CN107171819B - Network fault diagnosis method and device - Google Patents

Abstract

The embodiments of the present invention provide a method and device for diagnosing network faults, which can automatically locate network faults without manual intervention, and can determine the root cause of the fault, thereby realizing automatic fault diagnosis. The method includes: collecting log, alarm, configuration and KPI data of network elements, network management equipment and monitoring equipment, and detecting abnormal network elements and abnormal information according to the collected data; determining a first fault event according to the abnormal information and a pre-stored corresponding relationship; Determine the first fault rule according to the first fault event and the pre-stored fault rule library; collect real-time data of abnormal network elements, and confirm the suspected fault event and the second fault event in the first fault event, according to the suspected fault event, The confirmation result of the second fault event and the fault rule are logically calculated to determine the root cause of the network system fault. The present invention is applicable to the field of computer technology.

Description

A kind of network fault diagnosis method and device

technical field

The present invention relates to the field of computer technology, and in particular, to a network fault diagnosis method and device.

Background technique

With the rapid development of information technology, the scale and complexity of network systems continue to expand, which makes the traditional method of locating network faults by manually viewing system logs no longer applicable.

At present, for the diagnosis of network faults, big data technology can be used to extract relevant features from massive log records, and then machine learning algorithms can be used to perform statistical analysis on these features to quickly detect faults. Since the machine learning algorithm is a probabilistic algorithm, the detected faults are only suspected faults, and manual analysis of the logs is required to confirm the faults. In addition, due to the limitation of length, the information that can be recorded in a single log is limited. For example, events that occur in a certain service are usually recorded, but more detailed information, such as real-time status information of network elements, is often not recorded. The lack of such fine-grained information may lead to failure to find the root cause of network failures. That is to say, manual analysis of logs can only confirm the failure, but cannot guarantee that the root cause of the network failure can be found.

To sum up, the existing network fault diagnosis method requires manual intervention to confirm the fault, and can only confirm the fault but cannot obtain the root cause of the fault.

SUMMARY OF THE INVENTION

To this end, the embodiments of the present invention provide a network fault diagnosis method and device, which can automatically locate network faults without manual intervention, and can determine the root cause of the fault, realize automatic fault diagnosis, and improve fault diagnosis efficiency.

To achieve the above object, the embodiments of the present invention adopt the following technical solutions:

A first aspect provides a method for diagnosing network faults, which is applied to a network system. The network system includes network elements, network management equipment, monitoring equipment, and a network fault diagnosis device. The method includes:

The network fault diagnosis device obtains the log, alarm, configuration and KPI data of network elements, network management equipment and monitoring equipment, and detects abnormal network elements and abnormal information according to the collected data;

The network fault diagnosis device determines the first fault event corresponding to the abnormal information according to the abnormal information and the pre-stored correspondence between the abnormal information and the fault event;

The network fault diagnosis apparatus determines a first fault rule corresponding to the first fault event according to the first fault event and a pre-stored fault rule base, the fault rule base includes at least one fault rule, and each fault rule includes at least two fault events and at least one fault rule. Logical causal relationship between two fault events;

The network fault diagnosis device collects the real-time data of the abnormal network element, and according to the real-time data of the abnormal network element, respectively confirms the suspected fault event and the second fault event in the first fault event, and the second fault event is included in the first fault rule In addition to the first fault event among the at least two fault events, logical calculation is performed according to the confirmation result and the first fault rule to determine the root cause of the failure of the network system.

Preferably, before the network fault diagnosis apparatus collects logs, alarms, configurations and KPI data of network elements, network management equipment and monitoring equipment, it may further include:

The network fault diagnosis device acquires abnormal information that may occur in the network system and fault events included in each fault rule in the pre-stored fault rule base;

The network fault diagnosis device abstracts the possible abnormal information of the network system and the fault events included in each fault rule in the fault rule base, and obtains the fault behavior corresponding to the abnormal information and the fault behavior corresponding to the fault event;

The network fault diagnosis apparatus establishes and stores the corresponding relationship between the abnormal information and the fault event according to the fault behavior corresponding to the abnormal information and the abstract behavior corresponding to the fault event.

Preferably, after the network fault diagnosis device performs logical calculation according to the suspected fault event, the confirmation result of the second fault event and the fault rule, and determines the root cause of the fault of the network system, it may further include:

The network fault diagnosis device generates a corresponding fault recovery script according to the root cause, and sends the fault recovery script to the abnormal network element or the network management device, so that the abnormal network element or the network management device can repair the fault occurred in the network system according to the fault recovery script.

In this way, after the root cause of the failure is found, a corresponding recovery script is generated for the root cause of the failure, and sent to the relevant equipment to repair the failure, so that the network system can be restored to normal. In this way, the network can be realized without manual intervention. Automatic repair of failures.

Preferably, after the network fault diagnosis device respectively confirms the suspected fault event and the second fault event in the first fault event according to the real-time data of the abnormal network element, it may further include:

The network fault diagnosis device obtains the fault events and historical fault events confirmed in the current fault diagnosis process. According to the fault events and historical fault events confirmed in the current fault diagnosis process, the historical fault events are confirmed by the network fault diagnosis device in the previous fault diagnosis process. The fault events are discovered, new fault rules are mined, and the new fault rules are stored in the fault rule base.

