RU2793549C1 - System and method for revealing the structure of patterns and anomalies in the stream of events coming from a cyber-physical system or an information system - Google Patents

Abstract

FIELD: computing technology.

SUBSTANCE: system for detecting patterns and anomalies in the flow of events coming from the CPS or IS contains a memory and a hardware processor with the ability to implement a storage subsystem designed to store the configuration of event fields, the episode configuration, the system configuration, as well as to store and load the neurosemantic network into memory according to the configurations and the previous state of the neurosemantic network; connectors designed to receive data about events, generate an episode consisting of a sequence of events received before one of the conditions is met, and transfer the generated episodes to the event processor; as well as an event processor designed to process episodes using a neurosemantic network.

EFFECT: enabling the possibility of identifying recurring events and patterns and classifying new events and new patterns as anomalies in operation of the cyber-physical system (CPS) or information system (IS) in the flow of events from the CPS or IS.

31 cl, 13 dwg, 1 tbl

Description

Technical field

The invention relates to the field of information technology and information management systems, including information and industrial security, and more specifically to systems and methods for identifying the structure of patterns and anomalies in the flow of events coming from a cyber-physical system (CPS) or an information system (IS) .

State of the art

Monitoring objects (hereinafter - objects) of CFS or IS are characterized by the presence of a data flow characterizing the operation of these objects. Such data serve as an important subject of analysis both in real time (online) and retrospectively based on the collected data to detect anomalies (deviations from the normal operation of the object), as well as to identify patterns in the normal operation of the object. The latter is very important for the object operator, because allows you to identify cause-and-effect relationships in the work of the object and draw conclusions about which aspect of these relationships was violated when the behavior of the object deviated from the norm.

The data streams coming from the object are divided into two groups:

• telemetry of CPS physical processes (sensor readings, setting values, levels of control actions), hereinafter referred to as telemetry;

• events in the CPS (individual commands, actions of personnel, alarms, etc.) and events in the IS (actions of personnel, establishment of connections and similar events in the data transmission network, transition of subsystems to one state or another), including including those accumulated using solutions such as SIEM, further - events.

To analyze data of the first type (telemetry of physical processes), predictive models based on neural networks and other machine learning methods are successfully used, hereinafter referred to as predictive detectors. Examples of such detectors are described, for example, in patents RU2724716, RU2724075, RU2749252, US11175976B2.

Physical processes have two properties that make predictive models possible:

- continuity: the physical process develops continuously and any of its parameters has a specific value at any moment of time, regardless of whether the value of the parameter is measured at this moment or not;

- strong interdependence: process parameters are rigidly interconnected in time; other things being equal, changes in one parameter always lead to changes in another parameter after a certain time at a certain rate (this does not mean that the laws of such changes are known; it is precisely their establishment that is the task of machine learning).

The data of the second type is a stream of events.

An event is a non-developing atomic change in the state of an object, which is characterized by the moment in time when the change occurred and a set of fields (event fields) whose values describe the composition of the change.

Patterns are sequences of elements (events or other patterns) into which the stream of events from the monitoring object is divided, corresponding to individual subprocesses in the operation of the object. One pattern corresponds to two sequences from the same set of elements, provided that the intervals between the elements of the two sequences of elements are within the specified limits and / or the order of the elements varies within the specified limits, in particular when the composition and order of the elements are strictly observed, and the intervals between the elements vary in given limits. In the case when a pattern consists of other patterns, such a pattern is called a compound or just a pattern, and other patterns are called nested. This hierarchical nesting of patterns is called pattern structure. Each pattern, through nested patterns, can be represented as a sequence of events.

Within each pattern, events or nested patterns follow a specific order. The intervals between them, on the one hand, are random (there is no exact repeatability of time intervals), but on the other hand, they are within certain limits implicitly specified by the specifics of the object's functioning.

