Computer-implemented system and method for detecting anomalies using sample-based rule identification

US 10,140,576 B2
Filed: 08/10/2014
Issued: 11/27/2018
Est. Priority Date: 08/10/2014
Status: Active Grant

First Claim

Patent Images

1. A system for detecting anomalies using sample-based rule identification with the aid of a digital computer, comprising:

a non-transitory computer readable storage medium comprising program code and further comprising;

a database comprising a data set for data analytics, the data set comprising a plurality of data points; and

a set of anomaly rules;

a computer processor and memory with the computer processor coupled to the storage medium, wherein the computer processor is configured to execute the program code to perform steps to;

statistically identify one or more of the data points in the data set comprised in the database as one or more potential anomalies, comprising calculating a statistics for each of the data points;

label each of the identified data points as at least one of anomaly and non-anomaly based on verification by a domain expert;

adjust the set of anomaly rules comprised in the database based on at least one of the labeled anomalies, comprising creating an additional anomaly rule and adding the rule to the set, further comprising;

determine an entropy of at least a portion of a different data set, the different data set comprising the statistics of all of the data points, the at least the portion comprising the statistics for the at least one anomaly;

use the entropy to set a threshold; and

set the additional anomaly rule to label one or more of the data points other than the at least one labeled anomaly as one or more additional anomalies upon the statistics for these data points exceeding the threshold;

detect and classify as the one or more additional anomalies the one or more data points other than the at least one labeled anomaly comprised in the database by applying the adjusted set of anomaly rues comprised in the database to the statistics for the data points; and

control manipulative malicious activities in at least one of the fields of social welfare, credit card, transportation systems, the Internet networks, and healthcare systems based on the labeled anomalies and the additional anomalies.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented system and method for detecting anomalies using sample-based rule identification is provided. Data for data is maintained analytics in a database. A set of anomaly rules is defined. A rare pattern in the data is statistically identified. The identified rare pattern is labeled as at least one of anomaly and non-anomaly based on verification by a domain expert. The set of anomaly rules is adjusted based on the labeled anomaly. Other anomalies in the data are detected and classified by applying the adjusted set of anomaly rules to the data.

34 Citations

View as Search Results

13 Claims

1. A system for detecting anomalies using sample-based rule identification with the aid of a digital computer, comprising:
- a non-transitory computer readable storage medium comprising program code and further comprising;
  
  a database comprising a data set for data analytics, the data set comprising a plurality of data points; and
  
  a set of anomaly rules;
  
  a computer processor and memory with the computer processor coupled to the storage medium, wherein the computer processor is configured to execute the program code to perform steps to;
  
  statistically identify one or more of the data points in the data set comprised in the database as one or more potential anomalies, comprising calculating a statistics for each of the data points;
  
  label each of the identified data points as at least one of anomaly and non-anomaly based on verification by a domain expert;
  
  adjust the set of anomaly rules comprised in the database based on at least one of the labeled anomalies, comprising creating an additional anomaly rule and adding the rule to the set, further comprising;
  
  determine an entropy of at least a portion of a different data set, the different data set comprising the statistics of all of the data points, the at least the portion comprising the statistics for the at least one anomaly;
  
  use the entropy to set a threshold; and
  
  set the additional anomaly rule to label one or more of the data points other than the at least one labeled anomaly as one or more additional anomalies upon the statistics for these data points exceeding the threshold;
  
  detect and classify as the one or more additional anomalies the one or more data points other than the at least one labeled anomaly comprised in the database by applying the adjusted set of anomaly rues comprised in the database to the statistics for the data points; and
  
  control manipulative malicious activities in at least one of the fields of social welfare, credit card, transportation systems, the Internet networks, and healthcare systems based on the labeled anomalies and the additional anomalies.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A system according to claim 1, wherein the computer processor is further configured to execute the program code to perform steps to:
    - recognize one of the identified data points as the labeled non-anomaly; and
      
      modify the set of anomaly rules based on the recognition.
  - 3. A system according to claim 1, wherein the set of the rules are adjusted based on a plurality of the anomalies, and the statistics comprises a ratio along at least two dimensions.
  - 4. A system according to claim 1, wherein the computer processor is further configured to execute the program code to perform steps to:
    - select a classification algorithm; and
      
      modify the classification algorithm wherein the computer processor is further configured to execute the program code to perform steps to at least one of;
      
      modify criteria of fit; and
      
      modify a regularization term.
  - 5. A system according to claim 1, further comprising:
    - the non-transitory computer readable storage medium further comprising;
      
      an anomaly threshold comprised in the set of anomaly rules; and
      
      a score of the labeled non-anomaly;
      
      wherein the computer processor is further configured to execute the program code to perform steps to;
      
      refine the set of anomaly rules by comparing the score of the labeled non-anomaly to the anomaly threshold and raising the anomaly threshold if the score of the labeled non-anomaly is below the anomaly threshold.
  - 6. A system according to claim 1, wherein the computer processor is further configured to execute the program code to perform steps to at least one of:
    - statistically detect incidents in the data set comprised in the database that occur less frequently than the rest of the population in the data set comprised in the database;
      
      statistically detect trends in the data set comprised in the database with regard to time; and
      
      statistically detect a correlation between one or more events in the data set comprised in the database.

