obtaining the standard directional degree of each vertex.

[0088] Iterate through each event alarm message within time period T, repeating operations S310 to S320 to draw all vertices and directed line segments, forming a directed graph of alarm nodes.

[0089] Of course, during the access process for vertices (or nodes), it is also necessary to calculate certain parameter values ​​of the vertex. These parameter values ​​can effectively measure whether the alarm node is a special node. The depth-first traversal method is as follows:

[0090] Figure 4 A flowchart illustrating a depth-first traversal method according to an embodiment of the present disclosure is shown schematically.

[0091] like Figure 4 As shown, the depth traversal method of this embodiment includes operations S410 to S430, and operations S410 to S430 can at least partially execute the above-mentioned operation S320.

[0092] In operation S410, for any alarm node, starting from the current alarm node, the adjacent alarm nodes of the current alarm node are visited until all adjacent alarm nodes of the alarm node have been visited.

[0093] The aforementioned starting point refers to the alarm node with the current alarm node as the reference, and the access to adjacent alarm nodes in the inbound direction and the access to adjacent alarm nodes in the outbound direction.

[0094] Specifically, the current alarm node refers to the alarm nodes that are accessed based on the current alarm node. This process includes access in the inbound direction as well as access in the outbound direction. For the alarm node that serves as the reference, all its neighboring nodes must be accessed before the access logic for the next alarm node that serves as the reference can be started.

[0095] In operation S420, the standard directional degree from the alarm node to all adjacent alarm nodes is calculated.

[0096] Specifically, standard directional is directional, measuring the importance of an alarm node in a directed graph in terms of outbound and inbound access relationships with other alarm nodes.

[0097] Figure 5 A flowchart illustrating a standard directional computation method according to an embodiment of the present disclosure is shown schematically.

[0098] like Figure 5 As shown, the standard directional calculation method of this embodiment includes operations S510 to S520, which can at least partially perform the above-mentioned operation S420.

[0099] In operation S510, the directed edge risk assignment of the alarm node is calculated.

[0100] According to an embodiment of this disclosure, the alarm node includes an alarm node risk assignment, and the calculation of the directed edge risk assignment of the alarm node includes: for any alarm node, summing the alarm node risk assignment of the current alarm node and the alarm node risk assignment of the adjacent alarm nodes to obtain the directed edge risk assignment from the current alarm node to the adjacent alarm nodes.

[0101] Specifically, the alarm level is proportional to the risk assignment (denoted as S). The risk value for a given alarm node is preset; what needs to be calculated is the directed edge wind direction assignment between the alarm node and its neighboring alarm nodes. For example, vertex V... i The risk assignment value is the risk value corresponding to the highest alarm level on that node, and it is marked as S at the vertex. i It is necessary to combine the risk assignment of different adjacent alarm nodes to realize the directed edge risk assignment calculation.

[0102] For example, regarding the risk assignment for calculating directed edges: starting from vertex V1, calculate the directed edge E 1i Risk assignment, calculation of incoming edge E j1 Risk assignment. Among them, outgoing edge E 1i The calculation method for the risk assignment is shown in Equation 1 below, with the incoming edge E j1 The risk assignment is shown in Equation 2 below:

[0103] S 1i =S1+S i Formula 1

[0104] S j1 =S1+S j Formula 2

[0105] In operation S520, the standard directional degree of the alarm node is calculated based on the risk assignment of the directed edge.

[0106] According to an embodiment of this disclosure, the step of calculating the standard directional degree of an alarm node based on the directed edge risk assignment includes: for any alarm node, calculating the standard directional degree based on the directed edge risk assignments of all current alarm nodes.

[0107] Specifically, based on the outgoing edge risk assignment and incoming edge risk assignment obtained above, the outgoing edge standard directional and incoming edge standard directional are calculated respectively. The standard directional of the edge in different directions is obtained by averaging the risk assignments of the corresponding directions.

[0108] For example, to calculate the standard directional degree of a vertex: starting from vertex V1, calculate the standard out-direction C of vertex V1. 1出Similarly, calculate the standard in-degree C of vertex V1. 1入 Among them, the standard outgoing direction C 1出 The calculation method is shown in Equation 3 below, where the standard angle C is... 1入 The calculation method is shown in Equation 4 below:

[0109] C 1出 =∑s 1i / N 1出 Formula 3

[0110] C 1入 =∑s j1 / N 1入 Formula 4

[0111] Among them, S li This indicates a path starting from vertex V1 and pointing to vertex V. i The risk value of a directed edge is N1, where N1 represents the number of outgoing branches from vertex V1.

