Machine-learning based anomaly detection for heterogenous data sources

US 10,459,827 B1
Filed: 03/22/2016
Issued: 10/29/2019
Est. Priority Date: 03/22/2016
Status: Active Grant

First Claim

Patent Images

1. An anomaly detection computing system, the system comprising:

a host application computing system including one or more hardware processors and in electronic communication with an anomaly detection server, the one or more hardware processors of the host application computing system configured to execute computer-readable instructions that configure the host application computing system to execute and host instances of a game application and establish gameplay sessions with a plurality of users;

a host data store configured to store host application data associated with operation of the host application computing system, wherein the host application data comprises a plurality of data sets, wherein individual data sets of the plurality of data sets are associated with operations executed by the host application computing system for operation of aspects of the game application;

the anomaly detection server comprising one or more hardware processors and in electronic communication with the host application computing system, the one or more hardware processors of the anomaly detection server configured to execute computer-readable instructions that configure the anomaly detection server to;

communicate with the host application computing system and aggregate the host application data received from the host application computing system, wherein the host application data comprises a data table including the plurality of data sets associated with one or more aspects of operation of the host application computing system;

for each data set of the plurality of data sets within the data table,identify a first anomaly detection node of a hierarchical anomaly detection model for analysis of a data set of the plurality of data sets, wherein the hierarchical anomaly detection model is generated based, at least in part on, historical data associated with the host application computing system, the hierarchical anomaly detection model comprises a base detection model and a plurality of data set specific models, each data set specific model generated from the base detection model for a specific data set, each data set specific model having a plurality of anomaly detection nodes, wherein each detection node is associated with one or more conditional modifiers, wherein the first anomaly detection node is identified based at least in part on a presence of conditional data matching the one or more conditional modifiers associated with the first anomaly detection node;

determine an anomaly detection score associated with the data set based, at least in part, on an application of the first anomaly detection node of the hierarchical anomaly detection model to the data set;

determine an aggregate anomaly detection score for the data table based at least in part on the anomaly detection scores associated with each data set of the plurality of data sets within the data table;

determine whether the aggregate anomaly detection score exceeds an anomaly detection threshold, wherein the anomaly detection threshold is determined based, at least in part, on a trust level associated with the host application computing system; and

in response to determining that the aggregate anomaly detection score exceeds the anomaly detection threshold, generate an anomaly event, and generate instructions to perform an anomaly event action for the anomaly event associated with the anomaly detection threshold.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of an automated anomaly detection system are disclosed that can detect anomalous data from heterogeneous data sources. The anomaly detection system can provide an automated system that identifies data anomalies within data sets received from application host systems. The anomaly detection system may identify patterns using machine learning based on data set characteristics associated with the each data set. The anomaly detection system may generate a model that can be applied to existing data sets received from the application host systems in order to automatically identify anomalous data sets. The anomaly detection system may automatically identify the anomalous data sets and implement appropriate actions based on the determination.

124 Citations

View as Search Results

20 Claims

1. An anomaly detection computing system, the system comprising:
- a host application computing system including one or more hardware processors and in electronic communication with an anomaly detection server, the one or more hardware processors of the host application computing system configured to execute computer-readable instructions that configure the host application computing system to execute and host instances of a game application and establish gameplay sessions with a plurality of users;
  
  a host data store configured to store host application data associated with operation of the host application computing system, wherein the host application data comprises a plurality of data sets, wherein individual data sets of the plurality of data sets are associated with operations executed by the host application computing system for operation of aspects of the game application;
  
  the anomaly detection server comprising one or more hardware processors and in electronic communication with the host application computing system, the one or more hardware processors of the anomaly detection server configured to execute computer-readable instructions that configure the anomaly detection server to;
  
  communicate with the host application computing system and aggregate the host application data received from the host application computing system, wherein the host application data comprises a data table including the plurality of data sets associated with one or more aspects of operation of the host application computing system;
  
  for each data set of the plurality of data sets within the data table,identify a first anomaly detection node of a hierarchical anomaly detection model for analysis of a data set of the plurality of data sets, wherein the hierarchical anomaly detection model is generated based, at least in part on, historical data associated with the host application computing system, the hierarchical anomaly detection model comprises a base detection model and a plurality of data set specific models, each data set specific model generated from the base detection model for a specific data set, each data set specific model having a plurality of anomaly detection nodes, wherein each detection node is associated with one or more conditional modifiers, wherein the first anomaly detection node is identified based at least in part on a presence of conditional data matching the one or more conditional modifiers associated with the first anomaly detection node;
  
