An open source code platform cross-system intelligent exception positioning method and system

By uniformly collecting and aligning multi-source heterogeneous observation data from a massive open-source code storage platform, constructing time-series features and knowledge graph representations, and utilizing a hybrid learning anomaly detection model for cross-system causal association reasoning, the shortcomings of existing technologies in anomaly detection and localization are addressed, achieving efficient root cause localization and interpretable remediation suggestions.

CN122173383APending Publication Date: 2026-06-09INST OF SOFTWARE - CHINESE ACAD OF SCI

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
INST OF SOFTWARE - CHINESE ACAD OF SCI
Filing Date
2026-03-04
Publication Date
2026-06-09

Smart Images

  • Figure CN122173383A_ABST
    Figure CN122173383A_ABST
Patent Text Reader

Abstract

The application discloses an open source code platform cross-system intelligent abnormality positioning method and system. The method is as follows: acquiring index time series data, event sequence, configuration and topology metadata and component interaction link records in the open source code platform; calculating dynamic load characteristics, system state characteristics and event statistical characteristics according to the index time series data, the event sequence, the configuration and the topology metadata, generating a time series feature tensor; and extracting a knowledge graph incremental triple set from the event and the topology; training an abnormality detection model by using the time series feature tensor; inputting the performance health score, the abnormal event set and the key feature contribution degree obtained by using the time series feature tensor of the to-be-processed multi-source data into the trained abnormality detection model to construct a cross-system causal correlation graph; and obtaining a root cause candidate set based on the cross-system causal correlation graph. The application can generate an interpretable positioning explanation and repair suggestion.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of computer software and distributed system operation and maintenance technology, specifically involving a cross-system intelligent anomaly localization method and system for massive open-source code storage platforms, which can identify, correlate and analyze performance anomalies among diverse heterogeneous storage and data service components and achieve root cause localization. Background Technology

[0002] Massive open-source code storage platforms typically consist of components such as object storage, document / metadata databases, graph databases, search indexes, caches, and message queues. They support business functions such as code repository management, dependency resolution, code retrieval, access control, and continuous integration. In cloud-native environments, these platforms exhibit characteristics such as multi-tenancy, mixed load balancing, elastic scaling, and frequent version iterations.

[0003] In actual operation, different storage systems (such as object storage, document databases, graph databases, etc.) have different consistency protocols, data layouts, concurrency control, and resource bottlenecks. The call chain on the platform side spans multiple systems and network paths, and abnormal behavior often has characteristics such as "cross-system propagation", "separation of symptoms and root causes", and "coupling of multiple indicators".

[0004] Existing technologies for anomaly detection and localization typically suffer from the following shortcomings: 1) They rely on static thresholds or single indicators, making it difficult to adapt to dynamic load and data distribution changes; 2) They only analyze logs or indicators for a single system, lacking cross-system global correlation capabilities; 3) They lack unified modeling of operational knowledge such as topology, configuration, and data layout, making it difficult to form interpretable root cause localization and actionable remediation suggestions. These problems lead to increased false alarms and false negatives, time-consuming fault localization, and impact on platform stability and service quality. Summary of the Invention

[0005] To address the problems existing in the prior art, the purpose of this invention is to provide a cross-system intelligent anomaly localization method and system for open-source code platforms.

[0006] This invention unifies the collection and alignment of multi-source heterogeneous observation data, constructs temporal features and knowledge graph representations, uses a hybrid learning anomaly detection model to output performance health scores and abnormal events, and obtains root cause candidates and propagation paths based on cross-system causal association reasoning. It can also optionally combine knowledge graphs and large-scale language models to generate interpretable localization descriptions and repair suggestions.

