CN113268370B - Root cause alarm analysis method, system, equipment and storage medium - Google Patents

Abstract

The invention discloses a root cause alarm analysis method, system, equipment and storage medium, including: preprocessing the alarm data, mining the alarm data based on the SR-ASM algorithm, obtaining the alarm sequence, and converting the alarm sequence into an alarm relationship Figure; according to the alarm relationship diagram and the characteristics of the alarm itself, the root cause alarm identification model SGC-RAI is used to identify the root cause alarm, and the identified root cause alarm is recommended. The method, system, device and storage medium can efficiently identify the root cause Because of alarms, and low operation and maintenance costs.

Description

A root cause alarm analysis method, system, device and storage medium

Technical Field

The present invention belongs to the field of alarm analysis and relates to a root cause alarm analysis method, system, equipment and storage medium.

Background Art

Tens of thousands of alarm logs constitute an alarm flood. Among these alarms, some alarms occur frequently and are repeatedly reported, and some alarms have complex correlations. If the alarms are not processed and compressed, and the alarm logs are directly pushed to the management personnel, the processing efficiency of each alarm will be very low, and the processing effect is positively correlated with the experience of the management personnel. Therefore, the most important task of network alarm analysis is to use algorithms to significantly reduce the amount of alarms presented to the operation and maintenance personnel of the management center, and only push the root cause alarms. In the past root cause analysis research, a lot of work was done by studying the correlation and causal relationship of alarms, and then compressing alarms, locating root causes, and predicting alarms based on this. The methods in this area are mainly divided into two categories: alarm correlation analysis and root cause analysis. Alarm correlation analysis is mainly implemented through data mining related algorithms, mainly clustering, frequent item mining, time series relationship mining and other algorithms. There are many different methods for alarm root cause analysis, among which the rule-based root cause analysis system is more commonly used in applications. The rules in such systems are the crystallization of expert experience and have the characteristics of being concise and precise. However, in the context of increasingly complex network systems, such methods require a lot of cost in terms of rule formulation, maintenance, and updating. With the development of big data technology and data mining technology, some scholars have proposed the concept of "intelligent operation and maintenance", applying machine learning algorithms to root cause and fault analysis tasks, improving the accuracy of root cause location and effectively reducing operation and maintenance costs. Such methods are the main development trend in the future, but the specific operation process is not given at this stage.

Summary of the invention

The purpose of the present invention is to overcome the shortcomings of the above-mentioned prior art and provide a root cause alarm analysis method, system, device and storage medium, which can efficiently identify root cause alarms and have low operation and maintenance costs.

To achieve the above object, the root cause alarm analysis method of the present invention comprises:

Preprocess the alarm data, use the SR-ASM algorithm to mine the alarm data, obtain the alarm sequence, and convert the alarm sequence into an alarm relationship diagram;

According to the alarm relationship diagram, the root cause alarm is identified using the root cause alarm identification model SGC-RAI, and the identified root cause alarm is recommended.

It also includes: further determining the bidirectional edges in the alarm relationship graph and assigning weights to each pair of relationships in the graph according to the confidence and the improvement.

The process of preprocessing the alarm data is: deduplication, sorting, and grouping the alarm data by network element and time window.

According to the alarm relationship diagram and alarm characteristics, the specific operation process of using the root cause alarm identification model SGC-RAI to perform root cause alarm analysis is as follows:

For a set of alarm sequences of root cause alarms to be analyzed, the text features of the alarms are vectorized to obtain the features of each alarm. The relational features of the alarms are extracted according to the alarm relationship graph. The root cause alarm identification model SGC-RAI is supervised trained using the alarm's own features and relational features. Then, the trained root cause alarm identification model SGC-RAI is used to identify the root cause alarms.

The alarm group is deduplicated, and the text information of all alarms is used as a corpus to train the GloVe model and the TF-IDF model. For an alarm log, the word segmentation of the alarm name is input into the trained GloVe model to obtain the word vector features of the alarm name segmentation. The trained TF-IDF model is then used to weight the word vector features to obtain the features of the alarm itself, and the associated information of the alarm is obtained according to the alarm relationship graph.

The root cause alarm identification model SGC-RAI includes two layers of spatial graph convolution layers, a pooling layer and a fully connected layer. Among them, the two layers of spatial graph convolution layers are used to aggregate local information, and the pooling layer uses element-wise maximum pooling operation to extract all fault information, and the fault information is injected into the alarm to obtain a new representation of the alarm. Finally, the alarm feature is converted into a value through a shared fully connected layer, and Softmax normalization is used to obtain the root cause score of the alarm. The alarm with the largest root cause score is taken as the root cause alarm.