[0112] In operation S430, if all neighboring alarm nodes of the current alarm node have been visited, the last neighboring alarm node visited will be taken as the next alarm node.

[0113] That is, in the next round of alarm node standard directional calculation, it starts from the last accessed node in this round.

[0114] Figure 6 A flowchart illustrating a specific node selection method according to an embodiment of the present disclosure is shown schematically.

[0115] like Figure 6 As shown, the special node selection method of this embodiment includes operations S610 to S620, which can at least partially perform the above-mentioned operation S230.

[0116] According to embodiments of this disclosure, the standard directional includes outgoing edge standard directional and incoming edge standard directional.

[0117] In operation S610, the alarm node with the largest outgoing edge standard directional degree among the M alarm nodes is selected as the critical fault node.

[0118] In operation S620, the alarm node with the largest standard directional degree of the incoming edge among the M alarm nodes is selected as the node most severely affected.

[0119] For example, the vertex with the largest standard directional degree and its label are shown in Table 3 below:

[0120] Table 3

[0121] Among them, the highest alarm level of the outgoing edge is 4, corresponding to a centrality of 6.5, so the corresponding alarm node is selected as the critical fault node. The highest alarm level of the incoming edge is 6, corresponding to a centrality of 6.3, so the corresponding alarm node is selected as the node most affected.

[0122] Figure 7 A flowchart illustrating a special node handling method according to an embodiment of the present disclosure is shown schematically.

[0123] like Figure 7 As shown, the special node handling method of this embodiment includes operations S710 to S720, which can at least partially perform the above-mentioned operation S240.

[0124] In operation S710, an emergency response instruction is generated for the most severely affected node. This instruction is used to notify relevant personnel to handle the most severely affected node. Specifically, based on the applications deployed on the most severely affected node, relevant business departments are notified to closely monitor the situation and cooperate in the emergency response.

[0125] In operation S720, for the critical fault node, an event ticket related to the critical fault node is established, and the event ticket is used to continuously monitor the critical fault node related to the event ticket.

[0126] Specifically, fault-solving monitoring is implemented for critical fault nodes. This step is executed after an event ticket is created. After each node's fault is resolved, its alarm information will no longer be displayed or added. After all monitoring alarms for a node in the directed graph stop during time period T, the corresponding vertex of that node in the directed graph is grayed out. After an event ticket is created, a depth-first search algorithm is used to iterate through all vertices in the graph, checking whether they can be grayed out. Once all vertices in the graph are grayed out, the associated event ticket can be confirmed as closed.

[0127] For example, the application and responsible person of the device are designated as the lead application and lead handler for the event, while the applications and responsible persons of other vertices in the graph coordinate the handling. All monitoring alarm information in the directed graph is associated with this event order, thereby achieving alarm information aggregation and sharing of event orders. The risk level of the event can be determined based on the highest alarm level of the key node. Based on the most severely affected node in the output (as shown in Table 3 above), relevant business departments are notified to closely monitor the business impact caused by the application on this node and prepare business emergency measures. If multiple events are found to be related during the troubleshooting process, multiple event orders can be linked to establish a master-slave relationship. The event order is closed in two ways based on the fault troubleshooting monitoring results: First, if the event ends within the emergency time, the event management platform is linked to automatically close the corresponding event order and automatically close and archive the corresponding monitoring alarm information; second, if monitoring alarms are still not automatically closed after the emergency handling time or close to the emergency handling time cutoff point, the monitoring personnel are prompted to pay attention to the event handling status. For event orders with a master-slave relationship, the master event order is closed only after all sub-event orders are closed.

[0128] Understandably, setting up event tickets improves the efficiency of monitoring and alarm management. In daily monitoring and alarm management, maintenance personnel log into the monitoring and alarm system to view each piece of information, manually determining whether an event ticket needs to be created and which monitoring alarms can be merged into one event ticket. After the event is processed, the corresponding monitoring and alarm message needs to be manually closed and archived. This system automates the aggregation of alarm messages, the creation and closure of event tickets, and the archiving of alarm information. Simultaneously, it can promptly remind monitoring personnel to pay attention to alarm messages and corresponding events that have not been processed in a timely manner, greatly improving the efficiency of monitoring and alarm processing.

