Ankur Mahida,

DOI: https://doi.org/10.47363/jeast/2023(5)230

2023-12-31

Journal of Engineering and Applied Sciences Technology

Abstract:Identifying the root cause analysis is the key to the timely detection of errors in massive, multiple-functional software systems. Meanwhile, network development will become more intricate and non-transparent, leaving the human algorithm behind. The paper dedicates its resources to discussing ways to automate root cause analysis based on observability data, such as logs, metrics, and traces. Technologies including causal inference, anomaly detection, and pattern recognition are specialized techniques that allow us to identify the breach in the background of thousands of connected events. Data-driven tools in research and industry that consume observability data as input, uncover anomalies, model system topology, and rank probable root causes use these technologies. This should give the customer a shorter mean repair time, higher reliability, and security. Deeper adoption is perfect for chain management and the performance gains of individual developers. The coverage includes strategies of algorithmic and implementation of root cause analysis with the observability data. Related topics like service maps and anomalous numbers are also discussed where necessary. Scaling out the automatic diagnosis entity is investigated as an automated means to replace the manual ones faced with elaborate models.

Chao Liu,Kin Gwn Lore,Soumik Sarkar

DOI: https://doi.org/10.1109/cdc.2017.8264527

2017-01-01

Abstract:Modern distributed cyber-physical systems encounter a large variety of anomalies and in many cases, they are vulnerable to catastrophic fault propagation scenarios due to strong connectivity among the sub-systems. In this regard, root-cause analysis becomes highly intractable due to complex fault propagation mechanisms in combination with diverse operating modes. This paper presents a new data-driven framework for root-cause analysis for addressing such issues. The framework is based on a spatiotemporal feature extraction scheme for distributed cyber-physical systems built on the concept of symbolic dynamics for discovering and representing causal interactions among subsystems of a complex system. We present two approaches for root-cause analysis, namely the sequential state switching (S-3, based on free energy concept of a Restricted Boltzmann Machine, RBM) and artificial anomaly association (A(3), a multi-class classification framework using deep neural networks, DNN). Synthetic data from cases with failed pattern(s) and anomalous node are simulated to validate the proposed approaches, then compared with the performance of vector autoregressive (VAR) model-based root-cause analysis. Real dataset based on Tennessee Eastman process (TEP) is also used for validation. The results show that: (1) S-3 and A(3) approaches can obtain high accuracy in root-cause analysis and successfully handle multiple nominal operation modes, and (2) the proposed tool-chain is shown to be scalable while maintaining high accuracy.

Qun-Xiong Zhu,Yi Luo,Yan-Lin He

DOI: https://doi.org/10.1021/acs.iecr.9b02963

2019-11-04

Abstract:Process monitoring and alarm systems play an important role in production safety. Distributed alarm systems have been utilized to effectively reduce the burden of data calculations, contributing to fast-track root causes of alarms. However, the traditional distributed contribution analysis method cannot be well applied to online monitoring in time. In addition, the correlation-based variable reconstruction method cannot accurately explain the actual process. To solve this problem, a novel distributed alarm analysis model based on multicorrelation blocks and an improved contribution graph is proposed. The proposed multicorrelation blocks are based on partial least squares. The computational burden is reduced, but accuracy is ensured by multicorrelation block partial least squares. In addition, an improved alarm analysis strategy using the contribution value is adopted, so that the results of the distributed contribution analysis method can be used for essential variable analysis online. Simulation results of a case study using the Tennessee Eastman process verify the effectiveness and practicability of the proposed method and indicate that the online analysis performance in terms of actual industrial process monitoring and root cause analysis is improved.

engineering, chemical

Chao Liu,Kin Gwn Lore,Soumik Sarkar

2016-01-01

Abstract:Modern distributed cyber-physical systems encounter a large variety of anomalies and in many cases, they are vulnerable to catastrophic fault propagation scenarios due to strong connectivity among the sub-systems. In this regard, root-cause analysis becomes highly intractable due to complex fault propagation mechanisms in combination with diverse operating modes. This paper presents a new data-driven framework for root-cause analysis for addressing such issues. The framework is based on a spatiotemporal feature extraction scheme for multivariate time series built on the concept of symbolic dynamics for discovering and representing causal interactions among subsystems of a complex system. We propose sequential state switching ($S^3$) and artificial anomaly association ($A^3$) methods to implement root-cause analysis in an unsupervised and semi-supervised manner respectively. Synthetic data from cases with failed pattern(s) and anomalous node are simulated to validate the proposed approaches, then compared with the performance of vector autoregressive (VAR) model-based root-cause analysis. The results show that: (1) $S^3$ and $A^3$ approaches can obtain high accuracy in root-cause analysis and successfully handle multiple nominal operation modes, and (2) the proposed tool-chain is shown to be scalable while maintaining high accuracy.