Patterns can be repetitive (but not necessarily periodic) or new (occurred once). Repeating patterns characterize the learned work of the object during the monitoring time. A new event or new pattern indicates an anomaly in the operation of an object - an event or sequence of events that was not previously observed. New patterns and, accordingly, anomalies will be considered as sequences of events with a significant change in the intervals between events while maintaining the sequence of events of a previously known repeating pattern, and with a violation of the actual sequence of events (change of order, omission or appearance of new events) compared to previously known repeating ones. patterns.

Therefore, a technical problem arises, which consists in identifying the structure of hierarchically nested repeating (but not necessarily periodic) patterns in the flow of events from CPS or IS, which reflects cause-and-effect relationships in the flow of events from CFS or IS, as well as in assigning new patterns and new events to anomalies. That is, information about which event or pattern or which part of the pattern structure was not previously observed indicates the presence of an anomaly in the FSC or IS.

Despite the fact that an experienced operator, familiar with the patterns of his object, is able to detect anomalies in the flow of events, the psychophysical capabilities of a person do not allow him to cope with the flow of information coming from modern complex objects (tens and hundreds of events per second). Processing such a flow of information in real time is only possible with the help of an automated system based on machine learning and artificial intelligence (AI).

However, the flow of events does not have any of the above properties of physical processes, namely the following.

First, the flow of events is discrete: events exist only at specific moments in time and are not defined in the intervals between them. This circumstance does not allow the use of approaches based on modeling continuous functions, which underlie many machine learning methods.

Secondly, the interdependence of events, as a rule, is weak: events form repeating sequences (for example, the event “FSC operator entered the machine room” arrives, after which the event “command to turn on the unit was given”) arrives, however, the time intervals between events within the sequence can vary widely (in the example above, the normal interval between events is 4 to 8 minutes).

Thus, technologies and predictive detectors used when working with continuous processes are not suitable for event analysis due to the specific properties of events.

Known approaches in the field of searching for anomalies in sequences of events can be conditionally divided into three classes:

1) using the principle of searching for events and sequences of events by signatures (predetermined rules), see, for example, US9529690B2, US20170293757A1;

2) based on machine learning, operating on the principle of learning on some historical sample from the stream of events, see, for example, US20200143292A1;

3) based on the search for patterns in the stream of symbolic information, for example, using the Sequitur algorithm.

The first class of solutions can be attributed to the class of diagnostic rules (search for anomalies according to specified criteria). Solutions in this class are sensitive only to previously known scenarios, moreover, their use is associated with significant difficulties in taking into account possible variations in the time intervals between events in the sequence of events.

The second class of decisions is subject to various kinds of errors associated with the initial incompleteness of the events presented in the historical sample, their order and time intervals in the sequences.

The advantage of the third class is that the search is conducted on an open data stream - neither the training sample nor the set of patterns is limited in advance. However, this class does not take into account the variability of time intervals between characters and does not work with multidimensional character streams, which you have to deal with when working with events.

It follows from the foregoing that the technologies known from the prior art do not allow solving the claimed technical problem. Therefore, there is a need to solve this technical problem and the claimed invention.

Disclosure of the essence of the invention

The first technical result is to identify repetitive events and patterns and to attribute new events and new patterns to anomalies in the operation of the FSC or IS in the flow of events from the FSC or IS. The first technical result is achieved through machine learning methods based on a neurosemantic network without the need to divide the work process into two phases isolated from each other: a) training on historical data and b) recognition (eng. inference).

The second technical result is to recognize the structure of patterns in the flow of events from the FSC or IS. The second technical result is achieved through machine learning methods based on a neurosemantic network without the need to divide the work process into two phases isolated from each other: a) learning from historical data and b) recognition.

The third technical result is to improve the quality of detection of events and patterns and their assignment to an anomaly in the work of the FSC or IS. The third technical result is achieved due to each of the following factors: continuous online learning, additional optimization of the neurosemantic network during a special phase of the work cycle in the "sleep" mode (see Fig. 4 ) of the system, a mechanism for selective monitoring of neurosemantic activity networks based on special monitor neurons, interaction with predictive detectors that detect anomalies in the telemetry stream.

