Intelligent Operations: AI‑Driven Anomaly Detection, Alarm Compression, and Log Analysis Techniques

Traditional operations suffer from inefficient monitoring, manual fault detection, and high reliance on human expertise, leading to low data collection accuracy and slow incident resolution.

The proposed key technologies address three major pain points—low fault‑handling efficiency, inaccurate problem localization, and high labor cost—by integrating artificial intelligence into operations. Machine‑learning‑driven decision support replaces manual judgments, enabling proactive fault avoidance and smarter, more accurate data collection.

Metric Anomaly Detection Technology

Metric anomaly detection processes both single‑metric and multi‑metric scenarios. Single‑metric detection focuses on KPI spikes or drops using statistical thresholds (e.g., 3‑sigma) or predictive models such as ARIMA. Multi‑metric detection examines relationships among multiple KPIs, employing two strategies: decomposing multi‑metric series into single‑metric streams for independent analysis, or directly analyzing the multi‑dimensional series with clustering or shape‑based methods. The latter preserves inter‑metric correlations but incurs higher computational cost.

Offline Process

Metrics are clustered using SBD‑based DBSCAN to reduce analysis complexity, grouping similar time‑series together.

Within each cluster, pairwise SARIMAX models capture invariant relationships between metrics, representing time‑invariant dependencies (e.g., sinusoidal relationships).

Online Process

Anomaly detection computes residual scores between metric pairs; scores exceeding a threshold indicate broken invariants, flagging the associated metric as anomalous.

Visualization of invariant relationship graphs aids in interpreting detection results.

Alarm Event Compression and Denoising Technology

Massive alarm storms overwhelm operators. The compression technique mines association relationships among alarms, suppressing redundant messages while preserving core alarm information.

The underlying algorithm leverages supervised Apriori association‑rule mining. Frequent itemsets are extracted from transaction databases, and rules meeting user‑defined support and confidence thresholds are generated. The Apriori property (anti‑monotonicity) ensures efficient pruning of non‑frequent candidates.

Log Anomaly Detection Technology

SwissLog employs a two‑stage pipeline (offline and online) using LSTM‑based deep neural networks. Logs are first parsed and templated, then encoded via BERT or Word2Vec embeddings combined with timestamp features. A Bi‑LSTM with attention learns normal log patterns; deviations trigger anomaly alerts.

Key steps include:

Log parsing and template extraction.

Sentence embedding (BERT/Word2Vec) plus temporal embedding.

Attention‑enhanced Bi‑LSTM training on normal logs.

Online inference to detect abnormal sequences.

Intelligent Analysis Technology

Beyond detection, intelligent analysis seeks to answer what the problem is, why it occurred, and how to resolve it. By constructing an expanded fault‑tree that incorporates business call‑chains, cloud‑network resource topology, and physical infrastructure, the system performs joint analysis of detected anomalies, important alarms, and log events.

Graph‑based algorithms and machine‑learning models infer root causes, prioritize remediation actions, and present engineers with concise fault‑origin recommendations, thereby accelerating fault resolution and reducing loss.