CN101247269A - Method for automatically discovering association rule for judging redundant alarm - Google Patents

Abstract

The present invention provides relating regular method of automatic finding judgment redundant alarm, which includes the following steps: (1) all history alarm is separated into some alarm subclass according to alarm class of all history alarm, each subclass correspond to a alarm class, then corresponding supporting degree and confidence degree of two alarm class is statistical according to random two alarm subclass, until all alarm class completes; (2) after completing all alarm statistical calculation between classes, listing relating alarm class in which supporting degree is bigger than prearranged threshold A and confidence degree is bigger than prearranged threshold B, adding to synthetic net management system, shielding or inhibition redundant alarm automatically. The present invention resolves calculate complexity degree problem of magnanimity history data, and can find relating rules of judging redundant alarm automatically in finite time, so compression rate of synthetic net management is improved greatly.

Description

The method of the correlation rule of redundant alarm is judged in a kind of automatic discovery

Technical field

The present invention relates in the especially national provincial large-scale synthesis webmaster of telecommunicatioin network management to find automatically to judge the method for the correlation rule of redundant alarm by data mining.

Background technology

Integrated Network Management System is based upon on the basis of each professional network management system, by standard interface, realizes the centralized management and the analysis of each professional network management system data.Wherein reflect the activity alarm (Active Alarm) of network element device (NetworkElement) malfunction, need on fault management (FaultManagement) interface, present in real time, so that the attendant carries out corresponding regular maintenance according to these alarms, guarantee the stable operation of communication network.

But owing to reasons such as system designs, activity alarm on each professional webmaster all has certain data scale (the K order of magnitude), concentrate and to converge to behind the comprehensive network management its quantity just quite huge (the W order of magnitude), so many activity alarm both can't show effectively on the interface that the Operation and Maintenance personnel also can't handle.According to the operation experience of reality, the network element device that breaks down is a minority, and real effectively alarm also is a minority, because a network element device when breaking down, can produce the series of activities alarm, but not every movable alarm all shows failure cause.Therefore need carry out correlation analysis to these movable alarms, find out the basic reason that produces fault, the correlation rule that draws according to correlation analysis is alarmed compression then, processing such as the alarm to redundancy just merges, suppresses, abandons, to significantly reduce the movable alarm quantity in the comprehensive network management, the Operation and Maintenance personnel can alarm accurate fault location according to activity in a short period of time, distribute the Trouble ticket related personnel and carry out the network failure processing.

In present network management system, redundant alarm to be filtered on the processing logic or correlation rule that mainly is based upon customization, system analyzes correlation between the alarm according to these predefined correlation rules, filters redundant alarm.In the professional webmaster in the past, these correlation rules mainly are to be formulated according to corresponding business knowledge by the hardware expert, yet, comprehensive network management is managed each professional network element device, simple dependence expert provides correlation rule unrealistic, and workload is big, efficient is low, and regular number is also more limited.Thought according to data mining, effective means are exactly by a large amount of history alarm data that are stored in the database are carried out the association rule mining analysis, automatically find to be used to judge the correlation rule of redundant alarm, confirm that by professional expert typing network management system in back comes into force.The method of this automatic discovery correlation rule has significantly reduced workload, has improved operating efficiency.

But history alarm is a mass data, and data scale is more than hundred million grades mostly, must find a high efficiency analytical method, could finish the mining analysis to these history alarm data in finite time, finds out the correlation rule of decidable redundant alarm.

Summary of the invention

The technical problem to be solved in the present invention provides the method that the correlation rule of redundant alarm is judged in a kind of automatic discovery, utilizes existing magnanimity history alarm data, by data mining, finds to judge the correlation rule of redundant alarm automatically.

In order to address the above problem, the invention provides the method that the correlation rule of redundant alarm is judged in a kind of automatic discovery, may further comprise the steps:

(1) according to the Alarm Classification that exists in all history alarms, all history alarms are split into some alarm subclass, the corresponding a kind of Alarm Classification of each subclass, count the support and the confidence level of corresponding two kinds of Alarm Classifications again according to any two alarm subclass, until having added up all Alarm Classifications;

(2) after the statistical computation of finishing between all Alarm Classifications, list support greater than default thresholding A and confidence level greater than the related Alarm Classification of default thresholding B, add in the Integrated Network Management System, automatically shielding or suppress redundant alarm;

