JP7602181B2 - Alarm analysis device, alarm analysis method, Bayesian network model, and alarm analysis program - Google Patents

Description

The present invention relates to an alarm analysis device, an alarm analysis method, a Bayesian network model and an alarm analysis program.

Network monitoring operations involve processes that involve constant monitoring to detect changes in the status of equipment and alarms, identifying events such as failures and construction work, analyzing and determining the cause of failures, and implementing (dealing with) failure recovery.

This process is realized by dispatching a local technician to the site when physical work such as repairing or replacing faulty equipment becomes necessary, while the maintenance technician who manages the entire network (remote technician) manages the equipment located throughout the country remotely from a centralized location.

In order to respond to events that occur on the network, it is important for maintenance personnel to understand what event (construction or failure) caused the detected alarms.

Non-patent document 1 describes a technology that correlates multiple alerts generated by a single event by combining network connection configuration information with predefined rules.

"Proposal of an alarm correlation and main cause analysis method using network configuration information", Institute of Electronics, Information and Communication Engineers, Information and Communication Management Research Group (ICM), March 2, 2020

Because an alarm can be generated by multiple devices in response to a single event, and multiple events can occur simultaneously on a nationwide network, a large number of alarms are generated. Maintenance personnel correlate these alarms by event.

Telecommunications carrier networks are multi-layered, consisting of multiple layers, such as the transmission layer made up of transmission equipment and the IP layer made up of NGN mass equipment, so there are a large number of diverse devices and a large number of different types of alarms. Correlating alarms that occur in such networks requires advanced knowledge and experience from maintenance personnel, and places a large burden on them. For this reason, there is a demand to reduce the burden on maintenance personnel who determine alarm correlations and to make it less skilled.

In non-patent document 1, the maintainer must define the rules in advance, and this rule definition requires advanced knowledge and experience on the part of the maintainer, and therefore cannot be fully automated.

The present invention has been made in consideration of the above circumstances, and an object of the present invention is to provide an alarm analysis device, an alarm analysis method, a Bayesian network model, and an alarm analysis program for easily correlating alarms.

In order to achieve the above object, one aspect of the present invention is an alarm analysis device comprising a Bayesian network model, an estimation unit that estimates a first relevance of multiple alarms using the Bayesian network model, and a determination unit that uses the first relevance to group alarms that have occurred due to the same event, wherein the Bayesian network model has multiple type nodes indicating alarm types, and time nodes and location nodes linked to the type nodes, wherein a second relevance is set to the time node according to the difference between the time of occurrence of an alarm of a child node or parent node of the linked type node, and a third relevance is set to the location node according to the difference between the location of occurrence of an alarm of a child node or parent node of the linked type node.

One aspect of the present invention is an alarm analysis method performed by an alarm analysis device, which includes the steps of estimating a first relevance of multiple alarms using a Bayesian network model, and grouping alarms that have occurred due to the same event using the first relevance, wherein the Bayesian network model has multiple type nodes indicating alarm types, and time nodes and location nodes linked to the type nodes, and a second relevance is set to the time node according to the difference between the time of occurrence of an alarm of a child node or parent node of the linked type node, and a third relevance is set to the location node according to the difference between the location of occurrence of an alarm of a child node or parent node of the linked type node.

One aspect of the present invention is an alarm analysis program that causes a computer to function as the above-mentioned alarm analysis device.

According to the present invention, it is possible to provide an alarm analysis device, an alarm analysis method, a Bayesian network model and an alarm analysis program for easily correlating alarms.

1 is a configuration diagram showing a configuration of an alarm analysis device according to an embodiment of the present invention. FIG. 1 is a diagram illustrating an example of a Bayesian NW model. FIG. 11 is a diagram illustrating an example of alarm information. FIG. 11 is a diagram illustrating an example of a determination result. 4 is a flowchart showing an operation of the alarm analysis device. 2 is an example of a hardware configuration.

Below, an embodiment of the present invention is described with reference to the drawings.

