USER CONFIGURABLE MESSAGE ANOMALY SCORING TO IDENTIFY UNUSUAL ACTIVITY IN INFORMATION TECHNOLOGY SYSTEMS

US 20170111378A1
Filed: 10/20/2015
Published: 04/20/2017
Est. Priority Date: 10/20/2015
Status: Active Grant

First Claim

Patent Images

1. A method for identifying unusual activity in an information technology (IT) system based on user configurable message anomaly scoring, the method comprising:

receiving, by a processing device, a message stream for the IT system;

selecting a plurality of messages from the message stream that correspond to an interval;

determining a message anomaly score for each of the plurality of the messages, wherein the message anomaly score for each of the plurality of the messages is determined to be one of a default message anomaly score and a custom message anomaly score;

calculating, by the processing device, an interval anomaly score for the interval by adding the message anomaly score for each of the plurality of the messages; and

identifying a priority level of the interval by comparing the interval anomaly score to one or more thresholds.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments include method, systems and computer program products for identifying unusual activity in an IT system based on user configurable message anomaly scoring. Aspects include receiving a message stream for the IT system and selecting a plurality of messages from the message stream that correspond to an interval. Aspects also include determining a message anomaly score for each of the plurality of the messages, wherein the message anomaly score for each of the plurality of the messages is determined to be one of a default message anomaly score and a custom message anomaly score and calculating an interval anomaly score for the interval by adding the message anomaly score for each of the plurality of the messages. Aspects further include identifying a priority level of the interval by comparing the interval anomaly score to one or more thresholds.

33 Citations

View as Search Results

20 Claims

1. A method for identifying unusual activity in an information technology (IT) system based on user configurable message anomaly scoring, the method comprising:
- receiving, by a processing device, a message stream for the IT system;
  
  selecting a plurality of messages from the message stream that correspond to an interval;
  
  determining a message anomaly score for each of the plurality of the messages, wherein the message anomaly score for each of the plurality of the messages is determined to be one of a default message anomaly score and a custom message anomaly score;
  
  calculating, by the processing device, an interval anomaly score for the interval by adding the message anomaly score for each of the plurality of the messages; and
  
  identifying a priority level of the interval by comparing the interval anomaly score to one or more thresholds.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein determining the message anomaly score for each of the plurality of the messages further comprises calculating the default message anomaly score based on a statistical analysis of a historical message stream for the IT system.
  - 3. The method of claim 1, wherein the determination that the message anomaly score for each of the plurality of the messages is one of the default message anomaly score and the custom message anomaly score is based on a model of a historical message stream.
  - 4. The method of claim 3, wherein the model of the historical message stream is created by:
    - dividing a plurality of historical messages into a number of groups based on the default message anomaly score of each of the plurality of historical messages;
      
      identifying a specific message from the plurality of historical messages; and
      
      identifying the group containing the specific message as custom scoring group.
  - 5. The method of claim 4, wherein determining the message anomaly score for each of the plurality of the messages includes determining whether each one of the plurality of the messages is a member of the custom scoring group.
  - 6. The method of claim 5, wherein the determination that the message anomaly score of one of the plurality of the messages is the custom message anomaly score is based on the one of the plurality of the messages being part of the custom scoring group.
  - 7. The method of claim 1, wherein the default message anomaly score is included in the status message received from a piece of IT equipment.

8. A computer program product for identifying unusual activity in an IT system based on user configurable message anomaly scoring, the computer program product comprising:
- a non-transitory storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing a method comprising;
  
  receiving a message stream for the IT system;
  
  selecting a plurality of messages from the message stream that correspond to an interval;
  
  determining a message anomaly score for each of the plurality of the messages, wherein the message anomaly score for each of the plurality of the messages is determined to be one of a default message anomaly score and a custom message anomaly score;
  
  calculating an interval anomaly score for the interval by adding the message anomaly score for each of the plurality of the messages; and
  
  identifying a priority level of the interval by comparing the interval anomaly score to one or more thresholds.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer program product of claim 8, wherein determining the message anomaly score for each of the plurality of the messages further comprises calculating the default message anomaly score based on a statistical analysis of a historical message stream for the IT system.
  - 10. The computer program product of claim 8, wherein the determination that the message anomaly score for each of the plurality of the messages is one of the default message anomaly score and the custom message anomaly score is based on a model of a historical message stream.
  - 11. The computer program product of claim 10, wherein the model of the historical message stream is created by:
    - dividing a plurality of historical messages into a number of groups based on the default message anomaly score of each of the plurality of historical messages;
      
      identifying a specific message from the plurality of historical messages; and
      
      identifying the group containing the specific message as custom scoring group.
  - 12. The computer program product of claim 11, wherein determining the message anomaly score for each of the plurality of the messages includes determining whether each one of the plurality of the messages is a member of the custom scoring group.
  - 13. The computer program product of claim 12, wherein the determination that the message anomaly score of one of the plurality of the messages is the custom message anomaly score is based on the one of the plurality of the messages being part of the custom scoring group.
  - 14. The computer program product of claim 8, wherein the default message anomaly score is included in the status message received from a piece of IT equipment.

15. A system for identifying unusual activity in an information technology (IT) system based on user configurable message anomaly scoring, comprising:
- a processor in communication with one or more types of memory, the processor configured to;
  
  receive a message stream for the IT system;
  
  select a plurality of messages from the message stream that correspond to an interval;
  
  determine a message anomaly score for each of the plurality of the messages, wherein the message anomaly score for each of the plurality of the messages is determined to be one of a default message anomaly score and a custom message anomaly score;
  
  calculate an interval anomaly score for the interval by adding the message anomaly score for each of the plurality of the messages; and
  
  identify a priority level of the interval by comparing the interval anomaly score to one or more thresholds.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein determining the message anomaly score for each of the plurality of the messages further comprises calculating the default message anomaly score based on a statistical analysis of a historical message stream for the IT system.
  - 17. The system of claim 15, wherein the determination that the message anomaly score for each of the plurality of the messages is one of the default message anomaly score and the custom message anomaly score is based on a model of a historical message stream.
  - 18. The system of claim 17, wherein the model of the historical message stream is created by:
    - dividing a plurality of historical messages into a number of groups based on the default message anomaly score of each of the plurality of historical messages;
      
      identifying a specific message from the plurality of historical messages; and
      
      identifying the group containing the specific message as custom scoring group.
  - 19. The system of claim 18, wherein determining the message anomaly score for each of the plurality of the messages includes determining whether each one of the plurality of the messages is a member of the custom scoring group.
  - 20. The system of claim 19, wherein the determination that the message anomaly score of one of the plurality of the messages is the custom message anomaly score is based on the one of the plurality of the messages being part of the custom scoring group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
CAFFREY, JAMES M.

Granted Patent

US 10,169,719 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06N 20/00   Machine learning

G06N 20/20   Ensemble learning

G06N 5/025   Extracting rules from data

H04L 41/069   using logs of notifications...

H04L 41/142   using statistical or mathem...

H04L 63/1408   by monitoring network traff...

USER CONFIGURABLE MESSAGE ANOMALY SCORING TO IDENTIFY UNUSUAL ACTIVITY IN INFORMATION TECHNOLOGY SYSTEMS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

USER CONFIGURABLE MESSAGE ANOMALY SCORING TO IDENTIFY UNUSUAL ACTIVITY IN INFORMATION TECHNOLOGY SYSTEMS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links