[0007] The technical solution of this invention is as follows: A method for cross-system intelligent anomaly localization on an open-source code platform, comprising the following steps: Acquire time-series data of metrics, event sequences, configuration and topology metadata, and records of interaction links between components from the open-source code platform; Based on time-series data of indicators, event sequences, configuration and topology metadata, calculate dynamic load characteristics, system state characteristics and event statistical characteristics, generate time-series feature tensors; and extract a set of incremental triples of knowledge graph from events and topology. Train an anomaly detection model using temporal feature tensors; Generate a temporal feature tensor of the multi-source data to be processed and input it into the trained anomaly detection model to obtain a performance health score, anomaly event set, and key feature contribution. Based on performance health scores, abnormal event sets, and key feature contributions, quantifiable abnormal evidence is generated within each component; a cross-system causal relationship graph is constructed by combining interaction link records, configuration, and topology metadata; the level-specific abnormal evidence is mapped and assigned as an abnormal weight attribute to the corresponding node of the cross-system causal relationship graph; a root cause candidate set is obtained based on the knowledge graph incremental triple set and the cross-system causal relationship graph, thereby achieving cross-system intelligent anomaly localization.

[0008] Preferably, the multi-source data in the open-source code platform is preprocessed to obtain unified and aligned time-series data of indicators, event sequences, configuration and topology metadata, and records of interaction links between components; wherein, the multi-source data in the open-source code platform includes monitoring indicator data, structured / semi-structured logs, call link / synchronization logs, and configuration and topology metadata of each component in the open-source code platform; the component is an independent service or storage system instance in the open-source code platform; the object is a locatable management unit within the component, including but not limited to nodes, container instances, buckets, collections / shards, graph partitions, and index shards.

[0009] Preferably, the nodes of the cross-system association graph are objects / components, and the edges represent relationships such as invocation, data synchronization, dependency, and shared resources.

[0010] Preferably, the temporal feature tensors are labeled to obtain labeled samples, and the anomaly detection model is trained in a supervised manner using the labeled samples; unsupervised reconstruction or self-supervised learning is performed on the anomaly detection model using unlabeled temporal feature tensors.

[0011] Preferably, causal reasoning or shortest explanation path search is performed on the cross-system causal relationship graph to obtain a root cause candidate set and output the anomaly propagation path topology.

[0012] Preferably, based on the root cause candidate set and the anomaly propagation path topology retrieval knowledge graph incremental triple set, the component knowledge, configuration item meaning, historical faults and repair actions related to the root cause are obtained; under security constraints, a large language model is called to generate interpretable text, and the suggestions are structured into executable items.

[0013] Preferably, the anomaly detection model employs a time-series deep learning structure.

[0014] An open-source code platform cross-system intelligent anomaly localization system is characterized by comprising a data acquisition and preprocessing module, a feature extraction module, an anomaly detection module, and a correlation and localization module. The acquisition and preprocessing module is used to acquire time-series data of indicators, event sequences, configuration and topology metadata, and inter-component interaction link records from the open-source code platform. The feature extraction module is used to calculate dynamic load features, system state features, and event statistical features based on indicator time-series data, event sequences, configuration and topology metadata, and generate a time-series feature tensor; and to extract a set of knowledge graph incremental triples from events and topology. The anomaly detection module is used to train an anomaly detection model using a time-series feature tensor; and to input the time-series feature tensor of the multi-source data to be processed into the trained anomaly detection model to obtain a performance health score, anomaly event set, and key feature contribution. The association and localization module is used to generate quantifiable anomaly evidence within each component based on performance health scores, anomaly event sets, and key feature contributions; construct a cross-system causal relationship graph by combining interaction link records, configuration, and topology metadata; map the anomaly evidence as anomaly weight attributes to the corresponding nodes of the cross-system causal relationship graph; and obtain a root cause candidate set based on the knowledge graph incremental triple set and the cross-system causal relationship graph to achieve cross-system intelligent anomaly localization.

[0015] A computing device, characterized in that it includes a processor and a memory storing a computer program, wherein the computer program, when run by the processor, executes the method described above.

[0016] A computer-readable storage medium, characterized in that it stores instructions that, when executed on a computer, cause the computer to perform the above-described method.

