DETECTION METHOD AND INFORMATION PROCESSING DEVICE

US 20170097863A1
Filed: 10/03/2016
Published: 04/06/2017
Est. Priority Date: 10/05/2015
Status: Active Grant

First Claim

Patent Images

1. A method for detecting an anomaly in a computer system, the method comprising:

generating a plurality of pieces of correlation information based on correlations between changes in each item in each of different pairs of items in a plurality of items per unit period of time in a time series, each item relating to at least one of an operation, a performance, or a load in the computer system, each of the plurality of pieces of correlation information being generated for the plurality of items in one unit period of time in the time series;

clustering the plurality of pieces of correlation information into a plurality of clusters, each cluster representing a state of the computer system and including a subset of the plurality of pieces of correlation information meeting a threshold for similarity;

generating transition probabilities between each pair of the plurality of clusters; and

determining the anomaly in the computer system based on the transition probability from one of the plurality of clusters in a first unit period of time to another one of the plurality of clusters in a second unit period of time.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes generating a plurality of pieces of correlation information based on correlations between changes in each item in each of different pairs of items in a plurality of items per unit period of time in a time series, each item relating to at least one of an operation, a performance, or a load in a computer system, each of the plurality of pieces of correlation information being generated for the plurality of items in one unit period of time in the time series, clustering the plurality of pieces of correlation information into a plurality of clusters, each cluster representing a state of the computer system and including a subset of the plurality of pieces of correlation information meeting a threshold for similarity, generating transition probabilities between each pair of the plurality of clusters, and determining an anomaly in the computer system based on the transition probability.

Citations

20 Claims

1. A method for detecting an anomaly in a computer system, the method comprising:
- generating a plurality of pieces of correlation information based on correlations between changes in each item in each of different pairs of items in a plurality of items per unit period of time in a time series, each item relating to at least one of an operation, a performance, or a load in the computer system, each of the plurality of pieces of correlation information being generated for the plurality of items in one unit period of time in the time series;
  
  clustering the plurality of pieces of correlation information into a plurality of clusters, each cluster representing a state of the computer system and including a subset of the plurality of pieces of correlation information meeting a threshold for similarity;
  
  generating transition probabilities between each pair of the plurality of clusters; and
  
  determining the anomaly in the computer system based on the transition probability from one of the plurality of clusters in a first unit period of time to another one of the plurality of clusters in a second unit period of time.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1, wherein each of the transition probabilities is a ratio of a number of times of generation of one of the clusters in a pair of the plurality of clusters as a transition destination to a total number of times of generation of the other one of the clusters in the pair of the plurality of clusters as a transition source among all pairs of the plurality of clusters.
  - 3. The method according to claim 1, further comprising:
    - calculating an evaluation value from a plurality of transition probabilities, each of the plurality of transition probabilities being the transition probability from each respective first duster in each of a plurality of first unit periods of time in the time series to a second duster in the second unit period of time, the second unit period of time being later than the plurality of first unit periods of time, andwherein the determining determines the anomaly in the computer system using the evaluation value calculated from the plurality of transition probabilities.
  - 4. The method according to claim 3, wherein the calculating of the evaluation value uses a weighting for each of the plurality of transition probabilities, the weighting being a higher weighting when a time difference between one of the plurality of first unit periods of time and the second unit period of time is smaller.
  - 5. The method according to claim 1, wherein the plurality of pieces of correlation information and the plurality of clusters are stored as learned information in a preliminary learning mode.
  - 6. The method according to claim 5, further comprising:
    - updating the learned information based on a new piece of correlation information obtained during an online mode.
  - 7. The method according to claim 6,wherein the clustering calculates a representative value for each of the plurality of clusters based on at least one piece of correlation information included in the cluster, andwherein the threshold for similarity is met for the clustering to include the new piece of correlation information into one of the plurality of clusters whose representative value does not change upon addition of the new piece of correlation information into the one of the plurality of clusters.

8. A non-transitory computer readable medium storing a computer-executable program causing a computer to execute a process, the process comprising:
- generating a plurality of pieces of correlation information based on correlations between changes in each item in each of different pairs of items in a plurality of items per unit period of time in a time series, each item relating to at least one of an operation, a performance, or a load in a computer system, each of the plurality of pieces of correlation information being generated for the plurality of items in one unit period of time in the time series;
  
  clustering the plurality of pieces of correlation information into a plurality of clusters, each cluster representing a state of the computer system and including a subset of the plurality of pieces of correlation information meeting a threshold for similarity;
  
  generating transition probabilities between each pair of the plurality of clusters; and
  
