Anomaly detection
Abstract
A system such as a Web-based system, in which a plurality of computers interact with each other, is monitored to detect an anomaly online. Transactions of a service provided by each of a plurality of computers to another computer are collected, a matrix of correlations between nodes in the system is calculated from the transactions, and a feature vector representing a node activity balance is obtained from the matrix. The feature vector is monitored using a probability model to detect a transition to an anomalous state.
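The pipeline described in the abstract, as an added sketch that is not code from the patent or its assignee. The node names, call counts, the symmetric call-count matrix, the fixed `THRESHOLD`, and the cosine-based outlier measure (a simplified stand-in for the probability-density estimate the claims name) are all assumptions made for illustration.

```python
import math

NODES = ["web", "app", "db", "cache"]  # constructed node names

def correlation_matrix(calls):
    """Symmetric node matrix from {(caller, callee): count} for one time window."""
    idx = {n: i for i, n in enumerate(NODES)}
    m = [[0.0] * len(NODES) for _ in NODES]
    for (caller, callee), count in calls.items():
        i, j = idx[caller], idx[callee]
        m[i][j] += count
        m[j][i] += count
    return m

def unit(v):
    n = math.sqrt(sum(x * x for x in v))
    if n == 0:
        raise ValueError("window has no transactions")
    return [x / n for x in v]

def activity_vector(m, iters=500):
    """Principal eigenvector of m, found by power iteration on m + shift*I."""
    # The shift keeps the eigenvectors but makes the top eigenvalue dominant;
    # without it, bipartite call graphs (eigenvalues +l and -l) never converge.
    shift = max(sum(row) for row in m)
    v = unit([1.0] * len(m))
    for _ in range(iters):
        v = unit([sum(a * x for a, x in zip(row, v)) + shift * v[i]
                  for i, row in enumerate(m)])
    return v

def outlier_measure(v, baseline):
    """1 - cosine between v and the mean direction of baseline activity vectors."""
    mean = unit([sum(col) / len(baseline) for col in zip(*baseline)])
    return 1.0 - sum(a * b for a, b in zip(v, mean))

# Constructed call counts per monitoring window (not data from the patent).
BASELINE = [
    {("web", "app"): 100, ("app", "db"): 60, ("app", "cache"): 40},
    {("web", "app"): 110, ("app", "db"): 65, ("app", "cache"): 45},
    {("web", "app"): 95, ("app", "db"): 58, ("app", "cache"): 38},
]
NORMAL = {("web", "app"): 105, ("app", "db"): 62, ("app", "cache"): 41}
FAULTY = {("web", "app"): 100, ("app", "db"): 5, ("app", "cache"): 40}
THRESHOLD = 0.01  # assumed cut-off on the outlier measure

def is_fault(calls):
    history = [activity_vector(correlation_matrix(w)) for w in BASELINE]
    score = outlier_measure(activity_vector(correlation_matrix(calls)), history)
    return score, score > THRESHOLD
```

Because the activity vector is normalized, this sketch responds to a shift in the balance of calls between nodes and not to a uniform change in volume: doubling every count in a window leaves its score unchanged.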
33 Claims
1. An anomaly detection system comprising means for monitoring a program for a fault on the basis of a probabilistic model to automatically detect a fault, said program being run through cooperation between computers in a computer system forming a network consisting of a plurality of computers, said anomaly detection system further comprising:
a plurality of computers providing services associated with said program;
an agent device associating and recording transactions with a service, said transactions being processes of said service performed by each of said plurality of computers in response to a call from a program running on another of said plurality of computers; and
an anomaly monitoring server connected to said network, comprising, a transaction collecting section collecting transactions recorded by said agent device from each of said plurality of computers;
a correlation matrix calculating section outputting a node correlation matrix calculated from said transactions collected from each of said plurality of computers;
an activity vector calculating section calculating an activity vector by solving an eigenequation specific to said node correlation matrix;
a probability estimating section estimating the probability of occurrence of said activity vector; and
a fault detecting section calculating an outlier measure of the activity vector from a probability density estimated by said probability estimating section to automatically detect a fault in the program being run through cooperation between said plurality of computers.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 31.
9. An anomaly detection system for detecting a fault in a program being run through cooperation between computers in a computer system forming a network consisting of a plurality of computers, said anomaly detection system comprising:
a plurality of computers providing services associated with said program;
an agent device associating and recording transactions with a service, said transactions being processes of said service performed by each of said plurality of computers in response to a call from a program running on another of said plurality of computers; and
an anomaly monitoring server connected to said network, comprising, a transaction collecting section collecting transactions recorded by said agent device from each of said plurality of computers;
a correlation matrix calculating section outputting a node correlation matrix calculated from said transactions collected from each of said plurality of computers;
an activity vector calculating section calculating an activity vector by solving an eigenequation specific to said node correlation matrix; and
a fault detecting section providing a notification of a fault in a program being run through cooperation between said plurality of computers, depending on said activity vector.
Dependent claims: 10, 11, 12, 13, 14, 32.
15. An anomaly detection system comprising means for monitoring a program for a fault on the basis of a probabilistic model to automatically detect a fault, said program being run through cooperation between computers in a computer system forming a network consisting of a plurality of computers, said anomaly detection system further comprising:
an agent module having transaction recording means for associating and recording transactions with a service, said transactions being processes of said service performed by each of said plurality of computers in response to a call from a program running on another of said plurality of computers; and
an anomaly monitoring server connected to said network, comprising, transaction collecting means for collecting transactions recorded by said agent module from each of said plurality of computers;
correlation matrix calculating means for outputting a node correlation matrix calculated from said transactions collected from each of said plurality of computers;
activity vector calculating means for calculating an activity vector by solving an eigenequation specific to said node correlation matrix;
probability estimating means for estimating the probability of occurrence of said activity vector; and
fault detecting means for calculating an outlier measure of the activity vector from a probability density estimated by said probability estimating means to automatically detect a fault in the program being run through cooperation between said plurality of computers.
Dependent claims: 16, 17, 18, 33.
19. An anomaly detection method comprising monitoring a program for a fault on the basis of a probabilistic model to automatically detect a fault, said program being run through cooperation between computers in a computer system forming a network consisting of a plurality of computers, said anomaly detection method further comprising:
a recording step performed by an agent module of associating and recording transactions with a service, said transactions being processes of said service performed by each of said plurality of computers in response to a call from a program running on another of said plurality of computers; and
a step performed by an anomaly monitoring server connected to said network, comprising, a transaction collecting step of collecting transactions recorded by said agent module from each of said plurality of computers;
a correlation matrix calculating step of outputting a node correlation matrix calculated from said transactions collected from each of said plurality of computers;
an activity vector calculating step of calculating an activity vector by solving an eigenequation specific to said node correlation matrix;
a probability estimating step of estimating the probability of occurrence of said activity vector; and
a fault detecting step of calculating an outlier measure of the activity vector from a probability density estimated in said probability estimating step to automatically detect a fault in the program being run through cooperation between said plurality of computers.
Dependent claims: 20, 21, 22, 29, 30.
23. An anomaly detection program comprising a step of monitoring a program for a fault on the basis of a probabilistic model to automatically detect a fault, said program being run through cooperation between computers in a computer system forming a network consisting of a plurality of computers, said anomaly detection program further comprising:
a recording step performed by an agent module of associating and recording transactions with a service, said transactions being processes of said service performed by each of said plurality of computers in response to a call from a program running on another of said plurality of computers; and
a step performed by an anomaly monitoring server connected to said network, comprising, a transaction collecting step of collecting transactions recorded by said agent module from each of said plurality of computers;
a correlation matrix calculating step of outputting a node correlation matrix calculated from said transactions collected from each of said plurality of computers;
an activity vector calculating step of calculating an activity vector by solving an equation specific to said node correlation matrix;
a probability estimating step of estimating the probability of occurrence of said activity vector; and
a fault detecting step of calculating an outlier measure of the activity vector from a probability density estimated in said probability estimating step to automatically detect a fault in the program being run through cooperation between said plurality of computers.
Dependent claims: 24, 25, 26, 27.
28. An anomaly monitoring server for monitoring a program for a fault on the basis of a probabilistic model to automatically detect a fault, said program being run through cooperation between computers in a computer system forming a network consisting of a plurality of computers, said anomaly monitoring server comprising:
a transaction collecting section collecting transactions which are processes of a service performed by each of said plurality of computers in response to a call from a program running on another of said plurality of computers;
a correlation matrix calculating section outputting a node correlation matrix calculated from said transactions collected from each of said plurality of computers;
an activity vector calculating section calculating an activity vector by solving an eigenequation specific to said node correlation matrix;
a probability estimating section estimating the probability of occurrence of said activity vector; and
a fault detecting section calculating an outlier measure of the activity vector from a probability density estimated by said probability estimating section to automatically detect a fault in the program being run through cooperation between said plurality of computers.
Specification