[0017] The advantages of this invention are as follows: 1) Improve the robustness of anomaly detection and reduce false alarms by aligning multi-source data and fusing features; 2) By establishing cross-system causal relationships, the system can automatically locate the root cause from the symptoms, thus shortening the fault recovery time. 3) Enhance the interpretability of localization results and generate actionable remediation suggestions through knowledge graphs and optional large models. Attached Figure Description

[0018] Figure 1 This is a flowchart of the method of the present invention.

[0019] Figure 2 This is a flowchart of one embodiment.

[0020] Figure 3 This is a system diagram of the present invention. Detailed Implementation

[0021] The present invention will now be described in further detail with reference to the accompanying drawings. The examples given are only for explaining the present invention and are not intended to limit the scope of the present invention.

[0022] For ease of description, in this article, "component" refers to an independent service or storage system instance in the platform; "object" refers to a locatable management unit within a component, including but not limited to nodes, container instances, buckets, collections / shards, graph partitions, index shards, etc.; "time window W" refers to a fixed or adaptive time period for aligning and statistically analyzing observed data.

[0023] Metric data may include CPU utilization, memory utilization, disk I / O latency, disk throughput, network bandwidth utilization, network packet loss rate, request QPS, P99 latency, error rate, queue backlog length, etc.; the event sequence consists of events such as log parsing, alarms, retries, timeouts, master-slave switching, rebalancing, scaling up and down, data migration, etc.

[0024] like Figure 1 As shown, the cross-system intelligent anomaly localization method for open-source code platforms of the present invention includes at least the following steps: Acquire time-series data of metrics, event sequences, configuration and topology metadata, and records of interaction links between components from the open-source code platform; Based on time-series data of indicators, event sequences, configuration and topology metadata, calculate dynamic load characteristics, system state characteristics and event statistical characteristics, generate time-series feature tensors; and extract a set of incremental triples of knowledge graph from events and topology. Train an anomaly detection model using temporal feature tensors; Generate a temporal feature tensor of the multi-source data to be processed and input it into the trained anomaly detection model to obtain a performance health score, anomaly event set, and key feature contribution. Based on performance health scores, abnormal event sets, and key feature contributions, quantifiable abnormal evidence is generated within each component; a cross-system causal relationship graph is constructed by combining interaction link records, configuration, and topology metadata; the level-specific abnormal evidence is mapped and assigned as an abnormal weight attribute to the corresponding node of the cross-system causal relationship graph; a root cause candidate set is obtained based on the knowledge graph incremental triple set and the cross-system causal relationship graph, thereby achieving cross-system intelligent anomaly localization.

[0025] An optional embodiment of the present invention provides a cross-system intelligent anomaly localization method for open-source code platforms, the steps of which include: S1 Multivariate Heterogeneous Data Acquisition and Preprocessing: Inputs include monitoring metrics data from various platform components, structured / semi-structured logs, call chain / synchronization logs, and configuration and topology metadata (C). Configuration information in the configuration and topology metadata (C) mainly includes: version, number of replicas, erasure coding parameters, etc. (usually referring to the settings of system or component operating parameters). Topology information mainly includes: node roles, shard distribution, etc. (usually referring to the connection and distribution relationships of the system's physical or logical architecture).

[0026] Processing: Timestamp unification, windowing alignment, missing value handling, noise reduction and normalization of multi-source data; log parsing and event extraction; standardized modeling of configuration and topology.

[0027] Output: Unified aligned time-series data of metrics M(t), event sequence E(t), configuration and topology metadata C, and inter-component interaction link records L.

[0028] S2 Feature Extraction and Feature Sequence Construction: Input: M(t), E(t), C, output from step S1.

[0029] Processing: Calculate dynamic load features F_load(W), system state features F_state(W), and event statistics features F_event(W) within a time window W; map and align features of objects of different granularities (nodes, instances, buckets, shards, etc.) according to topological relationships; construct a temporal feature tensor that can be used for training and inference.