[0129] Figure 8 A flowchart illustrating another alarm management method according to an embodiment of this disclosure is shown schematically.

[0130] like Figure 8 As shown, another alarm management method in this embodiment includes operations S810 to S830, which are performed after operation S240.

[0131] During operation of S810, alarm information for the second time period is received.

[0132] In operation S820, it is determined whether the directed graph generated in the first time period is valid in the second time period. The determination method includes: determining whether the alarm information and the device corresponding to the alarm information in the second time period are consistent with those in the first time period; and if the alarm information and the device corresponding to the alarm information in the second time period are consistent with those in the first time period, then the directed graph generated in the first time period is used.

[0133] In operation S830, if the directed graph generated in the first time period is valid, the directed graph generated in the first time period is used.

[0134] Specifically, the second time period follows the first time period. The second time period and the first time period can be continuous or discontinuous. If an alarm is received in a future time period, and the alarm information indicates that everything is consistent with the first time period, then the directed graph generated in the first time period is used to reduce computational costs.

[0135] For example, if the directed graph established during time period T is still in effect, meaning that the nodes corresponding to the vertices in the graph still have alarm information that has not been closed, the alarm information generated during time period T+N will be handled according to the following rules: if the device generating the alarm and the alarm information are exactly the same as those during time period T, then no new graph will be created, and the directed graph of time period T will be used; otherwise, a new graph will be created. The graph creation rules for the second time period are shown in Table 4 below:

[0136]

[0137]

[0138] Table 4

[0139] As shown in Table 4, the directed graph for time period T is used only when the device generating the alarm and the alarm information content are exactly the same as those in time period T. However, in cases where "the device generating the alarm is the same as the device in time period T, but its alarm information is different from that in time period T," "the device generating the alarm is different from the device in time period T, but it interacts with the device that triggered the alarm in time period T," and "the device generating the alarm has no interaction with any device in time period T," a new directed graph needs to be created.

[0140] Figure 9 A schematic diagram of a directed graph according to an embodiment of the present disclosure is shown.

[0141] like Figure 9 As shown, there are 6 alarm nodes in the first time period. The relationships between these alarm nodes are as follows: V1 points to V2, V2 points to V3 and V4 respectively, V5 points to V4 and V6 respectively, and V6 points to V4. Among them, the risk value of V1 is 2, the risk value of V2 is 4, the risk value of V3 is 1, the risk value of V4 is 3, the risk value of V5 is 4, and the risk value of V6 is 2.

[0142] Figure 10 A schematic diagram of another directed graph according to an embodiment of the present disclosure is shown.

[0143] like Figure 10 As shown, after the logical processing based on the above calculation of the in-direction standardization and the out-direction standardization, C is obtained.出max V5 vertices and C for 6.5 入max For node V4 (6.3), the vertex with the largest outward degree is the critical fault node, and the vertex with the largest inward degree is the most severely affected node. Therefore, V5 is the critical fault node, and V4 is the most severely affected node. Different processing logics are applied to these two types of nodes. Labeling V5 and V4 in the diagram helps monitoring and operations personnel to more intuitively understand the occurrence and handling of faults and the status of risk mitigation, improving the user experience.

[0144] Based on the above alarm management method, this disclosure also provides an alarm management device. The following will be combined with... Figure 11 The device is described in detail.

[0145] Figure 11 A schematic block diagram of an alarm management device according to an embodiment of the present disclosure is shown.

[0146] like Figure 11 As shown, the alarm management device 1100 of this embodiment includes a receiving module 1110, a directed graph establishment module 1120, a special node selection module 1130, and a processing module 1140.

[0147] The receiving module 1110 is used to receive access data and alarm information for a first time period, wherein the access data and alarm information are for M alarm nodes, where M is a positive integer. In one embodiment, the receiving module 1110 can be used to perform the operation S210 described above, which will not be repeated here.