Further, in the described step (1), the described support that draws accounts for the percentage of all history alarm quantity for the alarm quantity that belongs to described two kinds of Alarm Classifications;

Further, in the described step (1), obtain the support of described any two kinds of Alarm Classifications, specifically may further comprise the steps:

(a), all history alarms are split into some subclass of independently alarming, the corresponding a kind of Alarm Classification of each subclass according to the Alarm Classification that exists in all history alarms;

(b) described all history alarm quantity of statistics, and count the alarm quantity in any two alarm subclass in the step (a) respectively, described two subclass are corresponding Alarm Classification x and y respectively;

(c) calculate support between described Alarm Classification x and y, be the alarm quantity sum in described two subclass and the ratio of all history alarm quantity;

Further, in the described step (1), the described confidence level that draws, gather the ratio P1 that interior alarm quantity accounts for the alarm quantity of wherein a kind of Alarm Classification x for the relevant alarm of any two kinds of Alarm Classification x and y, account for the ratio P2 of all history alarm quantity divided by the alarm quantity of this Alarm Classification x;

Further, obtain P1, specifically may further comprise the steps:

(i) according to the time of origin of all history alarms, all history alarms are split into some set A of independently alarming_i, each set comprises the whole history alarms that occur in the different period i respectively;

(ii) according to the Alarm Classification that exists in all history alarms, with each alarm set A_iSplit into some alarm subclass, the corresponding a kind of Alarm Classification of each subclass;

(iii), construct two relevant alarm set of alarming subclass in the selected period, and count the alarm quantity in the described relevant alarm set according to two alarm subclass of (ii) middle corresponding Alarm Classification x respectively of step and y;

(iv) count the interior alarm quantity of alarm subclass of corresponding Alarm Classification x;

(v) calculate P1 in the current period, ratio for the alarm quantity in the alarm subclass of the alarm quantity in the described relevant alarm set and corresponding Alarm Classification x, return step and (iii) carry out,, carry out next step until having added up all Alarm Classification and records in the selected period;

(vi) the statistics of all Alarm Classifications adds up in the day part to record, obtains a total P1;

Further, described step (iii) in, when constructing described relevant alarm set, at first travel through all alarms in the alarm subclass of corresponding x, be the alarm x of current period if wherein there is generation time_j, and in the alarm subclass of corresponding y, also have corresponding alarm y_k, make described two alarm x_jAnd y_kOccur on the same network element, the absolute value of time of origin difference and checkout time difference is less than factor T correlation time, then with x_jPut into relevant alarm set, and the alarm quantity in the alarm set of will being correlated with adds 1;

Further, obtain P2, specifically may further comprise the steps:

(I), all history alarms are split into some subclass of independently alarming, the corresponding a kind of Alarm Classification of each alarm subclass according to the Alarm Classification that exists in all history alarms;

(II) statistics obtains described all history alarm quantity, and the quantity of the interior alarm of alarm subclass of corresponding Alarm Classification x in the step (I);

(III) calculate P2, be the ratio of the alarm quantity in the alarm subclass of corresponding Alarm Classification x in the step (II) and all history alarm quantity.

Compared with prior art, the method of the invention has solved the computation complexity problem of mass historical data, can be in finite time (several hrs), automatically find out to judge the correlation rule of redundant alarm, largely improve the alarm compression ratio of comprehensive network management.

Description of drawings

Fig. 1 is a method flow diagram of finding the alarm association rule in the embodiment of the invention automatically.

Embodiment

The present invention is in order to solve the drawback that conventional solution exists, further set forth the method that the correlation rule of redundant alarm is judged in a kind of automatic discovery of the present invention by following specific embodiment, below embodiment is described in detail, but not as a limitation of the invention.

The core thinking of the technical solution adopted in the present invention:

(1) according to the Alarm Classification that exists in all history alarms, all history alarms are split into some alarm subclass, the corresponding a kind of Alarm Classification of each subclass, count the support and the confidence level of corresponding two kinds of Alarm Classifications again according to any two alarm subclass, until having added up all Alarm Classifications;

(2) after the statistical computation of finishing between all Alarm Classifications, list support greater than thresholding A and confidence level greater than the related Alarm Classification of thresholding B, add in the Integrated Network Management System, automatically shielding or suppress redundant alarm.