Figure 1 is a configuration diagram showing the configuration of the alarm analysis device 1 of this embodiment. A group of alarms occurring due to the same event occurs almost simultaneously from multiple devices with physical or logical connections. Therefore, if the time and place (area) of the alarm occurrence are close, it can be estimated that there is a high possibility that the alarms occurred due to the same event. In this embodiment, if the time and place of alarm occurrence, and the type of alarm occurring due to one event, among multiple newly occurring alarms, are close to the Bayesian NW model, it is determined that the group of alarms occurred due to the same event.

The illustrated alarm analysis device 1 includes an acquisition unit 11, an estimation unit 12, a judgment unit 13, an alarm information DB 14, a model memory unit 15, and a configuration information DB 16.

The acquisition unit 11 acquires alarm information 101 (alarm list) issued from multiple devices and stores it in the alarm information DB 15. The alarm information 101 includes multiple alarms. The alarms include an alarm type, an occurrence time, an occurrence location, an apparatus identifier, etc.

For example, the acquisition unit 11 acquires alarm information from at least one OpS (Operation Support System). General telecommunications carrier equipment (e.g., network equipment) is monitored by the OpS. The OpS provides maintenance personnel with functions such as collecting alarm information from the equipment and displaying the alarm on a screen. The acquisition unit 11 acquires the alarm information stored by the OpS at a predetermined timing, stores the alarm information in the alarm information DB 15, and sends it to the estimation unit 12.

The estimation unit 12 estimates the relevance of multiple alerts contained in the alert information using a Bayesian NW model.

The determination unit 13 uses the relevance to group alarms that have occurred due to the same event. Specifically, the determination unit 13 determines whether a certain alarm (first alarm) and another alarm (second alarm) have occurred due to the same event based on the relevance, and groups the alarms by event.

A Bayesian network model (hereinafter referred to as the "Bayesian NW model") is pre-stored in the model memory unit 15.

Figure 2 is a diagram showing an example of a Bayesian network model of this embodiment. The Bayesian network model is one of the probabilistic models with a graph structure. In the Bayesian network model, each event is represented by a node, and the nodes are connected by one-way links (arrows) that indicate dependencies. Each node is assigned a conditional probability (CPT: Conditional Probability Table).

The Bayesian network model shown in the figure has multiple type nodes A, B, and C that indicate alarm types (ALM types), and time nodes A1, B1, B3, and C1 and location nodes A2, B2, B4, and C2 linked to the type nodes. The type nodes are main nodes, and the time nodes and location nodes are subnodes. Note that the Bayesian network model in Figure 2 is just an example and is not limited to the model in Figure 2. For example, the Bayesian network model may have two type nodes or four or more type nodes.

For each time node, a relevance (second relevance) is set according to the difference between the time when the alarm occurred for the child node or parent node of the linked type node. For each location node, a relevance (third relevance) is set according to the difference between the location when the alarm occurred for the child node or parent node of the linked type node.

Specifically, type node A is an event indicating the occurrence of an alarm of alarm type A, type node B is an event indicating the occurrence of an alarm of alarm type B, and type node C is an event indicating the occurrence of an alarm of alarm type C. The dependency relationship between type nodes A, B, and C can be expressed as type node A → type node B → type node C.

The node at the end of the link is the child node, and the node at the start of the link is the parent node. In the case of type node A → type node B, type node A is the parent node and type node B is the child node. A conditional probability is set for each type node A, B, and C. The conditional probability is set to the probability of occurrence based on the difference between the time of occurrence of the alarm and the difference between the occurrence location and the child node or parent node of the type node.

Figure 2 shows the conditional probability 201 of type node A, which is the starting point. Although not shown here, the conditional probability of type node B is set to an occurrence probability that depends on the difference between the time and location of the alarm occurrence of the parent node and the difference between the time and location of the alarm occurrence of the child node. The conditional probability of type node C is set to an occurrence probability that depends on the difference between the time and location of the alarm occurrence of the parent node.

In the conditional probability 201 shown in the figure, the probability of an alarm occurring is set according to the difference in occurrence time and the difference in occurrence location of the alarm of the child node (type node B) of type node A. For example, when there is no difference in the occurrence location (i.e., when the alarm occurs on the same device) and the difference in occurrence time is less than ±5 seconds, the probability of an alarm of alarm type A occurring is defined as "0.9" and the probability of it not occurring is defined as "0.1". Also, when there is no difference in the occurrence location and the difference in occurrence time is ±5 seconds or more, the probability of an alarm of alarm type A occurring is defined as "0.8" and the probability of it not occurring is defined as "0.2".