7. A method for detecting anomalies using sample-based rule identification with the aid of a digital computer, comprising the steps of:
- maintaining a data set for data analytics comprised in a storage medium, the data set comprising a plurality of data points;
  
  statistically identifying with a computer processor and memory with the computer processor coupled to the non-transitory computer readable storage medium one or more of the data points in the data set comprised in the database as one or more potential anomalies, comprising calculating a statistics for each of the data points;
  
  labeling each of the identified data points with the computer processor as at least one of anomaly and non-anomaly based on verification by a domain expert;
  
  defining a set of anomaly rules comprised in the storage medium based on at least one of the labeled anomalies, comprising creating one of the anomaly rules and adding the rue to the set, further comprising;
  
  determining an entropy of at least a portion of a different data set, the different data set comprising the statistics of all of the data points, the at least the portion comprising the statistics for the at least one anomaly;
  
  using the entropy to set a threshold; and
  
  setting the additional anomaly rule to label one or more of the data points other than the at least one labeled anomaly as one or more additional anomalies upon the statistics for these data points exceeding the threshold;
  
  detecting and classifying as the one or more additional anomalies the one or more data points other than the at least one labeled anomaly in the data comprised in the database with the computer processor by applying the set of anomaly rules to the statistics for the data points; and
  
  controlling manipulative malicious activities in at least one of the fields of social welfare, credit card, transportation systems, the Internet networks, and healthcare systems based on the labeled anomalies and the additional anomalies.

8. A method for detecting anomalies using sample-based rule identification with the aid of a digital computer, comprising the steps of:
- maintaining a data set for data analytics in a database comprised in a non-transitory computer readable storage medium, the data set comprising a plurality of data points;
  
  defining a set of anomaly rules comprised in the database comprised in the storage medium;
  
  statistically identifying with a computer processor and memory with the computer processor coupled to the non-transitory computer readable storage medium one or more of the data points in the data set comprised in the database as one or more potential anomalies, comprising calculating a statistics for each of the data points;
  
  labeling the identified data points with the computer processor as at least one of anomaly and non-anomaly based on verification by a domain expert;
  
  adjusting the set of anomaly rules comprised in the database with the computer processor based on the labeled anomalies, comprising creating an additional anomaly rule and adding the additional rule to the set, further comprising;
  
  determining an entropy of at least a portion of a different data set the different data set comprising the statistics of all of the data points, the at least the portion comprising the statistics for the at least one anomaly;
  
  using the entropy to set a threshold; and
  
  setting the additional anomaly rule to label one or more of the data points other than the at least one labeled anomaly as one or more additional anomalies upon the statistics for these data points exceeding the threshold;
  
  detecting and classifying as the one or more additional anomalies the data points other than the at least one labeled anomaly comprised in the database with the computer processor by applying the adjusted set of anomaly rules comprised in the database to the data set statistics for the data points; and
  
  controlling manipulative malicious activities in at least one of the fields of social welfare, credit card, transportation systems, the Internet networks, and healthcare systems based on the labeled anomalies and the additional anomalies.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. A method according to claim 8, further comprising:
    - recognizing one of the identified data points with the computer processor as the labeled non-anomaly; and
      
      modifying the set of anomaly rules with the computer processor based on the recognition.
  - 10. A method according to claim 8, wherein the set of the rules are adjusted based on a plurality of the anomalies, and the statistics comprises a ratio along at least two dimensions.
  - 11. A method according to claim 8, further comprising:
    - selecting with the computer processor a classification algorithm; and
      
      modifying the classification algorithm with the computer processor comprising at least one of;
      
      modifying with the computer processor criteria of fit; and
      
      modifying with the computer processor a regularization term.
  - 12. A method according to claim 8, further comprising:
    - defining an anomaly threshold with the computer processor comprised in the set of anomaly rules;
      
      defining with the computer processor a score of the labeled non-anomaly; and
      
      refining the set of anomaly rules with the computer processor by comparing the score of the labeled non-anomaly to the anomaly threshold with the computer processor and raising the anomaly threshold with the computer processor if the score of the labeled non-anomaly is below the anomaly threshold.
  - 13. A method according to claim 8, further comprising at least one of:
    - statistically detecting incidents in the data set comprised in the database with the computer processor that occur less frequently than the rest of the population in the data comprised in the database;
      
      statistically detecting trends in the data set comprised in the database with the computer processor with regard to time; and
      
      statistically detecting a correlation between one or more events in the data set comprised in the database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Xerox Corporation (Xerox Holdings Corp.)
Original Assignee
Palo Alto Research Center, Inc. (Xerox Holdings Corp.)
Inventors
Eldardiry, Hoda, Kallur Palli Kumar, Sricharan, Greene, Daniel H., Price, Robert
Primary Examiner(s)
Sitiriche, Luis A

Application Number

US14/455,933
Publication Number

US 20160042287A1
Time in Patent Office

1,570 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/552   involving long-term monitor...

G06N 20/00   Machine learning

G06N 5/025   Extracting rules from data

G06Q 50/00   Information and communicati...

G06Q 50/22   Social work or social welfa...

G16H 50/70   for mining of medical data,...

H04L 63/14   for detecting or protecting...

H04L 63/1425   Traffic logging, e.g. anoma...

Computer-implemented system and method for detecting anomalies using sample-based rule identification

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Computer-implemented system and method for detecting anomalies using sample-based rule identification

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links