[0148] The directed graph building module 1120 is used to build a directed graph based on the access data and the alarm information, wherein the directed graph is a directed graph with M alarm nodes. In one embodiment, the directed graph building module 1120 can be used to perform the operation S220 described above, which will not be repeated here.

[0149] The special node selection module 1130 is used to select special nodes from the M alarm nodes of the directed graph. The special nodes include K types, where K is a positive integer. In one embodiment, the special node selection module 1130 can be used to perform the operation S230 described above, which will not be repeated here.

[0150] The processing module 1140 is used to process the special node according to preset processing logic, which includes sub-logic corresponding one-to-one with the K types. In one embodiment, the processing module 1140 can be used to execute the operation S240 described above, which will not be repeated here.

[0151] In the embodiments of this disclosure, to address the technical problem of complex alarm information and low processing efficiency, a directed graph is output by combining access data and alarm information to display the correlation between alarm devices, effectively sorting and filtering alarm nodes with high correlation; then, several special types of alarm nodes are selected and processed according to corresponding handling methods to achieve differentiated processing, effectively ensuring that important alarms can be handled in a timely manner and guaranteeing the overall operation and maintenance efficiency of the system.

[0152] According to an embodiment of this disclosure, the directed graph establishment module includes an access relationship establishment unit and a depth-first traversal unit. The access relationship establishment unit is used to establish access relationships between the M alarm nodes based on the access data and the alarm information, wherein the alarm information includes an alarm order. The depth-first traversal unit is used to calculate the standard degree of the M alarm nodes based on the alarm order and using a depth-first traversal algorithm through the access relationships.

[0153] According to an embodiment of this disclosure, the access relationship establishment unit includes an access relationship establishment subunit, which is used to determine the access relationship between the M alarm nodes according to the alarm order. For any alarm node, outgoing edges and incoming edges are determined. For the outgoing edge, if the adjacent alarm nodes of the current alarm node satisfy the outgoing edge rule, the direction from the current alarm node to the adjacent alarm node is determined as the outgoing edge. The outgoing edge rule includes: the adjacent alarm node has visited the current alarm node, or the adjacent alarm node is the front-end node of the current alarm node. For the incoming edge, if the adjacent alarm nodes of the current alarm node satisfy the incoming edge rule, the direction from the current alarm node to the adjacent alarm node is determined as the incoming edge. The incoming edge rule includes: the current alarm node has visited the adjacent alarm node, or the adjacent alarm node is the back-end node of the current alarm node.

[0154] According to embodiments of this disclosure, the depth traversal unit includes an access subunit and a standard degree calculation subunit. The access subunit is used to access the neighboring alarm nodes of any alarm node, starting from the current alarm node, until all neighboring alarm nodes of the alarm node have been accessed. The standard degree calculation subunit is used to calculate the standard directional degree from the alarm node to all neighboring alarm nodes. The access subunit is also used to select the last accessed neighboring alarm node as the next alarm node if all neighboring alarm nodes of the current alarm node have been accessed.

[0155] According to an embodiment of this disclosure, the standard degree calculation subunit is further configured to calculate the directed edge risk assignment of the alarm node; and to calculate the standard directional degree of the alarm node based on the directed edge risk assignment.

[0156] According to an embodiment of this disclosure, the alarm node includes an alarm node risk assignment, and the standard degree calculation subunit is further used to sum the alarm node risk assignment of the current alarm node and the alarm node risk assignment of the adjacent alarm nodes to obtain the directed edge risk assignment from the current alarm node to the adjacent alarm nodes.

[0157] According to an embodiment of this disclosure, the standard degree calculation subunit is further configured to calculate the standard directional degree based on the risk assignment of all directed edges of the current alarm node.

[0158] According to embodiments of this disclosure, the standard directional dimension includes outgoing edge standard directional dimension and incoming edge standard directional dimension, and the special node selection module includes a critical fault node selection unit and a most severely affected node selection unit. The critical fault node selection unit is used to select the alarm node with the largest outgoing edge standard directional dimension among M alarm nodes as the critical fault node; and the incoming edge standard directional dimension is used to select the alarm node with the largest incoming edge standard directional dimension among M alarm nodes as the most severely affected node.

