Machine-learning based anomaly detection for heterogenous data sources
First Claim
1. An anomaly detection computing system, the system comprising:
- a host application computing system including one or more hardware processors and in electronic communication with an anomaly detection server, the one or more hardware processors of the host application computing system configured to execute computer-readable instructions that configure the host application computing system to execute and host instances of a game application and establish gameplay sessions with a plurality of users;
a host data store configured to store host application data associated with operation of the host application computing system, wherein the host application data comprises a plurality of data sets, wherein individual data sets of the plurality of data sets are associated with operations executed by the host application computing system for operation of aspects of the game application;
the anomaly detection server comprising one or more hardware processors and in electronic communication with the host application computing system, the one or more hardware processors of the anomaly detection server configured to execute computer-readable instructions that configure the anomaly detection server to;
communicate with the host application computing system and aggregate the host application data received from the host application computing system, wherein the host application data comprises a data table including the plurality of data sets associated with one or more aspects of operation of the host application computing system;
for each data set of the plurality of data sets within the data table,identify a first anomaly detection node of a hierarchical anomaly detection model for analysis of a data set of the plurality of data sets, wherein the hierarchical anomaly detection model is generated based, at least in part on, historical data associated with the host application computing system, the hierarchical anomaly detection model comprises a base detection model and a plurality of data set specific models, each data set specific model generated from the base detection model for a specific data set, each data set specific model having a plurality of anomaly detection nodes, wherein each detection node is associated with one or more conditional modifiers, wherein the first anomaly detection node is identified based at least in part on a presence of conditional data matching the one or more conditional modifiers associated with the first anomaly detection node;
determine an anomaly detection score associated with the data set based, at least in part, on an application of the first anomaly detection node of the hierarchical anomaly detection model to the data set;
determine an aggregate anomaly detection score for the data table based at least in part on the anomaly detection scores associated with each data set of the plurality of data sets within the data table;
determine whether the aggregate anomaly detection score exceeds an anomaly detection threshold, wherein the anomaly detection threshold is determined based, at least in part, on a trust level associated with the host application computing system; and
in response to determining that the aggregate anomaly detection score exceeds the anomaly detection threshold, generate an anomaly event, and generate instructions to perform an anomaly event action for the anomaly event associated with the anomaly detection threshold.
6 Assignments
0 Petitions
Accused Products
Abstract
Embodiments of an automated anomaly detection system are disclosed that can detect anomalous data from heterogeneous data sources. The anomaly detection system can provide an automated system that identifies data anomalies within data sets received from application host systems. The anomaly detection system may identify patterns using machine learning based on data set characteristics associated with the each data set. The anomaly detection system may generate a model that can be applied to existing data sets received from the application host systems in order to automatically identify anomalous data sets. The anomaly detection system may automatically identify the anomalous data sets and implement appropriate actions based on the determination.
124 Citations
20 Claims
-
1. An anomaly detection computing system, the system comprising:
-
a host application computing system including one or more hardware processors and in electronic communication with an anomaly detection server, the one or more hardware processors of the host application computing system configured to execute computer-readable instructions that configure the host application computing system to execute and host instances of a game application and establish gameplay sessions with a plurality of users; a host data store configured to store host application data associated with operation of the host application computing system, wherein the host application data comprises a plurality of data sets, wherein individual data sets of the plurality of data sets are associated with operations executed by the host application computing system for operation of aspects of the game application; the anomaly detection server comprising one or more hardware processors and in electronic communication with the host application computing system, the one or more hardware processors of the anomaly detection server configured to execute computer-readable instructions that configure the anomaly detection server to; communicate with the host application computing system and aggregate the host application data received from the host application computing system, wherein the host application data comprises a data table including the plurality of data sets associated with one or more aspects of operation of the host application computing system; for each data set of the plurality of data sets within the data table, identify a first anomaly detection node of a hierarchical anomaly detection model for analysis of a data set of the plurality of data sets, wherein the hierarchical anomaly detection model is generated based, at least in part on, historical data associated with the host application computing system, the hierarchical anomaly detection model comprises a base detection model and a plurality of data set specific models, each data set specific model generated from the base detection model for a specific data set, each