Detecting anomalous states of machines

US 10,360,093 B2
Filed: 11/18/2015
Issued: 07/23/2019
Est. Priority Date: 11/18/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for implementation by one or more data processors forming part of at least one computing device to facilitate detection and avoidance of undesirable system states of a system, the method comprising:

monitoring, by the one or more data processors, states of the system, the system comprising a plurality of components, the states of the system having state types and determined based on data instances of the plurality of components and/or the system, the data instances comprising machine-log-lines;

receiving, by the one or more data processors, data instance groups representative of the states of the system, the data instance groups comprising one or more data instances associated with a state of the system and having time information;

identifying, by the one or more data processors, a representative data instance for each data instance group;

determining, by the one or more data processors, a sequence of state transitions based on the representative data instances and the time information, wherein each element of the sequence comprises a data instance group identifier and a data instance identifier;

determining, based on the sequence of state transitions, by the one or more data processors, a distribution of state types within the data instance groups to identify infrequent state types;

translating, by the one or more data processors, the sequence of state transitions into feature vectors, wherein the feature vectors comprise a first feature vector indicating a starting state of the sequence and a second feature vector indicating a time for the transition between a first state and a second state of the sequence, wherein each feature vector is associated with one or more feature classes;

calculating, by the one or more data processors, a feature score for each feature vector based on kernel density estimation;

determining, by the one or more data processors, a feature class score for individual feature classes of the one or more feature classes, the feature class score comprising a sum of feature scores having the same feature class;

calculating, by the one or more data processors, a sequence anomaly score based on the feature class scores across the sequence of state transitions, the sequence anomaly score indicating a likelihood of a rare state and/or rare sequence;

identifying, based on sequence anomaly scores, by the one or more data processors, rare states and/or rare sequences, wherein rare sequences include sequences of data instance groups that occur prior to an occurrence of a state having an infrequent state type; and

providing, by the one or more data processors and in response to identifying the rare states and/or rare sequences, a notification of the occurrence of a rare sequence on the system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The state of a system is determined in which data sets are generated that include a plurality of data instances representing states of one or more components of a computer system. The data instances generated by one or more data set sources that are configured to output a data instance in response to a trigger associated with the one or more components. The data instances are normalized by the application of one or more rules. The data instances from individual data set sources are separately collated to generate groups of time-specific collated data instances. State types may be assigned to each of the collated data instance groups. Distributions of state-types across the groups may be determined and a list of infrequent state-types may be generated based on the determined distributions of state-types across the groups.

Citations

19 Claims

1. A computer-implemented method for implementation by one or more data processors forming part of at least one computing device to facilitate detection and avoidance of undesirable system states of a system, the method comprising:
- monitoring, by the one or more data processors, states of the system, the system comprising a plurality of components, the states of the system having state types and determined based on data instances of the plurality of components and/or the system, the data instances comprising machine-log-lines;
  
  receiving, by the one or more data processors, data instance groups representative of the states of the system, the data instance groups comprising one or more data instances associated with a state of the system and having time information;
  
  identifying, by the one or more data processors, a representative data instance for each data instance group;
  
  determining, by the one or more data processors, a sequence of state transitions based on the representative data instances and the time information, wherein each element of the sequence comprises a data instance group identifier and a data instance identifier;
  
  determining, based on the sequence of state transitions, by the one or more data processors, a distribution of state types within the data instance groups to identify infrequent state types;
  
  translating, by the one or more data processors, the sequence of state transitions into feature vectors, wherein the feature vectors comprise a first feature vector indicating a starting state of the sequence and a second feature vector indicating a time for the transition between a first state and a second state of the sequence, wherein each feature vector is associated with one or more feature classes;
  
  calculating, by the one or more data processors, a feature score for each feature vector based on kernel density estimation;
  
  determining, by the one or more data processors, a feature class score for individual feature classes of the one or more feature classes, the feature class score comprising a sum of feature scores having the same feature class;
  
  calculating, by the one or more data processors, a sequence anomaly score based on the feature class scores across the sequence of state transitions, the sequence anomaly score indicating a likelihood of a rare state and/or rare sequence;
  
  identifying, based on sequence anomaly scores, by the one or more data processors, rare states and/or rare sequences, wherein rare sequences include sequences of data instance groups that occur prior to an occurrence of a state having an infrequent state type; and
  
  providing, by the one or more data processors and in response to identifying the rare states and/or rare sequences, a notification of the occurrence of a rare sequence on the system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The computer-implemented method of claim 1, wherein the feature vectors are represented as strings.
  - 3. The computer-implemented method of claim 1 wherein the feature vectors are represented as numerical values.
  - 4. The computer-implemented method of claim 1, wherein the data instance groups include attribute information associated with the state of a machine.
  - 5. The computer-implemented method of claim 1, wherein translating the sequence of state transitions into feature vectors comprises:
    - generating machine-state transition features associated with the sequence of state transitions for inclusion in the feature vectors.
  - 6. The computer-implemented method of claim 5, further comprising:
    - assigning feature scores to the machine-state transition features; and
      
