Multi-tier aggregation for complex event correlation in streams
First Claim
1. A method for detecting anomalous activity, the method comprising:
collecting data from a plurality of data sources, wherein each data source generates a data stream;
harmonizing each data stream using a computer processor so that the harmonized data is in a common format;
generating behavior models based on the harmonized data using the computer processor;
analyzing the harmonized data at a first level using the behavior models and the computer processor to identify meta-events, wherein the meta-events represent anomalous behavior and analyzing the harmonized data at the first level identifies a meta-event based on a pre-defined set of anomalous activities;
analyzing the meta-events at a second level using the computer processor to determine if an alert should be issued, wherein:
the second level is a higher level of operation than the first level and encompasses the meta-events identified by analyzing the harmonized data at the first level, and analyzing the meta-events at the second level includes determining whether an alert should be issued based on multiple meta-events; and
when an alert should be issued, displaying the alert.
Abstract
A system and method for detecting anomalous activity are disclosed. The method includes collecting data from a plurality of data sources, wherein each data source generates a data stream; harmonizing each data stream using a computer processor so that the harmonized data is in a common format; generating behavior models based on the harmonized data using the computer processor; analyzing the harmonized data at a first level using the behavior models and the computer processor to generate meta-events, wherein the meta-events represent anomalous behavior; analyzing the meta-events at a second level using the computer processor to determine if an alert should be issued; and, when an alert should be issued, displaying the alert.
22 Claims
1. A method for detecting anomalous activity, the method comprising:
collecting data from a plurality of data sources, wherein each data source generates a data stream;
harmonizing each data stream using a computer processor so that the harmonized data is in a common format;
generating behavior models based on the harmonized data using the computer processor;
analyzing the harmonized data at a first level using the behavior models and the computer processor to identify meta-events, wherein the meta-events represent anomalous behavior and analyzing the harmonized data at the first level identifies a meta-event based on a pre-defined set of anomalous activities;
analyzing the meta-events at a second level using the computer processor to determine if an alert should be issued, wherein:
the second level is a higher level of operation than the first level and encompasses the meta-events identified by analyzing the harmonized data at the first level, and analyzing the meta-events at the second level includes determining whether an alert should be issued based on multiple meta-events; and
when an alert should be issued, displaying the alert.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. A system for detecting anomalous activity, the system comprising:
a computer-readable storage device configured to store computer-executable instructions;
a hardware computer processor configured to execute the computer-executable instructions, the computer-executable instructions comprising:
collecting data from a plurality of data sources, wherein each data source generates a data stream;
harmonizing each data stream using the computer processor so that the harmonized data is in a common format;
generating behavior models based on the harmonized data using the computer processor;
analyzing the harmonized data at a first level using the behavior models and the computer processor to identify meta-events, wherein the meta-events represent anomalous behavior and analyzing the harmonized data at the first level identifies a meta-event based on a pre-defined set of anomalous activities;
analyzing the meta-events at a second level using the computer processor to determine if an alert should be issued, wherein:
the second level is a higher level of operation than the first level and encompasses the meta-events identified by analyzing the harmonized data at the first level, and analyzing the meta-events at the second level includes determining whether an alert should be issued based on multiple meta-events; and
a display configured to display the alert.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22.
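The following Python sketch is an added example, not code from the patent or from any assignee's product, showing the two-tier flow that independent claims 1 and 12 describe: two source streams in different formats are harmonized into a common record, per-user behavior models are built from a baseline period, a first level matches harmonized records against a pre-defined set of anomalous activities to emit meta-events, and a second level decides whether to alert only when multiple distinct meta-events for the same user fall inside a correlation window. The stream formats, the three anomalous activities (new host, off-hours access, failed-login burst), the thresholds and the window sizes are all assumptions constructed for this example.

```python
"""Two-tier correlation: harmonize -> behavior models -> meta-events -> alerts (illustrative)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample streams in two unrelated source formats (not real logs).
AUTH_STREAM = [
    "2024-03-01T09:02:10 login user=alice host=ws-12 result=ok",
    "2024-03-01T09:15:33 login user=bob host=ws-07 result=ok",
    "2024-03-01T10:30:00 login user=bob host=ws-07 result=ok",
    "2024-03-02T02:41:05 login user=alice host=ws-99 result=fail",
    "2024-03-02T02:41:09 login user=alice host=ws-99 result=fail",
    "2024-03-02T02:41:14 login user=alice host=ws-99 result=fail",
    "2024-03-02T02:42:00 login user=alice host=ws-99 result=ok",
    "2024-03-02T10:05:00 login user=bob host=ws-08 result=ok",
]
VPN_STREAM = [
    {"time": "2024-03-01 09:00:01", "account": "alice", "client": "ws-12", "event": "connect"},
    {"time": "2024-03-02 02:40:50", "account": "alice", "client": "ws-99", "event": "connect"},
]

AUTH_RE = re.compile(r"(\S+) (\S+) user=(\S+) host=(\S+) result=(\S+)")

# Harmonization: every source is mapped onto one common record shape.
def harmonize_auth(line):
    ts, action, user, host, result = AUTH_RE.match(line).groups()
    return {"ts": datetime.fromisoformat(ts), "source": "auth", "user": user,
            "host": host, "action": action, "ok": result == "ok"}

def harmonize_vpn(rec):
    return {"ts": datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S"), "source": "vpn",
            "user": rec["account"], "host": rec["client"], "action": rec["event"], "ok": True}

def harmonize(auth_lines, vpn_records):
    events = [harmonize_auth(l) for l in auth_lines] + [harmonize_vpn(r) for r in vpn_records]
    return sorted(events, key=lambda e: e["ts"])

# Behavior models: per user, the hosts and hours of day seen during the baseline period.
def build_models(events, baseline_end):
    models = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for e in events:
        if e["ts"] < baseline_end and e["ok"]:
            models[e["user"]]["hosts"].add(e["host"])
            models[e["user"]]["hours"].add(e["ts"].hour)
    return models

BURST_THRESHOLD = 3              # assumed: N failures ...
BURST_WINDOW = timedelta(seconds=60)  # ... within this window is a "failed_burst"

# First level: match harmonized records against a pre-defined set of anomalous activities.
def first_level(events, models):
    meta, fails = [], defaultdict(list)
    for e in events:
        if not e["ok"]:
            recent = [t for t in fails[e["user"]] if e["ts"] - t <= BURST_WINDOW]
            fails[e["user"]] = recent + [e["ts"]]
            if len(fails[e["user"]]) == BURST_THRESHOLD:
                meta.append({"ts": e["ts"], "user": e["user"], "type": "failed_burst"})
            continue
        m = models.get(e["user"])
        if m is None:            # no baseline for this user: nothing to compare against
            continue
        if e["host"] not in m["hosts"]:
            meta.append({"ts": e["ts"], "user": e["user"], "type": "new_host"})
        if e["ts"].hour not in m["hours"]:
            meta.append({"ts": e["ts"], "user": e["user"], "type": "off_hours"})
    return meta

CORRELATION_WINDOW = timedelta(minutes=10)  # assumed second-level grouping window
MIN_DISTINCT_TYPES = 2                      # assumed: alert needs >= 2 kinds of meta-event

# Second level: group a user's meta-events into windows and alert on multiple distinct types.
def second_level(meta_events):
    by_user = defaultdict(list)
    for m in sorted(meta_events, key=lambda m: m["ts"]):
        by_user[m["user"]].append(m)
    alerts = []
    for user, items in by_user.items():
        groups, current = [], []
        for m in items:
            if current and m["ts"] - current[0]["ts"] > CORRELATION_WINDOW:
                groups.append(current)
                current = []
            current.append(m)
        if current:
            groups.append(current)
        for g in groups:
            types = sorted({m["type"] for m in g})
            if len(types) >= MIN_DISTINCT_TYPES:
                alerts.append({"user": user, "start": g[0]["ts"], "end": g[-1]["ts"],
                               "types": types, "meta_events": len(g)})
    return alerts

def detect(auth_lines=AUTH_STREAM, vpn_records=VPN_STREAM, baseline_end=datetime(2024, 3, 2)):
    events = harmonize(auth_lines, vpn_records)
    models = build_models(events, baseline_end)
    meta = first_level(events, models)
    return meta, second_level(meta)

if __name__ == "__main__":
    meta, alerts = detect()
    for a in alerts:   # "displaying the alert"
        print(f"ALERT {a['user']}: {', '.join(a['types'])} ({a['meta_events']} meta-events "
              f"between {a['start']} and {a['end']})")
```

On the constructed input, bob's single new-host login produces a meta-event but no alert, while alice's off-hours VPN connection from an unseen host, followed by a failed-login burst and a successful login from that host, yields three distinct meta-event types in one window and therefore one alert. The point of the second tier is exactly this suppression: any one first-level match is too noisy to page on, and the alert decision is made on the combination.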