Method and system for detecting change in data streams

US 7,620,533 B2
Filed: 01/18/2007
Issued: 11/17/2009
Est. Priority Date: 04/24/2002
Status: Active Grant

First Claim

Patent Images

1. A method of detecting a target event based on a data stream, the data stream representing events accessed with a computerized monitoring system, the method being implemented on a computer or a network of computers having a memory and one or more processors, the method comprising:

maintaining a short term distribution that models the data stream in the memory, wherein the short term distribution is updated when input data is received;

maintaining a long term distribution that models the data stream in the memory, wherein the long term distribution is updated when the input data is received;

determining a distribution difference with the one or more processors, the distribution difference being based on a difference between the short term distribution and the long term distribution;

applying a statistical measure to the distribution difference with the one or more processors, the statistical measure comprising both an average of the distribution difference and an average difference between the distribution difference and the average of the distribution difference; and

generating an alert when the measure of the difference exceeds a threshold using one or more of the processors, the alert indicating an occurrence of a target event to a person or a machine,wherein when the alert is generated the short term distribution in the memory is returned to a state just before it was updated to include an input that caused the alert, and the long term distribution is returned to a state just before the long term distribution was updated to include the input that caused the alert.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for detecting change in a data stream comprising a distribution maintenance engine, a difference determining means and an alert generation engine is disclosed. The system detects change in the alert stream by the distribution maintenance engine maintaining a short term distribution that models the data stream and maintaining a long term distribution that models the data stream. The difference determining means determines the difference between the short term distribution and the long term distribution. The alert generation engine applies a statistical measure to the difference and generates an alert if the measure of the difference exceeds a threshold.

15 Citations

View as Search Results

30 Claims

1. A method of detecting a target event based on a data stream, the data stream representing events accessed with a computerized monitoring system, the method being implemented on a computer or a network of computers having a memory and one or more processors, the method comprising:
- maintaining a short term distribution that models the data stream in the memory, wherein the short term distribution is updated when input data is received;
  
  maintaining a long term distribution that models the data stream in the memory, wherein the long term distribution is updated when the input data is received;
  
  determining a distribution difference with the one or more processors, the distribution difference being based on a difference between the short term distribution and the long term distribution;
  
  applying a statistical measure to the distribution difference with the one or more processors, the statistical measure comprising both an average of the distribution difference and an average difference between the distribution difference and the average of the distribution difference; and
  
  generating an alert when the measure of the difference exceeds a threshold using one or more of the processors, the alert indicating an occurrence of a target event to a person or a machine,wherein when the alert is generated the short term distribution in the memory is returned to a state just before it was updated to include an input that caused the alert, and the long term distribution is returned to a state just before the long term distribution was updated to include the input that caused the alert.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. A method according to claim 1, wherein the short term distribution is a model of probability distributions that describe the data stream.
  - 3. A method according to claim 1, wherein the long term distribution is a model of probability distributions that describe the data stream.
  - 4. A method according to claim 1, wherein the short term distribution is a recursively estimated weighted distribution of all the data received thus far.
  - 5. A method according to claim 1, wherein the long term distribution is a recursively estimated weighted distribution of all of the data received thus far.
  - 6. A method according to claim 1, wherein the short term distribution weights recent information more heavily than the long term distribution.
  - 7. A method according to claim 1, wherein an alert is generated when the distribution difference exceeds an adaptive alert threshold.
  - 8. A method according to claim 7, wherein the adaptive alert threshold is a function of the short term and long term distributions and previous values of the alert threshold.
  - 9. A method according to claim 7, wherein the adaptive alert threshold is formed from a predictability measure and a variability measure.
  - 10. A method according to claim 9, wherein the predictability measure is a moving average of the difference between the short term distribution and the long term distribution.
  - 11. A method according to claim 9, wherein the variability measure is a moving average of the absolute difference between the difference between the short term distribution and the long term distribution and the predictability measure.
  - 12. A method according to claim 9, wherein the predictability and variability measures are not updated when the difference between the short term distribution and the long term distribution exceeds a function of the variability measure.
  - 13. A method according to claim 7, wherein the generated alert includes information in the data stream and/or a function of information in the data stream.
  - 14. A method according to claim 13, wherein the generated alert includes a propensity measure as an indication of a severity of change.
  - 15. A method according to claim 14, wherein the propensity measure is calculated by dividing the difference between the difference between the short term distribution and the long term distribution and the alert threshold by the variability measure.
  - 16. A method according to claim 1, further comprising maintaining an estimate of amounts by which a sensitivity to the alert threshold would be needed to have been adjusted in order to not have generated an alert that turned out not to be caused by an event of interest since the last time the sensitivity to the alert threshold was instructed to adapt.
  - 17. A method according to claim 16, wherein the sensitivity adjustment estimate is increased by an additive constant each time an alert is generated and decays exponentially with each input received.
  - 18. A method according to claim 1, wherein a lead period may be provided during which alerts cannot be generated and the short term distribution and the long term distribution are adapted to all inputs within that period.
  - 19. A method according to claim 1, wherein alerts may be suppressed from being generated by inputs that are above a configurable lower percentile or below a configurable upper percentile.
  - 20. A method according to claim 19, wherein the lower percentile and upper percentile are both estimated from the long term distribution.
  - 21. A method according to claim 1, wherein the short term and long term distributions model discrete values.
  - 22. A method according to claim 1, wherein the short term and long term distributions model continuous values.

