News Column

"Detecting Anomalous Process Behavior" in Patent Application Approval Process

July 1, 2014



By a News Reporter-Staff News Editor at Information Technology Newsweekly -- A patent application by the inventors El-Rafei, Sherif M. E. (Nasr City, EG); Farahat, Ahmed K. (Kitchener, CA); Hassan, Hany M. (Redmond, WA); Mahfouz, Tamer A. (Cairo, EG), filed on February 14, 2014, was made available online on June 19, 2014, according to news reporting originating from Washington, D.C., by VerticalNews correspondents.

This patent application is assigned to International Business Machines Corporation.

The following quote was obtained by the news editors from the background information supplied by the inventors: "As companies need to streamline and rationalize their business processes, they tend to rely more heavily on specific data processing systems specialized in business process management. Such systems provide specific components such as a scheduler, transaction management facilities, service discovery, etc., to enable task orchestration in a heterogeneous environment. IBM WebSphere Process Server is such a business process management system based on IBM WebSphere Application Server. Based on a process model defined in an associated development environment, such as IBM WebSphere Business Modeler, the process server can then execute workflows and monitor them to gather various statistics on the executed processes.

"Monitoring systems gather statistics on key indicators to provide metrics on a company's processes and performance. An important monitoring activity is to detect faulty or anomalous processes. Traditional monitoring systems provide two approaches for detecting anomalous behavior in a monitored process. In the first approach, users manually employ sophisticated analysis techniques to detect significant situations, investigate their root causes, and then take the appropriate corrective actions. The main problem with this approach is that situations are detected after their occurrence, not while the process is performing. The second approach for anomalous behavior management depends on domain experts to define criteria for the detection of the anomalous behavior. These criteria are usually encoded in terms of condition-action rules which are used by the monitoring system to automatically detect and handle significant situations. The main problem with this approach is that it assumes a priori knowledge of the anomalous behaviors and therefore does not detect hidden, potentially more critical, situations.

"The state of the art technique in situation management involves: (1) the use of sophisticated analysis techniques to manually detect situations and investigate their root causes; and (2) the use of rule-based monitoring to automatically detect predefined situations.

"The first approach allows users to employ sophisticated analysis techniques to detect situations, and investigate their root causes. These techniques include multidimensional analysis, statistical analysis, and other data mining capabilities such as: clustering of data values; determining associations between data elements; discovering repeated sequences of events; classifying data into predefined classes; and predicting the values of data elements. There are two problems with this approach. First, users have to manually inspect a huge amount of events and data. Second, situations are detected after their occurrence, not while the process is performing.

"The second approach for situation detection depends on rule-based monitoring of the running instances. This approach allows domain experts to define criteria for the detection of critical situations. These criteria are encoded in terms of condition-action rules which are used by the system to monitor the running instances. Many inventions have proposed frameworks for defining and managing complex situations. For example, the U.S. patent application US 2005/0267765A1, filed by Jun-Jang Jeng et al., and entitled 'Apparatus and Method for Policy-driven Business Process Exception Handling' provides an exception management framework that allows developers to define exception policies in a declarative manner. Also, U.S. Pat. No. 6,604,093, filed by Opher Etzion et al., and entitled 'Situation Awareness System', provides a method for situation management that allows users to define complex events using event composition operators. The main problem with this approach is that it only covers obvious situations, and does not allow the detection of hidden, potentially more critical, situations. Also, the process of manually defining detection criteria is inefficient, time consuming, and error-prone.

"To solve some of the problems encountered in traditional situation management approaches, U.S. patent application US 2003/0149604A1, filed by Fabio Casati et al., and entitled 'Exception Analysis, Prediction, and Prevention Method and System', proposes a method that uses data mining techniques to generate classification rules that identities normal from exceptional process instances. The method is based on a training set of previously 'labeled' process instances. The generated rules can be either investigated by the users to identify the causes of exceptional behavior or stored in a repository and compared with running instances to automatically detect exceptional behaviors. This method has several problems. First, the method depends on labeled process instances to train the classifier and therefore it can only detect previously-known exceptions. Moreover, the classification rules do not encode the dynamic behavior of the process instance (i.e., the change of state). This means that the approach does not detect process instances that exhibit exceptional sequence of states/events."

