User configurable message anomaly scoring to identify unusual activity in information technology systems

US 10,169,719 B2
Filed: 10/20/2015
Issued: 01/01/2019
Est. Priority Date: 10/20/2015
Status: Expired due to Fees

First Claim

Patent Images

1. A method for identifying unusual activity in an information technology (IT) system based on user configurable message anomaly scoring, the method comprising:

receiving, by a processing device, a message stream for the IT system;

selecting a plurality of status messages from the message stream that correspond to an interval of time;

determining a default message anomaly score for each status message of the plurality of the status messages of the interval, wherein the default message anomaly scores are generated by IT equipment of the IT system and are included in the plurality of status messages received from the IT equipment;

calculating, by the processing device, an interval anomaly score for the interval by at least performing the following for each status message of the plurality of status messages of the interval;

determining whether the default message anomaly score of the status message corresponds to a message anomaly group comprising a custom scoring group having a custom message anomaly score, wherein the custom message anomaly score of the message anomaly group is received by the processing device as an input from a system expert during training of a model of a historical message stream;

upon determining that the default message anomaly score of the status message corresponds to the message anomaly group having the custom message anomaly score, adding the custom message anomaly score to an interval anomaly score for the interval; and

upon determining that the default message anomaly score of the status message does not correspond to the message anomaly group having the custom message anomaly score, adding the default message anomaly score of the status message to the interval anomaly score for the interval;

identifying a priority level of the interval by comparing the interval anomaly score to one or more priority level cutoffs, wherein the one or more priority level cutoffs are established based on the trained model; and

generating an alert for the selected plurality of status messages of the interval only when the identified priority level of the interval meets the one or more priority level cutoffs based on the comparison, wherein the alert flags the interval such that only the selected plurality of status message of the message stream are transmitted to the system expert.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments include method, systems and computer program products for identifying unusual activity in an IT system based on user configurable message anomaly scoring. Aspects include receiving a message stream for the IT system and selecting a plurality of messages from the message stream that correspond to an interval. Aspects also include determining a message anomaly score for each of the plurality of the messages, wherein the message anomaly score for each of the plurality of the messages is determined to be one of a default message anomaly score and a custom message anomaly score and calculating an interval anomaly score for the interval by adding the message anomaly score for each of the plurality of the messages. Aspects further include identifying a priority level of the interval by comparing the interval anomaly score to one or more thresholds.

Citations

9 Claims

1. A method for identifying unusual activity in an information technology (IT) system based on user configurable message anomaly scoring, the method comprising:
- receiving, by a processing device, a message stream for the IT system;
  
  selecting a plurality of status messages from the message stream that correspond to an interval of time;
  
  determining a default message anomaly score for each status message of the plurality of the status messages of the interval, wherein the default message anomaly scores are generated by IT equipment of the IT system and are included in the plurality of status messages received from the IT equipment;
  
  calculating, by the processing device, an interval anomaly score for the interval by at least performing the following for each status message of the plurality of status messages of the interval;
  
  determining whether the default message anomaly score of the status message corresponds to a message anomaly group comprising a custom scoring group having a custom message anomaly score, wherein the custom message anomaly score of the message anomaly group is received by the processing device as an input from a system expert during training of a model of a historical message stream;
  
  upon determining that the default message anomaly score of the status message corresponds to the message anomaly group having the custom message anomaly score, adding the custom message anomaly score to an interval anomaly score for the interval; and
  
  upon determining that the default message anomaly score of the status message does not correspond to the message anomaly group having the custom message anomaly score, adding the default message anomaly score of the status message to the interval anomaly score for the interval;
  
  identifying a priority level of the interval by comparing the interval anomaly score to one or more priority level cutoffs, wherein the one or more priority level cutoffs are established based on the trained model; and
  
  generating an alert for the selected plurality of status messages of the interval only when the identified priority level of the interval meets the one or more priority level cutoffs based on the comparison, wherein the alert flags the interval such that only the selected plurality of status message of the message stream are transmitted to the system expert.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein the model of the historical message stream is trained by:
    - dividing a plurality of historical status messages into a number of groups based on the default message anomaly score of each of the plurality of historical status messages;
      
      identifying a specific status message from the plurality of historical status messages; and
      
      identifying the group containing the specific message as custom scoring group.
  - 3. The method of claim 2, wherein determining whether the default message anomaly score of the status message corresponds to the message anomaly group includes determining whether each one of the plurality of the status messages is a member of the custom scoring group.