[0159] According to an embodiment of this disclosure, the handling module includes a first handling unit and a second handling unit. The first handling unit is used to generate an emergency handling instruction for the most severely affected node, and the emergency handling instruction is used to notify the relevant responsible persons to handle the most severely affected node. The second handling unit is used to establish an event form related to the critical fault node for the critical fault node, and the event form is used to continuously monitor the critical fault node related to the event form.

[0160] According to embodiments of this disclosure, the device further includes: an alarm information judgment module and a directed graph reuse module. The receiving module is further configured to receive alarm information in a second time period. The alarm information judgment module is configured to determine whether the directed graph generated in the first time period is valid in the second time period. The directed graph reuse module is configured to use the directed graph generated in the first time period if it is valid. The judgment method includes: determining whether the alarm information and the device corresponding to the alarm information in the second time period are consistent with those in the first time period; and using the directed graph generated in the first time period if the alarm information and the device corresponding to the alarm information in the second time period are consistent with those in the first time period.

[0161] According to embodiments of this disclosure, any plurality of modules among the receiving module 1110, the directed graph establishment module 1120, the special node selection module 1130, and the processing module 1140 may be combined into one module, or any one of these modules may be split into multiple modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of other modules and implemented in one module. According to embodiments of this disclosure, at least one of the receiving module 1110, the directed graph establishment module 1120, the special node selection module 1130, and the processing module 1140 may be at least partially implemented as hardware circuitry, such as a field-programmable gate array (FPGA), a programmable logic array (PLA), a system-on-a-chip, a system-on-a-substrate, a system-on-package, an application-specific integrated circuit (ASIC), or any other reasonable means of integrating or packaging the circuitry, or implemented in software, hardware, or firmware, or in any one of the three implementation methods or a suitable combination of any of them. Alternatively, at least one of the receiving module 1110, the directed graph building module 1120, the special node selection module 1130, and the processing module 1140 may be implemented at least partially as a computer program module, which can perform corresponding functions when the computer program module is run.

[0162] Figure 12 A block diagram schematically illustrates an electronic device suitable for implementing an alarm management method according to an embodiment of the present disclosure.

[0163] like Figure 12 As shown, an electronic device 1200 according to an embodiment of the present disclosure includes a processor 1201, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 1202 or a program loaded from a storage portion 1208 into a random access memory (RAM) 1203. The processor 1201 may include, for example, a general-purpose microprocessor (e.g., a CPU), an instruction set processor and / or an associated chipset and / or a special-purpose microprocessor (e.g., an application-specific integrated circuit (ASIC)), etc. The processor 1201 may also include onboard memory for caching purposes. The processor 1201 may include a single processing unit or multiple processing units for performing different actions of the method flow according to an embodiment of the present disclosure.

[0164] RAM 1203 stores various programs and data required for the operation of electronic device 1200. Processor 1201, ROM 1202, and RAM 1203 are interconnected via bus 1204. Processor 1201 performs various operations of the method flow according to embodiments of the present disclosure by executing programs in ROM 1202 and / or RAM 1203. It should be noted that the programs may also be stored in one or more memories other than ROM 1202 and RAM 1203. Processor 1201 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in said one or more memories.

[0165] According to embodiments of this disclosure, the electronic device 1200 may further include an input / output (I / O) interface 1205, which is also connected to the bus 1204. The electronic device 1200 may also include one or more of the following components connected to the I / O interface 1205: an input section 1206 including a keyboard, mouse, etc.; an output section 1207 including a cathode ray tube (CRT), liquid crystal display (LCD), etc., and a speaker, etc.; a storage section 1208 including a hard disk, etc.; and a communication section 1209 including a network interface card such as a LAN card, modem, etc. The communication section 1209 performs communication processing via a network such as the Internet. A drive 1210 is also connected to the I / O interface 1205 as needed. A removable medium 1211, such as a disk, optical disk, magneto-optical disk, semiconductor memory, etc., is installed on the drive 1210 as needed so that computer programs read from it can be installed into the storage section 1208 as needed.

[0166] This disclosure also provides a computer-readable storage medium, which may be included in the device / apparatus / system described in the above embodiments; or it may exist independently and not assembled into the device / apparatus / system. The computer-readable storage medium carries one or more programs that, when executed, implement the method according to the embodiments of this disclosure.