In addition, when the difference in the occurrence location is within the same building and the difference in the occurrence time is less than ±5 seconds, the probability of an alarm of alarm type A occurring is defined as "0.8" and the probability of it not occurring is defined as "0.2." In addition, when the difference in the occurrence location is within the same building and the difference in the occurrence time is ±5 seconds or more, the probability of an alarm of alarm type A occurring is defined as "0.7" and the probability of it not occurring is defined as "0.3."

In the conditional probability 201 shown in the figure, the difference in occurrence time is divided into less than 5 seconds and 5 seconds or more, and two probabilities are set, but it is also possible to divide it into three or more and set the probability to be higher as the difference in occurrence time is smaller.

In addition, in the conditional probability 201 shown in the figure, the difference in the location of occurrence is divided into same device with no difference, within the same building, within the same prefecture, and others (different prefectures), and is set so that the smaller the difference in the location of occurrence, the higher the probability, but the difference in the location of occurrence may be classified in other ways.

In the Bayesian network model of this embodiment, time nodes and location nodes that link to type nodes A, B, and C are defined. For example, type node B has time nodes B1 and B3 and location nodes B2 and B4 defined. Time node B1 is a node related to the difference in occurrence time with the parent node (type node A in this case), and time node B3 is a node related to the difference in occurrence time with the child node (type node C in this case). Location node B2 is a node related to the difference in occurrence location with the parent node, and location node B4 is a node related to the difference in occurrence location with the child node. Each of these nodes B1 to B4 is assigned a conditional probability.

For example, the conditional probability 202 of time node B1 has a relevance of "0.9" when the difference in occurrence time with the alarm of the parent node (type node A) is less than ±5 seconds, and a relevance of "0.1" when the difference in occurrence time is ±5 seconds or more.

For the conditional probability 203 of location node B2, the relevance is set to "0.5" if the alarm occurred on the same device as the parent node (type node A), "0.3" if the alarm occurred on a device in the same building as the parent node alarm device, "0.15" if the alarm occurred on a device in the same prefecture as the parent node alarm device, and "0.05" otherwise (if the alarm occurred on a device in a different prefecture than the parent node alarm device).

In this way, a higher relevance level (second relevance level) is set for a time node the smaller the difference in occurrence time, and a higher relevance level (third relevance level) is set for a location node the smaller the difference in occurrence location.

Similar conditional probabilities are defined for other time nodes A1, B3, C1 and other location nodes A2, B4, C2, although they are omitted in Figure 2.

In this embodiment, for alerts that occur at similar times and locations, a Bayesian network model is used to calculate a high relevance (first relevance), and alerts that occur due to the same event are grouped.

Below, we will explain in detail the process in which the estimation unit 12 and the judgment unit 13 group alerts using a Bayesian NW model.

Figure 3 shows an example of alarm information (alarm list) input to the alarm analysis device 1. The alarm information includes multiple alarms. Each alarm shown has an alarm identifier, an occurrence time (occurrence date and time), an alert type (ALM type), a prefecture, a building, and an equipment identifier. This alarm information shows that each alarm has occurred in order starting with the alarm with alarm identifier 1.

Examples of alarm types include types indicating equipment failure (e.g., Eqp failure alarm) and types indicating an abnormality related to the device's interface (e.g., Link down alarm). The prefecture, building, and equipment identifier are information that indicates the location where the alarm occurred.

Figure 4 shows an example of a judgment result for each alarm in the alarm information shown in Figure 3. In the judgment result, a group number is set for each alarm (alarm identification information).

The estimation unit 12 sequentially reads out each warning in the warning information and estimates the degree of relevance of the warning to the warning read before it, and the determination unit 13 uses the degree of relevance to group warnings that have occurred due to the same event.

(1) Alarm with alarm identifier 1 [ALM type B]
The estimation unit 12 reads out an alarm with an [ALM type B] and an alarm identifier 1 from the alarm information 101 shown in Fig. 3. Since there is no alarm that occurred before the alarm identifier 1, the estimation unit 12 does not estimate the relevance of the alarm identifier 1, and the determination unit 13 sets a predetermined group number for the alarm. In the determination result shown in Fig. 4, the determination unit 13 sets the group number to "1".