Based on the above solution, the experience of each fault diagnosis can be accumulated, and then the fault rules not covered by the current fault rule base can be found according to the accumulated experience, so the purpose of improving the accuracy of fault location and expanding the breadth of fault location can be achieved.

In a second aspect, a network fault diagnosis apparatus is provided. The network fault diagnosis apparatus is applied to a network system. The network system further includes network elements, network management equipment, and monitoring equipment. The network fault diagnosis apparatus includes: a data acquisition module, a fault discovery module, and an event mapping. module and fault diagnosis module;

The data acquisition module is used to acquire the log, alarm, configuration and KPI data of network elements, network management equipment and monitoring equipment;

The fault discovery module is used to detect abnormal network elements and abnormal information according to the log, alarm, configuration and KPI data;

The event mapping module is used to obtain the first fault event corresponding to the abnormal information according to the abnormal information and the pre-stored corresponding relationship, and the pre-stored corresponding relationship is the corresponding relationship between the abnormal information and the fault event;

A fault diagnosis module, configured to determine a first fault rule corresponding to the first fault event according to the first fault event and a pre-stored fault rule base; wherein the fault rule base includes at least one fault rule, and each fault rule includes at least two The fault event and the logical relationship between at least two fault events;

The data collection module is also used to collect real-time data of abnormal network elements;

The fault diagnosis module is also used to confirm the suspected fault event and the second fault event in the first fault event respectively according to the real-time data of the abnormal network element, and according to the confirmation result of the suspected fault event and the second fault event and the fault rule A logical calculation is performed to determine the root cause of the failure of the network system, wherein the second failure event is a failure event other than the first failure event among the at least two failure events included in the first failure rule.

In a third aspect, a network fault diagnosis device is provided, including:

The processor is configured to execute the network fault diagnosis method provided by the first aspect.

The existing network fault diagnosis methods require manual intervention to confirm the fault, and because the information that can be recorded in a single log is limited, a single log often does not record fine-grained information, so the root cause of the network failure may not be found. Based on the method and device for diagnosing network faults provided by the embodiments of the present invention, by collecting logs, alarms, configurations, and KPI data of related equipment in the network system, abnormal network elements and abnormal information are detected according to the collected data, and according to the abnormal information and pre-stored data, abnormal network elements and abnormal information are detected. The corresponding relationship determines the first fault event corresponding to each abnormal information, and then determines the fault rule according to the first fault event and the pre-stored fault rule library, and collects the real-time data of the abnormal network element, and uses the real-time data of the abnormal network element to compare the relevant information. The suspected fault events are confirmed, and logical calculation is performed according to the fault rules, so as to determine the root cause of the network system failure. The detected abnormal information can be automatically mapped to the relevant fault events through the corresponding relationship between the abnormal information and the fault events. The fault event is confirmed, and then logical calculation is carried out according to the confirmation result and the relevant fault rules to eliminate the false alarm fault, and at the same time, the root cause of the real fault can be located. It can be seen that, based on the network fault diagnosis method and device provided by the embodiments of the present invention, automatic network fault location can be realized without manual intervention, and the root cause of the fault can be determined, thereby realizing automatic fault diagnosis and improving fault diagnosis efficiency.

Description of drawings

In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the following briefly introduces the accompanying drawings used in the description of the embodiments. Obviously, the drawings in the following description are only some embodiments of the present invention. For those of ordinary skill in the art, other drawings can also be obtained from these drawings without any creative effort.

FIG. 1 is a schematic structural diagram of a network system in an embodiment of the present invention;

FIG. 2 is a schematic flowchart of a network fault diagnosis method according to an embodiment of the present invention;

3 is a schematic diagram of the composition of a fault rule provided by an embodiment of the present invention;

FIG. 4 is a schematic flowchart of another network fault diagnosis method provided by an embodiment of the present invention;

FIG. 5 is a schematic flowchart of still another network fault diagnosis method provided by an embodiment of the present invention;

6 is a schematic flowchart of still another network fault diagnosis method provided by an embodiment of the present invention;

FIG. 7 is a schematic diagram of a method for establishing a correspondence between abnormal information and fault events according to an embodiment of the present invention;

FIG. 8 is a schematic structural diagram of a network fault diagnosis apparatus according to an embodiment of the present invention;

FIG. 9 is a schematic structural diagram of another network fault diagnosis apparatus provided by an embodiment of the present invention;

FIG. 10 is a schematic structural diagram of still another network fault diagnosis apparatus provided by an embodiment of the present invention;

FIG. 11 is a schematic structural diagram of a network fault diagnosis apparatus according to an embodiment of the present invention.

Detailed ways

The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention.

It should be noted that, in order to clearly describe the technical solutions of the embodiments of the present invention, in the following embodiments of the present invention, words such as "first" and "second" are used to describe the same items or items with basically the same functions and functions. Similar items are distinguished, and those skilled in the art can understand that words such as "first" and "second" do not limit the quantity and execution order.

In addition, it should also be noted that the embodiments of the present application and the features of the embodiments may be combined with each other in the case of no conflict. Those of ordinary skill in the art can understand that the examples shown in the embodiments of the present application are schematic descriptions of the present invention for the convenience of readers' understanding, and do not constitute a limitation of the present invention.