[0167] According to embodiments of this disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, such as including, but not limited to: portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In this disclosure, the computer-readable storage medium may be any tangible medium that contains or stores a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. For example, according to embodiments of this disclosure, the computer-readable storage medium may include ROM 1202 and / or RAM 1203 and / or one or more memories other than ROM 1202 and RAM 1203 described above.

[0168] Embodiments of this disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowchart. When the computer program product is run on a computer system, the program code is used to cause the computer system to implement the item recommendation method provided in the embodiments of this disclosure.

[0169] When the computer program is executed by the processor 1201, it performs the functions defined in the system / apparatus of this disclosure embodiments. According to embodiments of this disclosure, the systems, apparatuses, modules, units, etc., described above can be implemented by computer program modules.

[0170] In one embodiment, the computer program may rely on a tangible storage medium such as an optical storage device or a magnetic storage device. In another embodiment, the computer program may also be transmitted and distributed in the form of signals over a network medium, and may be downloaded and installed via the communication section 1209, and / or installed from the removable medium 1211. The program code contained in the computer program can be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination thereof.

[0171] In such an embodiment, the computer program can be downloaded and installed from a network via the communication section 1209, and / or installed from the removable medium 1211. When the computer program is executed by the processor 1201, it performs the functions defined in the system of this disclosure embodiment. According to embodiments of this disclosure, the systems, devices, apparatuses, modules, units, etc., described above can be implemented by computer program modules.

[0172] According to embodiments of this disclosure, program code for executing the computer programs provided in embodiments of this disclosure can be written in any combination of one or more programming languages. Specifically, these computational programs can be implemented using high-level procedural and / or object-oriented programming languages, and / or assembly / machine languages. Programming languages ​​include, but are not limited to, languages ​​such as Java, C++, Python, "C", or similar programming languages. The program code can execute entirely on the user's computing device, partially on the user's device, partially on a remote computing device, or entirely on a remote computing device or server. In cases involving remote computing devices, the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).

[0173] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this disclosure. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in a block diagram or flowchart, and combinations of blocks in a block diagram or flowchart, may be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.

[0174] Those skilled in the art will understand that the features described in the various embodiments and / or claims of this disclosure can be combined or combined in various ways, even if such combinations or combinations are not explicitly described in this disclosure. In particular, the features described in the various embodiments and / or claims of this disclosure can be combined or combined in various ways without departing from the spirit and teachings of this disclosure. All such combinations and / or combinations fall within the scope of this disclosure.

[0175] The embodiments of this disclosure have been described above. However, these embodiments are for illustrative purposes only and are not intended to limit the scope of this disclosure. Although various embodiments have been described above, this does not mean that the measures in the various embodiments cannot be used advantageously in combination. The scope of this disclosure is defined by the appended claims and their equivalents. Various substitutions and modifications can be made by those skilled in the art without departing from the scope of this disclosure, and all such substitutions and modifications should fall within the scope of this disclosure.

Claims

1. An alarm management method, comprising: Receive access data and alarm information for the first time period, wherein the access data and alarm information are for M alarm nodes, where M is a positive integer; A directed graph is established based on the access data and the alarm information. The directed graph is a directed graph with M alarm nodes. Select special nodes from the M alarm nodes in the directed graph, where the special nodes include K types, and K is a positive integer; and The special node is processed according to a preset processing logic, which includes sub-logic corresponding one-to-one with the K types. Among them, the special nodes include critical failure nodes and the most severely affected nodes; The sub-logic includes: real-time fault troubleshooting monitoring of the critical fault nodes and generating emergency response instructions for the most severely affected nodes.

2. The method according to claim 1, wherein, The process of establishing a directed graph based on the access data and the alarm information includes: Based on the access data and the alarm information, an access relationship is established between the M alarm nodes, wherein the alarm information includes the alarm sequence; and Based on the alarm order, a depth-first traversal algorithm is used to calculate the standard directional degree of the M alarm nodes through the access relationship.