  determining an anomaly in the computer system based on the transition probability from one of the plurality of clusters in a first unit period of time to another one of the plurality of clusters in a second unit period of time.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer readable medium according to claim 8, wherein each of the transition probabilities is a ratio of a number of times of generation of one of the clusters in a pair of the plurality of clusters as a transition destination to a total number of times of generation of the other one of the clusters in the pair of the plurality of clusters as a transition source among all pairs of the plurality of clusters.
  - 10. The non-transitory computer readable medium according to claim 8, the process further comprising:
    - calculating an evaluation value from a plurality of transition probabilities each of the plurality of transition probabilities being the transition probability from each respective first cluster in each of a plurality of first unit periods of time in the time series to a second cluster in the second unit period of time, the second unit period of time being later than the plurality of first unit periods of time, andwherein the determining determines the anomaly in the computer system using the evaluation value calculated from the plurality of transition probabilities.
  - 11. The non-transitory computer readable medium according to claim 10, wherein the calculating of the evaluation value uses a weighting for each of the plurality of transition probabilities, the weighting being a higher weighting when a time difference between one of the plurality of first unit periods of time and the second unit period of time is smaller.
  - 12. The non-transitory computer readable medium according to claim 8, wherein the plurality of pieces of correlation information and the plurality of clusters are stored as learned information in a preliminary learning mode.
  - 13. The non-transitory computer readable medium according to claim 12, the process further comprising:
    - updating the learned information based on a new piece of correlation information obtained during an online mode.
  - 14. The non-transitory computer readable medium according to claim 13,wherein the clustering calculates a representative value for each of the plurality of clusters based on at least one piece of correlation information included in the cluster, andwherein the threshold for similarity is met for the clustering to include the new piece of correlation information into one of the plurality of clusters whose representative value does not change upon addition of the new piece of correlation information into the one of the plurality of clusters.

15. An information processing device comprising:
- a memory; and
  
  a processor coupled to the memory and configured to;
  
  generate a plurality of pieces of correlation information based on correlations between changes in each item in each of different pairs of items in a plurality of items per unit period of time in a time series, each item relating to at least one of an operation, a performance, or a load in a computer system, each of the plurality of pieces of correlation information being generated for the plurality of items in one unit period of time in the time series,cluster the plurality of pieces of correlation information into a plurality of clusters, each cluster representing a state of the computer system and including a subset of the plurality of pieces of correlation information meeting a threshold for similarity,generate transition probabilities between each pair of the plurality of clusters, anddetermine an anomaly in the computer system based on the transition probability from one of the plurality of clusters in a first unit period of time to another one of the plurality of clusters in a second unit period of time.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The information processing device according to claim 15, wherein each of the transition probabilities is a ratio of a number of times of generation of one of the clusters in a pair of the plurality of clusters as a transition destination to a total number of times of generation of the other one of the clusters in the pair of the plurality of dusters as a transition source among all pairs of the plurality of clusters.
  - 17. The information processing device according to claim 15,wherein the processor is further configured to calculate an evaluation value from a plurality of transition probabilities, each of the plurality of transition probabilities being the transition probability from each respective first cluster in each of a plurality of first unit periods of time in the time series to a second cluster in the second unit period of time, the second unit period of time being later than the plurality of first unit periods of time, andwherein the processor is configured to determine the anomaly in the computer system using the evaluation value calculated from the plurality of transition probabilities.
  - 18. The information processing device according to claim 17, wherein the processor is configured to calculate the evaluation value using a weighting for each of the plurality of transition probabilities, the weighting being a higher weighting when a time difference between one of the plurality of first unit periods of time and the second unit period of time is smaller.
  - 19. The information processing device according to claim 15,wherein the memory stores the plurality of pieces of correlation information and the plurality of clusters as learned information in a preliminary learning mode of the computer system, andwherein the processor is further configured to update the learned information based on a new piece of correlation information obtained during an online mode of the computer system.
  - 20. The information processing device according to claim 19,wherein the processor is configured to duster by calculating a representative value for each of the plurality of clusters based on at least one piece of correlation information included in the cluster, andwherein the threshold for similarity is met to include the new piece of correlation information into one of the plurality of dusters whose representative value does not change upon addition of the new piece of correlation information into the one of the plurality of clusters.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fujitsu Limited
Original Assignee
Fujitsu Limited
Inventors
Ishii, Hiroaki, Omura, Shinichi, Oiwa, Shoshin, Sumiya, Michiaki, Ikegami, Jiro, Takeuchi, Rie

Granted Patent

US 9,753,801 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/0754   by exceeding limits

G06F 11/0778   Dumping, i.e. gathering err...

G06F 11/079   Root cause analysis, i.e. e...

G06F 16/285   Clustering or classification

DETECTION METHOD AND INFORMATION PROCESSING DEVICE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTION METHOD AND INFORMATION PROCESSING DEVICE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links