[0030] Output: A temporal feature tensor X (a sequence of feature vectors arranged in window order), a labeled sample set Y (optional, for supervised learning), an unlabeled sample set U (optional, for unsupervised / semi-supervised learning), and a set of knowledge graph update triples G extracted from events and topology. The labeled sample set Y is formed by labeling a portion of the data in the temporal feature tensor X using the label set, and the unlabeled data in the temporal feature tensor X forms the unlabeled sample set U.

[0031] S3 Access Performance Anomaly Detection Model Construction and Inference: Input: X, Y (if they exist) and U (if they exist) output from step S2.

[0032] Processing: Construct a hybrid learning anomaly detection model: Perform supervised training on labeled samples to identify abnormal / normal or anomaly types; perform unsupervised reconstruction or self-supervised learning on unlabeled samples to improve the ability to identify unknown anomalies; output a health score and locate the abnormal time period and key feature contributions during the inference phase.

[0033] Outputs: Performance Health Score (PHS), A set of abnormal events (A) (including abnormal time windows, involved components and metrics, etc.), and Key Feature Contribution (K) (used to indicate the main metrics / events driving the abnormality).

[0034] S4 Cross-System Anomaly Correlation and Root Cause Localization: Inputs: A and K output from step S3, and the interactive link record L, configuration and topology metadata C output from step S1.

[0035] Processing: Quantifiable anomalous evidence is generated within each component based on A and K; a cross-system causal relationship graph is constructed by combining L and C; root causes are ranked through causal reasoning or graph search, and anomalous propagation paths are characterized.

[0036] Output: Root cause candidate set R and its confidence, anomaly propagation path topology P (used to explain the propagation chain of the anomaly from its source to symptoms).

[0037] S5 Knowledge Graph and Large Model Fusion: Localization Explanation and Repair Suggestions Input: R and P output from step S4, as well as relevant metrics, log fragments, and knowledge graph increment G output from step S2.

[0038] Processing: Retrieve component knowledge, configuration item meanings, historical faults and repair actions related to the root cause through incremental G retrieval of the knowledge graph; under security constraints, call a large language model to generate interpretable text, and structure the suggestions into executable items.

[0039] Output: Location explanation and repair suggestions S; in embodiments where large models are not enabled, output structured template suggestions.

[0040] The present invention also provides a system corresponding to the above method, which includes: a data acquisition and preprocessing module, a feature extraction and feature sequence construction module, an anomaly detection module, a cross-system correlation and root cause localization module, and an optional explanation and suggestion module; the data flow between each module is performed in the input-output order of steps S1 to S5.

[0041] In one embodiment, a massive open-source code storage platform includes: an object storage subsystem for storing code packages, artifacts, and large files; a document-oriented database subsystem for storing repository metadata, permissions, and index metadata; a graph database subsystem for storing dependencies, call relationships, or knowledge relationships; and application layer services, gateway and authentication services, caching, and message queues. These subsystems interact via network and RPC / HTTP protocols, and a unified monitoring and operation system collects metrics, logs, and link information.

[0042] The system of this invention is deployed on the platform side and can be implemented in a centralized or distributed manner: the data collection end can be deployed as an Agent / Sidecar, the model training and inference can be deployed as an independent service, and the knowledge graph storage and retrieval can be deployed in a graph database or a dedicated graph storage.

[0043] In one embodiment, the goal of step S1 is to transform observation data across systems, granularities, and sampling frequencies into a unified data representation that is alignable, computable, and traceable, providing stable input for subsequent feature construction and model inference.

[0044] Input data includes, but is not limited to: 1) monitoring metrics streams for each component; 2) application and storage component logs (including error logs, slow query logs, GC logs, etc.); 3) inter-component interaction link records L (including call relationships, request IDs, retry and timeout information); 4) configuration and topology metadata C (including version, node role, number of replicas, erasure coding parameters, shard distribution, etc.).