Jili Wang,Cheng Peng,Liyan Xu,Yichuan Sha

DOI: https://doi.org/10.1109/psgec62376.2024.10721013

2024-01-01

Abstract:With the changes in the architecture of new power systems and the increase in system scale, functions and complexity, the difficulty of system operation and maintenance has increased significantly. This paper proposes an anomaly detection and root cause location method. By detecting anomalies in the total time-consuming of a business call and the time-consuming of key services, the fault time and fault service can be detected. Then use the root cause location algorithm to analyze the monitoring metrics of the server where the fault service is located, and locate metrics related to the cause of the fault. The effectiveness of the method was verified on dispatching and control systems in East and Northwest China.

Min Li,Mengyuan Yang,Pengfei Chen

DOI: https://doi.org/10.3389/fcomp.2023.1211739

2023-07-06

Frontiers in Computer Science

Abstract:With the growing demand for data computation and communication, the size and complexity of communication networks have grown significantly. However, due to hardware and software problems, in a large-scale communication network (e.g., telecommunication network), the daily alarm events are massive, e.g., millions of alarms occur in a serious failure, which contains crucial information such as the time, content, and device of exceptions. With the expansion of the communication network, the number of components and their interactions become more complex, leading to numerous alarm events and complex alarm propagation. Moreover, these alarm events are redundant and consume much effort to resolve. To reduce alarms and pinpoint root causes from them, we propose a data-driven and unsupervised alarm analysis framework, which can effectively compress massive alarm events and improve the efficiency of root cause localization. In our framework, an offline learning procedure obtains results of association reduction based on a period of historical alarms. Then, an online analysis procedure matches and compresses real-time alarms and generates root cause groups. The evaluation is based on real communication network alarms from telecom operators, and the results show that our method can associate and reduce communication network alarms with an accuracy of more than 91%, reducing more than 62% of redundant alarms. In addition, we validate it on fault data coming from a microservices system, and it achieves an accuracy of 95% in root cause location. Compared with existing methods, the proposed method is more suitable for operation and maintenance analysis in communication networks.

Keli Zhang,Marcus Kalander,Min Zhou,Xi Zhang,Junjian Ye

DOI: https://doi.org/10.1007/978-3-030-76352-7_16

2021-01-01

Abstract:Alarm root cause analysis is a significant component in the day-to-day telecommunication network maintenance, and it is critical for efficient and accurate fault localization and failure recovery. In practice, accurate and self-adjustable alarm root cause analysis is a great challenge due to network complexity and vast amounts of alarms. A popular approach for failure root cause identification is to construct a graph with approximate edges, commonly based on either event co-occurrences or conditional independence tests. However, considerable expert knowledge is typically required for edge pruning. We propose a novel data-driven framework for root cause alarm localization, combining both causal inference and network embedding techniques. In this framework, we design a hybrid causal graph learning method (HPCI), which combines Hawkes Process with Conditional Independence tests, as well as propose a novel Causal Propagation-Based Embedding algorithm (CPBE) to infer edge weights. We subsequently discover root cause alarms in a real-time data stream by applying an influence maximization algorithm on the weighted graph. We evaluate our method on artificial data and real-world telecom data, showing a significant improvement over the best baselines.

Wang Jiandong,Wang Zhen,Yang Zijiang,Zhou Donghua

2019-01-01

Abstract:The invention discloses a Bayesian network-based logic alarm root analysis method and system, wherein an alarm state and a non-alarm state are respectively represented by binary system 1 and binary system 0. The method comprises the following steps: when the root analysis is performed online, updating the Bayesian network probability parameter set from an observation sample in a recursive mode, and estimating the probability parameter set by adopting a maximum value function; and updating the posterior probability in an online manner according to a Bayesian calculation rule and a chain rule, expressing the posterior conditional probability in a vector form and arranging the posterior conditional probability in a descending order when an alarm occurs, and determining a root cause accordingto the position of the maximum posterior probability. According to the method, the influence of random noise is reduced by a Bayesian network logic analysis method, and the correctness of root analysis is ensured; and multiple coexisting root causes can be analyzed, and the concern only for the root cause that occurs initially is avoided.

