Cross-feature analysis

US 20050283511A1
Filed: 09/09/2003
Published: 12/22/2005
Est. Priority Date: 09/09/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method of automatically identifying anomalous situations during system operations, said method comprising:

recording actions performed by said system as features in a history file;

automatically creating a model for each feature only from normal data in said history file;

performing training by calculating anomaly scores of said features;

establishing a threshold to evaluate whether features are abnormal;

automatically identifying abnormal actions of said system based on said anomaly scores and said threshold; and

periodically repeating said training process.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a method of automatically identifying anomalous situations during computerized system operations that records actions performed by the computerized system as features in a history file, automatically creates a model for each feature only from normal data in the history file, performs training by calculating anomaly scores of the features, establishes a threshold to evaluate whether features are abnormal, automatically identifies abnormal actions of the computerized system based on the anomaly scores and said threshold, and periodically repeats the training process.

26 Citations

View as Search Results

26 Claims

1. A method of automatically identifying anomalous situations during system operations, said method comprising:
- recording actions performed by said system as features in a history file;
  
  automatically creating a model for each feature only from normal data in said history file;
  
  performing training by calculating anomaly scores of said features;
  
  establishing a threshold to evaluate whether features are abnormal;
  
  automatically identifying abnormal actions of said system based on said anomaly scores and said threshold; and
  
  periodically repeating said training process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 12)
- - 2. The method in claim 1, wherein said process of creating a model for each feature comprises:
    - establishing relationships that exist between said features for normal system operations;
      
      selecting a labeled feature from said features;
      
      mathematically rearranging said relationships from the point of view of said labeled feature to create a solution for said labeled feature, wherein said solution comprises a model for said labeled feature;
      
      selecting different features as said labeled feature and repeating said process of mathematically rearranging said relationships to produce solutions from the point of view of each remaining feature as models for the remaining features.
  - 3. The method in claim 2, wherein said solution comprises a mathematical statement of what said labeled feature equals in terms of the relationships between the remaining features.
  - 4. The method in claim 2, wherein said normal system operations comprise said features in said history file at the time said models are created.
  - 5. The method in claim 1, wherein said training comprises:
    - predicting the likelihood that each feature will be normal when one or more of the other features are abnormal, using said model of each of said features;
      
      repeating said predicting using different presumptions about other features being normal and abnormal to produce a trained file of a plurality of anomaly scores for each of said features.
  - 6. The method in claim 5, wherein said trained file provides an normally score for each of said features for each of a plurality of different possible abnormalities.
  - 7. The method in claim 5, wherein said process of identifying abnormal actions comprises:
    - determining values of said features for a given operation of said system;
      
      referring to said trained file to retrieve and anomaly score for each of said features;
      
      comparing said anomaly score for each of said features with said threshold to determine whether each anomaly score exceeds said threshold.
  - 12. The method in claim 11, wherein said trained file provides an normally score for each of said features for each of a plurality of different possible abnormalities.

8. A method of automatically identifying anomalous situations during system operations, said method comprising:
- recording actions performed by said system as features in a history file;
  
  automatically creating a model for each feature only from normal data in said history file;
  
  performing training by calculating anomaly scores of said features;
  
  establishing a threshold to evaluate whether features are abnormal;
  
  automatically identifying abnormal actions of said system based on said anomaly scores and said threshold; and
  
  periodically repeating said training process, wherein said process of creating a model for each feature comprises;
  
  establishing relationships that exist between said features for normal system operations;
  
  selecting a labeled feature from said features;
  
  mathematically rearranging said relationships from the point of view of said labeled feature to create a solution for said labeled feature, wherein said solution comprises a model for said labeled feature;
  
  selecting different features as said labeled feature and repeating said process of mathematically rearranging said relationships to produce solutions from the point of view of each remaining feature as models for the remaining features.
- View Dependent Claims (9, 10, 11, 13)
- - 9. The method in claim 8, wherein said solution comprises a mathematical statement of what said labeled feature equals in terms of the relationships between the remaining features.
  - 10. The method in claim 8, wherein said normal system operations comprise said features in said history file at the time said models are created.
  - 11. The method in claim 8, wherein said training comprises:
    - predicting the likelihood that each feature will be normal when one or more of the other features are abnormal, using said model of each of said features;
      
      repeating said predicting using different presumptions about other features being normal and abnormal to produce a trained file of a plurality of anomaly scores for each of said features.
  - 13. The method in claim 11, wherein said process of identifying abnormal actions comprises:
    - determining values of said features for a given operation of said system;
      
      referring to said trained file to retrieve and anomaly score for each of said features;
      
      comparing said anomaly score for each of said features with said threshold to determine whether each anomaly score exceeds said threshold.