[0045] The preprocessing process includes: indicator resampling and time alignment, handling of outliers and missing values, and normalization of different indicator units; parsing logs into structured fields and extracting events E(t); standardizing the encoding of topology and configuration and maintaining version evolution. Step S1 outputs the unified aligned indicator time-series data M(t), event sequence E(t), configuration and topology metadata C, and inter-component interaction link records L.

[0046] In one embodiment, step S2 takes the output of step S1 as input and constructs a feature representation that can be used for anomaly detection and root cause reasoning over a time window W. For any object o, the following dynamic load features are calculated within window W: (e.g., request volume, read / write ratio, concurrency, hotspot level), system status characteristics (e.g., resource utilization, replication / sharding status, queue and lock contention), event statistics characteristics (e.g., error code count, timeout count, retries, master-slave switch flag).

[0047] The above features are concatenated to obtain a window-level feature vector. Form a sequence of the same object according to the window order. For multi-object scenarios, the temporal feature tensor X can be obtained by stacking the object sets. Step S2 simultaneously outputs: a label set Y (which can come from historical fault tickets, manual annotations, or rule validations, as optional inputs), unlabeled samples U (for unsupervised / semi-supervised learning), and a set of incremental triples G of the knowledge graph extracted from the event sequence E(t) and configuration and topology metadata C (e.g., <component, occurrence, event>, <object, dependency, object>, <object, configuration as, value>, etc.).

[0048] In one embodiment, the goal of step S3 is to generate a quantitative assessment of the performance state based on X, the output of step S2, and to identify the time period and key driving factors for the anomaly. The model may employ time-series deep learning architectures (e.g., temporal convolutional networks, recurrent neural networks, attention mechanism networks, or combinations thereof) to model long-term dependencies and mutation patterns.

[0049] In one embodiment, model training employs a hybrid learning strategy: 1) Supervised learning: an anomaly classifier or regressor is trained using a labeled sample set Y, outputting anomaly probability or anomaly type; 2) Unsupervised learning: an autoencoder is trained on an unlabeled sample set U, enabling it to learn normal patterns and using reconstruction error to represent the degree of deviation; 3) Inference fusion: the temporal feature tensor X of the multi-source data to be processed is input into the trained anomaly detection model. The model calculates the weighted sum of reconstruction error and classification probability through network forward propagation, mapping it to a performance health score (PHS) representing the degree of health. When the PHS is lower than a set normal health threshold, the model extracts the corresponding time period to trigger an anomaly, thereby generating an anomalous event set A; simultaneously, the model calculates the contribution of each input feature to the anomaly determination result through attention weights or gradient backpropagation, extracting the key feature contribution K.

[0050] The output of step S3 includes: PHS (normalizable to the [0,1] interval to represent health status; this score will serve as the basis for calculating component-level anomaly evidence in step S4), anomaly event set A (recording anomaly windows, object and component affiliations, main anomaly indicators, etc.), and key feature contribution K. To reduce false positives, the threshold can be obtained through offline calibration (e.g., based on ROC / PR curves of historical data) or online adaptation (e.g., dynamically adjusted according to quantiles).

[0051] In one embodiment, step S4 uses the performance health score PHS, the set of abnormal events A, and the contribution K output from step S3 as core inputs, and combines them with the interaction link L and configuration and topology metadata C output from step S1 to form a cross-system causal association reasoning process. The key lies in mapping local abnormal evidence to a cross-system causal association graph and ranking root cause candidates.

[0052] In one embodiment, component-level anomaly evidence is first calculated for each component. The anomaly evidence is generated by aggregating the performance health score (PHS) of a specific component, the set of anomalous events (A) belonging to that component, and the corresponding feature contribution (K) output in step S3. Then, a cross-system causal relationship graph is constructed based on the inter-component interaction link record (L) and the configuration and topology metadata (C). (Nodes represent objects / components, and edges represent relationships such as invocation, data synchronization, dependencies, and shared resources), and the aforementioned component-level anomaly evidence will be... Assigned as anomaly weight attributes to the corresponding nodes in the cross-system causal relationship graph; finally, in Perform causal reasoning or shortest explanation path search to obtain the root cause candidate set R, and output the anomaly propagation path topology P.