First, in order to facilitate the understanding of the following network fault diagnosis methods in the embodiments of the present invention, the application environment-network system is briefly introduced as follows:

FIG. 1 is an architecture diagram of the network system. Referring to FIG. 1 , the network system 10 includes a network element 101 , a network management device 102 , a monitoring device 103 and a network fault diagnosis apparatus 104 . Among them, the network element 101 refers to a network device or entity that can independently perform one or several functions, such as routers, switches, etc.; the network management device 102 is mainly used to comprehensively manage the network element 101. Quickly and automatically search for network elements 101, and display the link relationship and running status of network resources in real time, and monitor the core parameters of network elements 101 in real time, such as monitoring the port traffic of routers and switches, port usage, memory usage, routing table, etc. Monitoring the running status, startup status, memory, disk, process, service and other indicators of the server; and the monitoring device 103 is mainly used to monitor the network application system and the operating status of the application system; the network fault diagnosis device is used to implement the present invention. Embodiments The following network fault diagnosis method is used to diagnose the network system, which may be a device configured on the network element 101 or the network management device 102, or may be independent of the network element 101 and the network management device 102, and connected to the network. The device 101, the network management device 102, and the monitoring device 103 can communicate with each other, as shown in FIG. 1, which is not specifically limited in this embodiment of the present invention.

Based on the network system 10 shown in FIG. 1 , an embodiment of the present invention provides a network fault diagnosis method, which is applied to the network system 10 shown in FIG. 1 , as shown in FIG. 2 , including:

S201. The network fault diagnosis apparatus 104 acquires the log, alarm, configuration and key performance indicator (Key Performance Indicator, KPI) data of the network element 101, the network management device 102 and the monitoring device 103, and detects abnormality according to the log, alarm, configuration and KPI data NE and exception information.

Among them, it should be noted that the log, alarm, configuration and KPI data can be collected periodically through the network element 101, the network management equipment 102 and the monitoring equipment 103, and the collected data can be actively reported to the network fault diagnosis device 104 to realize data acquisition .

In addition, it should be noted that the abnormal network element refers to the network element with abnormal log, alarm, configuration or KPI data, and the abnormal information refers to the abnormality of the abnormal network element, which may specifically include the abnormal network element. Name or IP address, network element type, time when an exception occurs, corresponding service, etc., which are not specifically limited in this embodiment of the present invention.

Those of ordinary skill in the art can understand that, since the realization of a certain service in the network system usually requires multiple network elements 101 to complete cooperatively, and at the same time, a single network element 101 may have multiple services, so when a certain network element 101 in the network system fails Afterwards, other related network elements 101 in the network system or some parameters of the system will also be affected and abnormal. For example, when NE A that implements the Open Shortest Path First (OSPF) routing protocol service fails, NE B that cooperates to implement the OSPF routing protocol service may be affected and behave abnormally. Another service of A, a virtual private network (Virtual Private Network, VPN) service, may also be affected and behave abnormally. Therefore, the abnormal network elements detected by the network fault diagnosis apparatus 104 according to the collected data in step S201 usually include multiple network elements, and the abnormal information also includes multiple pieces of information.

S202. The network fault diagnosis apparatus 104 determines a first fault event corresponding to the abnormal information according to the abnormal information and the pre-stored corresponding relationship.

The pre-stored corresponding relationship is the corresponding relationship between the abnormal information and the fault event in the fault rule, and the abnormal event can be converted into the fault event in the fault rule through the corresponding relationship, so as to facilitate subsequent fault diagnosis and repair.

Specifically, the corresponding relationship between the abnormal information and the fault event can be described as the following Table 1, wherein the first column is the abnormal information, and the second column is the fault event corresponding to the abnormal information. For example, when the abnormal information is detected as OSPF traffic drop, the corresponding fault event is OSPF traffic drop.

Table 1

It is easy to understand that since there are usually multiple pieces of abnormal information detected in step S201, there are also multiple first fault events determined according to the abnormal information.

S203. The network fault diagnosis apparatus 104 determines a first fault rule corresponding to the first fault event according to the first fault event and a pre-stored fault rule library.

The fault rule base includes at least one fault rule, and each fault rule includes a logical causal relationship between at least two fault events. Exemplarily, the fault rule may specifically be a fault tree, a decision book, or a Bayesian network, etc., which is not specifically limited in this embodiment of the present invention.

Those skilled in the art can easily understand that there may be one or more fault rules corresponding to a fault event. For example, a fault event that occurs on a certain network element may only appear in fault tree A, or may appear in both In fault tree A, it appears in fault tree B again. Therefore, in step S203, the determined fault rule may be one or a group. At the same time, since there are multiple fault events obtained in step S202, the fault rules determined in step S203 are often a group.

S204. The network fault diagnosis device 104 collects the real-time data of the abnormal network element, and according to the real-time data of the abnormal network element, respectively confirms the suspected fault event and the second fault event in the first fault event, and according to the suspected fault event, the second fault event The confirmation result of the fault event and the fault rule are logically calculated to determine the root cause of the network system fault.

It should be noted that the second fault event is a fault event other than the first fault event among the N fault events. The real-time data may specifically be real-time status or performance data of network elements, and for specific fault events to be confirmed, the real-time data of network elements can be collected by sending relevant query commands to corresponding abnormal network elements.