The fourth technical result is to improve the quality of detecting patterns and anomalies in the FSC or in the IS if the data contains only a small number of examples of sequences of events corresponding to the pattern (one-shot learning) through the use of a neurosemantic network.

The fifth technical result is to reduce the level of information noise in the event stream by using the mechanism of attention to the values of the event fields that characterize a specific FSC or IS.

According to the implementation variant, a system is used to detect patterns and anomalies in the flow of events coming from a cyber-physical system (CPS) or an information system (IS) containing memory and a hardware processor with the ability to implement: a storage subsystem designed to store the configuration of event fields, episode configuration, system configuration, as well as for storing and loading into the memory of the neurosemantic network according to the mentioned configurations and the previous state of the neurosemantic network; connectors designed to: receive data about events, including for each event a set of field values and an event timestamp; forming at least one episode, consisting of a sequence of events received before one of the conditions is met: a time limit is reached or a limit number of events is reached - or before the fulfillment of one of the mentioned conditions, which was met first; transferring the generated episodes to the event processor; an event processor designed to process episodes using a neurosemantic network, moreover, episode processing includes: recognition of events and patterns previously learned by the neurosemantic network - sequences of events in which the order of events is observed, and the time intervals between events are within the specified limits stored in the form of neurons neurosemantic network, and the activation of these neurons; neurosemantic network training, which consists in creating and activating neurons that are associated with new event field values, new events, as well as new patterns and activating previously learned neurons so that the previously learned and new patterns of the neurosemantic network cover all the events of the episode; revealing the structure of patterns by matching the patterns of neurons on the hierarchy of layers of the neurosemantic network; classifying events and patterns corresponding to neurons of the neurosemantic network as an anomaly depending on the number of activations of the corresponding neuron; saving the state of the neurosemantic network, in particular information about the created and activated neurons, in the storage subsystem.

According to one of the particular implementation options, episode processing additionally includes identifying events and patterns of the neurosemantic network that meet predefined criteria, and generating output information about these events and patterns by using special monitor neurons of the neurosemantic network, which, by activating monitor neurons, track the creation and activation of neurons corresponding to events and patterns, and the mentioned criteria are set at least: on the values of the fields of individual events and events in patterns; on the sign of the recurrence of such events and patterns; on a sliding time interval to track such activations and the number of such activations on a sliding time interval.

According to one of the particular implementation options, the optimal coverage of all episode events is selected according to the hierarchical principle of the minimum description length, or the most compact coverage of all events of the current and previous episodes is selected.

According to another particular implementation variant, the processing of the episode occurs in the neurosemantic network in layers.

According to another particular implementation variant, the structure of the pattern is revealed through the hierarchy of layers of the neurosemantic network on which the neurons are located, and on the zero (terminal) layer there are neurons of the values of the event fields grouped by channels corresponding to the event fields, on the first layer there are event neurons, on the second layer there are patterns consisting of events, on the third and higher layers there are patterns consisting of patterns of the previous layer (nested patterns).

According to one of the private implementation options, neurons corresponding to the values of the event fields are located on the zero layer of the neurosemantic network, grouped by channels corresponding to the event fields, and the duration of the terminal neuron is taken as 0; on the first layer there are neurons corresponding to events and having inputs from neurons of the terminal layer, with each input corresponding to a terminal neuron of a channel different from the channels of terminal neurons of other inputs; time intervals between event inputs from field values are taken as 0, and the total duration of the event neuron is accordingly taken as 0 - the event has no duration; on the second layer there are neurons corresponding to episodes, the number of inputs of the neuron of the episode is equal to the number of events in the episode, the intervals between events in the episode are exactly stored as the intervals between the inputs of the neuron of the episode; the second and subsequent layers also contain neurons corresponding to the sequences of events, and the neurons of layers 3 and above have inputs from the neurons of the previous layer and the opening of the pattern neuron to the sequence of events is carried out through recursive disclosure of all its inputs - up to the first layer, and the event is expanded to the values fields through their inputs from terminal neurons.