The operation process of the two-layer spatial domain graph convolution layer (inspired by relational graph convolution) is:

为第k层的输出，

为获取的邻域信息，

为可学习的线性变换。N₁(v)和N₂(v) 分别代表节点v的两类邻居组成的集合。N₁)v)中的节点与节点v有边相连，且边的方向由节点v指向邻居节点，N₂(v)中的节点与节点v有边相连，且边的方向由邻居节点指向节点v。w(v,u)表示告警关联图中节点v 到邻居节点u的边的对应先验权重，w(u,v)表示告警关联图中邻居节点u 到节点v的边的对应先验权重。Among them, v is the alarm in the alarm sequence, and k is the kth layer.

is the output of the kth layer,

To obtain the neighborhood information,

is a learnable linear transformation. _{N 1} (v) and N ₂ (v) represent the sets of two types of neighbors of node v. The nodes in N ₁ (v) are connected to node v by edges, and the direction of the edges is from node v to the neighbor nodes. The nodes in N ₂ (v) are connected to node v by edges, and the direction of the edges is from the neighbor nodes to node v. w(v,u) represents the corresponding prior weight of the edge from node v to neighbor node u in the alarm association graph, and w(u,v) represents the corresponding prior weight of the edge from neighbor node u to node v in the alarm association graph.

The operations for aggregating global information are:

Among them, G is the association graph composed of the entire alarm sequence:

The root cause alarm prediction calculation is:

A root cause alarm analysis system, comprising:

The mining module is used to pre-process the alarm data, mine the alarm data using the SR-ASM algorithm, obtain the alarm sequence, and convert the alarm sequence into an alarm relationship diagram;

The identification module is used to identify the root cause alarm according to the alarm relationship diagram and the text features of the alarm itself, and recommend the identified root cause alarm using the root cause alarm identification model SGC-RAI. A computer device includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor implements the steps of the root cause alarm analysis method when executing the computer program.

A computer-readable storage medium stores a computer program, and when the computer program is executed by a processor, the steps of the root cause alarm analysis method are implemented.

The present invention has the following beneficial effects:

During specific operation, the root cause alarm analysis method, system, device and storage medium described in the present invention mine alarm data based on increasing credibility and SR-ASM algorithm to obtain an alarm sequence, convert the alarm sequence into an alarm relationship diagram, avoid missing valuable alarm association information, and improve recognition accuracy. Then, the root cause alarm recognition model SGC-RAI is used to identify the root cause alarm, effectively reducing the dependence on expert experience, reducing operation and maintenance costs, and improving recognition efficiency. According to experiments, the accuracy of the training set and the test set in the present invention are very high. At the same time, the microF1 and macroF1 of the present invention are higher than the prior art, that is, when the distribution of faults is uneven, the present invention has a stronger ability to identify different types of root causes, and can be widely used in the tasks of alarm compression and root cause location in the telecommunications field.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a logic diagram for judging pattern growth in the SR-ASM algorithm;

FIG2 is a flow chart of alarm correlation mining in the present invention;

FIG3 is a framework diagram of root cause alarm identification in the present invention;

FIG4 is a schematic diagram of a root cause alarm identification model in the present invention;

DETAILED DESCRIPTION

In order to enable those skilled in the art to better understand the scheme of the present invention, the technical scheme in the embodiment of the present invention will be clearly and completely described below in conjunction with the drawings in the embodiment of the present invention. Obviously, the described embodiment is only an embodiment of a part of the present invention, not all embodiments, and is not intended to limit the scope of the present invention. In addition, in the following description, the description of well-known structures and technologies is omitted to avoid unnecessary confusion of the concepts disclosed in the present invention. Based on the embodiments in the present invention, all other embodiments obtained by ordinary technicians in this field without making creative work should fall within the scope of protection of the present invention.

The root cause alarm analysis method of the present invention comprises the following steps:

1) Discover the association between alarms based on sequence pattern mining;

Based on the SR-ASM algorithm, the alarm data is mined to obtain an alarm sequence, which is then converted into an alarm relationship graph. The directions of the bidirectional edges in the alarm relationship graph are further determined, and each pair of relationships is weighted according to the confidence and lift.