In addition, it should be noted that those of ordinary skill in the art can understand that the machine learning algorithm used in detecting abnormal information is a probabilistic algorithm, which detects abnormal information through a preset sensitivity threshold. Therefore, if the sensitivity threshold is set to If the sensitivity threshold is set too low, it may cause false alarm failures. Therefore, the fault event determined according to the detected abnormal information belongs to the suspected fault. Of course, for some special fault events, such as a decrease in business traffic and an increase in hardware memory usage, there is no possibility of false positives, so they are not suspected fault events. In this embodiment of the present invention, some of the first fault events determined according to the abnormal information may be false alarm faults caused by the detection algorithm sensitivity threshold being too low, and therefore need to be confirmed according to the real-time status or performance data of the network element 101 Whether this part of the fault event is indeed a real fault.

It is easy to understand that if there is only one fault rule determined in step S203, it is only necessary to perform logical calculation in combination with the fault rule according to the confirmation result of the suspected fault event and the second fault event in the first fault event; If there are multiple fault rules determined in S203, according to the suspected fault event in the first fault event and the confirmation result of the second fault event, logical calculation should be performed in combination with each fault rule in turn to determine the failure of the network system. 's root cause. It should be noted that those of ordinary skill in the art can easily think that, in order to simplify the diagnosis process and improve the diagnosis speed, only the fault rule with a large number of corresponding first fault events may be selected for logical calculation, which is not specified in this embodiment of the present invention. limited.

Specifically, if the fault tree is used as the fault rule, the logical calculation can be performed according to the principle of top-down or bottom-up.

Exemplarily, the following will take the principle of self-direction as an example, combined with the fault tree shown in FIG. 3, to briefly describe the specific process of logic calculation:

Start from the top event T1 to search down the events T2, T3 and T8 associated with the top event T1 through the logic gate. If the events T2, T3 and T8 are searched (that is, it is confirmed that the events T2, T3 and T8 are all established), then continue down Search for other fault events associated with events T2, T3 and T8 through logic gates until the bottom event is searched, and all bottom events found are the root cause of the fault. For example, assuming that events T4, T5 and T7 are searched down, the root cause of the failure is the events T4, T5, T7 and the last searched event T8. Among them, the so-called bottom event refers to an event that no other fault event is associated with it through a logic gate, such as event T4 in Figure 3, under event T4, no other event is associated with event ST4 through a logic gate, so event T4 is the bottom event.

Specifically, as shown in FIG. 4 , in the network fault diagnosis method provided by the embodiment of the present invention, the network fault diagnosis apparatus 104 determines to detect abnormal network elements and abnormal information according to logs, alarms, configurations, and KPI data (ie, S202 ). include:

S202a, the network fault diagnosis apparatus 104 parses the log, alarm, configuration and KPI data into structured data, and extracts characteristic values of the structured data.

S202b, the network fault diagnosis apparatus 104 uses a machine learning algorithm to perform feature statistics on the feature values of the structured data to obtain a statistical result.

S202c, the network fault diagnosis apparatus 104 determines the abnormal network element and the abnormal information according to the statistical result.

Exemplarily, two characteristics of the frequency and periodicity of the collected data can be extracted, and the frequency and periodic characteristics of the data can be statistically analyzed through a related machine learning algorithm to determine abnormal network elements and abnormal information, which is based on: frequency of occurrence. The lower, less periodic data, the more likely it is fault-related data.

Further, as shown in FIG. 5 , in the network fault diagnosis method provided by the embodiment of the present invention, the network fault diagnosis device 104 performs logical calculation according to the suspected fault event, the confirmation result of the second fault event, and the fault rule, and determines that the occurrence of the network system is caused. After the root cause of the failure, it can also include:

S205. The network fault diagnosis apparatus 104 generates a corresponding fault recovery script according to the root cause, and sends the fault recovery script to the abnormal network element or the network management device 102, so that the abnormal network element or the network management device 102 can repair the fault that occurs in the network system according to the fault recovery script .

That is, after the root cause of the failure is found, a corresponding recovery script is generated for the root cause of the failure, and sent to the relevant devices to repair the failure, so that the network system can be restored to normal.

Preferably, in the network fault diagnosis method provided by the embodiment of the present invention, after the network fault diagnosis apparatus 104 confirms the suspected fault event and the second fault event in the first fault event respectively according to the real-time data of the abnormal network element, the Further includes:

The network fault diagnosis device 104 obtains the fault events and historical fault events confirmed in the current fault diagnosis process, mines new fault rules according to the fault events and historical fault events confirmed in the current fault diagnosis process, and stores the new fault rules in the fault diagnosis process. in the rule base.

The historical fault events are the fault events confirmed in the previous fault diagnosis process. Those skilled in the art can easily understand that the new fault rule is a fault rule not covered by the fault rule base.

In a possible implementation manner of the embodiment of the present invention, the fault event confirmed this time may be stored in a database in each fault diagnosis process to form a historical fault event database. In this way, when mining new fault rules, the data in the historical fault event database can be directly read to obtain confirmed fault events.

In the prior art, since the machine does not understand the semantics of the information, it cannot infer the causal relationship between the fault information according to the semantics of the information like a technician. The fault rules are used for subsequent fault diagnosis, so the existing network fault diagnosis methods often do not make full use of the experience gained in the fault diagnosis process. The network fault diagnosis method provided by the embodiment of the present invention, by accumulating the experience of each fault diagnosis, and then discovering the fault rules not covered by the current fault rule base according to the accumulated experience, thus can improve the accuracy of fault location and expand the breadth of fault location. .