According to another particular implementation variant, the event processor is additionally designed to configure, save and restore the neurosemantic network from the storage subsystem, and the configuration of the neurosemantic network includes: configuring the input channels of the neurosemantic network in accordance with the event fields specific to a particular CPS or IC; configuring the attention of the neurosemantic network by setting attention directions for filtering received events based on criteria for field values for pattern recognition among events filtered for each such direction; configuring permissible temporal deviations in the duration of the pattern, within which the neurosemantic network will interpret sequences of the same events or nested patterns, but with different total durations of such sequences, as the same pattern; configuring the hyperparameters of the network layers, which are responsible for the number of inputs of neurons on the layer; configuring the network hyperparameter responsible for the allowable number of layers of the neurosemantic network.

According to another particular implementation variant, the event processor is additionally intended for: configuring neurosemantic network activity monitors (output channels) by creating special monitor neurons that are activated based on a subscription to other neurons or layers on which new neurons are created, the neurosemantic network, and the subscription is formed according to the criteria specified in terms of the values of the event fields, the sliding time interval and the number of activations of the neurons to which such a subscription is made; execution of user requests on the history of events and patterns; performing periodic optimization of the neurosemantic network in the "sleep" mode of the system, including optimizing the structure of patterns, as well as pattern recognition over long time intervals; performing permanent storage of the state of the neurosemantic network, in particular, information about patterns and statistics of their activations on the event stream, as well as processed information about event episodes.

According to one of the particular implementation options, a system is used that additionally contains a graphical user interface, through which the configurations of the neurosemantic network and connectors are controlled, the configuration of neurosemantic network activity monitors and the output of information about them and their operation, setting user queries on the history of patterns and events and displaying the results of such requests, control of the "sleep" mode and settings for saving the state of the neurosemantic network.

According to another particular implementation variant, learning is partially stopped by forcing the neurosemantic network into a mode where no new neurons are created, and all learning occurs only by changing neurons when they are activated, in particular, the neuron attribute responsible for the frequency of its activation or for number of activations.

According to another particular implementation variant, the possibility of training a neurosemantic network "with a teacher" is used by supplying training-targeted patterns to the input and then modifying the attribute in the formed neurons that is responsible for the frequency of its activation, or, in particular, for the number of activations.

According to one of the particular implementation options, the data storage subsystem additionally serves to provide the possibility of saving the firings (hereinafter, the detections) of monitor neurons.

According to another particular implementation, the storage subsystem further serves to enable the event processor to restart after a stop while retaining previously learned events and patterns.

According to another particular embodiment, the event processor periodically removes unused pattern neurons from the neurosemantic network, and the use of neurons is determined by the statistical properties of neurons and the hierarchical principle of the minimum length of the description of the neurosemantic network functioning.

According to one particular implementation, the event processor processes episodes consisting of a single event in parallel on a massively parallel processor hardware architecture; or performs processing of episodes consisting of a plurality of events sequentially on a single hardware processor, and the number of events in an episode is selected based on the requirements to provide information about the monitoring of the FSC or IS in a mode acceptable to the user of the system.

According to another particular implementation variant, events come from predictive detectors via FSC telemetry and/or directly from FSC.

According to the implementation variant, a method is used to detect patterns and anomalies in the stream of events coming from the FSC or IS, in which: using at least one connector, the following steps are performed: event data is obtained, including for each event a set of field values and an event timestamp ; at least one episode is formed, consisting of a sequence of events received before one of the conditions is met: the time limit is reached or the limit number of events is reached - or before the fulfillment of one of the mentioned conditions that was met first; transmitting the generated episodes to the event processor; using the event processor, the episodes are processed using the neurosemantic network, and the episode processing includes: recognition of events and patterns previously learned by the neurosemantic network - sequences of events in which the order of events is observed, and the time intervals between events are within the specified limits stored in the form of neurons neurosemantic network, and the activation of these neurons; neurosemantic network training, which consists in creating and activating neurons that are associated with new event field values, new events, as well as new patterns and activating previously learned neurons so that the previously learned and new patterns of the neurosemantic network cover all the events of the episode; revealing the structure of patterns by matching the patterns of neurons on the hierarchy of layers of the neurosemantic network; classifying events and patterns corresponding to neurons of the neurosemantic network as an anomaly depending on the number of activations of the corresponding neuron; saving the state of the neurosemantic network, in particular information about the created and activated neurons, in the storage subsystem.