The Alarm Classification set that exists in the supposing the system is K={k₁, k₂, k₃..., k_n, at first carry out following processing:

1, calculates all and alarm total C;

2, mass alarm according to Alarm Classification K={k₁, k₂, k₃..., k_nBeing divided into the littler history alarm set of data volume, each gathers corresponding a kind of Alarm Classification;

3, travel through the alarm set of all Alarm Classification correspondences, calculate the alarm sum of each Alarm Classification: C_K1, C_K2, C_K3..., C_Kn

Any two Alarm Classification k_xk_yAssociation analysis relate to the calculating of following two index supports and confidence level, need to prove that support does not have strict sequencing with the calculating of degree of writing, in practical operation, handle earlier which can:

1, support support (k_xThe k of==＞_y)=P (k_x∪ k_y): k in the expression history alarm_x, k_yThe percentage that the alarm of two classes is shared, its value too little (as being lower than 1%) expression k_xk_yThe alarm frequency of occurrences is very little, can not determine both correlation degrees;

It is calculated as follows:

The corresponding Alarm Classification k that obtains according to statistics_xHistory alarm quantity C in the corresponding alarm set_x, and corresponding Alarm Classification k_yAlarm set in alarm quantity C_y, calculate support (k_xThe k of==＞_y)=P (k_x∪ k_y)=(C_x+ C_y)/C.

2, confidence level confidence (k_xThe k of==＞_y)=P (k_y| k_x): represent to have k on the same network element_xUnder the condition of alarm, there is k simultaneously_yThe conditional probability of alarm, its value is big more, and k is described_xk_yDegree of correlation is strong more, if exist on same network element and simultaneously, just can use k_xAlarm shield or inhibition k_yAlarm;

Two simultaneous criterions of alarm: the absolute value of the absolute value of time of origin difference and checkout time difference, less than factor T correlation time (specifying default value 1 minute according to concrete system situation).

Below, according to the countable additivity of conditional probability, if A₁, A₂, A₃... A_i... be the disjoint in twos incidents of row, then have:

$P\left(\underset{i=1}{\overset{\∞}{\∪}}{A}_i\right|B)=\underset{i=1}{\overset{\∞}{\mathrm{\Σ}}}P\left(A_i\right|B)=\underset{i=1}{\overset{\∞}{\mathrm{\Σ}}}P(A_i\∩B)/P\left(B\right)$

Therefore, for reducing algorithm complex, history alarm is split as the less history alarm set A of a plurality of data volumes by time of origin₁, A₂, A₃... A_i..., A_m(A_iRepresent a fixedly interior history alarm set that takes place of period i);

Therefore, confidence level confidence (k_xThe k of==＞_y)=P (k_y| k_x) can do following conversion:

$P\left(k_y\right|k_x)=\underset{i=1}{\overset{m}{\mathrm{\Σ}}}P\left(k_{y,i}\right|k_x)=\underset{i=1}{\overset{m}{\mathrm{\Σ}}}P(k_{y,i}\∩k_x)/P\left(k_x\right)$

Wherein: k_{Y, i}Expression is the interior k of period i fixedly_yThe alarm set.

The calculating of confidence level just is converted into and calculates P (k respectively_x) and P (k_{Y, i}∩ k_x).

1) P (k_x) be calculated as follows: P (k_x)=C_x/ C.

2) the fixing P (k in the period i_{Y, i}∩ k_x) calculation procedure is as follows:

I) by time of origin all history alarms are split as the less history alarm set A of a plurality of data volumes₁, A₂, A₃... A_i..., A_m(A_iRepresent a fixedly set of the interior history alarm that takes place of period i);

Ii) press Alarm Classification K={k₁, k₂, k₃..., k_nThe set A of the history alarm that takes place in the fixing period i_iBe split as the less alarm subclass A of a plurality of data volumes_{I, 1}, A_{I, 2}, A_{I, 3}..., A_{I, n}(A_{I, j}Representing the interior Alarm Classification of current period i is k_jHistory alarm set), the corresponding a kind of Alarm Classification of each subclass;

Iii) according to alarm subclass A_{I, x}={ x₁, x₂, x₃, x₄..., A_{I, y}={ y₁, y₂, y₃, y₄..., construct k in the current period i_xk_yRelevant alarm set A_{I, y|x}, and calculate this k_xk_yRelevant alarm set quantity C_{I, y|x}:

At first traversal is alarmed subclass A_{I, x}All the alarm x_jIf, x_jThe ground generation time is in the current period i;

And at A_{I, y}In also have y_k, make x_jy_kTwo alarms are on same network element and have (simultaneous judgment principle as previously mentioned, the absolute value of time of origin difference and checkout time difference is less than factor T correlation time) simultaneously, so x_jPut into set A_{I, y|x}, and with k in the current period i_xk_yAlarm quantity C in the relevant alarm set_{I, y|x}Add 1;

Iv) travel through corresponding Alarm Classification k_xAlarm subclass A_{I, x}All interior history alarms, statistics k_xAlarm quantity C_x

V) calculate P (k_{Y, i}∩ k_x)=C_{I, y|x}/ C_x

3) according to last method, add up all Alarm Classifications in the current period i, add up all periods again, the statistics of day part is added up gather, obtain k_xk_yTotal associated confidence:

$\mathrm{confidence}(k_x\⇒k_y)=\underset{i=1}{\overset{m}{\mathrm{\Σ}}}P(k_{y,i}\∩k_x)/P\left(k_x\right)$

After the statistical computation of finishing between all Alarm Classifications, list support greater than certain thresholding (as: 1%) and confidence level related Alarm Classification greater than certain thresholding (as: 80%), add in the Integrated Network Management System and come into force, automatically shielding or inhibition redundant alarm.

Can see, support is that process is to finishing processing after the different fractionation of whole history alarms with the calculating of degree of writing, but do not need to be respectively these two kinds of method for splitting prepare codes in the practical operation, the unified use earlier split by the time, press the method that Alarm Classification splits again, unification at last just gathers and can finish, and below in conjunction with accompanying drawing and specific implementation method the present invention is described in further detail.

As shown in Figure 1: find that automatically the alarm association rule is realized by following steps, fixedly period i is that unit adds up with the sky:

Step S01: history alarm is put into tables of data HisAlarm, carry out data scrubbing then, mainly remove the alarm data of unusual alarm data of time of origin and repetition;

Step S02: create the analysis result day table Out_[yymmdd that is used to preserve statistic analysis result on the same day], this table is made of following field:

Class_x (Alarm Classification x)

Class_y (Alarm Classification y)

Count_x (the alarm sum of x)

Count_y|x (following the x alarm sum of y alarm)

Support_y|x (x, the related support of y)

Confidence_y|x (x, y associated confidence)

Step S03: from history alarm, search time of origin for the statistics alarm on day same day (need increase time range), generate alarm day table HisAlarm_[yymmdd] according to the time factor T in the algorithm;

Step S04: the alarm day of adding up day same day is shown HisAlarm_[yymmdd according to Alarm Classification] split into and a plurality of Alarm Classification day show HisAlarm_[yymmdd] _ [class], promptly travel through all Alarm Classifications, create tables of data according to all alarms that should classify in the alarm day table;

Step S05: the HisAlarm_[yymmdd of statistics Alarm Classification x correspondence] _ x, the statistics generation time is the statistics alarm sum C on day same day_x, be kept at Out_[yymmdd] the Count_x field;

Step S06: according to the corresponding HisAlarm_[yymmdd of Alarm Classification x] _ the corresponding HisAlarm_[yymmdd of x, Alarm Classification y] _ y, statistics x, the related alarm of y number C_Y|x, be kept at Out_[yymmdd] the Count_y|x field, concrete grammar is as follows:

Traversal HisAlarm_[yymmdd] _ all alarm record (supposing Record_x_i) among the x, if Record_x_i satisfies following two judgements, then count C_X|yAdd 1, otherwise constant:

1) whether the Record_x_i generation time is the statistics day same day;

2) at HisAlarm_[yymmdd] _ y search exist satisfy below the alarm (Record_y_j) of two conditions:

I.Record_x_i and Record_y_j are on same network element position;

The absolute value of ii.Record_x_i and Record_y_j time of origin difference is less than factor T correlation time;

Step S07: remove all middle table, comprising: show alarm day, show Alarm Classification day; Gather all analysis result day table and obtain final analysis table (field with analysis result day epiphase with) as a result, then according to Count_x, Count_y|x calculating Confidence_y|x, Support_y|x

The Class_x in the record of all Support_y|x＞=designated values (as: 1%) and Confidence_y|x＞=designated value (as: 80%) and the Alarm Classification x of Class_y correspondence, y has correlation, can correspondingly generate the alarm association rule.