In addition to the background information obtained for this patent application, VerticalNews journalists also obtained the inventors' summary information for this patent application: "According to a first aspect of the present invention there is provided a method for learning a behavior model of a workflow, the behavior model being associated with at least one value falling within a first predetermined range, and comprising a first set of paths, wherein a union of the paths form a directed graph corresponding to the workflow, the directed graph comprising a second set of nodes and a third set of transitions, wherein the method comprises: for each path comprised in the behavior model: identifying a fourth set of instances of the workflow among all instances of the workflow, wherein each of the instances to identify is associated with a value falling within the first predetermined range and any of the instances to identify corresponds to the path; computing a likelihood of the path as a function of the number of instances so identified; and assigning a weight to each transition of the third set of transitions as a function of the likelihood of the paths comprising the transition.

"One advantage is that the behavior model can be used for detecting anomalous processes that are either already executed or still running. A further advantage is that the behavior model can be continuously updated based on more recent process instances.

"According to a second aspect of the present invention, there is provided a method for monitoring an instance of a workflow, the instance being associated with a first value and with a first directed graph comprising a first set of nodes and a second set of transitions, the method comprising: identifying a behavior model, so that the first value falls within a predetermined range associated with the behavior model, and wherein the behavior model comprises a path which is a superset of the first directed graph; computing a likelihood of the instance as a function of weights associated with the transitions of the behavior model corresponding to the second set of transitions; and deciding on a normality of the instance as a function of the likelihood so computed and of a threshold.

"One advantage is that both executed and running instances can be analyzed and detected. A further advantage is that no specific rules are necessary to analyze a process and the proposed method can be used for any type of process.

"According to a third aspect of the present invention, there is provided an apparatus for carrying out the method according to the first or second aspect of the invention.

"One advantage is that this apparatus can be obtained very easily, thus making the method easy to execute.

"According to a fourth aspect of the present invention, there is provided a computer readable medium comprising instructions for carrying out the method according to the first or second aspect of the invention.

"One advantage is that this medium can be used to easily install the method on various apparatus.

"Further advantages of the present invention will become clear to the skilled person upon examination of the drawings and detailed description. It is intended that any additional advantages be incorporated herein.

BRIEF DESCRIPTION OF THE DRAWINGS

"Embodiments of the present invention will now be described by way of example with reference to the accompanying drawings in which like references denote similar elements.

"FIG. 1 shows a system implementing the present invention.

"FIG. 2 is a high level process depicting an implementation of the invention.

"FIG. 3 shows a high level process of the learning phase in an implementation of the invention.

"FIG. 4 shows a hierarchical clustering of process instances.

"FIG. 5 shows the search space for frequent patterns in an implementation of the invention.

"FIG. 6 shows a sample Weighted Finite State Transducer (WFST) that represents the behavior of a business process.

"FIG. 7 shows an overview of the data model in an implementation of the present invention.

"FIG. 8 shows a method for learning a WFST associated with a cluster, in an implementation of the present invention.

"FIG. 9 shows a finite state transducer representing all the legal sequences of events in a process definition, in an implementation of the present invention.

"FIG. 10 shows a finite state transducer representing the behavior of a process instance, in an implementation of the present invention.

"FIG. 11a shows the finite state transducer representing all the legal sequences of events, each legal sequence an arbitrary small weight, in an implementation of the present invention.

"FIG. 11b shows the union of all the transducers representing a possible sequence of states in the process, in an implementation of the present invention.

"FIG. 11c shows the resulting transducer with the probability of occurrence of each path, in an implementation of the present invention.

"FIG. 11d shows the WFST with the weights pushed toward the start, in an implementation of the present invention.

"FIG. 12 shows a method for monitoring executed process instances using WFST and measuring their normality, in an implementation of the present invention.

"FIGS. 13a and 13b illustrate the computation of the measure of normality of a sequence of events, in an implementation of the present invention.

"FIG. 14 shows a method for monitoring running process instances using WFST and measuring their normality, in an implementation of the present invention.

"FIG. 15 illustrates the computation of the threshold for the normality measure, in an implementation of the present invention.

"FIG. 16 shows a business process management system in which the present invention can be implemented."

URL and more information on this patent application, see: El-Rafei, Sherif M. E.; Farahat, Ahmed K.; Hassan, Hany M.; Mahfouz, Tamer A. Detecting Anomalous Process Behavior. Filed February 14, 2014 and posted June 19, 2014. Patent URL: http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.html&r=58&p=2&f=G&l=50&d=PG01&S1=20140612.PD.&OS=PD/20140612&RS=PD/20140612

Keywords for this news article include: Information Technology, Information and Data Mining, International Business Machines Corporation.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC


For more stories covering the world of technology, please see HispanicBusiness' Tech Channel



Source: Information Technology Newsweekly


Story Tools






HispanicBusiness.com Facebook Linkedin Twitter RSS Feed Email Alerts & Newsletters