Chao Liu,Kin Gwn Lore,Zhanhong Jiang,Soumik Sarkar

DOI: https://doi.org/10.1016/j.knosys.2020.106527

2021-01-01

Abstract:Performance monitoring, anomaly detection, and root-cause analysis in complex cyber–physical systems (CPSs) are often highly intractable due to widely diverse operational modes, disparate data types, and complex fault propagation mechanisms. This paper presents a new data-driven framework for root-cause analysis, based on a spatiotemporal graphical modeling approach built on the concept of symbolic dynamics for discovering and representing causal interactions among sub-systems of complex CPSs. We formulate the root-cause analysis problem as a minimization problem via the proposed inference based metric and present two approximate approaches for root-cause analysis, namely the sequential state switching (S3, based on free energy concept of a restricted Boltzmann machine, RBM) and artificial anomaly association (A3, a classification framework using deep neural networks, DNN). Synthetic data from cases with failed pattern(s) and anomalous node(s) are simulated to validate the proposed approaches. Real dataset based on Tennessee Eastman process (TEP) is also used for comparison with other approaches. The results show that: (1) S3 and A3 approaches can obtain high accuracy in root-cause analysis under both pattern-based and node-based fault scenarios, in addition to successfully handling multiple nominal operating modes, (2) the proposed tool-chain is shown to be scalable while maintaining high accuracy, and (3) the proposed framework is robust and adaptive in different fault conditions and performs better in comparison with the state-of-the-art methods.

computer science, artificial intelligence

Chang Tian,Chunhui Zhao,Haidong Fan,Zhenwei Zhang

DOI: https://doi.org/10.1016/j.ifacol.2020.12.858

2020-01-01

IFAC-PapersOnLine

Abstract:In terms of an alarm system, the propagation of a fault is identified as the main reason for low efficiency and the leading cause of dramatic industrial accidents. Thus, tracing the root causes of faulty conditions that lead to alarm floods is necessary. For root cause tracing, a widely accepted method is to characterize the process by causality at first and then trace the root causes. This work focuses on the former part. The conventional techniques to deal with causal analysis of industrial processes have difficulty in handling the nonlinearity of variables, obtaining accurate probability density and time lag, etc. In this work, a novel causal network construction method based on convergent cross mapping (CCM) that accurately describe process causality was proposed to deal with the above problems. First, the original monitoring variables were determined by a maximum Lyapunov method to determine whether they were chaotic time series, which aims to judge whether the application conditions of CCM can be satisfied. Then, some characteristic variables are selected from original variables through data preprocessing and descending dimension methods, which are defined as nodes that constitute the causal network. Second, the CCM-based methods are used to identify the causal direction and indirect causal relationship between variables, so as to construct the structure of the causal network. Since the CCM based on deterministic systems theory, it can handle nonlinearity and does not rely on the sample distribution. Finally, the weight of the edges in the graph is calculated to obtain the causal network which describes the process causality and serves as the basis for subsequent root causes tracing of alarms. The effectiveness of the proposed method is illustrated via a real industrial case study.

Kai Wang,Junghui Chen,Zhihuan Song

DOI: https://doi.org/10.1109/tase.2018.2865628

IF: 6.636

2019-01-01

IEEE Transactions on Automation Science and Engineering

Abstract:Most data-driven process monitoring approaches consider the fault detection as a binary classification issue: normal or abnormal. All deviations from the nominal operating condition can trigger the same alarms. They fail to distinguish different fluctuation patterns and locate the positions of anomalies, such as the normal deviations in operating conditions, sensors faults, actuator faults, and process faults. A new process monitoring strategy based on orthogonal decomposition (OD) is proposed for the concurrent detection and location of different deviation patterns. OD is performed to discriminate the dynamics of data driven by measured disturbances and unmeasured disturbances in the same control system. This way, the original variable space is decomposed into the deterministic subspace and stochastic subspace. A dynamic principal component analysis-based subspace identification technique is used to construct the monitoring indices in the deterministic and stochastic subspaces, respectively. Two case studies show the validity of the OD-based process monitoring approach. Note to Practitioners—Fault diagnosis based on process data models always focused on analyzing variables’ contributions to the anomaly in the past practice. But it is frequently difficult to decide the root causes just using the variables’ contributions because different faults may induce a similar variation of the same variable. This paper provides a new scheme to locate the faulty components, including the sensor faults, actuator faults, process faults, and disturbance variations. It is more pertinent to learn about the fault locations than variables’ contributions. Moreover, by locating faults first and then figuring out variables’ contributions to a specific location, more detailed and precise diagnosis conclusions can be drawn when being compared with the results of using the variables’ contributions in a global system. This new method is purely data driven and it has no demand for complex process knowledge.

