
Patent Issued for Detecting Anomalous Process Behavior

May 20, 2014



By a News Reporter-Staff News Editor at Information Technology Newsweekly -- A patent by the inventors El-Rafei, Sherif M. (Nasr, EG); Farahat, Ahmed K. (Mabouseen, EG); Hassan, Hany M. (Cairo, EG); Mahfouz, Tamer A. (Cairo, EG), filed on July 10, 2008, was published online on May 6, 2014, according to news reporting originating from Alexandria, Virginia, by VerticalNews correspondents.

Patent number 8719190 is assigned to International Business Machines Corporation (Armonk, NY).

The following quote was obtained by the news editors from the background information supplied by the inventors: "As companies need to streamline and rationalize their business processes, they tend to rely more heavily on specific data processing systems specialized in business process management. Such systems provide specific components such as a scheduler, transaction management facilities, service discovery, etc., to enable task orchestration in a heterogeneous environment. IBM WebSphere Process Server is such a business process management system based on IBM WebSphere Application Server. Based on a process model defined in an associated development environment, such as IBM WebSphere Business Modeler, the process server can then execute workflows and monitor them to gather various statistics on the executed processes.

"Monitoring systems gather statistics on key indicators to provide metrics on a company's processes and performance. An important monitoring activity is to detect faulty or anomalous processes. Traditional monitoring systems provide two approaches for detecting anomalous behavior in a monitored process. In the first approach, users manually employ sophisticated analysis techniques to detect significant situations, investigate their root causes, and then take the appropriate corrective actions. The main problem with this approach is that situations are detected after their occurrence, not while the process is performing. The second approach for anomalous behavior management depends on domain experts to define criteria for the detection of the anomalous behavior. These criteria are usually encoded in terms of condition-action rules which are used by the monitoring system to automatically detect and handle significant situations. The main problem with this approach is that it assumes a priori knowledge of the anomalous behaviors and therefore does not detect hidden, potentially more critical, situations.

"The state of the art technique in situation management involves: (1) the use of sophisticated analysis techniques to manually detect situations and investigate their root causes; and (2) the use of rule-based monitoring to automatically detect predefined situations.

"The first approach allows users to employ sophisticated analysis techniques to detect situations, and investigate their root causes. These techniques include multidimensional analysis, statistical analysis, and other data mining capabilities such as: clustering of data values; determining associations between data elements; discovering repeated sequences of events; classifying data into predefined classes; and predicting the values of data elements. There are two problems with this approach. First, users have to manually inspect a huge amount of events and data. Second, situations are detected after their occurrence, not while the process is performing.

"The second approach for situation detection depends on rule-based monitoring of the running instances. This approach allows domain experts to define criteria for the detection of critical situations. These criteria are encoded in terms of condition-action rules which are used by the system to monitor the running instances. Many inventions have proposed frameworks for defining and managing complex situations. For example, the U.S. patent application US 2005/0267765A1, filed by Jun-Jang Jeng et al., and entitled 'Apparatus and Method for Policy-driven Business Process Exception Handling' provides an exception management framework that allows developers to define exception policies in a declarative manner. Also, U.S. Pat. No. 6,604,093, filed by Opher Etzion et al., and entitled 'Situation Awareness System', provides a method for situation management that allows users to define complex events using event composition operators. The main problem with this approach is that it only covers obvious situations, and does not allow the detection of hidden, potentially more critical, situations. Also, the process of manually defining detection criteria is inefficient, time consuming, and error-prone.

"To solve some of the problems encountered in traditional situation management approaches, U.S. patent application US 2003/0149604A1, filed by Fabio Casati et al., and entitled 'Exception Analysis, Prediction, and Prevention Method and System', proposes a method that uses data mining techniques to generate classification rules that identify normal from exceptional process instances. The method is based on a training set of previously 'labeled' process instances. The generated rules can be either investigated by the users to identify the causes of exceptional behavior or stored in a repository and compared with running instances to automatically detect exceptional behaviors. This method has several problems. First, the method depends on labeled process instances to train the classifier and therefore it can only detect previously-known exceptions. Moreover, the classification rules do not encode the dynamic behavior of the process instance (i.e., the change of state). This means that the approach does not detect process instances that exhibit exceptional sequence of states/events."

In addition to the background information obtained for this patent, VerticalNews journalists also obtained the inventors' summary information for this patent: "According to a first aspect of the present invention there is provided a method for learning a behavior model of a workflow, the behavior model being associated with at least one value falling within a first predetermined range, and comprising a first set of paths, wherein a union of the paths form a directed graph corresponding to the workflow, the directed graph comprising a second set of nodes and a third set of transitions, wherein the method comprises: for each path comprised in the behavior model: identifying a fourth set of instances of the workflow among all instances of the workflow, wherein each of the instances to identify is associated with a value falling within the first predetermined range and any of the instances to identify corresponds to the path; computing a likelihood of the path as a function of the number of instances so identified; and assigning a weight to each transition of the third set of transitions as a function of the likelihood of the paths comprising the transition.

"One advantage is that the behavior model can be used for detecting anomalous processes that are either already executed or still running. A further advantage is that the behavior model can be continuously updated based on more recent process instances.

"According to a second aspect of the present invention, there is provided a method for monitoring an instance of a workflow, the instance being associated with a first value and with a first directed graph comprising a first set of nodes and a second set of transitions, the method comprising: identifying a behavior model, so that the first value falls within a predetermined range associated with the behavior model, and wherein the behavior model comprises a path which is a superset of the first directed graph; computing a likelihood of the instance as a function of weights associated with the transitions of the behavior model corresponding to the second set of transitions; and deciding on a normality of the instance as a function of the likelihood so computed and of a threshold.

"One advantage is that both executed and running instances can be analyzed and detected. A further advantage is that no specific rules are necessary to analyze a process and the proposed method can be used for any type of process.

"According to a third aspect of the present invention, there is provided an apparatus for carrying out the method according to the first or second aspect of the invention.

"One advantage is that this apparatus can be obtained very easily, thus making the method easy to execute.

"According to a fourth aspect of the present invention, there is provided a computer readable medium comprising instructions for carrying out the method according to the first or second aspect of the invention.

"One advantage is that this medium can be used to easily install the method on various apparatus.

"Further advantages of the present invention will become clear to the skilled person upon examination of the drawings and detailed description. It is intended that any additional advantages be incorporated herein."
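The learning and monitoring methods summarized in the first and second aspects above, as an added Python example (not code from the patent or from IBM). The article does not give the weighting or scoring functions, so the summed path likelihood, the geometric mean, the 0.2 threshold and the sample order workflow are all assumptions, and a single value range (one behavior model) is assumed.

```python
from collections import Counter
from math import prod

def transitions(path):
    """Consecutive (source, target) node pairs of a path."""
    return list(zip(path, path[1:]))

def learn_model(instances):
    """Learn transition weights from past instances of one value range.

    Path likelihood = share of instances that followed the path.
    Transition weight = summed likelihood of the paths containing it
    (assumed function; the article only says "a function of").
    """
    path_counts = Counter(tuple(p) for p in instances)
    total = sum(path_counts.values())
    hits = Counter()
    for path, n in path_counts.items():
        for t in set(transitions(path)):
            hits[t] += n
    return {t: c / total for t, c in hits.items()}

def instance_likelihood(model, path):
    """Geometric mean of the weights of the transitions taken so far.

    Works on finished and running (partial) instances alike; a transition
    never seen during learning has weight 0 and zeroes the score.
    """
    ts = transitions(path)
    if not ts:
        return 1.0
    return prod(model.get(t, 0.0) for t in ts) ** (1 / len(ts))

def is_anomalous(model, path, threshold=0.2):
    """Decide normality from the likelihood and a threshold (assumed 0.2)."""
    return instance_likelihood(model, path) < threshold

# Constructed sample history: no labels, only the paths that were observed.
HISTORY = (
    [["receive", "validate", "approve", "ship"]] * 8
    + [["receive", "validate", "reject"]]
    + [["receive", "validate", "escalate", "approve", "ship"]]
)
MODEL = learn_model(HISTORY)

if __name__ == "__main__":
    for p in (["receive", "validate", "approve", "ship"],
              ["receive", "validate", "escalate"],   # rare, still running
              ["receive", "approve", "ship"]):       # validation skipped
        print(p, round(instance_likelihood(MODEL, p), 3), is_anomalous(MODEL, p))
```

The skipped-validation instance is flagged without any rule or labeled exception describing it, which is the gap in rule-based and classifier-based monitoring that the background section points out.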

For the URL and more information on this patent, see: El-Rafei, Sherif M.; Farahat, Ahmed K.; Hassan, Hany M.; Mahfouz, Tamer A. Detecting Anomalous Process Behavior. U.S. Patent Number 8719190, filed July 10, 2008, and published online on May 6, 2014. Patent URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=26&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=1292&f=G&l=50&co1=AND&d=PTXT&s1=20140506.PD.&OS=ISD/20140506&RS=ISD/20140506

Keywords for this news article include: Information Technology, Information and Data Mining, International Business Machines Corporation.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC





Source: Information Technology Newsweekly