[0053] A root cause candidate R may include: root cause components / objects, root cause metrics or configuration items, related evidence, confidence levels, and recommended validation actions. The propagation path P is used to explain how the anomaly spreads from the source to symptom indicators of other components, thereby supporting the confidence level of the location and subsequent treatment.

[0054] In one embodiment, when step S5 is enabled, it takes the R and P output from step S4 as input and combines them with the knowledge graph retrieval results to generate explainable descriptions and remediation suggestions for operations and maintenance personnel. The knowledge graph contains knowledge such as component structure, configuration semantics, historical faults and handling actions, and can be continuously updated through triples G.

[0055] In one embodiment, the explanation and suggestion module converts R and P into structured prompt information (including causal chains, key indicator values, evidence fragments, and configuration items), and under security policy constraints, calls a large language model to generate natural language explanations, while outputting a structured suggestion list (e.g., suggested configuration items to be adjusted, suggested rollback / restart / expansion actions to be performed, suggested verification indicators, and observation windows). In embodiments where the large language model is not enabled, suggestions can be output based solely on knowledge graphs and rule templates.

[0056] Corresponding to the above method, an embodiment of the present invention also provides a system, such as... Figure 3 As shown, it includes: a data acquisition and preprocessing module (corresponding to step S1), a feature extraction module (corresponding to step S2), an anomaly detection module (corresponding to step S3), an association and localization module (corresponding to step S4), and an optional explanation and suggestion module (corresponding to step S5). Each module can be deployed on the same computing node or in a distributed manner, and the step output data is transmitted through a message queue or RPC interface.

[0057] The acquisition and preprocessing module is used to acquire time-series data of indicators, event sequences, configuration and topology metadata, and inter-component interaction link records from the open-source code platform. The feature extraction module is used to calculate dynamic load features, system state features, and event statistical features based on indicator time-series data, event sequences, configuration and topology metadata, and generate a time-series feature tensor; and to extract a set of knowledge graph incremental triples from events and topology. The anomaly detection module is used to train an anomaly detection model using a time-series feature tensor; and to input the time-series feature tensor of the multi-source data to be processed into the trained anomaly detection model to obtain a performance health score, anomaly event set, and key feature contribution. The association and localization module is used to generate quantifiable anomaly evidence within each component based on performance health scores, anomaly event sets, and key feature contributions; construct a cross-system causal relationship graph by combining interaction link records, configuration, and topology metadata; map the anomaly evidence as anomaly weight attributes to the corresponding nodes of the cross-system causal relationship graph; and obtain a root cause candidate set based on the knowledge graph incremental triple set and the cross-system causal relationship graph to achieve cross-system intelligent anomaly localization.

[0058] An optional embodiment of the present invention provides a computing device, characterized in that it includes: a processor and a memory storing a computer program, wherein the computer program is executed by the processor to perform the above-described method.

[0059] An optional embodiment of the present invention provides a computer-readable storage medium, characterized in that it stores instructions that, when executed on a computer, cause the computer to perform the above-described method.

[0060] Although specific embodiments of the invention have been disclosed for illustrative purposes to aid in understanding and implementing the invention, those skilled in the art will understand that various substitutions, variations, and modifications are possible without departing from the spirit and scope of the invention and the appended claims. Therefore, the invention should not be limited to the content disclosed in the preferred embodiments, and the scope of protection claimed by the invention is defined by the claims.