  determine an anomaly detection score associated with the data set based, at least in part, on an application of the first anomaly detection node of the hierarchical anomaly detection model to the data set;
  
  determine an aggregate anomaly detection score for the data table based at least in part on the anomaly detection scores associated with each data set of the plurality of data sets within the data table;
  
  determine whether the aggregate anomaly detection score exceeds an anomaly detection threshold, wherein the anomaly detection threshold is determined based, at least in part, on a trust level associated with the host application computing system; and
  
  in response to determining that the aggregate anomaly detection score exceeds the anomaly detection threshold, generate an anomaly event, and generate instructions to perform an anomaly event action for the anomaly event associated with the anomaly detection threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The anomaly detection computing system of claim 1, wherein the anomaly event action is to transmit an anomaly event report to at least one subscriber associated with the data set, wherein the anomaly event report comprises the anomaly detection score and data associated with the anomaly event.
  - 3. The anomaly detection computing system of claim 2, wherein the anomaly event report comprises predictive information identifying one or more likely problems that caused the anomaly event, wherein the predictive information is based at least in part on historical information.
  - 4. The anomaly detection computing system of claim 1, wherein the computer-readable instructions of the anomaly detection server are further configured to identify a category associated with the anomaly event.
  - 5. The anomaly detection computing system of claim 1, wherein the computer-readable instructions of the anomaly detection server are further configured to provide instructions to a user computing device for generation of a graphical user interface configured to display information associated with anomaly detection analysis.
  - 6. The anomaly detection computing system of claim 5, wherein the graphical user interface comprises at least one user interface element configured to receive feedback from a user indicating whether the anomaly event was correctly identified.
  - 7. The anomaly detection computing system of claim 1, wherein the hierarchical anomaly detection model identified for a first data set of the plurality of data sets is different than a second anomaly detection model identified for a second data set of the plurality of data sets.
  - 8. The anomaly detection computing system of claim 1, wherein the first anomaly detection node of the hierarchical anomaly detection model is identified based, at least in part, on contextual information associated with the data set, wherein the contextual information identifies one or more conditional identifiers associated with the data set.
  - 9. The anomaly detection computing system of claim 1, wherein the hierarchical anomaly detection model is generated using machine learning techniques.
  - 10. The anomaly detection computing system of claim 1, wherein the computer-readable instructions of the anomaly detection server are further configured to communicate with the application host computing system using a first application programming interface, and communicate with an application host computing system using a second application programming interface.

11. An anomaly detection method comprising:
- communicating with a host application computing system, wherein the host application computing system is configured to execute and host instances of a game application and establish gameplay sessions with a plurality of users;
  
  aggregating host application data received from the host application computing system, wherein the host application data comprises a data table including a first plurality of data sets associated with one or more aspects of operation of the host application computing system;
  
  for each data set of the first plurality of data sets within the data table,identifying a first anomaly detection node of a hierarchical anomaly detection model for analysis of a data set of the first plurality of data sets, wherein the hierarchical anomaly detection model is generated based, at least in part on, historical data associated with the host application computing system, the hierarchical anomaly detection model comprises a base detection model and a plurality of data set specific models, each data set specific model generated from the base detection model for a specific data set, each data set specific model having a plurality of anomaly detection nodes, wherein each detection node is associated with one or more conditional modifiers, wherein the first anomaly detection node is identified based at least in part on a presence of conditional data matching the one or more conditional modifiers associated with the first anomaly detection node;
  
  determining an anomaly detection score associated with the data set based, at least in part, on an application of the first anomaly detection node of the hierarchical anomaly detection model to the data set;
  
  determining an aggregate anomaly detection score for the data table based at least in part on the anomaly detection scores associated with each of the first plurality of data sets within the data table;
  
  determining whether the aggregate anomaly detection score exceeds an anomaly detection threshold, wherein the anomaly detection threshold is determined based, at least in part, on a trust level associated with the host application computing system;
  
  in response to determining that the aggregate anomaly detection score exceeds the anomaly detection threshold,generating an anomaly event; and
  
