Anomaly detection for database systems
Abstract
Methods, systems and computer program products for detecting anomalies for a database system are provided. A method may include extracting workload features from a query optimizer based on a query workload and generating feature models for the extracted workload features. The method may also include extracting instance features from the query optimizer based on a query instance. Instance feature values may be obtained. The method may further include applying a query instance to the workload feature models to produce a prediction value for each workload feature. Anomalies may be reported based on a comparison of each instance feature value with a corresponding prediction value. A system for detecting anomalies for a database system may include a query optimizer, a feature modeler and an anomaly detector.
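A minimal sketch of the method in the abstract, added here as an illustration and not taken from the patent: one submodel per workload feature, a legitimate/suspicious decision per feature, and an overall verdict before the query runs. The feature names, the three submodel forms, the any-flag-means-anomaly rule and the sample workload are all assumptions constructed for this example.

```python
from statistics import mean, pstdev

# Constructed optimizer-feature vectors for a legitimate workload (hypothetical names).
WORKLOAD = [
    {"est_rows": 100, "join_op": "hash", "uses_index": True, "tables": {"orders", "customers"}},
    {"est_rows": 120, "join_op": "merge", "uses_index": True, "tables": {"orders"}},
    {"est_rows": 90, "join_op": "hash", "uses_index": True, "tables": {"orders", "items"}},
    {"est_rows": 110, "join_op": "hash", "uses_index": True, "tables": {"customers"}},
    {"est_rows": 130, "join_op": "merge", "uses_index": True, "tables": {"orders", "items"}},
]

class Numerical:
    """Predicts a band of mean +/- k standard deviations (assumed model)."""
    def __init__(self, values, k=3.0):
        self.mu, self.width = mean(values), k * max(pstdev(values), 1e-9)
    def legitimate(self, v):
        return abs(v - self.mu) <= self.width

class Categorical:
    """Predicts the set of values seen in training; also used for Booleans."""
    def __init__(self, values):
        self.seen = set(values)
    def legitimate(self, v):
        return v in self.seen

class SetValued:
    """Predicts the union of all member elements seen in training."""
    def __init__(self, values):
        self.allowed = set().union(*values)
    def legitimate(self, v):
        return set(v) <= self.allowed

def build_submodel(values):
    sample = values[0]
    if isinstance(sample, bool):            # test bool first: bool is a subclass of int
        return Categorical(values)
    if isinstance(sample, (int, float)):
        return Numerical(values)
    if isinstance(sample, (set, frozenset)):
        return SetValued(values)
    return Categorical(values)

def train(workload):
    return {f: build_submodel([q[f] for q in workload]) for f in workload[0]}

def check(models, instance):
    """Per-feature decisions plus an overall verdict, made before the query runs."""
    decisions = {f: "legitimate" if m.legitimate(instance[f]) else "suspicious"
                 for f, m in models.items()}
    return decisions, "suspicious" in decisions.values()  # assumed rule: any flag -> anomaly
```

Because the per-feature decisions are returned alongside the verdict, an alert can name which optimizer features deviated from the legitimate workload.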
64 Citations
20 Claims
1. A method for detecting anomalies for a database system, comprising:
- extracting one or more workload features from a query optimizer based on a query workload of legitimate database queries, the workload features including numerical, categorical, Boolean and set-valued features appearing in the legitimate database queries;
- generating a submodel for each of the one or more extracted workload features;
- extracting values of the workload features from the query optimizer based on a database query instance; and
- comparing a value of each workload feature of the database query instance to prediction values of the submodel to produce a decision being one of legitimate and suspicious for each workload feature and reporting an anomaly based on an overall decision that is based on decisions for all of the workload features before the database query instance is applied to the database system.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. A system for detecting anomalies for a database system, comprising:
- at least one processor configured to process;
- a query optimizer configured to execute queries;
- a feature modeler configured to:
  - extract one or more workload features from the query optimizer based on a query workload of legitimate database queries, the workload features including numerical, categorical, Boolean and set-valued features appearing in the legitimate database queries;
  - generate a submodel for each of the one or more extracted workload features; and
  - extract values of the workload features from the query optimizer based on a database query instance; and
- an anomaly detector configured to:
  - compare a value of each workload feature of the database query instance to prediction values of the submodel to produce a decision being one of legitimate and suspicious for each workload feature and report an anomaly based on an overall decision that is based on decisions for all of the workload features before the database query instance is applied to the database system.
Dependent claims: 13, 14, 15, 16, 17

18. A non-transitory computer readable medium having control logic stored therein, the control logic enabling a processor to perform operations to detect anomalies for a database system, the operations comprising:
- extracting one or more workload features from a query optimizer based on a query workload of legitimate database queries, the workload features including numerical, categorical, Boolean and set-valued features appearing in the legitimate database queries;
- generating a submodel for each of the one or more extracted workload features;
- extracting values of the workload features from the query optimizer based on a database query instance; and
- comparing a value of each workload feature of the database query instance to prediction values of the submodel to produce a decision being one of legitimate and suspicious for each workload feature and reporting an anomaly based on an overall decision that is based on decisions for all of the workload features before the query instance is applied to the database system.
Dependent claims: 19, 20

Specification