(2) Alarm with alarm identifier 2 [ALM type A]
Next, the estimation unit 12 reads out the alarm with the alarm identifier 2 [ALM type A], and estimates the degree of association with an alarm on the child node side (alarm identifier 1 [ALM type B]) that occurred before the read alarm. That is, the estimation unit 12 estimates the degree of association between the alarm identifiers 2-1 by using a Bayesian NW model.

As shown in Figure 3, the difference in occurrence time between the warnings with warning identifiers 1 and 2 is 5 seconds, and the difference in occurrence location is other (different prefectures). Therefore, the estimation unit 12 estimates the degree of association to be "0.3", the probability that the difference in occurrence location in the conditional probability 201 in Figure 2 is other and the difference in occurrence time is 5 seconds or more.

P(ALM type A = occurrence | time difference = ±5s or more, location difference = other) = 0.3
Because the relevance level "0.3" is less than a predetermined threshold value (e.g., 0.5), the determination unit 13 determines that the warnings with warning identifier 2 and warning identifier 1 belong to different groups. The determination unit 13 sets group number "2", which is different from group number "1" of warning identifier 1, to the warnings with warning identifier 2.

If some information about the alarm is missing, the estimation unit 12 uses the conditional probability of time node A1 and location node A2. For example, if the occurrence time of [ALM type A] of alarm identifier 2 cannot be obtained and is missing, there is no evidence (condition) of "difference in occurrence time". In this case, the following formula is obtained, and the estimation unit 12 uses the conditional probability of location node A2 to calculate probabilistic inference using only the evidence of "difference in occurrence location".

P(ALM type A = occurrence | location difference = other) = 0.48
In the Bayesian NW model, even if all the evidence is not known, it is possible to calculate the probability of occurrence of a state of interest using probabilistic inference based on the available evidence.

(3) Alarm with alarm identifier 3 [ALM type B]
Next, the estimation unit 12 reads out the alarm with alarm identifier 3 [ALM type B], and among the alarms that occurred before the alarm, the alarm with alarm identifier 1 has the same ALM type, so the estimation unit 12 does not estimate the degree of association, but estimates the degree of association with the alarm on the parent node side (alarm identifier 2 [ALM type A]). That is, the estimation unit 12 estimates the degree of association between alarm identifiers 3 and 2 using a Bayesian NW model.

As shown in Figure 3, the difference in occurrence time between the warnings with warning identifiers 3 and 2 is 1 second, and the difference in occurrence location is the same prefecture. The estimation unit 12 calculates the degree of association between warning identifiers 3 and 2 using the conditional probability 202 of time node B1 in Figure 2, location nodes B2 and 203, and the conditional probability of type node B (not shown).

For example, the estimation unit 12 calculates the degree of association between the alarm identifiers 3-2 by using probabilistic inference to determine the probability that ALM type B will occur from the conditional probability 202 of "0.9," the conditional probability 203 of "0.15," and the corresponding probability of the conditional probability of type node B (not shown). The calculated degree of association is assumed to be "0.8" here.

P(ALM type B = occurrence | time difference = less than ±5s, location difference = same prefecture) = 0.8
Because the degree of association "0.8" is equal to or greater than a predetermined threshold (e.g., 0.5), the determination unit 13 determines that the alarms with alarm identifier 3 and alarm identifier 2 belong to the same group. In other words, the determination unit 13 associates the alarms with alarm identifier 3 and alarm identifier 2 as a group of alarms that occurred due to the same event. Therefore, the determination unit 13 sets the group number "2", which is the same as the group number "2" of alarm identifier 2, to the alarm with alarm identifier 3.

(4) Alarm with alarm identifier 4 [ALM type A] Next, the estimation unit 12 reads out the alarm with alarm identifier 4 [ALM type A], and estimates the degree of association with the alarms on the child node side (alarm identifier 1 [ALM type B], alarm identifier 3 [ALM type B]) that occurred before the alarm.

