CN-122021938-A - Multi-mode anomaly identification and alarm information generation method based on AI large model

Abstract

The invention discloses a multi-mode anomaly identification and alarm information generation method based on an AI large model, which comprises the steps of carrying out association merging and segment segmentation on platform interface image data, operation record text and equipment state data of the same monitoring object to form an event segment set, completing unified convergence of multi-source anomaly clues, reducing anomaly mismatch caused by heterogeneous data dispersion, extracting monitoring object identification, occurrence sequence identification and anomaly change characteristics, and carrying out aggregation on continuous event segments to form an evidence cluster set, improving the integrity of anomaly evidence organization, completing front and back check of an anomaly triggering relationship and a state transfer relationship by constructing a causal check sequence, reducing irrelevant segment misunion, outputting anomaly judgment results and generating alarm information by a multi-mode anomaly inference model, and improving anomaly identification accuracy and alarm semantic integrity.

Inventors

• LIN WEI
• XIE ZHAOFEI

Assignees

• 南京联成科技发展股份有限公司

Dates

Publication Date

20260512

Application Date

20260403

Claims (10)

1. 1. A multimode anomaly identification and alarm information generation method based on an AI large model is characterized by comprising the following steps: Collecting platform interface image data, operation record text and equipment state data belonging to the same monitoring object in a digital operation management platform, and carrying out association merging and segment segmentation on the platform interface image data, the operation record text and the equipment state data to generate an event segment set; Extracting monitoring object identifiers, occurrence sequence identifiers and abnormal change characteristics from each event fragment in the event fragment set, and aggregating event fragments with consistent monitoring object identifiers, continuous occurrence sequence and continuous abnormal change characteristics to generate an evidence cluster set; Sequencing the event fragments in each evidence cluster according to the event trigger precedence relationship and the state change transfer relationship of each event fragment in the evidence cluster set to generate a causal check sequence; Inputting the evidence cluster set, the causal check sequence and the anomaly candidate result into a multi-mode anomaly inference model deployed in a digital operation management platform inference server, outputting an anomaly judgment result, determining alarm semantics according to the anomaly judgment result and event fragments in the evidence cluster, and generating alarm information according to the alarm semantics.
2. 2. The AI-large-model-based multi-modal anomaly identification and alert information generation method of claim 1, wherein performing association merging and segment segmentation on the platform interface image data, the operation record text, and the device state data includes: According to the page object name in the platform interface image data, the operation object name in the operation record text and the equipment name in the equipment state data, carrying out homonymous comparison on the platform interface image data, the operation record text and the equipment state data, and determining the data with the same name as the data item belonging to the same monitoring object; Performing object association processing on data items belonging to the same monitoring object, wherein the page object names in the platform interface image data and the operation object names in the operation record text are subjected to name association, the operation object names in the operation record text and the equipment names in the equipment state data are subjected to name association, and the data items subjected to name association twice are combined into the same monitoring object association unit to generate a monitoring object association set; The method comprises the steps of arranging the occurrence sequence of each monitoring object association unit in the monitoring object association set, sequentially combining the monitoring object association units which are adjacent front and back and have the same monitoring object to generate an event association section, ending the current event association section and generating the next event association section when the monitoring objects of the two adjacent monitoring object association units are different or the operation actions are different or the equipment state change directions are different; Performing boundary check on platform interface image data, operation record text and equipment state data in each event-related segment, determining the forefront positions of a platform interface change starting point, an operation action starting point and an equipment state change starting point as segment starting points, determining the last positions of a platform interface change end point, an operation action end point and an equipment state change end point as segment end points, and cutting the event-related segment according to the segment starting points and the segment end points to generate an event segment set.
3. 3. The AI-large-model-based multi-modal anomaly identification and alert information generation method of claim 2, wherein extracting monitoring object identifiers, occurrence sequence identifiers, and anomaly change features for each event segment in the set of event segments comprises: Each event fragment in the event fragment set is subjected to fragment numbering, and the monitoring object name, the fragment arrangement position, the platform interface change, the operation action change and the equipment state change of each event fragment are respectively extracted to generate an event fragment attribute set; And determining a monitoring object identifier according to the monitoring object name of each event fragment in the event fragment attribute set, determining an occurrence sequence identifier according to the front and back positions of each event fragment in the event fragment set, and determining an abnormal change characteristic according to the platform interface change, the operation action change and the equipment state change in each event fragment.