4. A computer program product for identifying unusual activity in an IT system based on user configurable message anomaly scoring, the computer program product comprising:
- a non-transitory storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing a method comprising;
  
  receiving a message stream for the IT system;
  
  selecting a plurality of status messages from the message stream that correspond to an interval of time;
  
  determining default message anomaly score for each status message of the plurality of the status messages of the interval, wherein the default message anomaly scores are generated by IT equipment of the IT system and are included in the plurality of status messages received from the IT equipment;
  
  calculating an interval anomaly score for the interval by at least performing the following for each status message of the plurality of status messages of the interval;
  
  determining whether the default message anomaly score of the status message corresponds to a message anomaly group comprising a custom scoring group having a custom message anomaly score, wherein the custom message anomaly score of the message anomaly group is received as an input from a system expert during training of a model of a historical message stream;
  
  upon determining that the default message anomaly score of the status message corresponds to the message anomaly group having the custom message anomaly score, adding the custom message anomaly score to an interval anomaly score for the interval; and
  
  upon determining that the default message anomaly score of the status message does not correspond to the message anomaly group having the custom message anomaly score, adding the default message anomaly score of the status message to the interval anomaly score for the interval;
  
  identifying a priority level of the interval by comparing the interval anomaly score to one or more priority level cutoffs, wherein the one or more priority level cutoffs are established based on the trained model; and
  
  generating an alert for the selected plurality of status messages of the interval only when the identified priority level of the interval meets the one or more priority level cutoffs based on the comparison, wherein the alert flags the interval such that only the selected plurality of status message of the message stream are transmitted to the system expert.
- View Dependent Claims (5, 6)
- - 5. The computer program product of claim 4, wherein the model of the historical message stream is trained by:
    - dividing a plurality of historical status messages into a number of groups based on the default message anomaly score of each of the plurality of historical status messages;
      
      identifying a specific status message from the plurality of historical status messages; and
      
      identifying the group containing the specific message as custom scoring group.
  - 6. The computer program product of claim 5, wherein determining whether the default message anomaly score of the status message corresponds to the message anomaly group includes determining whether each one of the plurality of the status messages is a member of the custom scoring group.

7. A system for identifying unusual activity in an information technology (IT) system based on user configurable message anomaly scoring, comprising:
- a processor in communication with one or more types of memory, the processor configured to;
  
  receive a message stream for the IT system;
  
  select a plurality of status messages from the message stream that correspond to an interval of time;
  
  determine a default message anomaly score for each status message of the plurality of the status messages of the interval, wherein the default message anomaly scores are generated by IT equipment of the IT system and are included in the plurality of status messages received from the IT equipment;
  
  calculate an interval anomaly score for the interval at least performing the following for each status message of the plurality of status messages of the interval;
  
  determining whether the default message anomaly score of the status message corresponds to a message anomaly group comprising a custom scoring group having a custom message anomaly score, wherein the custom message anomaly score of the message anomaly group is received as an input from a system expert during training of a model of a historical message stream;
  
  upon determining that the default message anomaly score of the status message corresponds to the message anomaly group having the custom message anomaly score, adding the custom message anomaly score to an interval anomaly score for the interval; and
  
  upon determining that the default message anomaly score of the status message does not correspond to the message anomaly group having the custom message anomaly score, adding the default message anomaly score of the status message to the interval anomaly score for the interval;
  
  identify a priority level of the interval by comparing the interval anomaly score to one or more priority level cutoffs; and
  
  generating an alert for the selected plurality of status messages of the interval only when the identified priority level of the interval meets the one or more priority level cutoffs based on the comparison, wherein the alert flags the interval such that only the selected plurality of status message of the message stream are transmitted to the system expert.
- View Dependent Claims (8, 9)
- - 8. The system of claim 7, wherein the model of the historical message stream is trained by:
    - dividing a plurality of historical status messages into a number of groups based on the default message anomaly score of each of the plurality of historical status messages;
      
      identifying a specific status message from the plurality of historical status messages; and
      
      identifying the group containing the specific message as custom scoring group.
  - 9. The system of claim 8, wherein determining whether the default message anomaly score of the status message corresponds to the message anomaly group includes determining whether each one of the plurality of the messages is a member of the custom scoring group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated (Kyndryl Holdings, Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Caffrey, James M.
Primary Examiner(s)
King, John B
Assistant Examiner(s)
Dhruv, Darshan I

Application Number

US14/887,355
Publication Number

US 20170111378A1
Time in Patent Office

1,169 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06N 20/00   Machine learning

G06N 20/20   Ensemble learning

G06N 5/025   Extracting rules from data

H04L 41/069   using logs of notifications...

H04L 41/142   using statistical or mathem...

H04L 63/1408   by monitoring network traff...

User configurable message anomaly scoring to identify unusual activity in information technology systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

User configurable message anomaly scoring to identify unusual activity in information technology systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links