3. The method according to claim 2, wherein, The step of establishing the access relationship between the M alarm nodes based on the access data and the alarm information includes: Determine the access relationships between the M alarm nodes according to the alarm sequence. in, For any alarm node, determine the outgoing and incoming edges. in, For the outgoing edge, if the adjacent alarm nodes of the current alarm node satisfy the outgoing edge rules, then the direction from the current alarm node to the adjacent alarm node is determined as the outgoing edge. The outgoing edge rules include: the adjacent alarm node has visited the current alarm node, or the adjacent alarm node is the front-end node of the current alarm node. For the incoming edge, if the adjacent alarm nodes of the current alarm node satisfy the incoming edge rules, then the direction from the current alarm node to the adjacent alarm node is determined as the incoming edge. The incoming edge rules include: the current alarm node has visited the adjacent alarm node, or the adjacent alarm node is the backend node of the current alarm node.

4. The method according to claim 2 or 3, wherein, Based on the alarm order, a depth-first traversal algorithm is used to calculate the standard directional degree of the M alarm nodes through the access relationships, including: For any given alarm node, starting from the current alarm node, visit the neighboring alarm nodes of the current alarm node. Until all adjacent alarm nodes of the alarm node have been visited; Calculate the standard directional degree from the alarm node to all adjacent alarm nodes; and If all neighboring alarm nodes of the current alarm node have been visited, the last neighboring alarm node visited will be designated as the next alarm node.

5. The method according to claim 4, wherein, The calculation of the standard directional degree from the alarm node to all neighboring alarm nodes includes: Calculate the directed edge risk assignment for alarm nodes; and Based on the risk assignment of the directed edges, the standard directional degree of the alarm node is calculated.

6. The method according to claim 4, wherein, The alarm node includes an alarm node risk assignment. The calculation of directed edge risk assignment for alarm nodes includes: The risk assignment of the directed edge from the current alarm node to the adjacent alarm node is obtained by summing the alarm node risk assignment of the current alarm node and the alarm node risk assignment of the adjacent alarm nodes.

7. The method according to claim 5, wherein, The calculation of the standard directional degree of the alarm node based on the directed edge risk assignment includes: Based on the risk assignment of all directed edges of the current alarm node, the standard directional degree is calculated.

8. The method according to any one of claims 5-7, wherein, The standard directional features include outgoing edge standard directional features and incoming edge standard directional features. The selection of a special node from the M alarm nodes of the directed graph includes: Select the alarm node with the largest outgoing edge standard directional degree among the M alarm nodes as the critical fault node; and Select the alarm node with the largest directional degree of the incoming edge among the M alarm nodes as the node most severely affected.

9. The method according to claim 8, wherein, The special node is processed according to a preset processing logic, which includes sub-logic corresponding one-to-one with the K types, including: For the most severely affected node, an emergency response instruction is generated, which is used to notify the relevant responsible persons to handle the most severely affected node; For the critical fault nodes, an event ticket related to the critical fault nodes is established, and the event ticket is used to continuously monitor the critical fault nodes related to the event ticket.

10. The method according to claim 1, wherein, The method further includes: Receive alarm information for the second time period; Determine whether the directed graph generated in the first time period is valid in the second time period; and If the directed graph generated in the first time period is valid, then the directed graph generated in the first time period shall be used. The judgment methods include: Determine whether the alarm information and the corresponding device in the second time period are consistent with those in the first time period; and If the alarm information and the corresponding device in the second time period are the same as those in the first time period, then the directed graph generated in the first time period is used.

11. An alarm management device, comprising: The receiving module is used to receive access data and alarm information for a first time period, wherein the access data and alarm information are for M alarm nodes, and M is a positive integer; A directed graph building module is used to build a directed graph based on the access data and the alarm information, wherein the directed graph is a directed graph with M alarm nodes; A special node selection module is used to select special nodes from the M alarm nodes in the directed graph, wherein the special nodes include K types, where K is a positive integer; and The processing module is used to process the special node according to the preset processing logic, which includes sub-logic corresponding one-to-one with the K types; Among them, the special nodes include critical failure nodes and the most severely affected nodes; The sub-logic includes: real-time fault troubleshooting monitoring of the critical fault nodes and generating emergency response instructions for the most severely affected nodes.

12. An electronic device, comprising: One or more processors; Storage device for storing one or more programs. When the one or more programs are executed by the one or more processors, the one or more processors perform the method according to any one of claims 1 to 10.

13. A computer-readable storage medium having executable instructions stored thereon, which, when executed by a processor, cause the processor to perform the method according to any one of claims 1 to 10.

Images