Preferably, as shown in FIG. 6 , in the network fault diagnosis method provided by the embodiment of the present invention, before the network fault diagnosis apparatus 104 collects the log, alarm, configuration and KPI data of the network element 101 , the network management device 102 and the monitoring device 103 , the Can include:

S206 , the network fault diagnosis apparatus 104 acquires abnormal information that may occur in the network system and all fault events included in all fault rules in the pre-stored fault rule base.

S207. The network fault diagnosis device 104 abstracts the abnormal information that may occur in the network system, obtains the fault behavior corresponding to the abnormal information, and abstracts the fault events included in each fault rule in the pre-stored fault rule base, and obtains The fault behavior corresponding to the fault event.

S208. The network fault diagnosis apparatus 104 establishes and stores the corresponding relationship between the abnormal information and the fault event according to the fault behavior corresponding to the abnormal information and the abstract behavior corresponding to the fault event.

For example, abnormal information and fault events can be abstracted into the following four types of fault behaviors: (1) Service: that is, the service function displayed by the network element, such as VPN service, OSPF routing protocol service, etc.; (2) System: that is, network The non-service functions of the element can specifically be the basic functions provided by the hardware of the lower layer for the services of the upper layer, such as alarm management, clock management, etc.; (3) Hardware: the physical device of the network element, such as the central processing unit (Central Processing Unit) Processing Unit, CPU), network port, main control board, etc. Further, each of the above-mentioned fault behaviors can be concretely abstracted into the following three sub-categories: (1) Performance: such as business traffic drops, hardware CPU usage increases, etc.; (2) events: such as business protocol oscillations , the system clock source is lost, etc.; (3) Configuration: For example, VPN service encapsulation types are inconsistent. In this way, the mapping relationship between the abnormal information and the fault event can be established by the intermediary of the fault behavior, that is, the corresponding relationship between the abnormal information and the fault event.

Exemplarily, referring to FIG. 7 , it is assumed that abnormal information that may occur in the network system includes: OSPF traffic drop exceeds a threshold, OSPF_Nbr_UP or OSPF_Nbr_Down frequently occurs, and the encapsulation types configured on two network elements are inconsistent. The fault rules in the fault rule base include: The following three fault events are: OSPF traffic drop, protocol flapping, and inconsistent neighbor configuration. By abstracting the abnormal information and fault events into the fault behavior shown in the middle of Figure 7, the corresponding relationship between abnormal information and fault events can be established through the fault behavior. ,As shown in Table 1.

The existing network fault diagnosis methods require manual intervention to confirm the fault, and because the information that can be recorded in a single log is limited, a single log often does not record fine-grained information, so the root cause of the network failure may not be found. The method for diagnosing network faults provided by the embodiments of the present invention collects logs, alarms, configurations, and KPI data of related equipment in the network system, detects abnormal network elements and abnormal information according to the collected data, and determines the abnormal information and pre-stored corresponding relationships. The first fault event corresponding to each abnormal information, and then determine the fault rule according to the first fault event and the pre-stored fault rule database, and collect the real-time data of the abnormal network element, and use the real-time data of the abnormal network element to analyze the related suspected faults. The event is confirmed, and the logic calculation is performed according to the fault rule, so that the root cause of the network system failure can be determined. The detected abnormal information can be automatically mapped to the relevant fault events through the corresponding relationship between the abnormal information and the fault events. The fault event is confirmed, and then logical calculation is carried out according to the confirmation result and the relevant fault rules to eliminate the false alarm fault, and at the same time, the root cause of the real fault can be located. It can be seen that the network fault diagnosis method provided by the embodiment of the present invention can realize automatic location of network fault without manual intervention, and can determine the root cause of the fault, realize automatic fault diagnosis, and improve the efficiency of fault diagnosis.

Based on the above method, an embodiment of the present invention provides a network fault diagnosis apparatus 104, which is applied to the network system 10 shown in FIG. 1, and as shown in FIG. 8, including: a data acquisition module 1041, a fault discovery module 1042, and an event mapping module 1043 and a fault diagnosis module 1044.

Among them, the data acquisition module 1041 is used to collect the log, alarm, configuration and KPI data of the network element 101 , the network management device 102 and the monitoring device 103 .

The fault finding module 1042 is configured to detect abnormal network elements and abnormal information according to log, alarm, configuration and KPI data.

The event mapping module 1043 is configured to determine the first fault event corresponding to the abnormal information according to the abnormal information and the pre-stored corresponding relationship.

The fault diagnosis module 1044 is configured to determine a fault rule corresponding to the first fault event according to the first fault event and a pre-stored fault rule library.

The data acquisition module 1041 is further configured to collect real-time data of abnormal network elements.

The fault diagnosis module 1044 is further configured to confirm the suspected fault event and the second fault event in the first fault event respectively according to the real-time data of the abnormal network element, and according to the confirmation result of the suspected fault event and the second fault event and the fault The rules perform logical calculations to determine the root cause of the failure of the network system.

Wherein, the corresponding relationship is the corresponding relationship between abnormal information and fault events; the fault rule base includes at least one fault rule, and each fault rule includes at least two fault events and logical causality between the at least two fault events relationship; the second failure event is a failure event other than the first failure event among the at least two failure events included in the N first failure rule.