Specifically, considering that the occurrence frequencies of different alarms vary greatly, it is easy to miss valuable alarm-related information if only the support index is used to mine the alarm data. Therefore, the present invention modifies the traditional frequent sequence pattern mining algorithm PrefixSpan, and proposes the concept of increasing credibility and the alarm sequence mining algorithm SR-ASM to mine valuable alarm sequences in alarm data. The SR-ASM algorithm takes the alarm sequence database as input and outputs valuable alarm sequences.

2) Identify root cause alarms based on graph networks.

According to the alarm relationship diagram, the root cause alarm identification model SGC-RAI is used to perform root cause alarm analysis.

Specifically, the present invention uses a graph neural network method to extract the features of the alarm and identify the root cause alarm. The present invention applies the idea of spatial graph convolution and pooling, and proposes a root cause alarm identification model SGC-RAI, wherein the SGC-RAI model enables each alarm to aggregate local and global information, thereby obtaining more discriminative features, and finally transforms and normalizes the features to obtain the root cause score. The present invention adopts a supervised training method to achieve a very high root cause alarm recognition rate.

Referring to FIG1 , the core details of SR-ASM, SR-ASM is an algorithm proposed based on PrefixSpan, and also adopts the prefix pattern growth method to mine all valuable alarm sequences. When the prefix grows, the present invention proposes the concept of growth credibility GR, wherein, given a prefix α, a new sequence s formed by combining the prefix α with the item b is formed to form the credibility of the valuable prefix, and the following is obtained:

The original PrefixSpan algorithm only uses support to determine pattern growth. If the minimum support requirement is reached, the prefix continues to grow. When the prefix grows, the present invention takes into account both support and growth credibility, and proposes a prefix growth judgment logic as shown in Figure 1. The present invention uses support and growth credibility GR together to determine whether the pattern continues to grow. If either of the two indicators is met, the pattern can continue to grow.

SR-ASM Algorithm Idea

Similar to the PrefixSpan algorithm, SR-ASM continuously increases the prefix through a recursive method. Specifically, it starts mining from the 1-prefix (k=1), and for each 1-prefix, it projects to obtain a database consisting of all suffixes, and counts the support of each item b in the database.

When the support of b is greater than or equal to the minimum support, the prefix is further increased to a (k+1)-prefix, and then recursive mining is performed;

When the support of b is less than the minimum support, the growth credibility GR is calculated. If GR≥min_GR, the prefix is further increased to (k+1)-prefix, and then recursive mining is performed. Otherwise, the growth is stopped.

And so on, the process continues recursively until the projected database is empty or the sequence length constraint is reached.

At the beginning of the program, the prefix is empty and needs to be specially processed in the SR-ASM algorithm. The present invention sets the support lower bound t. When the support of an item in the initial database reaches t, it is 1-prefix.

FIG2 is a flowchart of the alarm correlation mining process used in the present invention, and the specific process is as follows:

1a) Build an alarm sequence database:

Massive and discrete alarm records are grouped, sorted, deduplicated and serialized. The input of this link is the original alarm log record, and the output is the constructed alarm sequence database S.

2a) Mining valuable alarm sequences:

Taking the database S as input, the SR-ASM algorithm is executed to obtain valuable alarm sequences and their support.

3a) Generate alarm relationship network:

The alarm sequence obtained in step 2a) is used as a network graph to represent the relationship between alarms, with the alarm as a node on the network graph and the sequence as a path on the network graph. If there are bidirectional edges on the constructed graph, and the support in one direction is more than twice the support in the other direction, the side with lower support is deleted, otherwise both edges are deleted.

Then calculate the weight of each edge, where the weight of the edge from alarm A to alarm B, Edge(A→B) _weight , is:

Referring to Figure 3, when it is necessary to determine the root cause alarm in a set of alarm sequences, two types of features are used as the input of the recognition model, wherein the two types of features are the text features of the alarm and the correlation features between the alarms, and the output of the recognition model is the root cause alarm. Since the alarm log is in the form of text, the present invention adopts the idea of text vectorization in natural language processing tasks. A method combining the GloVe model and the TF-IDF model is used to represent the alarm. The alarm log is used as a corpus to train the GloVe model and the TF-IDF model. The vector length is 50, and the vector representation of the feature of an alarm is:

Referring to Figure 4, the root cause alarm identification model SGC-RAI takes a set of alarm features ^X∈RN*D and its relationship matrix A∈RN ^*N as input, where N represents the number of alarms in the sequence and D represents the dimension of the alarm features. The root cause alarm identification model SGC-RAI is divided into three parts from left to right. First, two layers of spatial graph convolution are used to aggregate local information, then element-wise maximum pooling operations are used to extract all fault information and inject the fault information into the alarm, and then the node information is updated again. Finally, the alarm features are converted into root cause scores through a shared fully connected layer and normalization operation.