First, the estimation unit 12 estimates the relevance between the alarm identifiers 4-1 using a Bayesian NW model. As shown in Fig. 3, the difference in occurrence time between the alarms with alarm identifiers 4 and 1 is 5 seconds or more, and the difference in occurrence location is the same building. Therefore, the estimation unit 12 estimates the relevance as "0.7", the probability that the difference in occurrence location of the conditional probability 201 of type node A in Fig. 2 occurs in the same building and the difference with child node A is 5 seconds or more.

P(ALM type A = occurrence | time difference = ±5s or more, location difference = same building) = 0.7
Then, the estimation unit 12 estimates the relevance between the alarm identifiers 4 and 3 using a Bayesian NW model. As shown in Fig. 3, the difference in occurrence time between the alarms with alarm identifiers 4 and 3 is less than 5, and the difference in occurrence location is other than that. Therefore, the estimation unit 12 estimates the probability "0.5" of the occurrence location difference of the conditional probability 201 of type node A in Fig. 2 being other than that and occurring within less than 5 seconds of the difference with child node A, as the relevance.

P(ALM type A = occurrence | time difference = less than ±5s, location difference = other) = 0.5
Although both have a relevance level of 0.5 or higher, the judgment unit 13 judges that the warnings with warning identifiers 1 and 4, which have the higher relevance level, are in the same group, and sets the warning with warning identifier 4 to the same group number "1" as the group number "1" of warning identifier 1.

The estimation unit 12 and the judgment unit 13 similarly set group numbers for alarms with alarm identifier 5 and onwards and group the alarms.

For example, when calculating the degree of association between ALM type C and ALM type B, if the read alarm is ALM type C, the estimation unit 12 uses the conditional probabilities of type node C, time node C1, and location node C2. If the difference in occurrence time and the difference in occurrence location are known, the estimation unit 12 calculates the degree of association using only the conditional probability of type node C. On the other hand, if the read alarm is ALM type B, the conditional probabilities of type node B, time node B3, and location node B4 are used. As for the degree of association between ALM type C and ALM type A, type node C and type node A are separated by two or more nodes, so the estimation unit 12 does not calculate the degree of association.

In this way, the alarm analysis device 1 of this embodiment uses a Bayesian network model that increases the calculated relevance for alarms that occur close in time and location, and can determine that among multiple newly generated alarms, if the alarm occurrence time, location, and type are close to the Bayesian network model, they are a group of alarms that occurred due to the same event.

In this embodiment, the estimation unit 12 obtains the location of each alarm from the alarm information shown in FIG. 3, but the location may also be obtained from the configuration information DB 16. The configuration information DB 16 is a database that stores information about the network configuration of each device. The information about the network configuration includes the device ID, physical location (building name, prefecture, etc.), logical location (AS number, IP address, IP address subnetwork, etc.), port (IF), and port connection destination information of each device. In this case, the estimation unit 12 may obtain the location of each alarm from the configuration information DB 16 using the device identifier included in the alarm as a key.

In addition, in this embodiment, the difference in physical location (distance) is used as the difference in the location of the alarm, but the difference in the location of the alarm may be the difference in logical location such as an AS number or an IP address subnetwork. In this case, the estimation unit 12 may obtain the logical location of the alarm contained in each alarm, or may obtain the logical location of the alarm from the configuration information DB 16 using a device identifier contained in the alarm as a key.

Figure 5 is a flowchart showing the operation of the alarm analysis device 1. The acquisition unit 11 acquires alarm information issued by each device, for example from an OpS, at a predetermined timing (time interval) (S11). The estimation unit 12 reads out a first alarm included in the alarm information, and estimates the degree of association (first degree of association) with a second alarm read out before the first alarm using a Bayesian NW model (S12).

The determination unit 13 determines whether the first and second alarms are alarms of the same group that occurred due to the same event by comparing the relevance with a predetermined threshold (S13). If it is determined that the first and second alarms are alarms of the same group (S13: YES), the determination unit 13 sets the same group number as the second alarm to the first alarm and groups them (S14). On the other hand, if it is determined that the first and second alarms are in different groups (S13: NO), the determination unit 13 sets a group number different from the second alarm to the first alarm (S15).