According to one of the particular implementation options, episode processing additionally includes identifying events and patterns of the neurosemantic network that meet predefined criteria, and generating output information about these events and patterns by using special monitor neurons of the neurosemantic network, which, by activating monitor neurons, track the creation and activation of neurons corresponding to events and patterns, and the mentioned criteria are set at least: on the values of the fields of individual events and events in patterns; on the sign of the recurrence of such events and patterns; on a sliding time interval to track such activations and the number of such activations on a sliding time interval.

According to one of the private implementation options, learning is partially stopped due to the forced transfer of the neurosemantic network to a mode where the creation of new neurons does not occur, and all learning occurs only by changing neurons when they are activated, in a particular case, the neuron attribute responsible for the frequency of its activation changes or for the number of activations.

According to another particular implementation variant, the possibility of training a neurosemantic network "with a teacher" is used by supplying training-targeted patterns to the input and then modifying the attribute in the formed neurons that is responsible for the frequency of its activation, or, in a particular case, for the number of activations.

According to another particular implementation option, unused pattern neurons are periodically removed from the neurosemantic network, and the use of neurons is determined by the statistical properties of neurons and the hierarchical principle of the minimum description length that determines the functioning of the neurosemantic network.

According to one of the particular implementation options, the structure of patterns is revealed through the hierarchy of layers of the neurosemantic network, which determines the order of the layers of the neurosemantic network on which the neurons are located, and the neurosemantic network for event processing is used as follows: on the zero (terminal) layer of the neurosemantic network, there are neurons corresponding to the values of the fields events grouped by channels corresponding to the event fields, and the duration of the terminal neuron is taken as 0; on the first layer there are neurons corresponding to events and having inputs from neurons of the terminal layer, with each input corresponding to a terminal neuron of a channel different from the channels of terminal neurons of other inputs; time intervals between event inputs from field values are taken as 0, and the total duration of the event neuron is accordingly taken as 0 - the event has no duration; on the second layer there are neurons corresponding to episodes, the number of inputs of the neuron of the episode is equal to the number of events in the episode, the intervals between events in the episode are exactly stored as the intervals between the inputs of the neuron of the episode; on the second and subsequent layers there are also neurons corresponding to the sequences of events, and the neurons of layers 3 and above have inputs from the neurons of the previous layer and the opening (expand) of the pattern neuron to the sequence of events is carried out through recursive disclosure of all its inputs - up to layer 1, and the event is expanded to the values of the fields through its inputs from the terminal neurons.

According to another particular implementation variant, each episode is sequentially processed on the layers of the neurosemantic network: by matching the values of the event fields of terminal neurons, by matching the events of the first layer neurons, by creating top-episode neurons on the second layer, by matching the sequences of events of pattern neurons on the second and higher layers up to the layer on which one neuron of the top pattern will be matched or the maximum layer will be reached.

определяемого длительностью нейрона паттерна d и гиперпараметром нейросемантической сети σ > 0.According to another particular implementation variant, the activation of the pattern neuron is performed when a sequence is recognized in the event stream, with the order of events corresponding to the order of events obtained by opening this neuron, performed recursively through its inputs up to the first layer, and the duration of the detected sequence within the interval

determined by the duration of the pattern neuron d and the hyperparameter of the neurosemantic network σ > 0 .

According to another particular implementation variant, the user creates or changes during the operation of the neurosemantic network on a special minus the first layer neurons-monitors that allow monitoring the creation and activation of neurons of the neurosemantic network according to specified conditions; moreover, monitor neurons are used as output channels from the neurosemantic network to alert the user or external systems.

