SYSTEMS AND METHODS FOR DETECTING ANOMALIES

US 20140229414A1
Filed: 12/30/2013
Published: 08/14/2014
Est. Priority Date: 02/08/2013
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented system comprising:

a probe module implemented by one or more processors and configured to execute a plurality of probes on an evolving data set, each probe from the plurality of probes returning a result, the probe module further configured to derive a plurality of property values, each property value from the plurality of property values is derived from a respective result returned by a corresponding probe of the plurality of probes; and

an anomaly detection engine implemented by the one or more processors and configured to;

generate a plurality of surprise scores corresponding to the plurality of property values, each surprise score being generated based on a comparison of a corresponding property value from the plurality of property values and historical property values, the corresponding property value and the historical property values having been derived from results returned from the same probe,access a plurality of historical surprise scores generated by the anomaly detection engine, andresponsive to a comparison between the plurality of surprise scores and the plurality of historical surprise scores, alert a monitoring system of an anomaly regarding the evolving data set.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and method for detecting anomalies in a computer system are disclosed herein. In some embodiments, multiple probes are executed on an evolving data set. Each probe may return a result. Property values are then derived from a respective result returned by a corresponding probe. Surprise scores corresponding to the property values are generated, where each surprise score is generated based on a comparison between a corresponding property value and historical property values. The corresponding property value and the historical property values are derived from results returned from the same probe. Historical surprise scores generated by the anomaly detection engine are accessed. Responsive to a comparison between the plurality of surprise scores and the plurality of historical surprise scores, a monitoring system is alerted of an anomaly regarding the evolving data set.

Citations

20 Claims

1. A computer-implemented system comprising:
- a probe module implemented by one or more processors and configured to execute a plurality of probes on an evolving data set, each probe from the plurality of probes returning a result, the probe module further configured to derive a plurality of property values, each property value from the plurality of property values is derived from a respective result returned by a corresponding probe of the plurality of probes; and
  
  an anomaly detection engine implemented by the one or more processors and configured to;
  
  generate a plurality of surprise scores corresponding to the plurality of property values, each surprise score being generated based on a comparison of a corresponding property value from the plurality of property values and historical property values, the corresponding property value and the historical property values having been derived from results returned from the same probe,access a plurality of historical surprise scores generated by the anomaly detection engine, andresponsive to a comparison between the plurality of surprise scores and the plurality of historical surprise scores, alert a monitoring system of an anomaly regarding the evolving data set.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented system of claim 1, wherein the plurality of surprise scores are generated at a first iteration, and the historical surprise scores were generated at one or more past iterations.
  - 3. The computer-implemented system of claim 1, wherein:
    - the probe module is further configured to derive a plurality of additional property values, each additional property value from the plurality of property values are derived from the respective result returned by the corresponding probe of the plurality of probes, the plurality of additional property values relating to a different property than the plurality of property values; and
      
      the anomaly detection engine is further configured to;
      
      generate a plurality of additional surprise scores corresponding to the plurality of additional property values, each additional surprise score being generated based on a comparison of a corresponding additional property value from the plurality of additional property values and additional historical property values, the corresponding additional property value and the additional historical property values having been derived from results returned from the same probe,access a plurality of additional historical surprise scores generated by the anomaly detection engine, andresponsive to a comparison between the plurality of additional surprise scores and the plurality of additional historical surprise scores, alert the monitoring system of an additional anomaly regarding the evolving data set.
  - 4. The computer-implemented system of claim 1, wherein the comparison between the plurality of surprise scores and the plurality of historical surprise scores includes determining whether the plurality of surprise scores deviate from a historical distribution of the plurality of historical surprise scores.
  - 5. The computer-implemented system of claim 1, wherein the comparison between the plurality of surprise scores and the plurality of historical surprise scores includes determining whether a number of surprise scores from the plurality of surprise scores deviates from the plurality of historical surprise scores.
  - 6. The computer-implemented system of claim 1, wherein the comparison between the plurality of surprise scores and the plurality of historical surprise scores includes determining whether a quantile of the plurality of surprise property values deviates from a historical distribution of quantiles derived from the plurality of historical surprise scores.
  - 7. The computer-implemented system of claim 1, wherein the evolving data set relates to data obtained by monitoring a computer system.
  - 8. The computer-implemented system of claim 1, wherein the evolving data set relates to data obtained by monitoring an inventory of items listed in a database.
  - 9. The computer-implemented system of claim 1, wherein the evolving data set relates to data obtained by monitoring a performance metrics of a plurality of servers.
  - 10. The computer-implemented system of claim 9, wherein the plura of property values relate to at least one of:
    - a processor load, a bandwidth consumption, a thread count, a running processes count, a memory usage, a throughput count, a rate of disk seeks, a rate of packets transmitted or received, or a rate of response.