23. A system configured to detect a target event of a computerized monitoring system, the system comprising:
- a memory configured to store a short term distribution that models a data stream and a long term distribution that models the data stream, the data stream representing events accessed with the computerized system; and
  
  a processing module configured to update the stored short term distribution and the stored long term distribution when input data is received,wherein the processing module is configured to determine a distribution difference, the distribution difference being based on a difference between the short term distribution and the long term distribution,wherein the processing module is configured to apply a statistical measure to the distribution difference, the statistical measure comprising both an average of the distribution difference and an average difference between the distribution difference and the average of the distribution difference, the processing module being further configured to generate an alert when the measure of the difference exceeds a threshold, the alert indicating an occurrence of the target event to a person or a machine, andwherein the processing module is configured to return the stored short term distribution and the stored long term distribution to a respective state before being updated by an input that caused the alert to be generated.
- View Dependent Claims (24, 25, 26)
- - 24. A system according to claim 23, further comprising a threshold adaptation module configured to adaptively determine the threshold.
  - 25. A system according to claim 23, wherein the processing module is configured to return the short term distribution to a state just before it was updated, when an alert is generated.
  - 26. A system according to claim 23, wherein the processing module is configured to return the long term distribution to a state just before it was updated, when an alert is generated.

27. A system configured to detect a target event of a computerized monitoring system, the system comprising:
- means for maintaining a short term distribution that models a data stream, the data stream representing events accessed with the computerized system, wherein the short term distribution is updated when input data is received;
  
  means for maintaining a long term distribution that models the data stream, wherein the long term distribution is updated when the input is received;
  
  means for determining a distribution difference, the distribution difference being based on a difference between the short term distribution and the long term distribution;
  
  means for applying a statistical measure to the difference, the statistical measure comprising both an average of the distribution difference and an average difference between the distribution difference and the average of the distribution difference;
  
  means for generating an alert when the measure of the difference exceeds a threshold, the alert indicating an occurrence of the target event to a person or a machine; and
  
  means for returning the short term distribution to a state before it was updated by an input that caused the alert and for returning the long term distribution to a state before it was updated by the input that caused the alert.

28. A method of detecting changes in the properties of a data stream, the data stream representing events occurring within a telecommunications system, the events accessed with a computerized monitoring system having a first memory element, a second memory element, and one or more processors, the method comprising:
- maintaining a short term distribution in the first memory element that models the data stream, wherein the short term distribution is updated when input data is received;
  
  maintaining a long term distribution in the second memory element that models the data stream, wherein the long term distribution is updated when the input data is received;
  
  determining a distribution difference using the one or more processors, the distribution difference being based on a difference between the short term distribution and the long term distribution;
  
  applying a statistical measure to the distribution difference using the one or more processors, the statistical measure comprising both an average of the distribution difference and an average difference between the distribution difference and the average of the distribution difference; and
  
  generating an alert when the measure of the difference exceeds a threshold using the one or more processors, the alert indicating an occurrence of a target event to a person or a machine,wherein when an alert is generated the short term distribution in the first memory element is returned to a state just before it was updated to include an input that caused the alert, andwherein when an alert is generated the long term distribution in the second memory element is returned to a state just before the long term distribution was updated to include the input that caused the alert.
- View Dependent Claims (29)
- - 29. The method of claim 28, wherein the target event comprises telecommunications fraud.

30. A method of detecting changes in the properties of a data stream, the data stream representing events accessed with a computerized monitoring system having a first memory element, a second memory element, and one or more processors, the method comprising:
- maintaining a short term distribution that models the data stream in the first memory element, wherein the short term distribution is updated when input data is received;
  
  maintaining a long term distribution that models the data stream in the second memory element, wherein the long term distribution is updated when the input data is received;
  
  determining a distribution difference using the one or more processors, the distribution difference being based on a difference between the short term distribution and the long term distribution;
  
  applying a statistical measure to the distribution difference using the one or more processors, the statistical measure comprising both an average of the distribution difference and an average difference between the distribution difference and the average of the distribution difference; and
  
  generating an alert when the measure of the difference exceeds a threshold, the alert indicating an occurrence of a target event to a person or a machine,wherein when an alert is generated the short term distribution in the first memory element is returned to a state just before it was updated to include an input that caused the alert,wherein when an alert is generated the long term distribution in the second memory element is returned to a state just before it was updated to include the input that caused the alert, andwherein the accessed events occur within one of;
  
  a telecommunications system and the target event comprises telecommunications fraud;
  
  a credit card system and the target event comprises credit card fraud;
  
  a computer network security system and the target event comprises a security concern;
  
  an environmental monitoring system and the target event comprises an environmental change; and
  
  a health monitoring system and the target event comprises a change in a health condition of a patient.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Neural Technologies Limited
Original Assignee
Cerebrus Solutions Ltd (Neural Technologies Limited)
Inventors
Bolt, George, Manslow, John
Primary Examiner(s)
Rodriguez; Paul L
Assistant Examiner(s)
GUILL, RUSSELL L

Application Number

US11/654,800
Publication Number

US 20070118344A1
Time in Patent Office

1,034 Days
Field of Search

703/2
US Class Current

703/2
CPC Class Codes

G05B 23/0254 based on a quantitative mod...

G06F 18/241 relating to the classificat...

Method and system for detecting change in data streams

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Method and system for detecting change in data streams

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others