The convolution operation in this invention (inspired by relational graph convolution) is:

为第k层的输出，

为获取的邻域信息，

为可学习的线性变换。N₁(v)和N₂(v) 分别代表节点v的两类邻居组成的集合。N₁(v)中的节点与节点v有边相连，且边的方向由节点v指向邻居节点，N₂(v)中的节点与节点v有边相连，且边的方向由邻居节点指向节点v。w(v,u)表示告警关联图中节点v 到邻居节点u的边的对应先验权重，w(u,v)表示告警关联图中邻居节点u 到节点v的边的对应先验权重。Among them, v is the alarm in the alarm sequence, and k is the kth layer.

is the output of the kth layer,

To obtain the neighborhood information,

is a learnable linear transformation. _{N 1} (v) and N ₂ (v) represent the sets of two types of neighbors of node v. The nodes in N ₁ (v) are connected to node v by edges, and the direction of the edges is from node v to the neighbor nodes. The nodes in N ₂ (v) are connected to node v by edges, and the direction of the edges is from the neighbor nodes to node v. w(v,u) represents the corresponding prior weight of the edge from node v to neighbor node u in the alarm association graph, and w(u,v) represents the corresponding prior weight of the edge from neighbor node u to node v in the alarm association graph.

The operations for aggregating global information are:

Among them, G is the association graph composed of the entire alarm sequence:

The root cause alarm prediction calculation is:

A root cause alarm analysis system, comprising:

The mining module is used to pre-process the alarm data, mine the alarm data using the proposed SR-ASM algorithm, obtain the alarm sequence, and convert the alarm sequence into an alarm relationship graph;

The identification module is used to identify the root cause alarm according to the alarm relationship diagram and the text features of the alarm itself, and recommend the identified root cause alarm using the proposed root cause alarm identification model SGC-RAI. A computer device includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the root cause alarm analysis method when executing the computer program.

A computer-readable storage medium stores a computer program, and when the computer program is executed by a processor, the steps of the root cause alarm analysis method are implemented.

Those skilled in the art will appreciate that the embodiments of the present application may be provided as methods, systems, or computer program products. Therefore, the present application may adopt the form of a complete hardware embodiment, a complete software embodiment, or an embodiment in combination with software and hardware. Moreover, the present application may adopt the form of a computer program product implemented in one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) that contain computer-usable program code.

The present application is described with reference to the flowchart and/or block diagram of the method, device (system) and computer program product according to the embodiment of the present application. It should be understood that each process and/or box in the flowchart and/or block diagram, and the combination of the process and/or box in the flowchart and/or block diagram can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the function specified in one process or multiple processes in the flowchart and/or one box or multiple boxes in the block diagram.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce a manufactured product including an instruction device that implements the functions specified in one or more processes in the flowchart and/or one or more boxes in the block diagram.

These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes in the flowchart and/or one or more boxes in the block diagram.

Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention rather than to limit it. Although the present invention has been described in detail with reference to the above embodiments, ordinary technicians in the relevant field should understand that the specific implementation methods of the present invention can still be modified or replaced by equivalents, and any modifications or equivalent replacements that do not depart from the spirit and scope of the present invention should be covered within the scope of protection of the claims of the present invention.

Claims (8)

1. A root cause alarm analysis method, characterized by comprising: Preprocess the alarm data, use the SR-ASM algorithm to mine the alarm data, obtain the alarm sequence, and convert the alarm sequence into an alarm relationship diagram; According to the alarm relationship diagram and the characteristics of the alarm itself, the root cause alarm is identified using the root cause alarm identification model SGC-RAI, and the identified root cause alarm is recommended; The root cause alarm identification model SGC-RAI includes two layers of spatial graph convolution layers, a pooling layer, and a fully connected layer. The two layers of spatial graph convolution layers are used to aggregate local information, and the pooling layer uses element-wise maximum pooling operations to extract global fault information, and injects the fault information into the alarm to obtain a new representation of the alarm. Finally, the alarm features are converted into numerical values through a shared fully connected layer, and Softmax normalization is used to obtain the root cause score of the alarm. The alarm with the largest root cause score is taken as the root cause alarm. The operation process of the two-layer spatial domain graph convolution layer is:

Where v is the alarm in the alarm sequence, k is the kth layer,

is the output of the kth layer,

To obtain the neighborhood information,

is a learnable linear transformation, N ₁ (v) and N ₂ (v) represent the sets of two types of neighbors of node v, respectively. The nodes in N ₁ (v) are connected to node v by edges, and the direction of the edges is from node v to the neighbor nodes. The nodes in N ₂ (v) are connected to node v by edges, and the direction of the edges is from the neighbor nodes to node v. w(v,u) represents the corresponding prior weight of the edge from node v to neighbor node u in the alarm association graph, and w(u,v) represents the corresponding prior weight of the edge from neighbor node u to node v in the alarm association graph. The operation of aggregating global information is:

Among them, G is the association graph composed of the entire alarm sequence: The root cause alarm prediction calculation is:

2. The root cause alarm analysis method according to claim 1 is characterized in that it also includes: determining the direction of the bidirectional edges in the alarm relationship graph, and assigning weights to each pair of relationships on the alarm relationship graph according to confidence and improvement. 3. The root cause alarm analysis method according to claim 1 is characterized in that the process of preprocessing the alarm data is: deduplicating, sorting, and grouping the alarm data by network element and time window. 4. The root cause alarm analysis method according to claim 1 is characterized in that, according to the alarm relationship diagram and the characteristics of the alarm itself, the specific operation process of performing root cause alarm analysis using the root cause alarm identification model SGC-RAI is as follows: For a set of alarm sequences of root cause alarms to be analyzed, the text features of the alarms are vectorized to obtain the features of the alarms themselves. The relational features of the alarms are extracted according to the alarm relationship graph. The root cause alarm identification model SGC-RAI is supervisedly trained using the features of the alarms themselves and the relational features, where the label is the root cause alarm. The trained root cause alarm identification model SGC-RAI is then used to identify the root cause alarms. 5. The root cause alarm analysis method according to claim 1 is characterized in that the alarm group is deduplicated, and then the text information of all alarms is used as a corpus to train the GloVe model and the TF-IDF model, wherein for an alarm log, the word segmentation of the alarm name is input into the trained GloVe model to obtain the word vector features of the alarm name segmentation, and then the trained TF-IDF model is used to weight the word vector features to obtain the features of the alarm itself, and the associated information of the alarm is obtained according to the alarm relationship diagram. 6. A root cause alarm analysis system, characterized by comprising: The mining module is used to pre-process the alarm data, mine the alarm data using the SR-ASM algorithm, obtain the alarm sequence, and convert the alarm sequence into an alarm relationship diagram; An identification module, used to identify the root cause alarm according to the alarm relationship diagram and the characteristics of the alarm itself, using the root cause alarm identification model SGC-RAI, and recommend the identified root cause alarm; The root cause alarm identification model SGC-RAI includes two layers of spatial graph convolution layers, a pooling layer, and a fully connected layer. The two layers of spatial graph convolution layers are used to aggregate local information, and the pooling layer uses element-wise maximum pooling operations to extract global fault information, and injects the fault information into the alarm to obtain a new representation of the alarm. Finally, the alarm features are converted into numerical values through a shared fully connected layer, and Softmax normalization is used to obtain the root cause score of the alarm. The alarm with the largest root cause score is taken as the root cause alarm. The operation process of the two-layer spatial domain graph convolution layer is:

Where v is the alarm in the alarm sequence, k is the kth layer,

is the output of the kth layer,

To obtain the neighborhood information,

is a learnable linear transformation, N ₁ (v) and N ₂ (v) represent the sets of two types of neighbors of node v, respectively. The nodes in N ₁ (v) are connected to node v by edges, and the direction of the edges is from node v to the neighbor nodes. The nodes in N ₂ (v) are connected to node v by edges, and the direction of the edges is from the neighbor nodes to node v. w(v,u) represents the corresponding prior weight of the edge from node v to neighbor node u in the alarm association graph, and w(u,v) represents the corresponding prior weight of the edge from neighbor node u to node v in the alarm association graph. The operation of aggregating global information is:

Among them, G is the association graph composed of the entire alarm sequence: The root cause alarm prediction calculation is:

7. A computer device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the root cause alarm analysis method according to any one of claims 1 to 5 when executing the computer program. 8. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the steps of the root cause alarm analysis method according to any one of claims 1 to 5.

Images