Detection method and information processing device
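IPC classification information
Country / Type: United States (US) Patent, Registered
International Patent Classification (IPC, 7th edition): G06F-011/00, G06F-011/07, G06F-017/30
Application number: US-0284128 (2016-10-03)
Registration number: US-9753801 (2017-09-05)
Priority information: JP-2015-197554 (2015-10-05)
Inventor / Address: Ishii, Hiroaki; Omura, Shinichi; Oiwa, Shoshin; Sumiya, Michiaki; Ikegami, Jiro; Takeuchi, Rie
Applicant / Address: FUJITSU LIMITED
Agent / Address: Westerman, Hattori, Daniels & Adrian, LLP
Citation information: Times cited: 0; Cited patents: 1
Abstract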
A method includes generating a plurality of pieces of correlation information based on correlations between changes in each item in each of different pairs of items in a plurality of items per unit period of time in a time series, each item relating to at least one of an operation, a performance, or a load in a computer system, each of the plurality of pieces of correlation information being generated for the plurality of items in one unit period of time in the time series, clustering the plurality of pieces of correlation information into a plurality of clusters, each cluster representing a state of the computer system and including a subset of the plurality of pieces of correlation information meeting a threshold for similarity, generating transition probabilities between each pair of the plurality of clusters, and determining an anomaly in the computer system based on the transition probability.
Representative claims
1. A method for detecting an anomaly in a computer system, the method comprising: generating a plurality of pieces of correlation information based on correlations between changes in each item in each of different pairs of items in a plurality of items per unit period of time in a time series, each item relating to at least one of an operation, a performance, or a load in the computer system, each of the plurality of pieces of correlation information being generated for the plurality of items in one unit period of time in the time series; clustering the plurality of pieces of correlation information into a plurality of clusters, each cluster representing a state of the computer system and including a subset of the plurality of pieces of correlation information meeting a threshold for similarity; generating transition probabilities between each pair of the plurality of clusters; and determining the anomaly in the computer system based on the transition probability from one of the plurality of clusters in a first unit period of time to another one of the plurality of clusters in a second unit period of time.
2. The method according to claim 1, wherein each of the transition probabilities is a ratio of a number of times of generation of one of the clusters in a pair of the plurality of clusters as a transition destination to a total number of times of generation of the other one of the clusters in the pair of the plurality of clusters as a transition source among all pairs of the plurality of clusters.
3. The method according to claim 1, further comprising: calculating an evaluation value from a plurality of transition probabilities, each of the plurality of transition probabilities being the transition probability from each respective first cluster in each of a plurality of first unit periods of time in the time series to a second cluster in the second unit period of time, the second unit period of time being later than the plurality of first unit periods of time, and wherein the determining determines the anomaly in the computer system using the evaluation value calculated from the plurality of transition probabilities.
4. The method according to claim 3, wherein the calculating of the evaluation value uses a weighting for each of the plurality of transition probabilities, the weighting being a higher weighting when a time difference between one of the plurality of first unit periods of time and the second unit period of time is smaller.
5. The method according to claim 1, wherein the plurality of pieces of correlation information and the plurality of clusters are stored as learned information in a preliminary learning mode.
6. The method according to claim 5, further comprising: updating the learned information based on a new piece of correlation information obtained during an online mode.
7. The method according to claim 6, wherein the clustering calculates a representative value for each of the plurality of clusters based on at least one piece of correlation information included in the cluster, and wherein the threshold for similarity is met for the clustering to include the new piece of correlation information into one of the plurality of clusters whose representative value does not change upon addition of the new piece of correlation information into the one of the plurality of clusters.
8. A non-transitory computer readable medium storing a computer-executable program causing a computer to execute a process, the process comprising: generating a plurality of pieces of correlation information based on correlations between changes in each item in each of different pairs of items in a plurality of items per unit period of time in a time series, each item relating to at least one of an operation, a performance, or a load in a computer system, each of the plurality of pieces of correlation information being generated for the plurality of items in one unit period of time in the time series; clustering the plurality of pieces of correlation information into a plurality of clusters, each cluster representing a state of the computer system and including a subset of the plurality of pieces of correlation information meeting a threshold for similarity; generating transition probabilities between each pair of the plurality of clusters; and determining an anomaly in the computer system based on the transition probability from one of the plurality of clusters in a first unit period of time to another one of the plurality of clusters in a second unit period of time.
9. The non-transitory computer readable medium according to claim 8, wherein each of the transition probabilities is a ratio of a number of times of generation of one of the clusters in a pair of the plurality of clusters as a transition destination to a total number of times of generation of the other one of the clusters in the pair of the plurality of clusters as a transition source among all pairs of the plurality of clusters.
10. The non-transitory computer readable medium according to claim 8, the process further comprising: calculating an evaluation value from a plurality of transition probabilities each of the plurality of transition probabilities being the transition probability from each respective first cluster in each of a plurality of first unit periods of time in the time series to a second cluster in the second unit period of time, the second unit period of time being later than the plurality of first unit periods of time, and wherein the determining determines the anomaly in the computer system using the evaluation value calculated from the plurality of transition probabilities.
11. The non-transitory computer readable medium according to claim 10, wherein the calculating of the evaluation value uses a weighting for each of the plurality of transition probabilities, the weighting being a higher weighting when a time difference between one of the plurality of first unit periods of time and the second unit period of time is smaller.
12. The non-transitory computer readable medium according to claim 8, wherein the plurality of pieces of correlation information and the plurality of clusters are stored as learned information in a preliminary learning mode.
13. The non-transitory computer readable medium according to claim 12, the process further comprising: updating the learned information based on a new piece of correlation information obtained during an online mode.
14. The non-transitory computer readable medium according to claim 13, wherein the clustering calculates a representative value for each of the plurality of clusters based on at least one piece of correlation information included in the cluster, and wherein the threshold for similarity is met for the clustering to include the new piece of correlation information into one of the plurality of clusters whose representative value does not change upon addition of the new piece of correlation information into the one of the plurality of clusters.
15. An information processing device comprising: a memory; and a processor coupled to the memory and configured to: generate a plurality of pieces of correlation information based on correlations between changes in each item in each of different pairs of items in a plurality of items per unit period of time in a time series, each item relating to at least one of an operation, a performance, or a load in a computer system, each of the plurality of pieces of correlation information being generated for the plurality of items in one unit period of time in the time series, cluster the plurality of pieces of correlation information into a plurality of clusters, each cluster representing a state of the computer system and including a subset of the plurality of pieces of correlation information meeting a threshold for similarity, generate transition probabilities between each pair of the plurality of clusters, and determine an anomaly in the computer system based on the transition probability from one of the plurality of clusters in a first unit period of time to another one of the plurality of clusters in a second unit period of time.
16. The information processing device according to claim 15, wherein each of the transition probabilities is a ratio of a number of times of generation of one of the clusters in a pair of the plurality of clusters as a transition destination to a total number of times of generation of the other one of the clusters in the pair of the plurality of clusters as a transition source among all pairs of the plurality of clusters.
17. The information processing device according to claim 15, wherein the processor is further configured to calculate an evaluation value from a plurality of transition probabilities, each of the plurality of transition probabilities being the transition probability from each respective first cluster in each of a plurality of first unit periods of time in the time series to a second cluster in the second unit period of time, the second unit period of time being later than the plurality of first unit periods of time, and wherein the processor is configured to determine the anomaly in the computer system using the evaluation value calculated from the plurality of transition probabilities.
18. The information processing device according to claim 17, wherein the processor is configured to calculate the evaluation value using a weighting for each of the plurality of transition probabilities, the weighting being a higher weighting when a time difference between one of the plurality of first unit periods of time and the second unit period of time is smaller.
19. The information processing device according to claim 15, wherein the memory stores the plurality of pieces of correlation information and the plurality of clusters as learned information in a preliminary learning mode of the computer system, and wherein the processor is further configured to update the learned information based on a new piece of correlation information obtained during an online mode of the computer system.
20. The information processing device according to claim 19, wherein the processor is configured to cluster by calculating a representative value for each of the plurality of clusters based on at least one piece of correlation information included in the cluster, and wherein the threshold for similarity is met to include the new piece of correlation information into one of the plurality of clusters whose representative value does not change upon addition of the new piece of correlation information into the one of the plurality of clusters.
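Added example, not part of the patent text and not the applicant's implementation: a sketch of the pipeline in claims 1 to 4 (per-period correlation information, threshold clustering, transition probabilities as the ratio in claim 2, and a recency-weighted evaluation value). Assumptions: Pearson correlation, a maximum-difference similarity test with threshold 0.5, the first member of a cluster as its representative, a 1/lag weighting, one-step probabilities reused for every lag, and the item names and sample values, which are constructed.

```python
from collections import Counter
from math import sqrt

def pearson(x, y):
    mx, my = sum(x) / len(x), sum(y) / len(y)
    sx = sqrt(sum((a - mx) ** 2 for a in x))
    sy = sqrt(sum((b - my) ** 2 for b in y))
    if sx == 0 or sy == 0:
        return 0.0  # assumption: a flat item counts as uncorrelated
    return sum((a - mx) * (b - my) for a, b in zip(x, y)) / (sx * sy)

def correlation_info(window):
    """One unit period {item: samples} -> correlations of changes for every item pair."""
    d = {k: [b - a for a, b in zip(v, v[1:])] for k, v in window.items()}
    names = sorted(d)
    return tuple(pearson(d[a], d[b]) for i, a in enumerate(names) for b in names[i + 1:])

def assign_cluster(info, reps, threshold=0.5):
    """Index of the first cluster whose representative is within threshold, else a new one."""
    for i, rep in enumerate(reps):
        if max(abs(p - q) for p, q in zip(info, rep)) <= threshold:
            return i
    reps.append(info)  # assumption: first member serves as the representative value
    return len(reps) - 1

def transition_probs(states):
    """count(source -> destination) / count(source as a transition source)."""
    pairs, sources = Counter(zip(states, states[1:])), Counter(states[:-1])
    return {(s, d): n / sources[s] for (s, d), n in pairs.items()}

def evaluation(probs, history, current):
    """Weighted mean of P(past -> current); history is oldest first, recent weighs more."""
    weights = [1 / (len(history) - i) for i in range(len(history))]
    hits = sum(w * probs.get((s, current), 0.0) for w, s in zip(weights, history))
    return hits / sum(weights) if weights else 0.0

# Constructed sample periods: N = request-driven load, B = backup (disk-driven) load.
N = {"cpu": [1, 2, 1, 2], "disk": [5, 4, 5, 4], "req": [10, 12, 10, 12]}
B = {"cpu": [1, 2, 1, 2], "disk": [4, 5, 4, 5], "req": [12, 10, 12, 10]}

def learn(windows):
    reps = []
    states = [assign_cluster(correlation_info(w), reps) for w in windows]
    return reps, states, transition_probs(states)

def score(reps, probs, recent, new_window):
    """Evaluation value for new_window given the recent windows (oldest first)."""
    history = [assign_cluster(correlation_info(w), reps) for w in recent]
    return evaluation(probs, history, assign_cluster(correlation_info(new_window), reps))
```

Learning on the sequence N, N, N, B, N, N, N, B, N, N and then scoring a second consecutive B period gives a low evaluation value, because a B to B transition was never observed; scoring a return to N gives a high one.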
Patents cited by this patent (1)
Weekley, Richard A.; Goodrich, Robert K.; Cornman, Lawrence B., Feature classification for time series data.