SYSTEMS AND/OR METHODS FOR EVENT STREAM DEVIATION DETECTION
Abstract
Certain example embodiments described herein relate to systems and/or methods for event stream deviation detection. More particularly, certain example embodiments described herein relate to maintaining short and long-term statistics of an incoming stream of event data. In certain example embodiments, a deviation is calculated based at least in part on the long-term and short-term statistics. The deviation may then be compared to a threshold value. In certain example embodiments, the estimations required for the statistics are done with Kernel Density Estimators (KDEs).
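The steps (a)-(g) summarized above can be sketched as follows; this is an added illustration, not code from the patent. The count-based windows, the L1 distance, the `abs(d_short - d_long)` combination, the standard-normal ideal density and all names (`DeviationDetector`, `run_demo`) are assumptions, since the text here does not fix them.

```python
import math
from collections import deque
from statistics import NormalDist

def kde(samples, x, bw):
    """Gaussian kernel density estimate of the PDF at x."""
    norm = len(samples) * bw * math.sqrt(2 * math.pi)
    return sum(math.exp(-0.5 * ((x - s) / bw) ** 2) for s in samples) / norm

class DeviationDetector:
    """Hypothetical detector; windows are counted in events (assumes a steady event rate)."""
    def __init__(self, ideal_pdf, grid, long_n, short_n, bw, threshold):
        self.grid, self.step = grid, grid[1] - grid[0]
        self.ideal = [ideal_pdf(x) for x in grid]
        self.long, self.short = deque(maxlen=long_n), deque(maxlen=short_n)
        self.bw, self.threshold = bw, threshold

    def _distance(self, window):
        # Assumed distance: L1 gap between the KDE and the ideal density (Riemann sum).
        return self.step * sum(abs(kde(window, x, self.bw) - p)
                               for x, p in zip(self.grid, self.ideal))

    def update(self, value):
        self.long.append(value)                 # (b) long-term statistic
        self.short.append(value)                # (c) short-term statistic
        d_long = self._distance(self.long)      # (d) first distance
        d_short = self._distance(self.short)    # (d) second distance
        deviation = abs(d_short - d_long)       # (e) assumed combination
        return deviation, deviation > self.threshold   # (f)

def run_demo():
    """Constructed stream: 150 events following N(0,1), then 30 events shifted by +4."""
    q = NormalDist()
    # Deterministic, evenly spread normal quantiles instead of random draws.
    base = [q.inv_cdf(((37 * i) % 101 + 0.5) / 101) for i in range(180)]
    stream = base[:150] + [v + 4.0 for v in base[150:]]
    grid = [-5 + 0.25 * k for k in range(57)]   # evaluation points from -5 to 9
    det = DeviationDetector(q.pdf, grid, long_n=100, short_n=20,
                            bw=0.5, threshold=0.6)
    # (a) receive each event, (g) repeat; collect indices where the threshold is exceeded.
    return [i for i, v in enumerate(stream) if det.update(v)[1]]

if __name__ == "__main__":
    print("alert indices:", run_demo())
```

The short window reacts to the shift within a few events while the long window still mostly reflects the baseline, so the gap between the two distances crosses the threshold shortly after event 150.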
20 Claims
1. A deviation detection method for use with a processing system including at least one processor, the method comprising:
(a) receiving at least one stream of event data at the processing system, the event data including at least one attribute;
(b) updating, via the at least one processor, a long-term statistic corresponding to a first estimate of a probability density function (PDF) of at least one monitored attribute in the at least one stream of event data over a first time window;
(c) updating, via the at least one processor, a short-term statistic corresponding to a second estimate of the PDF of the at least one monitored attribute in the at least one stream of event data over a second time window, the second time window being of a shorter duration than the first time window;
(d) computing, via the at least one processor, first and second distances between an ideal density distribution and the long- and short-term statistics, respectively;
(e) computing, via the at least one processor, a current deviation based at least in part on the first and second distances;
(f) comparing the current deviation to a threshold value; and
(g) repeating (a)-(f) as further monitored events are provided by the at least one stream of event data.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 20

11. A deviation detection method for use with a processing system including at least one processor, the method comprising:
- receiving at least one stream of event data at the processing system;
- maintaining, over a first time period, a short-term kernel density estimator (KDE) for at least one monitored event in the at least one stream of event data;
- maintaining, over a second time period, a long-term KDE for the at least one monitored event in the at least one stream of event data;
- calculating a deviation from at least one predefined probability density function (PDF) in dependence on the short- and long-term KDEs; and
- comparing the deviation to a threshold to detect a deviation in the at least one stream of event data.

12. A deviation detection system for event processing, comprising:
- an adapter configured to receive at least one stream of event data;
- at least one processor configured to:
  - calculate a long-term statistic corresponding to a first estimate of a probability density function (PDF) of at least one monitored attribute in the at least one stream of event data over a first time window;
  - calculate a short-term statistic corresponding to a second estimate of the PDF of the at least one monitored attribute in the at least one stream of event data over a second time window, the second time window being of a shorter duration than the first time window;
  - compute first and second distances between an ideal density distribution and the long- and short-term statistics, respectively;
  - compute a current deviation based at least in part on the first and second distances;
  - compare the current deviation to a threshold value; and
  - repeat the calculating, computing, and comparing as further monitored events are received in the at least one stream of event data.
Dependent claims: 13, 14, 15, 16, 17, 18, 19

Specification