Method and system for detecting change in data streams
Abstract
A system for detecting change in a data stream comprising a distribution maintenance engine, a difference determining means and an alert generation engine is disclosed. The system detects change in the alert stream by the distribution maintenance engine maintaining a short term distribution that models the data stream and maintaining a long term distribution that models the data stream. The difference determining means determines the difference between the short term distribution and the long term distribution. The alert generation engine applies a statistical measure to the difference and generates an alert if the measure of the difference exceeds a threshold.
30 Claims
1. A method of detecting a target event based on a data stream, the data stream representing events accessed with a computerized monitoring system, the method being implemented on a computer or a network of computers having a memory and one or more processors, the method comprising:
- maintaining a short term distribution that models the data stream in the memory, wherein the short term distribution is updated when input data is received;
- maintaining a long term distribution that models the data stream in the memory, wherein the long term distribution is updated when the input data is received;
- determining a distribution difference with the one or more processors, the distribution difference being based on a difference between the short term distribution and the long term distribution;
- applying a statistical measure to the distribution difference with the one or more processors, the statistical measure comprising both an average of the distribution difference and an average difference between the distribution difference and the average of the distribution difference; and
- generating an alert when the measure of the difference exceeds a threshold using one or more of the processors, the alert indicating an occurrence of a target event to a person or a machine,
- wherein when the alert is generated the short term distribution in the memory is returned to a state just before it was updated to include an input that caused the alert, and the long term distribution is returned to a state just before the long term distribution was updated to include the input that caused the alert.

(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)

23. A system configured to detect a target event of a computerized monitoring system, the system comprising:
- a memory configured to store a short term distribution that models a data stream and a long term distribution that models the data stream, the data stream representing events accessed with the computerized system; and
- a processing module configured to update the stored short term distribution and the stored long term distribution when input data is received,
- wherein the processing module is configured to determine a distribution difference, the distribution difference being based on a difference between the short term distribution and the long term distribution,
- wherein the processing module is configured to apply a statistical measure to the distribution difference, the statistical measure comprising both an average of the distribution difference and an average difference between the distribution difference and the average of the distribution difference, the processing module being further configured to generate an alert when the measure of the difference exceeds a threshold, the alert indicating an occurrence of the target event to a person or a machine, and
- wherein the processing module is configured to return the stored short term distribution and the stored long term distribution to a respective state before being updated by an input that caused the alert to be generated.

(Dependent claims: 24, 25, 26)

27. A system configured to detect a target event of a computerized monitoring system, the system comprising:
- means for maintaining a short term distribution that models a data stream, the data stream representing events accessed with the computerized system, wherein the short term distribution is updated when input data is received;
- means for maintaining a long term distribution that models the data stream, wherein the long term distribution is updated when the input is received;
- means for determining a distribution difference, the distribution difference being based on a difference between the short term distribution and the long term distribution;
- means for applying a statistical measure to the difference, the statistical measure comprising both an average of the distribution difference and an average difference between the distribution difference and the average of the distribution difference;
- means for generating an alert when the measure of the difference exceeds a threshold, the alert indicating an occurrence of the target event to a person or a machine; and
- means for returning the short term distribution to a state before it was updated by an input that caused the alert and for returning the long term distribution to a state before it was updated by the input that caused the alert.

28. A method of detecting changes in the properties of a data stream, the data stream representing events occurring within a telecommunications system, the events accessed with a computerized monitoring system having a first memory element, a second memory element, and one or more processors, the method comprising:
- maintaining a short term distribution in the first memory element that models the data stream, wherein the short term distribution is updated when input data is received;
- maintaining a long term distribution in the second memory element that models the data stream, wherein the long term distribution is updated when the input data is received;
- determining a distribution difference using the one or more processors, the distribution difference being based on a difference between the short term distribution and the long term distribution;
- applying a statistical measure to the distribution difference using the one or more processors, the statistical measure comprising both an average of the distribution difference and an average difference between the distribution difference and the average of the distribution difference; and
- generating an alert when the measure of the difference exceeds a threshold using the one or more processors, the alert indicating an occurrence of a target event to a person or a machine,
- wherein when an alert is generated the short term distribution in the first memory element is returned to a state just before it was updated to include an input that caused the alert, and
- wherein when an alert is generated the long term distribution in the second memory element is returned to a state just before the long term distribution was updated to include the input that caused the alert.

(Dependent claims: 29)

30. A method of detecting changes in the properties of a data stream, the data stream representing events accessed with a computerized monitoring system having a first memory element, a second memory element, and one or more processors, the method comprising:
- maintaining a short term distribution that models the data stream in the first memory element, wherein the short term distribution is updated when input data is received;
- maintaining a long term distribution that models the data stream in the second memory element, wherein the long term distribution is updated when the input data is received;
- determining a distribution difference using the one or more processors, the distribution difference being based on a difference between the short term distribution and the long term distribution;
- applying a statistical measure to the distribution difference using the one or more processors, the statistical measure comprising both an average of the distribution difference and an average difference between the distribution difference and the average of the distribution difference; and
- generating an alert when the measure of the difference exceeds a threshold, the alert indicating an occurrence of a target event to a person or a machine,
- wherein when an alert is generated the short term distribution in the first memory element is returned to a state just before it was updated to include an input that caused the alert,
- wherein when an alert is generated the long term distribution in the second memory element is returned to a state just before it was updated to include the input that caused the alert, and
- wherein the accessed events occur within one of:
  - a telecommunications system and the target event comprises telecommunications fraud;
  - a credit card system and the target event comprises credit card fraud;
  - a computer network security system and the target event comprises a security concern;
  - an environmental monitoring system and the target event comprises an environmental change; and
  - a health monitoring system and the target event comprises a change in a health condition of a patient.
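An added example, not taken from the patent or its specification: one reading of the steps recited in claim 1, including the rollback of both distributions when an input raises an alert. The exponentially decayed histograms, the total variation distance, the `mean + k * MAD` threshold, every parameter value and the integer event types are assumptions made for illustration.

```python
class ChangeDetector:
    def __init__(self, bins, short_rate=0.5, long_rate=0.02, k=4.0, warmup=30):
        self.short_rate = short_rate      # assumed: fast decay, tracks recent events
        self.long_rate = long_rate        # assumed: slow decay, holds the baseline
        self.k = k                        # assumed: alert when diff > mean + k * MAD
        self.warmup = warmup              # assumed: accepted inputs before alerting
        self.short = [1.0 / bins] * bins  # short term distribution
        self.long = [1.0 / bins] * bins   # long term distribution
        self.n = 0
        self.mean = 0.0                   # average of the distribution difference
        self.mad = 0.0                    # average of |difference - average|

    @staticmethod
    def _fold(dist, rate, event):
        # Decay the old mass and add the new event to its bin.
        return [(1 - rate) * p + (rate if i == event else 0.0)
                for i, p in enumerate(dist)]

    def observe(self, event):
        """Update both models with one input; return True if it raised an alert."""
        prev = (self.short, self.long)    # state just before this input
        self.short = self._fold(self.short, self.short_rate, event)
        self.long = self._fold(self.long, self.long_rate, event)
        # Assumed difference measure: total variation distance.
        diff = sum(abs(s - l) for s, l in zip(self.short, self.long)) / 2
        if self.n >= self.warmup and diff > self.mean + self.k * self.mad:
            self.short, self.long = prev  # roll both models back
            return True                   # running statistics are left untouched too
        self.n += 1
        self.mean += (diff - self.mean) / self.n
        self.mad += (abs(diff - self.mean) - self.mad) / self.n
        return False


def alert_positions(stream, bins=4):
    det = ChangeDetector(bins)
    return [i for i, event in enumerate(stream) if det.observe(event)]


# Constructed sample: a steady mix of event types 0-2, then two events of a
# type absent from the baseline (3), then the steady mix again.
SAMPLE = [0, 1, 2] * 100 + [3, 3] + [0, 1, 2] * 5

if __name__ == "__main__":
    print(alert_positions(SAMPLE))
```

Because the alerting input is discarded from both models, the second event of type 3 is scored against the same baseline as the first, and the steady traffic that follows raises no alert.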