Specifically, in the network fault diagnosis apparatus 104 provided by the embodiment of the present invention, the fault discovery module 1042 may be specifically used for:

Parse log, alarm, configuration and KPI data into structured data, and extract feature values of structured data;

Use machine learning algorithms to perform feature statistics on the eigenvalues of structured data, and obtain statistical results:

According to the statistical result, the abnormal network element and abnormal information are determined.

Further, as shown in FIG. 9 , the network fault diagnosis apparatus 104 provided by the embodiment of the present invention may further include: a policy generation module 1045 .

The strategy generation module 1045 is used for the fault diagnosis module 1044 to perform logical calculation according to the suspected fault event, the confirmation result of the second fault event and the fault rule, and after determining the root cause of the network system failure, generate the corresponding fault recovery according to the root cause and send the fault recovery script to the abnormal network element or the network management device 102, so that the abnormal network element or the network management device 102 can repair the fault occurred in the network system according to the fault recovery script.

Preferably, as shown in FIG. 10 , the network fault diagnosis apparatus 104 provided by the embodiment of the present invention may further include: a fault rule mining module 1046 .

The fault rule mining module 1046 is used for, after the fault diagnosis module 1044 respectively confirms the suspected fault event and the second fault event in the first fault event according to the real-time data of the abnormal network element, obtains the current fault diagnosis of the fault diagnosis module 1044. For the fault events and historical fault events confirmed in the process, new fault rules are mined according to the fault events and historical fault events confirmed by the fault diagnosis module 1044 in the current fault diagnosis process, and the new fault rules are stored in the fault rule database.

The historical fault events are the fault events confirmed by the fault diagnosis module 1044 in the previous fault diagnosis process.

Preferably, in the network fault diagnosis apparatus 104 provided in the embodiment of the present invention, the event mapping module 1043 may also be used for:

Before the data acquisition module 1041 collects the log, alarm, configuration and KPI data of the network element, the network management device 102 and the monitoring device 103, it acquires the abnormal information that may occur in the network system and the information included in each fault rule in the pre-stored fault rule base. failure event;

Abstract the abnormal information that may appear in the network system to obtain the fault behavior corresponding to the abnormal information, and abstract all the fault events included in all the fault rules in the pre-stored fault rule base to obtain the fault behavior corresponding to the fault event ;

According to the fault behavior corresponding to the abnormal information and the abstract behavior corresponding to the fault event, the corresponding relationship between the abnormal information and the fault event is established and stored.

Since the network fault diagnosis apparatus 104 provided in this embodiment can be used to execute the above network fault diagnosis method, the technical effect that can be obtained can also be referred to the description of the above method embodiment, which is not repeated here.

In addition, an embodiment of the present invention further provides a network fault diagnosis apparatus. As shown in FIG. 11 , the network fault diagnosis apparatus 110 includes a processor 1101 .

The processor 1101 is configured to execute the network fault diagnosis method provided by the embodiment of the present invention.

Since the network fault diagnosis apparatus 110 in this embodiment can be used to execute the above network fault diagnosis method, the technical effect that can be obtained can also be referred to the description of the above method embodiment, which will not be repeated here.

In addition, an embodiment of the present invention further provides a computer-readable medium (or medium), including computer-readable instructions for performing the operations of the network fault diagnosis apparatus 110 in the foregoing method embodiment:

In addition, a computer program product is also provided, comprising the above-mentioned computer-readable medium.

It should be understood that, in various embodiments of the present invention, the size of the sequence numbers of the above-mentioned processes does not mean the sequence of execution, and the execution sequence of each process should be determined by its functions and internal logic, rather than the embodiments of the present invention. implementation constitutes any limitation.

Those skilled in the art can clearly understand that, for the convenience and brevity of the description, the above-described device is only illustrated by the division of the above-mentioned functional modules. The function module is completed, that is, the internal structure of the device is divided into different function modules, so as to complete all or part of the functions described above. For the specific working processes of the systems, devices and units described above, reference may be made to the corresponding processes in the foregoing method embodiments, and details are not described herein again.

In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the device embodiments described above are only illustrative. For example, the division of the modules or units is only a logical function division. In actual implementation, there may be other division methods. For example, multiple units or components may be Incorporation may either be integrated into another system, or some features may be omitted, or not implemented. On the other hand, the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, indirect coupling or communication connection of devices or units, and may be in electrical, mechanical or other forms.

The units described as separate components may or may not be physically separated, and components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this embodiment.

In addition, each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The above-mentioned integrated units may be implemented in the form of hardware, or may be implemented in the form of software functional units.

The integrated unit, if implemented in the form of a software functional unit and sold or used as an independent product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention is essentially or the part that contributes to the prior art, or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium , including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor (processor) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes: U disk, removable hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk or optical disk and other media that can store program codes.

The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any person skilled in the art can easily think of changes or substitutions within the technical scope disclosed by the present invention. should be included within the protection scope of the present invention. Therefore, the protection scope of the present invention should be based on the protection scope of the claims.

