USER CONFIGURABLE MESSAGE ANOMALY SCORING TO IDENTIFY UNUSUAL ACTIVITY IN INFORMATION TECHNOLOGY SYSTEMS
First Claim
1. A method for identifying unusual activity in an information technology (IT) system based on user configurable message anomaly scoring, the method comprising:
- receiving, by a processing device, a message stream for the IT system;
- selecting a plurality of messages from the message stream that correspond to an interval;
- determining a message anomaly score for each of the plurality of the messages, wherein the message anomaly score for each of the plurality of the messages is determined to be one of a default message anomaly score and a custom message anomaly score;
- calculating, by the processing device, an interval anomaly score for the interval by adding the message anomaly score for each of the plurality of the messages; and
- identifying a priority level of the interval by comparing the interval anomaly score to one or more thresholds.
Abstract
Embodiments include methods, systems and computer program products for identifying unusual activity in an IT system based on user configurable message anomaly scoring. Aspects include receiving a message stream for the IT system and selecting a plurality of messages from the message stream that correspond to an interval. Aspects also include determining a message anomaly score for each of the plurality of the messages, wherein the message anomaly score for each of the plurality of the messages is determined to be one of a default message anomaly score and a custom message anomaly score, and calculating an interval anomaly score for the interval by adding the message anomaly score for each of the plurality of the messages. Aspects further include identifying a priority level of the interval by comparing the interval anomaly score to one or more thresholds.
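The scoring flow summarized in the abstract, sketched as an added Python example that is not taken from the patent. The message IDs, default scores, custom overrides, interval length, thresholds and priority labels are all constructed assumptions, since the abstract specifies none of them.

```python
from collections import defaultdict

# Every value below is constructed for illustration; the abstract gives none.
INTERVAL_SECONDS = 600
DEFAULT_SCORES = {"AUTH001": 1, "AUTH009": 40, "DISK017": 5}  # assumed defaults
UNKNOWN_DEFAULT = 10                      # assumed default for an unlisted ID
THRESHOLDS = [(100, "critical"), (30, "warning")]  # highest floor first

def message_score(msg_id, custom_scores):
    """A user-configured (custom) score wins; otherwise use the default."""
    if msg_id in custom_scores:
        return custom_scores[msg_id]
    return DEFAULT_SCORES.get(msg_id, UNKNOWN_DEFAULT)

def score_intervals(stream, custom_scores):
    """Bucket (epoch_seconds, msg_id) pairs into intervals and add the scores."""
    totals = defaultdict(int)
    for ts, msg_id in stream:
        start = ts - ts % INTERVAL_SECONDS
        totals[start] += message_score(msg_id, custom_scores)
    return dict(totals)

def priority(interval_score):
    """Compare the interval score to the thresholds, highest first."""
    for floor, label in THRESHOLDS:
        if interval_score >= floor:
            return label
    return "normal"

def triage(stream, custom_scores):
    """Return {interval_start: (interval_score, priority)} in time order."""
    totals = score_intervals(stream, custom_scores)
    return {start: (total, priority(total)) for start, total in sorted(totals.items())}

# Constructed sample stream: a quiet interval, a burst of failed logins,
# and a noisy disk message repeated seven times.
SAMPLE_STREAM = (
    [(0, "AUTH001"), (30, "AUTH001"), (90, "DISK017")]
    + [(610, "AUTH009"), (640, "AUTH009"), (700, "AUTH001")]
    + [(1200 + 10 * i, "DISK017") for i in range(7)]
    + [(1300, "NET404")]
)
# Constructed overrides: silence the noisy disk message, weight AUTH009 higher.
CUSTOM = {"DISK017": 0, "AUTH009": 60}

if __name__ == "__main__":
    print("defaults only:", triage(SAMPLE_STREAM, {}))
    print("with custom  :", triage(SAMPLE_STREAM, CUSTOM))
```

With the constructed overrides, the interval starting at 600 rises from warning to critical while the interval starting at 1200 drops from warning to normal, which shows how custom scores change triage without touching the thresholds.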
20 Claims
1. A method for identifying unusual activity in an information technology (IT) system based on user configurable message anomaly scoring, the method comprising:
- receiving, by a processing device, a message stream for the IT system;
- selecting a plurality of messages from the message stream that correspond to an interval;
- determining a message anomaly score for each of the plurality of the messages, wherein the message anomaly score for each of the plurality of the messages is determined to be one of a default message anomaly score and a custom message anomaly score;
- calculating, by the processing device, an interval anomaly score for the interval by adding the message anomaly score for each of the plurality of the messages; and
- identifying a priority level of the interval by comparing the interval anomaly score to one or more thresholds.

Dependent claims: 2, 3, 4, 5, 6, 7
8. A computer program product for identifying unusual activity in an IT system based on user configurable message anomaly scoring, the computer program product comprising:
- a non-transitory storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing a method comprising:
- receiving a message stream for the IT system;
- selecting a plurality of messages from the message stream that correspond to an interval;
- determining a message anomaly score for each of the plurality of the messages, wherein the message anomaly score for each of the plurality of the messages is determined to be one of a default message anomaly score and a custom message anomaly score;
- calculating an interval anomaly score for the interval by adding the message anomaly score for each of the plurality of the messages; and
- identifying a priority level of the interval by comparing the interval anomaly score to one or more thresholds.

Dependent claims: 9, 10, 11, 12, 13, 14
15. A system for identifying unusual activity in an information technology (IT) system based on user configurable message anomaly scoring, comprising:
- a processor in communication with one or more types of memory, the processor configured to:
- receive a message stream for the IT system;
- select a plurality of messages from the message stream that correspond to an interval;
- determine a message anomaly score for each of the plurality of the messages, wherein the message anomaly score for each of the plurality of the messages is determined to be one of a default message anomaly score and a custom message anomaly score;
- calculate an interval anomaly score for the interval by adding the message anomaly score for each of the plurality of the messages; and
- identify a priority level of the interval by comparing the interval anomaly score to one or more thresholds.

Dependent claims: 16, 17, 18, 19, 20
Specification