Claims

1. A method for cross-system intelligent anomaly localization on an open-source code platform, comprising the following steps: Acquire time-series data of metrics, event sequences, configuration and topology metadata, and records of interaction links between components from the open-source code platform; Based on the time-series data of indicators, event sequences, configuration and topology metadata, calculate dynamic load characteristics, system state characteristics and event statistical characteristics, and generate a time-series feature tensor. And the set of incremental triples of knowledge graph extracted from events and topology; Train an anomaly detection model using temporal feature tensors; Generate a temporal feature tensor of the multi-source data to be processed and input it into the trained anomaly detection model to obtain a performance health score, anomaly event set, and key feature contribution. Based on performance health scores, sets of anomalous events, and contribution of key features, quantifiable evidence of anomalous behavior is generated within each component. A cross-system causal relationship graph is constructed by combining interaction link records, configuration, and topology metadata; the level anomaly evidence is mapped and assigned to the corresponding node of the cross-system causal relationship graph as anomaly weight attributes; a root cause candidate set is obtained based on the knowledge graph incremental triple set and the cross-system causal relationship graph, thereby realizing cross-system intelligent anomaly localization.

2. The method according to claim 1, characterized in that, The multi-source data in the open-source code platform is preprocessed to obtain unified and aligned time-series data of indicators, event sequences, configuration and topology metadata, and records of interaction links between components. The multi-source data in the open-source code platform includes monitoring indicator data, structured / semi-structured logs, call link / synchronization logs, and configuration and topology metadata of each component in the open-source code platform. The component is an independent service or storage system instance in the open-source code platform. The object is a locatable management unit within the component, including but not limited to nodes, container instances, buckets, collections / shards, graph partitions, and index shards.

3. The method according to claim 2, characterized in that, The nodes of the cross-system association graph are objects / components, and the edges represent relationships such as invocation, data synchronization, dependency, and shared resources.

4. The method according to claim 1, 2, or 3, characterized in that, The temporal feature tensors are labeled to obtain labeled samples, and the anomaly detection model is trained in a supervised manner using the labeled samples; the anomaly detection model is then trained in an unsupervised manner or in a self-supervised manner using unlabeled temporal feature tensors.

5. The method according to claim 1, 2, or 3, characterized in that, Perform causal inference or shortest explanation path search on the cross-system causal relationship graph to obtain a root cause candidate set and output the anomaly propagation path topology.

6. The method according to claim 5, characterized in that, Based on the root cause candidate set and the anomaly propagation path topology, the knowledge graph incremental triple set is retrieved to obtain the component knowledge, configuration item meaning, historical faults and repair actions related to the root cause; under security constraints, a large language model is invoked to generate interpretable text, and the suggestions are structured into executable items.

7. The method according to claim 1, 2, or 3, characterized in that, The anomaly detection model employs a time-series deep learning structure.

8. A cross-system intelligent anomaly location system for an open-source code platform, characterized in that, It includes a data acquisition and preprocessing module, a feature extraction module, an anomaly detection module, and a correlation and localization module; The acquisition and preprocessing module is used to acquire time-series data of indicators, event sequences, configuration and topology metadata, and inter-component interaction link records from the open-source code platform. The feature extraction module is used to calculate dynamic load features, system state features, and event statistical features based on indicator time-series data, event sequences, configuration and topology metadata, and generate a time-series feature tensor. And the set of incremental triples of knowledge graph extracted from events and topology; The anomaly detection module is used to train an anomaly detection model using a time-series feature tensor; and to input the time-series feature tensor of the multi-source data to be processed into the trained anomaly detection model to obtain a performance health score, anomaly event set, and key feature contribution. The association and location module is used to generate quantifiable abnormal evidence within each component based on performance health scores, abnormal event sets, and key feature contribution. A cross-system causal relationship graph is constructed by combining interaction link records, configuration, and topology metadata; the level anomaly evidence is mapped and assigned to the corresponding node of the cross-system causal relationship graph as anomaly weight attributes; a root cause candidate set is obtained based on the knowledge graph incremental triple set and the cross-system causal relationship graph, thereby realizing cross-system intelligent anomaly localization.

9. A computing device, characterized in that, include: A processor, a memory storing a computer program, wherein the computer program, when executed by the processor, performs the method as described in any one of claims 1 to 7.

10. A computer-readable storage medium, characterized in that, A storage instruction that, when executed on a computer, causes the computer to perform the method as described in any one of claims 1 to 7.