According to another particular implementation variant, the neurons of layers 0 and above have at least the following properties: they contain a vector of input connections from neurons of the previous layer; for layer 0, the vector contains one categorical or converted to categorical value of the event field; contain a vector of time intervals between activations of connections from neurons of the previous layer, fixed during the creation of the neuron; moreover, for layer 0 this vector consists of one zero value; for neurons of layers 1 and above that have only one input, the duration of a single input is taken equal to the duration of a single input neuron; in the presence of output connections, they contain a set of the mentioned output connections to monitor neurons minus the first layer; contain the time of the last activation of the neuron; contain a statistical parameter reflecting the frequency of neuron activations, in particular, the number of activations.

According to one of the particular implementation options, the attention configuration of the neurosemantic network is additionally set by setting attention directions for filtering received events based on criteria for field values for pattern recognition among events filtered for each such direction.

According to another particular implementation variant, each episode is sequentially processed on layers from the second and higher in each direction of attention in the case of setting an attention configuration, up to the layer on which the top pattern is matched for this direction of attention or the maximum layer is reached.

According to another particular implementation variant, a neuron is matched during processing by activating a neuron of the corresponding layer, if it is found (recognized), or by creating and activating a new neuron if a new field value, event or pattern is observed, depending on the layer.

According to one of the particular implementation options, the hierarchical structure of patterns on the layers of the neurosemantic network is optimized due to the periodic transition of the neurosemantic network to the "sleep" mode, in which events in episodes are not processed or are processed in parallel on other computing resources; at the same time, in the "sleep" mode, processing of events from the interval of the event history obtained by combining several short episodes and ordering events according to their timestamps is performed for cases where some of the events in the stream came outside of their episode, as well as processing at long intervals for those directions attention, in which events are rare, or in the case of changing directions of attention.

According to another particular implementation, monitor neurons (neurons minus the first layer) have at least the following properties: they contain at least one input to which a dendritic tree is attached with nodes that implement logical operations on the outputs attached to them from other neurons or from network layers ; contain a dendritic node attached to the root of the dendritic tree with a logical operation "or" and attached outputs from neurons of layers 0 and above, used to detect activation of field values, events and patterns already learned by the network; the criterion for subscribing a neuron-monitor to the activation of such neurons is set through the definition of conditions for field values; contain 0 or more other dendritic nodes connected to the “or” node with the logical operation “and”, to which, in turn, outputs from layer 0 neurons are connected, corresponding to field values and outputs directly from layers 0 and above, which are used to detect the creation of new neurons corresponding, depending on the layer, to field values, either events or patterns; dendritic nodes “and” set the conditions for what field values the neurons created on the specified layers should have in order to activate this neuron-monitor; have the ability to dynamically change the set of monitor neuron inputs from network neurons - automatically add new created neurons to the dendritic node “or” that meet the criteria of the dendritic node “and”; have the ability to set the "attention" option to the values of the subscription fields and create child monitor neurons for each unique value or a unique combination of such values of such fields, becoming a parent monitor neuron; child monitor neurons will count the number of activations with this unique value and other subscription conditions, like the parent monitor neuron, and notify the parent monitor of their firing; have the ability to subscribe both to previously created and activated more than once neurons, and only to new neurons (which are activated once), as well as to both; while subscribing only to new neurons considers such neurons as corresponding to anomalies in the flow of events - that is, corresponding to unseen field values, or events, or sequences of events in the CPS or IS behavior previously learned by the neurosemantic network; contain a property for setting a sliding monitoring interval and the amount of activation of the monitor neuron on the sliding interval, upon reaching which the monitor neuron will generate a notification to the user or other systems.

Brief description of the drawings

Additional objects, features and advantages of the present invention will become apparent from reading the following description of an embodiment of the invention with reference to the accompanying drawings, in which:

Fig. 1 is an example of the interaction of the claimed system with FSC, anomaly detection tools in telemetry and IS.

Fig. 2 is a diagram of the components of the claimed system.

Fig. 3 represents the main operation cycle of the claimed system.

Fig. 4 represents the sleep mode operation of the claimed system.

Fig. 5 represents the processing of a request to search for a history of patterns or anomalies.

