Automated anomaly detection
Abstract
A method of anomaly detection applicable to telecommunications or retail fraud or software vulnerabilities uses inductive logic programming to develop anomaly characterisation rules from relevant background knowledge and a training data set, which includes positive anomaly samples of data covered by rules. Data samples include 1 or 0 indicating association or otherwise with anomalies. An anomaly is detected by a rule having a condition set which the anomaly fulfils. Rules are developed by addition of conditions and unification of variables, and are filtered to remove duplicates, equivalents, symmetric rules and unnecessary conditions. Overfitting of noisy data is avoided by an encoding cost criterion. Termination of rule construction involves criteria of rule length, absence of negative examples, rule significance and accuracy, and absence of recent refinement. Iteration of rule construction involves selecting rules with unterminated construction, selecting rule refinements associated with high accuracies, and iterating a rule refinement, filtering and evaluation procedure to identify any refined rule usable to test data. Rule development may use first order logic or Higher Order logic.
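The rule-construction loop outlined in the abstract, as an added illustration that is not taken from the patent: it is a propositional simplification (attribute/value conditions, no variable unification or encoding cost), showing refinement by adding conditions, duplicate filtering, termination on rule length and absence of negatives, and application to test data. The call records, `MAX_LEN`, `MIN_POS` and the beam width are constructed assumptions.

```python
# Constructed call records: label 1 = associated with an anomaly, 0 = not.
TRAIN = [
    ({"dest": "premium", "hour": "night", "roaming": "yes"}, 1),
    ({"dest": "premium", "hour": "night", "roaming": "no"}, 1),
    ({"dest": "premium", "hour": "day", "roaming": "no"}, 0),
    ({"dest": "local", "hour": "night", "roaming": "yes"}, 0),
    ({"dest": "local", "hour": "day", "roaming": "no"}, 0),
    ({"dest": "intl", "hour": "night", "roaming": "yes"}, 0),
]
MAX_LEN = 3  # termination: rule length (assumed value)
MIN_POS = 2  # simplified stand-in for rule significance (assumed value)

def covers(rule, sample):
    """A rule is a frozenset of (attribute, value) conditions; all must hold."""
    return all(sample.get(a) == v for a, v in rule)

def score(rule, data):
    pos = sum(1 for s, y in data if y == 1 and covers(rule, s))
    neg = sum(1 for s, y in data if y == 0 and covers(rule, s))
    return pos, neg, (pos / (pos + neg) if pos + neg else 0.0)

def refine(rule, data):
    """Add one condition; frozensets make reordered duplicates collapse."""
    used = {a for a, _ in rule}
    conds = {(a, v) for s, _ in data for a, v in s.items() if a not in used}
    return {rule | {c} for c in conds}

def learn(data, beam=2):
    finished, frontier = set(), {frozenset()}
    while frontier:
        candidates = set().union(*(refine(r, data) for r in frontier))
        scored = [(score(r, data), r) for r in candidates]
        scored = [(s, r) for s, r in scored if s[0] >= MIN_POS]
        # Termination: a rule covering no negative examples is complete.
        finished |= {r for s, r in scored if s[1] == 0}
        # Iterate only on unterminated rules, keeping the most accurate.
        unfinished = [(s, r) for s, r in scored if s[1] > 0 and len(r) < MAX_LEN]
        unfinished.sort(key=lambda x: (-x[0][2], -x[0][0], sorted(x[1])))
        frontier = {r for _, r in unfinished[:beam]}
    # Filter unnecessary conditions: drop rules with a finished proper subset.
    return {r for r in finished if not any(o < r for o in finished)}

def detect(rules, sample):
    """Apply the rule set to a test sample: anomalous if any rule is fulfilled."""
    return any(covers(r, sample) for r in rules)

if __name__ == "__main__":
    rules = learn(TRAIN)
    print(rules, detect(rules, {"dest": "premium", "hour": "night", "roaming": "yes"}))
```

On this data the single-condition rules all cover at least one negative example, so construction only terminates once `dest=premium` and `hour=night` are combined.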
39 Claims
1. A method of anomaly detection incorporating the steps of:
- a) developing a rule set of at least one anomaly characterisation rule from a training data set and any available relevant background knowledge using at least first order logic, a rule covering a proportion of positive anomaly examples of data in the training data set, and
- b) applying the rule set to test data for anomaly detection therein.
2. An automated method of anomaly detection incorporating using computer apparatus to execute the steps of:
- a) developing a rule set of at least one anomaly characterisation rule from a training data set and any available relevant background knowledge using at least first order logic, a rule covering a proportion of positive anomaly examples of data in the training data set, and
- b) applying the rule set to test data for anomaly detection therein.
Dependent claims: 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19
20. Computer apparatus for anomaly detection programmed to execute the steps of:
- a) developing a rule set of at least one anomaly characterisation rule from a training data set and any available relevant background knowledge using at least first order logic, a rule covering a proportion of positive anomaly examples of data in the training data set, and
- b) applying the rule set to test data for anomaly detection therein.
Dependent claims: 21, 22, 23, 24, 25, 26, 27, 28, 29
30. A computer software product comprising a computer readable medium containing computer readable instructions for controlling operation of computer apparatus to implement anomaly detection, wherein the computer readable instructions provide a means for controlling the computer apparatus to execute the steps of:
- a) developing a rule set of at least one anomaly characterisation rule from a training data set and any available relevant background knowledge using at least first order logic, a rule covering a proportion of positive anomaly examples of data in the training data set, and
- b) applying the rule set to test data for anomaly detection therein.
Dependent claims: 31, 32, 33, 34, 35, 36, 37, 38, 39
Specification