Jiandong Wang,Zijiang Yang,Jianjun Su,Yan Zhao,Song Gao,Xiangkun Pang,Donghua Zhou

DOI: https://doi.org/10.1016/j.ijepes.2018.05.029

IF: 5.659

2018-01-01

International Journal of Electrical Power & Energy Systems

Abstract:The paper proposes a method to analyze root causes of occurring alarms, for a special type of alarm variables in thermal power plants, where alarms are arisen from binary-valued root-cause variables. A Bayesian network with one child node and multiple parent nodes is used to describe the relationship between an alarm variable and root-cause variables. Probability parameters in the network are updated recursively. Root causes of occurring alarms are determined from the parent node set with the largest posterior conditional probability. The proposed method can remove negative effects of false and missing alarms in the nodes, handle the co-existence of multiple root causes, and detect the incompleteness of known root causes. Industrial examples are provided to illustrate the effectiveness of the proposed method.

Lei Zan,Charles K. Assaad,Emilie Devijver,Eric Gaussier,Ali Aït-Bachir

2024-07-29

Abstract:This paper introduces a new structural causal model tailored for representing threshold-based IT systems and presents a new algorithm designed to rapidly detect root causes of anomalies in such systems. When root causes are not causally related, the method is proven to be correct; while an extension is proposed based on the intervention of an agent to relax this assumption. Our algorithm and its agent-based extension leverage causal discovery from offline data and engage in subgraph traversal when encountering new anomalies in online data. Our extensive experiments demonstrate the superior performance of our methods, even when applied to data generated from alternative structural causal models or real IT monitoring data.

Artificial Intelligence

Jia-Qi Wei,Qian-Li Zhang,Xing Li

DOI: https://doi.org/10.1109/iccwamtip.2016.8079795

2016-01-01

Abstract:With the increasing scale and complexity of the network, how to maintain a level of network performance and robustness for network operators to satisfy customers becomes more and more challenging. Network anomaly detection and localization are critical for ensuring network performance. In this paper, a novel framework for detecting and localizing network anomalies using active measurements is presented. The framework is composed of three steps: the first step is to detect network anomalies on network path under monitoring, the second step is to cluster destination IPs on the monitored path using unsupervised learning methods, the last step is to localize network anomalies that induce anomalous network performance and behaviors. The last step is designed to reveal the possible cause for each IP set clustered in the second step and localize root cause at every moment by analyzing the inclusion relation between detected anomalous destination IPs and clustered IP sets. The efficacy of the framework to diagnose network anomalies is demonstrated by several real-world cases, which have been recorded in three years of network monitoring experience.

Jianan Mu,Wenchuan Wu,Hongbin Sun,Qinglai Guo,Yang Zhang,Boming Zhang

DOI: https://doi.org/10.1109/pesgm.2012.6345528

2012-01-01

Abstract:Large amounts of alarms coming into control center when faults occur have harassed operators for a long time, especially when there are false alarms, missing alarms or multiple faults. An online intelligent alarm-processing system based on abductive reasoning network (ARN) is developed to deal with the alarms automatically. Models and real-time data of the power system are collected from both supervisory control and data acquisition system / energy management system (SCADA/EMS) and fault information system, including primary and secondary models. First, when alarms arrive, rules reflecting cause-effect relationship between faults and alarms and between alarms themselves are established automatically, and the whole abductive reasoning network is constructed. Then, all the coming alarms are located on the network and traced back to the roots. Third, possible diagnoses are sifted and picked out according to their false alarm rate and missing alarm rate. At last, the diagnosis results are presented to the operators in several friendly manners. The system has been applied to the district control center of Jiaxing, China and is functioning well.

Xilin Ji,Xiaodan Shi,Jinxi Han,Yonghua Huo,Yang Yang

DOI: https://doi.org/10.1007/978-981-15-3753-0_25

2020-07-01

Abstract:Due to the long data transmission distance and the highly dynamic changes of communication nodes, the transmission loss and the link error rate of information are significantly increased during transmission. In this paper, based on the features of the communication network, an alarm feature analysis algorithm is proposed. By analyzing the original alarm data with repetition, redundancy and noise, it is finally converted into multiple alarm transaction sets. In the design process, the improved affinity propagation clustering algorithm is proposed and the entropy weight method is used to process the alarm data, which improves the efficiency of extracting alarm transactions. This paper also proposes a method for processing delayed alarm data, which is quickly analyzed under the premise that the delay information is not discarded. Experiments show that the algorithm designed in this paper can effectively improve the efficiency of analyzing alarm information.