Certainly; the present invention also can have other various embodiments; under the situation that does not deviate from spirit of the present invention and essence thereof; those of ordinary skill in the art can make various corresponding changes and distortion according to the present invention, but these corresponding changes and distortion all should belong to the protection range of the appended claim of the present invention.

Claims (7)

1, the method for the correlation rule of redundant alarm is judged in a kind of automatic discovery, it is characterized in that, may further comprise the steps:

(1) according to the Alarm Classification that exists in all history alarms, all history alarms are split into some alarm subclass, the corresponding a kind of Alarm Classification of each subclass, count the support and the confidence level of corresponding two kinds of Alarm Classifications again according to any two alarm subclass, until having added up all Alarm Classifications;

(2) after the statistical computation of finishing between all Alarm Classifications, list support greater than default thresholding A and confidence level greater than the related Alarm Classification of default thresholding B, add in the Integrated Network Management System, automatically shielding or suppress redundant alarm.

2, the method for claim 1 is characterized in that, in the described step (1), the described support that draws accounts for the percentage of all history alarm quantity for the alarm quantity that belongs to described two kinds of Alarm Classifications.

3, method as claimed in claim 2 is characterized in that, in the described step (1), obtains the support of described any two kinds of Alarm Classifications, specifically may further comprise the steps:

(a), all history alarms are split into some subclass of independently alarming, the corresponding a kind of Alarm Classification of each subclass according to the Alarm Classification that exists in all history alarms;

(b) described all history alarm quantity of statistics, and count the alarm quantity in any two alarm subclass in the step (a) respectively, described two subclass are corresponding Alarm Classification x and y respectively;

(c) calculate support between described Alarm Classification x and y, be the alarm quantity sum in described two subclass and the ratio of all history alarm quantity.

4, method as claimed in claim 3, it is characterized in that, in the described step (1), the described confidence level that draws, gather the ratio P1 that interior alarm quantity accounts for the alarm quantity of Alarm Classification x for the relevant alarm of any two kinds of Alarm Classification x and y, account for the ratio P2 of all history alarm quantity divided by the alarm quantity of this Alarm Classification x.

5, method as claimed in claim 4 is characterized in that, obtains P1, specifically may further comprise the steps:

(i) according to the time of origin of all history alarms, all history alarms are split into some set A of independently alarming_i, each set comprises the whole history alarms that occur in the different period i respectively;

(ii) according to the Alarm Classification that exists in all history alarms, with each alarm set A_iSplit into some alarm subclass, the corresponding a kind of Alarm Classification of each subclass;

(iii), construct two relevant alarm set of alarming subclass in the selected period, and count the alarm quantity in the described relevant alarm set according to two alarm subclass of (ii) middle corresponding Alarm Classification x respectively of step and y;

(iv) count the interior alarm quantity of alarm subclass of corresponding Alarm Classification x;

(v) calculate P1 in the current period, ratio for the alarm quantity in the alarm subclass of the alarm quantity in the described relevant alarm set and corresponding Alarm Classification x, return step and (iii) carry out,, carry out next step until having added up all Alarm Classification and records in the selected period;

(vi) the statistics of all Alarm Classifications adds up in the day part to record, obtains a total P1.

6, method as claimed in claim 5 is characterized in that, described step (iii) in, when constructing described relevant alarm set, at first travel through all alarms in the alarm subclass of corresponding x, be the alarm x of current period if wherein there is generation time_j, and in the alarm subclass of corresponding y, also have corresponding alarm y_k, make described two alarm x_jAnd y_kOccur on the same network element, the absolute value of time of origin difference and checkout time difference is less than factor correlation time, then with x_jPut into relevant alarm set, and the alarm quantity in the alarm set of will being correlated with adds 1.

7, method as claimed in claim 4 is characterized in that, obtains P2, specifically may further comprise the steps:

(I), all history alarms are split into some subclass of independently alarming, the corresponding a kind of Alarm Classification of each alarm subclass according to the Alarm Classification that exists in all history alarms;

(II) statistics obtains described all history alarm quantity, and the quantity of the interior alarm of alarm subclass of corresponding Alarm Classification x in the step (I);

(III) calculate P2, be the ratio of the alarm quantity in the alarm subclass of corresponding Alarm Classification x in the step (II) and all history alarm quantity.

Images