11. A computer-implemented method comprising:
- executing a plurality of probes on an evolving data set, each probe from the plurality of probes returning a result;
  
  deriving a plurality of property values, each property value from the plurality of property values is derived from a respective result returned by a corresponding probe of the plurality of probes;
  
  generating a plurality of surprise scores corresponding to the plurality of property values, each surprise score being generated based on a comparison of a corresponding property value from the plurality of property values and historical property values, the corresponding property value and the historical property values having been derived from results returned from the same probe;
  
  accessing a plurality of historical surprise scores generated by the anomaly detection engine and responsive to a comparison between the plurality of surprise scores and the plurality of historical surprise scores, alerting a monitoring system of an anomaly regarding the evolving data set.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The computer-implemented method of claim 11, wherein the plurality of surprise scores are generated at a first iteration, and the historical surprise scores were generated at one or more past iterations.
  - 13. The computer-implemented method of claim 11, wherein the comparison between the plurality of surprise scores and the plurality of historical surprise scores includes determining whether the plurality of surprise scores deviate from a historical distribution of the plurality of historical surprise scores.
  - 14. The computer-implemented method of claim 11, wherein the comparison between the plurality of surprise scores and the plurality of historical surprise scores includes determining whether a number of surprise scores from the plurality of surprise scores deviates from the plurality of historical surprise scores.
  - 15. The computer-implemented method of claim 11, wherein the comparison between the plurality of surprise scores and the plurality of historical surprise scores includes determining whether a quantile of the plurality of surprise property values deviates from a historical distribution of quantiles derived from the plurality of historical surprise scores.
  - 16. The computer-implemented method of claim 11, wherein the evolving data set relates to data obtained by monitoring a computer system.
  - 17. The computer-implemented method of claim 11, wherein the evolving data set relates to data obtained by monitoring an inventory of items listed in a database.
  - 18. The computer-implemented method of claim 11, wherein the evolving data set relates to data obtained by monitoring a performance metrics of a plurality of servers.
  - 19. The computer-implemented method of claim 18, wherein the plurality of property values relate to at least one of:
    - a processor load, a bandwidth consumption, a thread count, a running processes count, a memory usage, a throughput count, a rate of disk seeks, a rate of packets transmitted or received, or a rate of response.

20. A non-transitory computer-readable medium storing executable instructions thereon, which, when executed by a processor, cause the processor to perform operations comprising:
- executing a plurality of probes on an evolving data set, each probe from the plurality of probes returning a result;
  
  deriving a plurality of property values, each property value from the plurality of property values is derived from a respective result returned by a corresponding probe of the plurality of probes;
  
  generating a plurality of surprise scores corresponding to the plurality of property values, each surprise score being generated based on a comparison of a corresponding property value from the plurality of property values and historical property values, the corresponding property value and the historical property values having been derived from results returned from the same probe;
  
  accessing a plurality of historical surprise scores generated by the anomaly detection engine and responsive to a comparison between the plurality of surprise scores and the plurality of historical surprise scores, alerting a monitoring system of an anomaly regarding the evolving data set.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
PayPal, Inc. (PayPal Holdings, Inc.)
Original Assignee
eBay Inc.
Inventors
Goldberg, David, Shan, Sync

Application Number

US14/143,185
Publication Number

US 20140229414A1
Time in Patent Office

Days
Field of Search
US Class Current

706/46
CPC Class Codes

B63J 4/002   for treating ballast water

C02F 1/001   Processes for the treatment...

C02F 1/008   Control or steering systems...

C02F 1/325   Irradiation devices or lamp...

C02F 2103/008   Originating from marine ves...

C02F 2103/08   Seawater, e.g. for desalina...

C02F 2201/326   Lamp control systems

C02F 2209/005   Processes using a programma...

C02F 2209/02   Temperature

C02F 2209/06   pH

C02F 2209/11   Turbidity

G06F 11/0721   within a central processing...

G06F 11/079   Root cause analysis, i.e. e...

G06N 5/04   Inference or reasoning models

Y02T 70/00   Maritime or waterways trans...

SYSTEMS AND METHODS FOR DETECTING ANOMALIES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR DETECTING ANOMALIES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links