Fig. 6 represents the processing of a request to create a performance monitor of the claimed system.

Fig. 7 represents the basic layer structure of the neurosemantic network for event processing.

Fig. 8 presents the main characteristics of the neuron of the neurosemantic network and its application to the analysis of the flow of events based on the processing of episodes.

Fig. 9a presents an example of processing an episode by a neurosemantic network for the case when attention directions are not defined.

Fig. 9b shows an example of episode processing for the case where one direction of attention is defined.

Fig. 10 presents examples of processing intervals between inputs of episode neurons, including cases of "transient" neurons with one input, on neurosemantic network layers.

Fig. 11 shows an example of the implementation of neurosemantic network activity monitors using special monitor neurons on the minus first layer of this network.

Fig. 12 is an example of a general purpose computer system with which the present invention may be implemented.

Implementation of the invention

The gist of the present invention, the method for achieving the gist of the invention will become apparent by referring to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, but may be embodied in various forms. The foregoing description is intended to assist a person skilled in the art in a thorough understanding of the invention, which is defined only within the scope of the appended claims.

Glossary

Information system (English information system, IS) - a set of computing devices and communications used for their communication.

A cyber-physical system (CFS) is an information technology system that integrates computing resources into physical processes. Examples of a cyber-physical system are automated process control systems, the Internet of Things (including wearable devices), and the industrial Internet of Things.

Technological process (TP) - a physical process, accompanied by a stream of telemetry.

Telemetry - telemetry of CFS physical processes (values of technological parameters, settings, control parameters).

Process Variable (PV) - the current measured value of a certain part of the TP, which is observed or controlled. The process variable can be, for example, a sensor measurement.

Setpoint - the supported value of the technological parameter.

Manipulated Variable (MV) is a variable that is adjusted to keep the process variable at the setpoint.

Object - monitoring object, IS or FSC.

An event is a non-developing atomic change in the state of an object, which is characterized by the moment in time when the change occurred and a set of fields (event fields) whose values describe the composition of the change.

Patterns are sequences of elements (events or other patterns) into which the stream of events from the monitoring object is divided, corresponding to individual subprocesses in the operation of the object. One pattern corresponds to two sequences from the same set of elements, provided that the intervals between the elements of the two sequences of elements are within the specified limits and / or the order of the elements varies within the specified limits, in particular when the composition and order of the elements are strictly observed, and the intervals between the elements vary in given limits. In the case when a pattern consists of other patterns, such a pattern is called a compound or just a pattern, and other patterns are called nested. This hierarchical nesting of patterns is called pattern structure. Each pattern, through nested patterns, can be represented as a sequence of events.

Patterns can be repetitive (but not necessarily periodic) or new (occurred once). Repeating patterns characterize the learned work of the object during the monitoring time. A new event, or a new pattern, or a new part of the pattern structure indicates an anomaly in the operation of the object - an event or sequence of events that was not previously observed.

To track events and patterns, the system provides a special mechanism (technology along with a software and user interface) that allows you to notify the user or other systems about the occurrence of certain statistical and categorical conditions. For example, an alert is triggered if a pattern or event that satisfies certain criteria for the values of the event fields and their novelty occurs on a given sliding window a number of times that exceeds a given threshold. The most general concept of an anomaly within a given system is an event or pattern that has met for the first time. If the system starts from scratch, then all events and patterns will first occur for the first time. Therefore, before turning on notifications, it is advisable to give the system some time (depending on the monitored object), “listen” to the flow of events and form a set of patterns and events typical for the operation (usually normal) of the object.

An event processor is a proposed technical solution and a component based on it, designed to process events in a CPS or IS. The event processor may be a hardware processor, an example of which is shown in FIG. 12 (processor 21 ), functionally modified to perform the specified functionality, or by a software module executing on a hardware processor that is configured to implement the specified functionality. In a particular case, the hardware processor for the event processor can be implemented as a special neuromorphic processor containing many elements corresponding to the neurons of the impulse network or its varieties, which can process input signals in a massively parallel mode and generate output signals.