data set specific model having a plurality of anomaly detection nodes, wherein each detection node is associated with one or more conditional modifiers, wherein the first anomaly detection node is identified based at least in part on a presence of conditional data matching the one or more conditional modifiers associated with the first anomaly detection node; determine an anomaly detection score associated with the data set based, at least in part, on an application of the first anomaly detection node of the hierarchical anomaly detection model to the data set; determine an aggregate anomaly detection score for the data table based at least in part on the anomaly detection scores associated with each data set of the plurality of data sets within the data table; determine whether the aggregate anomaly detection score exceeds an anomaly detection threshold, wherein the anomaly detection threshold is determined based, at least in part, on a trust level associated with the host application computing system; and in response to determining that the aggregate anomaly detection score exceeds the anomaly detection threshold, generate an anomaly event, and generate instructions to perform an anomaly event action for the anomaly event associated with the anomaly detection threshold. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. An anomaly detection method comprising:
-
communicating with a host application computing system, wherein the host application computing system is configured to execute and host instances of a game application and establish gameplay sessions with a plurality of users; aggregating host application data received from the host application computing system, wherein the host application data comprises a data table including a first plurality of data sets associated with one or more aspects of operation of the host application computing system; for each data set of the first plurality of data sets within the data table, identifying a first anomaly detection node of a hierarchical anomaly detection model for analysis of a data set of the first plurality of data sets, wherein the hierarchical anomaly detection model is generated based, at least in part on, historical data associated with the host application computing system, the hierarchical anomaly detection model comprises a base detection model and a plurality of data set specific models, each data set specific model generated from the base detection model for a specific data set, each data set specific model having a plurality of anomaly detection nodes, wherein each detection node is associated with one or more conditional modifiers, wherein the first anomaly detection node is identified based at least in part on a presence of conditional data matching the one or more conditional modifiers associated with the first anomaly detection node; determining an anomaly detection score associated with the data set based, at least in part, on an application of the first anomaly detection node of the hierarchical anomaly detection model to the data set; determining an aggregate anomaly detection score for the data table based at least in part on the anomaly detection scores associated with each of the first plurality of data sets within the data table; determining whether the aggregate anomaly detection score exceeds an anomaly detection threshold, wherein the anomaly detection threshold is determined based, at least in part, on a trust level associated with the host application computing system; in response to determining that the aggregate anomaly detection score exceeds the anomaly detection threshold, generating an anomaly event; and generating instructions to perform an anomaly event action for the anomaly event associated with the anomaly detection threshold. - View Dependent Claims (12, 13, 14, 15, 16)
-
-
17. A non-transitory computer readable medium comprising computer-executable instructions for anomaly detection that, when executed by a computing system, cause the computing system to:
-
communicate with a host application computing system, wherein the host application computing system configured to execute and host instances of a game application and establish gameplay sessions with a plurality of users; aggregate host application data received from the host application computing system, wherein the host application data comprises a data table including a first plurality of data sets associated with one or more aspects of operation of the host application computing system; for each data set of the first plurality of data sets within the data table, identify a first anomaly detection node of a hierarchical anomaly detection model for analysis of a data set of the first plurality of data sets, wherein the hierarchical anomaly detection model is generated based, at least in part on, historical data associated with the host application computing system, the hierarchical anomaly detection model comprises a base detection model and a plurality of data set specific models, each data set specific model generated from the base detection model for a specific data set, each data set specific model having a plurality of anomaly detection nodes, wherein each detection node is associated with one or more conditional modifiers, wherein the first anomaly detection node is identified based at least in part on a presence of conditional data matching the one or more conditional modifiers associated with the first anomaly detection node; determine an anomaly detection score associated with the data set based, at least in part, on an application of the first anomaly detection node of the hierarchical anomaly detection model to the data set; determine an aggregate anomaly detection score for the data table based at least in part on the anomaly detection scores associated with each of the first plurality of data sets within the data table; determine whether the aggregate anomaly detection score exceeds an anomaly detection threshold, wherein the anomaly detection threshold is determined based, at least in part, on a trust level associated with the host application computing system; in response to determining that the aggregate anomaly detection score exceeds the anomaly detection threshold, generate an anomaly event; and
generate instructions to perform an anomaly event action for the anomaly event associated with the anomaly detection threshold. - View Dependent Claims (18, 19, 20)
-
Specification