User configurable message anomaly scoring to identify unusual activity in information technology systems
First Claim
1. A method for identifying unusual activity in an information technology (IT) system based on user configurable message anomaly scoring, the method comprising:
- receiving, by a processing device, a message stream for the IT system;
- selecting a plurality of status messages from the message stream that correspond to an interval of time;
- determining a default message anomaly score for each status message of the plurality of the status messages of the interval, wherein the default message anomaly scores are generated by IT equipment of the IT system and are included in the plurality of status messages received from the IT equipment;
- calculating, by the processing device, an interval anomaly score for the interval by at least performing the following for each status message of the plurality of status messages of the interval:
  - determining whether the default message anomaly score of the status message corresponds to a message anomaly group comprising a custom scoring group having a custom message anomaly score, wherein the custom message anomaly score of the message anomaly group is received by the processing device as an input from a system expert during training of a model of a historical message stream;
  - upon determining that the default message anomaly score of the status message corresponds to the message anomaly group having the custom message anomaly score, adding the custom message anomaly score to an interval anomaly score for the interval; and
  - upon determining that the default message anomaly score of the status message does not correspond to the message anomaly group having the custom message anomaly score, adding the default message anomaly score of the status message to the interval anomaly score for the interval;
- identifying a priority level of the interval by comparing the interval anomaly score to one or more priority level cutoffs, wherein the one or more priority level cutoffs are established based on the trained model; and
- generating an alert for the selected plurality of status messages of the interval only when the identified priority level of the interval meets the one or more priority level cutoffs based on the comparison, wherein the alert flags the interval such that only the selected plurality of status messages of the message stream are transmitted to the system expert.
Abstract
Embodiments include method, systems and computer program products for identifying unusual activity in an IT system based on user configurable message anomaly scoring. Aspects include receiving a message stream for the IT system and selecting a plurality of messages from the message stream that correspond to an interval. Aspects also include determining a message anomaly score for each of the plurality of the messages, wherein the message anomaly score for each of the plurality of the messages is determined to be one of a default message anomaly score and a custom message anomaly score and calculating an interval anomaly score for the interval by adding the message anomaly score for each of the plurality of the messages. Aspects further include identifying a priority level of the interval by comparing the interval anomaly score to one or more thresholds.
9 Claims
1. A method for identifying unusual activity in an information technology (IT) system based on user configurable message anomaly scoring, the method comprising:
- receiving, by a processing device, a message stream for the IT system;
- selecting a plurality of status messages from the message stream that correspond to an interval of time;
- determining a default message anomaly score for each status message of the plurality of the status messages of the interval, wherein the default message anomaly scores are generated by IT equipment of the IT system and are included in the plurality of status messages received from the IT equipment;
- calculating, by the processing device, an interval anomaly score for the interval by at least performing the following for each status message of the plurality of status messages of the interval:
  - determining whether the default message anomaly score of the status message corresponds to a message anomaly group comprising a custom scoring group having a custom message anomaly score, wherein the custom message anomaly score of the message anomaly group is received by the processing device as an input from a system expert during training of a model of a historical message stream;
  - upon determining that the default message anomaly score of the status message corresponds to the message anomaly group having the custom message anomaly score, adding the custom message anomaly score to an interval anomaly score for the interval; and
  - upon determining that the default message anomaly score of the status message does not correspond to the message anomaly group having the custom message anomaly score, adding the default message anomaly score of the status message to the interval anomaly score for the interval;
- identifying a priority level of the interval by comparing the interval anomaly score to one or more priority level cutoffs, wherein the one or more priority level cutoffs are established based on the trained model; and
- generating an alert for the selected plurality of status messages of the interval only when the identified priority level of the interval meets the one or more priority level cutoffs based on the comparison, wherein the alert flags the interval such that only the selected plurality of status messages of the message stream are transmitted to the system expert.
View Dependent Claims (2, 3)

4. A computer program product for identifying unusual activity in an IT system based on user configurable message anomaly scoring, the computer program product comprising:
a non-transitory storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing a method comprising:
- receiving a message stream for the IT system;
- selecting a plurality of status messages from the message stream that correspond to an interval of time;
- determining a default message anomaly score for each status message of the plurality of the status messages of the interval, wherein the default message anomaly scores are generated by IT equipment of the IT system and are included in the plurality of status messages received from the IT equipment;
- calculating an interval anomaly score for the interval by at least performing the following for each status message of the plurality of status messages of the interval:
  - determining whether the default message anomaly score of the status message corresponds to a message anomaly group comprising a custom scoring group having a custom message anomaly score, wherein the custom message anomaly score of the message anomaly group is received as an input from a system expert during training of a model of a historical message stream;
  - upon determining that the default message anomaly score of the status message corresponds to the message anomaly group having the custom message anomaly score, adding the custom message anomaly score to an interval anomaly score for the interval; and
  - upon determining that the default message anomaly score of the status message does not correspond to the message anomaly group having the custom message anomaly score, adding the default message anomaly score of the status message to the interval anomaly score for the interval;
- identifying a priority level of the interval by comparing the interval anomaly score to one or more priority level cutoffs, wherein the one or more priority level cutoffs are established based on the trained model; and
- generating an alert for the selected plurality of status messages of the interval only when the identified priority level of the interval meets the one or more priority level cutoffs based on the comparison, wherein the alert flags the interval such that only the selected plurality of status messages of the message stream are transmitted to the system expert.
View Dependent Claims (5, 6)

7. A system for identifying unusual activity in an information technology (IT) system based on user configurable message anomaly scoring, comprising:
a processor in communication with one or more types of memory, the processor configured to:
- receive a message stream for the IT system;
- select a plurality of status messages from the message stream that correspond to an interval of time;
- determine a default message anomaly score for each status message of the plurality of the status messages of the interval, wherein the default message anomaly scores are generated by IT equipment of the IT system and are included in the plurality of status messages received from the IT equipment;
- calculate an interval anomaly score for the interval by at least performing the following for each status message of the plurality of status messages of the interval:
  - determining whether the default message anomaly score of the status message corresponds to a message anomaly group comprising a custom scoring group having a custom message anomaly score, wherein the custom message anomaly score of the message anomaly group is received as an input from a system expert during training of a model of a historical message stream;
  - upon determining that the default message anomaly score of the status message corresponds to the message anomaly group having the custom message anomaly score, adding the custom message anomaly score to an interval anomaly score for the interval; and
  - upon determining that the default message anomaly score of the status message does not correspond to the message anomaly group having the custom message anomaly score, adding the default message anomaly score of the status message to the interval anomaly score for the interval;
- identify a priority level of the interval by comparing the interval anomaly score to one or more priority level cutoffs; and
- generate an alert for the selected plurality of status messages of the interval only when the identified priority level of the interval meets the one or more priority level cutoffs based on the comparison, wherein the alert flags the interval such that only the selected plurality of status messages of the message stream are transmitted to the system expert.
View Dependent Claims (8, 9)
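The scoring procedure recited in claims 1, 4 and 7 (and summarised in the abstract) is small enough to show end to end. The following is an added illustration, not code from the patent or its assignee: it takes a stream of equipment-generated status messages, selects those in a time window, overrides each default score with the expert's custom score when the default falls in a custom scoring group, sums the interval, derives priority cutoffs from historical interval scores, and emits an alert carrying only that interval's messages. Everything concrete here is an assumption: the message fields, the choice to define a custom scoring group as a range of default scores, the percentile-based cutoff derivation, the priority names, and all sample data.

```python
"""Added worked example of user-configurable message anomaly scoring.

Not the patent's own code. Field names, the range-based definition of a
custom scoring group, and the percentile cutoffs are assumptions made for
illustration; all sample data is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class StatusMessage:
    """A status message as received from the IT equipment (assumed fields)."""
    timestamp: int        # seconds since an arbitrary epoch (constructed)
    message_id: str       # message identifier (constructed placeholder)
    default_score: float  # anomaly score generated by the equipment itself


@dataclass(frozen=True)
class CustomScoringGroup:
    """Expert input from training: default scores in [low, high] are replaced
    by custom_score when summed into the interval. (Range keying is assumed.)"""
    low: float
    high: float
    custom_score: float


def select_interval(stream: Sequence[StatusMessage], start: int, end: int) -> List[StatusMessage]:
    """Select the messages whose timestamps fall in the half-open window [start, end)."""
    return [m for m in stream if start <= m.timestamp < end]


def message_score(msg: StatusMessage, groups: Sequence[CustomScoringGroup]) -> float:
    """Custom score if the default score corresponds to a group, else the default."""
    for g in groups:
        if g.low <= msg.default_score <= g.high:
            return g.custom_score
    return msg.default_score


def interval_anomaly_score(msgs: Sequence[StatusMessage], groups: Sequence[CustomScoringGroup]) -> float:
    """Interval score: the sum of the per-message (default or custom) scores."""
    return sum(message_score(m, groups) for m in msgs)


def derive_cutoffs(historical_interval_scores: Sequence[float],
                   levels: Sequence[Tuple[float, str]] = ((0.90, "MEDIUM"), (0.99, "HIGH"))
                   ) -> List[Tuple[float, str]]:
    """Priority cutoffs 'based on the trained model': here, chosen percentiles of
    interval scores computed over a historical stream (percentile choice assumed)."""
    ordered = sorted(historical_interval_scores)
    last = len(ordered) - 1
    return [(ordered[min(last, int(round(pct * last)))], name) for pct, name in levels]


def priority_level(score: float, cutoffs: Sequence[Tuple[float, str]]) -> Optional[str]:
    """Highest priority whose cutoff the score meets, or None if no cutoff is met."""
    level = None
    for threshold, name in sorted(cutoffs):
        if score >= threshold:
            level = name
    return level


def evaluate_interval(stream: Sequence[StatusMessage], start: int, end: int,
                      groups: Sequence[CustomScoringGroup],
                      cutoffs: Sequence[Tuple[float, str]]
                      ) -> Tuple[float, Optional[str], List[StatusMessage]]:
    """Score one interval and alert only when a cutoff is met; the alert carries
    just the selected messages of that interval, not the whole stream."""
    msgs = select_interval(stream, start, end)
    score = interval_anomaly_score(msgs, groups)
    level = priority_level(score, cutoffs)
    alert_messages = list(msgs) if level is not None else []
    return score, level, alert_messages


# --- Constructed sample data (not from the patent) -------------------------
SAMPLE_STREAM = [
    StatusMessage(0, "MSG001", 0.25),
    StatusMessage(10, "MSG002", 0.5),
    StatusMessage(65, "MSG003", 0.5),
    StatusMessage(70, "MSG004", 0.875),   # equipment rates this only 0.875 ...
    StatusMessage(75, "MSG004", 0.875),
    StatusMessage(125, "MSG001", 0.25),
]
# ... but the expert decided during training that anything the equipment
# scores in [0.85, 1.0] is worth 5.0 in this environment.
GROUPS = [CustomScoringGroup(low=0.85, high=1.0, custom_score=5.0)]
# Interval scores observed while training on the historical stream (constructed).
HISTORICAL_INTERVAL_SCORES = [0.5, 0.75, 0.25, 1.0, 0.5, 0.75, 0.25, 1.25, 2.0, 4.0]
CUTOFFS = derive_cutoffs(HISTORICAL_INTERVAL_SCORES)

if __name__ == "__main__":
    for start in (0, 60, 120):
        score, level, alert = evaluate_interval(SAMPLE_STREAM, start, start + 60, GROUPS, CUTOFFS)
        print(f"[{start:>3},{start + 60:>3}) score={score:<5} priority={level} "
              f"forwarded={[m.message_id for m in alert]}")
```

The quiet intervals sum to 0.75 and 0.25 and produce no alert, while the window containing two MSG004 messages sums to 10.5 rather than 1.875 because the custom group overrides the equipment's default, crosses the HIGH cutoff, and forwards exactly its three messages. Two properties are worth checking in a real deployment: custom groups should not overlap (the first match wins here), and the cutoffs should be recomputed whenever the custom scores change, since the historical interval scores they are derived from depend on those same overrides.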
Specification