      ,combining feature scores of the machine-state transition features having a same feature class.
  - 7. The computer-implemented method of claim 6, further comprising:
    - generating a model showing a frequency of occurrence of the combined feature scores for one or more feature classes.
  - 8. The computer-implemented method of claim 7, wherein the model is a graphical illustration.
  - 9. The computer-implemented method of claim 5, further comprising:
    - generating a graphical illustration or model showing a frequency of occurrence of the sequence of state transitions.
  - 10. The computer-implemented method of claim 1, wherein the feature vectors include a starting state of the sequence of state transitions.
  - 11. The computer-implemented method of claim 1, wherein the feature vectors include a proportion of a state within a sequence of states.
  - 12. The computer-implemented method of claim 1, wherein the feature vectors include an indication of a time for a transition between a first state and a second state of the sequence of state transitions.
  - 13. The computer-implemented method of claim 1, wherein the feature vectors include an indication of a number of data instance groups required to transition from a first state to a second state.
  - 14. The computer-implemented method of claim 1, where in the data instance groups are generated through a process comprising:
    - receiving data sets that include a plurality of data instances representing states of one or more components of a system, the data instances being generated by one or more separate data set sources that are configured to output a data instance in response to a trigger associated with the one or more components and having associated time information;
      
      normalizing the data instances of the data sets by applying one or more rules to the data instances; and
      
      ,separately collating the data instances of the data sets from individual data set sources across individual time elements to generate groups of time-element-specific collated data instances.
  - 15. The computer-implemented method of claim 14, wherein normalizing the data instances of the data sets comprises:
    - determining a relationship between observed states and unobserved states of the system.
  - 16. The computer-implemented method of claim 14, wherein the data instance groups include data instances representative of machine-log-lines.
  - 17. The computer-implemented method of claim 14, wherein the data sets include machine logs and the data instances include machine-log-lines.
  - 18. The computer-implemented method of claim 1, wherein the sequence anomaly score is based on the severity of an issue caused by a particular state and/or based on the frequency of a particular state.

19. A system capable of detecting anomalous states of the system, comprising:
- at least one programmable processor; and
  
  ,a non-transitory storage medium readable by at the least one processor and storing instructions which, when executed by the at least one programmable processor, implement operations comprising;
  
  monitoring states of a machine comprising a plurality of components, the states of the machine having state types and determined based on data instances of the plurality of components and/or the system, the data instances comprising machine-log-lines;
  
  receiving data instance groups representative of the states of the system, the data instance groups comprising one or more data instances associated with a state of the system and having time information;
  
  identifying a representative data instance for a data instance group;
  
  determining a sequence of state transitions based on the representative data instances and the time information, wherein an element of the sequence comprises a data instance group identifier and a data instance identifier;
  
  determining, based on the sequence of state transitions, a distribution of state types within the data instance groups to identify infrequent state types;
  
  translating the sequence of state transitions into feature vectors, wherein the feature vectors comprise a first feature vector indicating a starting state of the sequence and a second feature vector indicating a time for the transition between a first state and a second state of the sequence, wherein a feature vector is associated with one or more feature classes;
  
  calculating a feature score for the feature vector based on kernel density estimation;
  
  determining a feature class score for individual feature classes of the one or more feature classes, the feature class score comprising a sum of feature scores having the same feature class;
  
  calculating a sequence anomaly score based on the feature class scores across the sequence of state transitions, the sequence anomaly score indicating a likelihood of a rare state and/or rare sequence;
  
  identifying, based on sequence anomaly scores, rare states and/or rare sequences, wherein rare sequences include sequences of data instance groups that occur prior to an occurrence of a state having an infrequent state type; and
  
  providing, in response to identifying the rare states and/or rare sequences, a notification of the occurrence of a rare sequence on the machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fair Isaac Corporation
Original Assignee
Fair Isaac Corporation
Inventors
Rahman, Shafi Ur, Gupta, Ashish
Primary Examiner(s)
Mehrmanesh, Elmira

Application Number

US14/944,928
Publication Number

US 20170139760A1
Time in Patent Office

1,343 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/008   Reliability or availability...

G06F 11/0709   in a distributed system con...

G06F 11/0751   Error or fault detection no...

G06F 11/0772   Means for error signaling, ...

G06F 11/079   Root cause analysis, i.e. e...

G06F 11/3065   Monitoring arrangements det...

G06F 11/3447   Performance evaluation by m...

G06F 11/3495   for systems

G06F 16/285   Clustering or classification

Detecting anomalous states of machines

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting anomalous states of machines

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links