If the warning information contains a next unprocessed warning (S16: YES), the estimation unit 12 returns to S12 and performs subsequent processing; if the warning information does not contain a next warning (S16: NO), the estimation unit 12 outputs a judgment result such as that shown in FIG. 4 (S17) and terminates processing.

The alarm analysis device 1 of this embodiment described above comprises a Bayesian network model, an estimation unit 12 that estimates a first relevance of multiple alarms using the Bayesian network model, and a determination unit 13 that uses the first relevance to group alarms that have occurred due to the same event, and the Bayesian network model has multiple type nodes indicating alarm types, and time nodes and location nodes linked to the type nodes, and a second relevance is set to the time node according to the difference between the time of occurrence of an alarm of a child node or parent node of the linked type node, and a third relevance is set to the location node according to the difference between the location of occurrence of an alarm of a child node or parent node of the linked type node.

As a result, in this embodiment, alarm correlation can be easily performed. Specifically, alarm correlation, which is a heavy burden on maintenance personnel, is automated, and alarms can be efficiently grouped simply by inputting newly generated alarm information.

The above-described alarm analysis device 1 can use, for example, a general-purpose computer system as shown in Figure 6. The computer system shown in the figure includes a CPU (Central Processing Unit, processor) 901, a memory 902, a storage 903 (HDD: Hard Disk Drive, SSD: Solid State Drive), a communication device 904, an input device 905, and an output device 906. The memory 902 and the storage 903 are storage devices. In this computer system, the CPU 901 executes a predetermined program loaded on the memory 902, thereby realizing each function of the alarm analysis device 1.

The alarm analysis device 1 may be implemented in one computer or in multiple computers. The alarm analysis device 1 may be a virtual machine implemented in a computer.

The program for the alarm analysis device 1 can be stored on a computer-readable recording medium such as a HDD, SSD, USB (Universal Serial Bus) memory, CD (Compact Disc), or DVD (Digital Versatile Disc), or can be distributed via a network.

The present invention is not limited to the above-described embodiments and variations, and many modifications are possible within the scope of the invention.

1: Alarm analysis device 11: Acquisition unit 12: Estimation unit 13: Judgment unit 14: Alarm information DB
15: Model storage unit 16: Configuration information DB

Claims (7)

Bayesian network model,
an estimation unit that estimates a first relevance degree of a plurality of alarms by using the Bayesian network model;
a determination unit that uses the first relevance degree to group a group of alarms that have occurred due to the same event,
The Bayesian network model has a plurality of type nodes indicating alarm types, and a time node and a location node linked to each type node,
The time node is set with a second relevance degree according to a difference between the time when an alarm occurred at a child node or parent node of the linked type node, and the location node is set with a third relevance degree according to a difference between the location when an alarm occurred at a child node or parent node of the linked type node. The alarm analysis device according to claim 1 , wherein an occurrence probability is set for the type node according to a difference between an occurrence time and an occurrence location of an alarm of a child node or a parent node of the type node. The alarm analysis device according to claim 1 or 2, wherein a higher second relevance level is set for the time node as a difference in occurrence time is smaller, and a higher third relevance level is set for the place node as a difference in occurrence place is smaller. The alarm analysis device according to claim 1 , wherein the difference in the occurrence location is a difference in a physical location of a device that has outputted an alarm, or a difference in a logical location of the device. An alarm analysis method performed by an alarm analysis device, comprising:
estimating a first relevance of the plurality of alarms using a Bayesian network model;
using the first relevance to group a group of alarms generated by the same event;
The Bayesian network model has a plurality of type nodes indicating alarm types, and a time node and a location node linked to each type node,
a second relevance degree is set for the time node according to a difference between the time when an alarm occurred and a child node or parent node of the linked type node, and a third relevance degree is set for the location node according to a difference between the location when an alarm occurred and a child node or parent node of the linked type node. A plurality of type nodes indicating alarm types;
a time node and a place node linked to each type node;
A Bayesian network model in which a relevance level is set for the time node according to a difference between the time when an alarm occurred at a child node or parent node of the linked type node, and a relevance level is set for the location node according to a difference between the location where an alarm occurred at a child node or parent node of the linked type node. An alarm analysis program that causes a computer to function as an alarm analysis device according to any one of claims 1 to 4.

Images