Yong Yang,Yifan Wu,Karthik Pattabiraman,Long Wang,Ying Li

DOI: https://doi.org/10.1109/ISSRE5003.2020.00015

2020-01-01

Abstract:Anomaly detection in distributed systems has been a fertile research area, and a range of anomaly detectors have been proposed for distributed systems. Unfortunately, there is no systematic quantitative study of the efficacy of different anomaly detectors, which is of great importance to reveal the deficiencies of existing anomaly detectors and shed light on future research directions. In this paper, we investigate how various anomaly detectors behave on anomalies of different types and the reasons for the same, by extensively injecting software faults into three widely-used distributed systems. We use a statementlevel fault injection method to observe the anomalies, characterize these anomalies, and analyze the detection results from anomaly detectors of three categories. We find that: (1) the distributed systems' own error reporting mechanisms are able to report most of the anomalies (from 82.1% to 92.8%) but they incur a high false alarm rate of 26.6%. (2) State-of-the-art anomaly detectors are able to detect the existence of anomalies with 99.08% precision and 90.60% recall, but there is still a long way to go to pinpoint the accurate location of the detected anomalies, and (3) Log-based anomaly detection techniques outperform other anomaly detection techniques, but not for all anomaly types.

Zhongmin Wang,Rui Gao,Cong Gao,Yanping Chen,Fengwei Wang,Gao, Rui

DOI: https://doi.org/10.1007/s11277-024-10930-w

IF: 2.017

2024-03-21

Wireless Personal Communications

Abstract:Wireless sensor devices are affected by internal constraints and the external environment, generating abnormal data. Currently, many anomaly detection schemes ignore the correlation between screening nodes, wasting resources due to excessive communication. Therefore, this paper proposes a distributed anomaly detection scheme based on adaptive grouping using the correlation between nodes in wireless sensor networks. Limiting the scope of collaboration between nodes can reduce the waste of resources due to excessive communication. Since the computing resources of sensor nodes are limited, an edge-cloud framework is established. The scheme uses Spatio-temporal correlation and graph theory for wireless sensor networks to determine node groups with solid correlations on the cloud server. Based on the grouping results, anomaly detection is implemented locally. A Bayesian network model is constructed at the node within the group, and outlier detection is realized by inference on nodes. A correlation consistency evaluation method is proposed to improve anomaly detection accuracy to check the data consistency on the cluster head. The proposed scheme is verified by a generated data set and the real data of Intel Berkeley Research Lab. The effectiveness of the proposed method is verified by comparing it with three existing algorithms. Experimental results show that the method improves detection accuracy and reduces false detection.

telecommunications

Jinfa WANG,Siyuan JIA,Hai ZHAO,Jiuqiang XU,Chuan LIN

DOI: https://doi.org/10.1587/transcom.2017ebp3392

2018-12-01

IEICE Transactions on Communications

Abstract:Detecting anomalies, such as network failure or intentional attack in Internet, is a vital but challenging task. Although numerous techniques have been developed based on Internet traffic, detecting anomalies from the perspective of Internet topology structure is going to be possible because the anomaly detection of structured datasets based on complex network theory has become a focus of attention recently. In this paper, an anomaly detection method for the large-scale Internet topology is proposed to detect local structure crashes caused by the cascading failure. In order to quantify the dynamic changes of Internet topology, the network path changes coefficient (NPCC) is put forward which highlights the Internet abnormal state after it is attacked continuously. Furthermore, inspired by Fibonacci Sequence, we proposed the decision function that can determine whether the Internet is abnormal or not. That is the current Internet is abnormal if its NPCC is out of the normal domain calculated using the previous k NPCCs of Internet topology. Finally the new Internet anomaly detection method is tested against the topology data of three Internet anomaly events. The results show that the detection accuracy of all events are over 97%, the detection precision for three events are 90.24%, 83.33% and 66.67%, when k=36. According to the experimental values of index F1, larger values of k offer better detection performance. Meanwhile, our method has better performance for the anomaly behaviors caused by network failure than those caused by intentional attack. Compared with traditional anomaly detection methods, our work is more simple and powerful for the government or organization in items of detecting large-scale abnormal events.

telecommunications,engineering, electrical & electronic