  generating instructions to perform an anomaly event action for the anomaly event associated with the anomaly detection threshold.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The anomaly detection method of claim 11, wherein performing the anomaly event action comprises transmitting an anomaly event report to at least one subscriber associated with the data set, wherein the anomaly event report comprises the anomaly detection score and data associated with the anomaly event.
  - 13. The anomaly detection method of claim 12, wherein the anomaly event report comprises predictive information identifying one or more likely problems that caused the anomaly event, wherein the predictive information is based at least in part on historical information.
  - 14. The anomaly detection method of claim 11 further comprising providing instructions to a user computing device for generation of a graphical user interface configured to display information associated with anomaly detection analysis.
  - 15. The anomaly detection method of claim 14 further comprising receiving feedback through the graphical user interface indicating whether the anomaly event was correctly identified.
  - 16. The anomaly detection system of claim 11, wherein identifying the first anomaly detection node of the hierarchical anomaly detection model is further based, at least in part, on contextual information associated the data set, wherein the contextual information identifies one or more conditional identifiers associated with the data set.

17. A non-transitory computer readable medium comprising computer-executable instructions for anomaly detection that, when executed by a computing system, cause the computing system to:
- communicate with a host application computing system, wherein the host application computing system configured to execute and host instances of a game application and establish gameplay sessions with a plurality of users;
  
  aggregate host application data received from the host application computing system, wherein the host application data comprises a data table including a first plurality of data sets associated with one or more aspects of operation of the host application computing system;
  
  for each data set of the first plurality of data sets within the data table,identify a first anomaly detection node of a hierarchical anomaly detection model for analysis of a data set of the first plurality of data sets, wherein the hierarchical anomaly detection model is generated based, at least in part on, historical data associated with the host application computing system, the hierarchical anomaly detection model comprises a base detection model and a plurality of data set specific models, each data set specific model generated from the base detection model for a specific data set, each data set specific model having a plurality of anomaly detection nodes, wherein each detection node is associated with one or more conditional modifiers, wherein the first anomaly detection node is identified based at least in part on a presence of conditional data matching the one or more conditional modifiers associated with the first anomaly detection node;
  
  determine an anomaly detection score associated with the data set based, at least in part, on an application of the first anomaly detection node of the hierarchical anomaly detection model to the data set;
  
  determine an aggregate anomaly detection score for the data table based at least in part on the anomaly detection scores associated with each of the first plurality of data sets within the data table;
  
  determine whether the aggregate anomaly detection score exceeds an anomaly detection threshold, wherein the anomaly detection threshold is determined based, at least in part, on a trust level associated with the host application computing system;
  
  in response to determining that the aggregate anomaly detection score exceeds the anomaly detection threshold, generate an anomaly event; and
  
  generate instructions to perform an anomaly event action for the anomaly event associated with the anomaly detection threshold.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer readable medium of claim 17, wherein the computer-executable instructions further configure the computing system to provide instructions to a user computing device for generation of a graphical user interface configured to display information associated with anomaly detection analysis.
  - 19. The non-transitory computer readable medium of claim 18, wherein the computer-executable instructions further configure the computing system to receive feedback through the graphical user interface indicating whether the anomaly event was correctly identified.
  - 20. The non-transitory computer readable medium of claim 17, wherein the computer-executable instructions further configure the computing system to transmit an anomaly alert to one or more subscribers associated with the data table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronic Arts Incorporated
Original Assignee
Electronic Arts Incorporated
Inventors
Aghdaie, Navid, Kolen, John, Mattar, Mohamed Marwan, Sardari, Mohsen, Xue, Su, Zaman, Kazi Atif-Uz
Primary Examiner(s)
Kang, Insun

Application Number

US15/077,791
Time in Patent Office

1,316 Days
Field of Search

None
US Class Current
CPC Class Codes

A63F 13/67   adaptively or by learning f...

A63F 13/70   Game security or game manag...

A63F 2300/535   for monitoring, e.g. of use...

G06F 11/0751   Error or fault detection no...

G06F 11/0766   Error or fault reporting or...

G06F 11/3006   where the computing system ...

G06F 11/3055   Monitoring arrangements for...

G06F 11/3409   for performance assessment

G06F 11/3672   Test management

G06F 2201/81   Threshold

G06N 20/00   Machine learning

G06N 20/20   Ensemble learning

G06N 3/044   Recurrent networks, e.g. Ho...

G06N 3/047   Probabilistic or stochastic...

G06N 5/01   Dynamic search techniques; ...

G06N 5/025   Extracting rules from data

G06N 7/01   Probabilistic graphical mod...

Machine-learning based anomaly detection for heterogenous data sources

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

124 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Machine-learning based anomaly detection for heterogenous data sources

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

124 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links