Importance of relatively complicated systems (or components constituting the systems), such as various plants and social infrastructures, have increases in recent years. These systems are required to be stably operated and managed. Accordingly, there is a demand for a technique capable of monitoring an operation status or an operating status of these systems and detecting an anomaly occurring in these systems.
With regard to the technique for detecting an anomaly in a system to be managed, following patent literatures are known.
In PTL 1 (Japanese Patent No. 5267684), a technique relating to an operation management apparatus and the like for monitoring an operating status of a system is described. An apparatus disclosed in PTL 1 acquires, from a plurality of monitored apparatuses, measured values of a plurality of performance indicators (metrics) and generates a correlation model for two different metrics. The apparatus detects an anomaly item, based on a result of a comparison between an estimated value for a certain metric, which is calculated by using the correlation model, and an observed value of the metric. The apparatus calculates, for each of the monitored apparatuses, an anomaly score by using a total number of combinations of two metrics and the number of the detected anomaly items, and specifies, as an anomaly source, a metric with the anomaly score being high. In the technique disclosed in PTL 1, common anomaly items are excluded in the plurality of monitored apparatuses present in the same layer, thereby eliminating an effect caused by extension of an anomaly between layers.
In PTL 2 (Japanese Unexamined Patent Application Publication No. 2009-199533) a technique relating to an operation management apparatus and the like for detecting a sign of occurrence of a failure and specifying an occurrence point of the failure is described. The apparatus disclosed in PTL 2 acquires, from a plurality of monitored apparatuses, a plurality of pieces of performance information (corresponding to the above-mentioned metrics), and generates a correlation model representing a correlation function for two different pieces of performance information. The apparatus uses the correlation model to determine whether or not newly detected performance information destroys the correlation. The apparatus calculates an anomaly score, based on the determination result, thereby analyzing occurrence of the anomaly. The apparatus deletes a correlation model representing the correlation, when the correlation is steadily destroyed.
In PTL 3 (International Publication No. 2013/027562), a technique relating to an operation management apparatus and the like for detecting occurrence of a failure in a system is described. The apparatus disclosed in PTL 3 generates a correlation model related to a performance indicator (metric) of a monitored apparatus (a monitored system) and detects an anomaly (state) in the correlation, similarly to the above-mentioned patent literatures. The apparatus calculates an anomaly score, based on the detected anomaly in the correlation and a degree of continuation of the anomaly. In the technique disclosed in PTL 3, a performance indicator with a high anomaly score (i.e., the degree of anomaly is large, or the degree of continuation of anomaly is large) is specified to analyze the anomaly occurring in the system.
In PTL 4 (International Publication No. 2013/136739) a technique relating to an operation management apparatus and the like for detecting occurrence of a failure in a system is described. The apparatus disclosed in PTL 4 generates a correlation model related to a performance indicator (metric) of a monitored apparatus (a monitored system) and detects an anomaly (state) in the correlation, similarly to the above-mentioned patent literatures. Upon detecting a change in a configuration of the system, the apparatus regenerates a correlation model, based on a measured value of a metric obtained after the configuration is changed. The apparatus changes a pattern for detecting destruction of the correlation in accordance with the changed configuration. Thus, the technique disclosed in PTL 4 enables to appropriately analyze a failure occurring in a monitored apparatus (a monitored system) even when a change occurs in a configuration of the system.