14. A method of automatically identifying anomalous situations during system operations, said method comprising:
- recording actions performed by said system as features in a history file;
  
  automatically creating a model for each feature only from normal data in said history file;
  
  performing training by calculating anomaly scores of said features;
  
  establishing a threshold to evaluate whether features are abnormal;
  
  automatically identifying abnormal actions of said system based on said anomaly scores and said threshold; and
  
  periodically repeating said training process, wherein said training comprises;
  
  predicting the likelihood that each feature will be normal when one or more of the other features are abnormal, using said model of each of said features;
  
  repeating said predicting using different presumptions about other features being normal and abnormal to produce a trained file of a plurality of anomaly scores for each of said features.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The method in claim 14, wherein said process of creating a model for each feature comprises:
    - establishing relationships that exist between said features for normal system operations;
      
      selecting a labeled feature from said features;
      
      mathematically rearranging said relationships from the point of view of said labeled feature to create a solution for said labeled feature, wherein said solution comprises a model for said labeled feature;
      
      selecting different features as said labeled feature and repeating said process of mathematically rearranging said relationships to produce solutions from the point of view of each remaining feature as models for the remaining features.
  - 16. The method in claim 15, wherein said solution comprises a mathematical statement of what said labeled feature equals in terms of the relationships between the remaining features.
  - 17. The method in claim 15, wherein said normal system operations comprise said features in said history file at the time said models are created.
  - 18. The method in claim 14, wherein said trained file provides a normally score for each of said features for each of a plurality of different possible abnormalities.
  - 19. The method in claim 14, wherein said process of identifying abnormal actions comprises:
    - determining values of said features for a given operation of said system;
      
      referring to said trained file to retrieve and anomaly score for each of said features;
      
      comparing said anomaly score for each of said features with said threshold to determine whether each anomaly score exceeds said threshold.

20. A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform a method of automatically identifying anomalous situations during system operations, said method comprising:
- recording actions performed by said system as features in a history file;
  
  automatically creating a model for each feature only from normal data in said history file;
  
  performing training by calculating anomaly scores of said features;
  
  establishing a threshold to evaluate whether features are abnormal;
  
  automatically identifying abnormal actions of said system based on said anomaly scores and said threshold; and
  
  periodically repeating said training process.
- View Dependent Claims (21, 22, 23, 24, 25, 26)
- - 21. The program storage device in claim 20, wherein said method further comprises a process of creating a model for each feature comprises:
    - establishing relationships that exist between said features for normal system operations;
      
      selecting a labeled feature from said features;
      
      mathematically rearranging said relationships from the point of view of said labeled feature to create a solution for said labeled feature, wherein said solution comprises a model for said labeled feature;
      
      selecting different features as said labeled feature and repeating said process of mathematically rearranging said relationships to produce solutions from the point of view of each remaining feature as models for the remaining features.
  - 22. The program storage device in claim 21, wherein said method further comprises a mathematical statement of what said labeled feature equals in terms of the relationships between the remaining features.
  - 23. The program storage device in claim 21, wherein said normal system operations comprise said features in said history file at the time said models are created.
  - 24. The program storage device in claim 20, wherein said training method further comprises:
    - predicting the likelihood that each feature will be normal when one or more of the other features are abnormal, using said model of each of said features;
      
      repeating said predicting using different presumptions about other features being normal and abnormal to produce a trained file of a plurality of anomaly scores for each of said features.
  - 25. The program storage device in claim 24, wherein said trained file provides an normally score for each of said features for each of a plurality of different possible abnormalities.
  - 26. The program storage device in claim 24, wherein said process of identifying abnormal actions further comprises:
    - determining values of said features for a given operation of said system;
      
      referring to said trained file to retrieve and anomaly score for each of said features;
      
      comparing said anomaly score for each of said features with said threshold to determine whether each anomaly score exceeds said threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Yu, Philip Shi-Iung, Fan, Wei

Application Number

US10/658,623
Publication Number

US 20050283511A1
Time in Patent Office

Days
Field of Search
US Class Current

708/306
CPC Class Codes

G06F 11/008 Reliability or availability...

Cross-feature analysis

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Cross-feature analysis

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links