4. 4. The AI-large-model-based multi-modal anomaly identification and alert information generation method of claim 3, wherein the evidence cluster set generation method comprises: First-round aggregation is carried out on event fragments which are identical in monitoring object identification and are connected before and after occurrence sequence identification to generate a candidate fragment group, and when the abnormal change characteristics of two adjacent event fragments belong to the same change category and the change directions are continuous, the two event fragments are reserved in the same candidate fragment group; Checking event fragments in each candidate fragment group, separating the event fragments from the current candidate fragment group when the monitoring object in the candidate fragment group is switched, the change category is interrupted, or the continuous relation among the platform interface change, the operation action change and the equipment state change is interrupted, and dividing the separated event fragments into the next candidate fragment group; and determining each checked candidate segment group as an evidence cluster, and forming an evidence cluster set by all the evidence clusters.
5. 5. The AI-large-model-based multi-modal anomaly identification and alert information generation method of claim 1, wherein the causal verification sequence generation method comprises: Respectively extracting the segment arrangement position, the operation action change and the equipment state change of each event segment in the evidence cluster for each evidence cluster in the evidence cluster set to generate evidence cluster sequencing information; Determining event triggering sequence relation according to the segment arrangement positions of the event segments in the evidence cluster ordering information, and determining state change transfer relation according to the front-back connection condition between the equipment state change of the former event segment and the equipment state change of the latter event segment; And sequentially arranging event fragments in each evidence cluster according to the event triggering sequence relationship and the state change transfer relationship, and determining the arranged event fragment sequence as a causal check sequence.
6. 6. The AI-large-model-based multi-modal anomaly identification and alert information generation method of claim 5, wherein the anomaly candidate result generation method comprises: checking adjacent event fragments in the causal check sequence, and determining that a trigger association relationship exists between the previous event fragment and the next event fragment when the operation action change of the previous event fragment causes the equipment state change of the next event fragment and the equipment state change of the previous event fragment is accepted before and after the equipment state change of the next event fragment; And determining the evidence cluster as an abnormal candidate result when the trigger incidence relation and the state change transfer relation continuously exist in the same causal check sequence.
7. 7. The AI-large-model-based multi-modal anomaly identification and alert information generation method of claim 1, wherein the anomaly determination result output method comprises: inputting the evidence cluster set, the cause and effect check sequence and the abnormal candidate result into the multi-mode abnormal reasoning model deployed in the digital operation management platform reasoning server, and performing consistency check by the multi-mode abnormal reasoning model according to the sequence of event fragments, platform interface change, operation action change and equipment state change of each abnormal candidate result in the evidence cluster; outputting an abnormal result when the sequence of the event fragments is consistent with the causal verification sequence and the platform interface change, the operation action change and the equipment state change are consistent with the evidence clusters; Outputting a normal result when the sequence of the event fragments is inconsistent with the causal verification sequence, or the platform interface change, the operation action change and the equipment state change are inconsistent with the evidence clusters; And determining an abnormal category of the evidence cluster which is output as an abnormal result according to the combination type of the platform interface change, the operation action change and the equipment state change, and determining the abnormal result and the abnormal category as an abnormal judgment result.
8. 8. The AI-large-model-based multi-modal anomaly identification and alert information generation method of claim 7, wherein the alert information generation method comprises: extracting the names of the monitoring objects, the interface changes of the platform, the operation action changes and the equipment state changes from the evidence clusters according to the abnormality judgment result, and generating an alarm semantic element set; Sequentially combining the alarm semantic element sets according to the names of the monitoring objects, the types of the anomalies, the occurrence sequence of the anomalies, the interface change of the platform, the operation action change and the equipment state change to determine alarm semantics; Generating alarm information according to the alarm semantics, and sending the alarm information to an alarm display interface and an alarm disposal interface of a digital operation management platform.
9. 9. A computer device, comprising: one or more processors; A memory storing instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising the flow of the AI-large model-based multimodal anomaly identification and alert information generation method of any one of claims 1-8.
10. 10. A computer-readable medium storing software, wherein the software includes instructions executable by one or more computers, the instructions causing the one or more computers to perform operations comprising the flow of the AI-large-model-based multimodal anomaly identification and alert information generation method of any one of claims 1-8.