Claims (16)

1. A network fault diagnosis method is applied to a network system, the network system comprises a network element, network management equipment, monitoring equipment and a network fault diagnosis device, and the method comprises the following steps:

the network fault diagnosis device acquires logs, alarms, configurations and Key Performance Indicator (KPI) data of the network elements, the network management equipment and the monitoring equipment, and detects abnormal network elements and abnormal information according to the logs, the alarms, the configurations and the KPI data;

the network fault diagnosis device determines a first fault event corresponding to the abnormal information according to the abnormal information and a pre-stored corresponding relationship, wherein the pre-stored corresponding relationship is the corresponding relationship between the abnormal information and the fault event;

the network fault diagnosis device determines a first fault rule corresponding to the first fault event according to the first fault event and a prestored fault rule base; wherein the fault rule base comprises at least one fault rule, each fault rule comprising at least two fault events and a logical causal relationship between the at least two fault events;

the network fault diagnosis device acquires real-time data of the abnormal network element, respectively confirms a suspected fault event and a second fault event in the first fault event according to the real-time data of the abnormal network element, and performs logic calculation according to the suspected fault event, the confirmation result of the second fault event and the first fault rule to determine a root cause causing the network system to have a fault; wherein the second failure event is a failure event other than the first failure event in at least two failure events included in the first failure rule.

2. The method of claim 1, wherein the network fault diagnosis device detects abnormal network elements and abnormal information according to the log, alarm, configuration and KPI data, and comprises:

the network fault diagnosis device analyzes the log, the alarm, the configuration and the KPI data into structured data and extracts characteristic values of the structured data;

the network fault diagnosis device carries out feature statistics on the feature values of the structured data by utilizing a machine learning algorithm to obtain a statistical result;

and the network fault diagnosis device determines abnormal network elements and abnormal information according to the statistical result.

3. The method according to claim 1 or 2, wherein after the network fault diagnosis device performs logical calculation according to the suspected fault event, the confirmation result of the second fault event and the fault rule, and determines a root cause causing the network system to fail, the method further comprises:

and the network fault diagnosis device generates a corresponding fault recovery script according to the root cause and sends the fault recovery script to the abnormal network element or the network management equipment, so that the abnormal network element or the network management equipment repairs the fault of the network system according to the fault recovery script.

4. The method according to claim 1 or 2, wherein after the network fault diagnosis device respectively confirms the suspected fault event and the second fault event in the first fault event according to the real-time data of the abnormal network element, the method further comprises:

the network fault diagnosis device acquires a fault event confirmed in the current fault diagnosis process and a historical fault event, excavates a new fault rule according to the fault event confirmed in the current fault diagnosis process and the historical fault event, and stores the new fault rule into the fault rule base; wherein the historical fault event is a fault event confirmed by the network fault diagnosis device in a previous fault diagnosis process.

5. The method according to claim 3, wherein after the network fault diagnosis device respectively confirms the suspected fault event and the second fault event in the first fault event according to the real-time data of the abnormal network element, the method further comprises:

the network fault diagnosis device acquires a fault event confirmed in the current fault diagnosis process and a historical fault event, excavates a new fault rule according to the fault event confirmed in the current fault diagnosis process and the historical fault event, and stores the new fault rule into the fault rule base; wherein the historical fault event is a fault event confirmed by the network fault diagnosis device in a previous fault diagnosis process.

6. The method according to claim 1, 2 or 5, wherein before the network fault diagnosis device collects log, alarm, configuration and KPI data of the network elements, the network management equipment and the monitoring equipment, the method further comprises:

the network fault diagnosis device acquires abnormal information which may appear in the network system and fault events included in each fault rule in the prestored fault rule base;

the network fault diagnosis device abstracts abnormal information which may appear in the network system to obtain fault behaviors corresponding to the abnormal information, and abstracts fault events included in each fault rule in the prestored fault rule base to obtain fault behaviors corresponding to the fault events;

and the network fault diagnosis device establishes and stores the corresponding relation between the abnormal information and the fault event according to the fault behavior corresponding to the abnormal information and the abstract behavior corresponding to the fault event.

7. The method according to claim 3, wherein before the network fault diagnosis apparatus collects log, alarm, configuration and KPI data of the network element, the network management equipment and the monitoring equipment, the method further comprises:

the network fault diagnosis device acquires abnormal information which may appear in the network system and fault events included in each fault rule in the prestored fault rule base;

the network fault diagnosis device abstracts abnormal information which may appear in the network system to obtain fault behaviors corresponding to the abnormal information, and abstracts fault events included in each fault rule in the prestored fault rule base to obtain fault behaviors corresponding to the fault events;

and the network fault diagnosis device establishes and stores the corresponding relation between the abnormal information and the fault event according to the fault behavior corresponding to the abnormal information and the abstract behavior corresponding to the fault event.

8. The method according to claim 4, wherein before the network fault diagnosis apparatus collects log, alarm, configuration and KPI data of the network element, the network management equipment and the monitoring equipment, the method further comprises:

the network fault diagnosis device acquires abnormal information which may appear in the network system and fault events included in each fault rule in the prestored fault rule base;

the network fault diagnosis device abstracts abnormal information which may appear in the network system to obtain fault behaviors corresponding to the abnormal information, and abstracts fault events included in each fault rule in the prestored fault rule base to obtain fault behaviors corresponding to the fault events;

and the network fault diagnosis device establishes and stores the corresponding relation between the abnormal information and the fault event according to the fault behavior corresponding to the abnormal information and the abstract behavior corresponding to the fault event.

9. A network fault diagnosis device is characterized in that the network fault diagnosis device is applied to a network system, the network system further comprises a network element, network management equipment and monitoring equipment, and the network fault diagnosis device comprises: the system comprises a data acquisition module, a fault discovery module, an event mapping module and a fault diagnosis module;

the data acquisition module is used for acquiring logs, alarms, configuration and Key Performance Indicator (KPI) data of the network element, the network management equipment and the monitoring equipment;

the fault finding module is used for detecting abnormal network elements and abnormal information according to the log, the alarm, the configuration and the KPI data;

the event mapping module is used for obtaining a first fault event corresponding to the abnormal information according to the abnormal information and a pre-stored corresponding relationship, wherein the pre-stored corresponding relationship is the corresponding relationship between the abnormal information and the fault event;

the fault diagnosis module is used for determining a first fault rule corresponding to the first fault event according to the first fault event and a prestored fault rule base; wherein the fault rule base comprises at least one fault rule, each fault rule comprising at least two fault events and a logical relationship between the at least two fault events;

the data acquisition module is further used for acquiring real-time data of the abnormal network element;

the failure determination module is further configured to respectively determine a suspected failure event and a second failure event in the first failure event according to the real-time data of the abnormal network element, perform logical calculation according to the suspected failure event, the determination result of the second failure event, and the failure rule, and determine a root cause causing the network system to fail, where the second failure event is a failure event, except for the first failure event, in at least two failure events included in the first failure rule.

10. The apparatus of claim 9, wherein the fault discovery module is specifically configured to:

analyzing the log, the alarm, the configuration and the KPI data into structured data, and extracting characteristic values of the structured data;

performing characteristic statistics on the characteristic value of the structured data by using a machine learning algorithm to obtain a statistical result;

and determining abnormal network elements and abnormal information according to the statistical result.

11. The apparatus of claim 9 or 10, further comprising: a policy generation module;

the policy generation module is configured to, after the failure confirmation module performs logical calculation according to the suspected failure event, the confirmation result of the second failure event, and the failure rule, and determines a root cause causing a failure in the network system, generate a corresponding failure recovery script according to the root cause, and send the failure recovery script to the abnormal network element or the network management device, so that the network element or the network management device repairs the failure in the network system according to the failure recovery script.

12. The apparatus of claim 9 or 10, further comprising: a fault rule mining module;

the fault rule mining module is configured to, after the fault confirmation module confirms the suspected fault event and the second fault event in the first fault event respectively according to the real-time data of the abnormal network element, acquire the fault event and the historical fault event confirmed by the fault confirmation module in the current fault diagnosis process, mine a new fault rule according to the fault event and the historical fault event confirmed by the fault confirmation module in the current fault diagnosis process, and store the new fault rule in the fault rule base;

wherein the historical fault event is a fault event confirmed by the fault confirmation module in a previous fault diagnosis process.

13. The apparatus of claim 11, further comprising: a fault rule mining module;

the fault rule mining module is configured to, after the fault confirmation module confirms the suspected fault event and the second fault event in the first fault event respectively according to the real-time data of the abnormal network element, acquire the fault event and the historical fault event confirmed by the fault confirmation module in the current fault diagnosis process, mine a new fault rule according to the fault event and the historical fault event confirmed by the fault confirmation module in the current fault diagnosis process, and store the new fault rule in the fault rule base;

wherein the historical fault event is a fault event confirmed by the fault confirmation module in a previous fault diagnosis process.

14. The apparatus of claim 9, 10 or 13, wherein the event mapping module is further configured to:

before the data acquisition module acquires the log, alarm, configuration and KPI data of the network element, the network management equipment and the monitoring equipment, acquiring possible abnormal information of the network system and fault events included in each fault rule in the prestored fault rule base;

abstracting abnormal information which may appear in the network system to obtain a fault behavior corresponding to the abnormal information, and abstracting a fault event included in each fault rule in the prestored fault rule library to obtain a fault behavior corresponding to the fault event;

and establishing and storing a corresponding relation between the abnormal information and the fault event according to the fault behavior corresponding to the abnormal information and the abstract behavior corresponding to the fault event.

15. The apparatus of claim 11, wherein the event mapping module is further configured to:

before the data acquisition module acquires the log, alarm, configuration and KPI data of the network element, the network management equipment and the monitoring equipment, acquiring possible abnormal information of the network system and fault events included in each fault rule in the prestored fault rule base;

abstracting abnormal information which may appear in the network system to obtain a fault behavior corresponding to the abnormal information, and abstracting a fault event included in each fault rule in the prestored fault rule library to obtain a fault behavior corresponding to the fault event;

and establishing and storing a corresponding relation between the abnormal information and the fault event according to the fault behavior corresponding to the abnormal information and the abstract behavior corresponding to the fault event.

16. The apparatus of claim 12, wherein the event mapping module is further configured to:

before the data acquisition module acquires the log, alarm, configuration and KPI data of the network element, the network management equipment and the monitoring equipment, acquiring possible abnormal information of the network system and fault events included in each fault rule in the prestored fault rule base;

abstracting abnormal information which may appear in the network system to obtain a fault behavior corresponding to the abnormal information, and abstracting a fault event included in each fault rule in the prestored fault rule library to obtain a fault behavior corresponding to the fault event;

and establishing and storing a corresponding relation between the abnormal information and the fault event according to the fault behavior corresponding to the abnormal information and the abstract behavior corresponding to the fault event.

Images