Description

Multi-mode anomaly identification and alarm information generation method based on AI large model Technical Field The invention relates to the technical field of multi-mode anomaly identification and intelligent alarm generation in an artificial intelligence and digital operation management platform, in particular to a multi-mode anomaly identification and alarm information generation method based on an AI large model. Background With the continuous deployment of a digital operation management platform in scenes such as industrial production, energy operation and maintenance, data center management, intelligent manufacturing and comprehensive service management and control, a platform side abnormality recognition mode is gradually developed from a mode of early relying on single log retrieval, threshold alarming and rule matching to a multi-source joint analysis mode of fusing platform interface image data, operation record text and equipment state data, in the prior art, parameter monitoring is focused on the equipment state data, abnormality is judged through fluctuation threshold value, trend analysis or state mode comparison, or analysis is focused on the operation record text, risk events are positioned through operation instructions, execution paths and abnormal logs, and in recent years, with the enhancement of the capability of a large model technology in terms of semantic understanding, cross-modal correlation and complex context reasoning, related research and engineering application gradually try to introduce a large model into an abnormality recognition and alarm generation process so as to improve the recognition capability of complex abnormal scenes, composite fault scenes and unstructured alarm scenes, thereby promoting the development of an abnormality recognition technology in the digital operation management platform from single-point monitoring to multi-mode association analysis directions. However, the prior art still has the prominent limitations that firstly, the prior art carries out result level splicing after respectively processing platform interface image data, operation record text and equipment state data, and lacks an intermediate processing structure for carrying out unified organization around the same monitoring object and the same abnormal process, so that abnormal clues from different data sources are difficult to form stable association on the same event level, the problems of abnormal attribution dispersion, evidence breakage or multi-event mixing are easy to occur, secondly, the prior art further emphasizes feature fusion or semantic matching in the multi-mode joint judging process, and the triggering sequence relationship, state change transfer relationship and fore-and-aft bearing logic in the abnormal event are not considered sufficiently, so that fragments which are only close in time but have a real triggering relationship are misjudged to be the same abnormal process, thereby reducing the accuracy and consistency of an abnormal recognition result, thirdly, the prior alarm generating mode is mainly based on abnormal labels or risk levels, the alarm content is lack of structural backtracking between the abnormal judgment result and the original evidence, the mapping relationship between the alarm semantics and specific event fragments is easy to occur, the description cage system, the context is easy to occur, the problem of direct misinformation is difficult to be displayed in the mode, the condition change in the page and the operation state change is difficult to be displayed, and the quality change is difficult to be displayed on the condition of the platform, and the condition change is difficult to be continuously checked. In summary, the multi-mode anomaly identification and alarm generation technology in the existing digital operation management platform has the problems that multi-source data is difficult to uniformly organize around the same anomaly process, anomaly triggering relation is difficult to accurately check, and alarm content and evidence support relation are not clear. Disclosure of Invention This section is intended to summarize some aspects of embodiments of the application and to briefly introduce some preferred embodiments, which may be simplified or omitted in this section, as well as the description abstract and the title of the application, to avoid obscuring the objects of this section, description abstract and the title of the application, which is not intended to limit the scope of this application. The present invention has been made in view of the above-described problems occurring in the prior art. In order to solve the technical problems, the invention provides the following technical scheme: In a first aspect, the invention provides a multi-mode anomaly identification and alarm information generation method based on an AI large model, which comprises the steps of collecting platform interface image data, operation record text and