Attention - an option that indicates to the system directions in the general flow of events, among which the event processor will search for patterns.

Direction of attention - a filter on the flow of events, highlighting events by field values (one or more, including their dynamic setting is possible). For a certain direction of attention, the event processor searches for patterns only among events, each of which contains the specified field values. An event processor can have many directions of attention.

A predictive detector is a tool for analyzing the telemetry of physical processes that operates on the principle of a predictive model based on neural networks and other machine learning methods.

Diagnostic rules - solutions for the analysis of telemetry of physical processes, used in cases where the criteria for anomalies are defined and formalized.

SIEM (English security information and event management) is a system that provides real-time analysis of information security (IS) events from network devices and applications.

neurosemantic network

The present invention proposes a solution to the problem of identifying (recognizing and / or creating new) patterns and, accordingly, detecting anomalies in the flow of events based on the use of the neurosemantic network proposed in [1, 2], which by its nature is closest to the impulse (Eng. .spiking) neural network.

The neurons of the neurosemantic network, as well as the neurons of the impulse neural network, are activated by input impulses. However, the neuron of the neurosemantic network has an important difference - it is sensitive to the order and intervals between activations of its inputs. This property makes the neurosemantic network a highly effective tool for working with event streams, identifying stable sequences in them, thereby providing the user with a structure of cause-and-effect relationships of events from the monitored object, as well as for identifying new events and new sequences of events as signs of possible deviations from the learned to this normal behavior (functioning) of the object.

The traditional or classical neural network used in predictive models is an approximator of a continuous function of a large number of variables. At each point in time, the output of a classical neural network is determined by the values of its input parameters.

An impulse neural network has a different structure: the data in it is distributed in the form of spikes - instantaneous excitations of neurons, and in the neurosemantic network, the sequence of occurrence of spikes at the inputs of a neuron and the intervals between spike arrivals are of decisive importance for the generation of its own spike by a neuron. It is easy to see that spikes are intuitively similar to events.

The neurosemantic network starts its work on identifying patterns from a pure state, while the number of patterns to be detected and their length are not known in advance (they are not set), however, it is possible to set the attention directions of the neurosemantic network in order to focus the detection of patterns during event processing on certain events and avoid “noise” patterns by those events that are less relevant.

The neurosemantic network does not have a dedicated pre-training period. It constantly learns, builds and modifies its network as it receives new events from the event stream. If a newly identified sequence of events begins to repeat itself steadily, it turns from an anomaly into a pattern. And vice versa, if the pattern has not been seen for a long time, the neurosemantic network can “forget” it, and then the next appearance of this sequence will already be regarded as an anomaly.

The present invention uses the representation of an event as a set of values for a certain set of fields defined for a given object. For example, in a particular CFS variant, the event fields can be as follows: operator name, operator terminal, installation block, installation block state. In another private variant of the IS, the event fields can be as follows: user name, IP address of the user's terminal, IP address of the server in the office network, verdict issued by the server on the user's request. The event fields are assigned in a special way to the input channels and neurons of the neurosemantic network.

In this approach, one can point to an analogy with the analysis of telemetry parameters from different sources, for example, the temperature, pressure and filling level of the FSC reactor can be considered as three channels (three fields) of input information.

In a particular implementation, it is possible to forcibly partially stop the learning process of the neurosemantic network by stopping the creation of new neurons in the network that respond to new events and patterns. At the same time, partly, learning still occurs due to the modification of previously created neurons when they are activated when the patterns, events, or values of event fields corresponding to neurons are recognized in the event stream. Such a use case may be appropriate in a number of cases when the user knows for sure that when training the network he presented all variants of the normal behavior of the object, and wants to “freeze” this knowledge, thereby detecting as anomalies all new events and their sequences that did not take place in the stream of events presented during training. In such a case, the network will try to present a new sequence of events from previously occurring patterns and events, without combining them into a new pattern. If a new event is encountered, the system will try to represent it in terms of the values of the fields of previously occurring events, without creating such an event itself. If a value of the event field is encountered that has not previously taken place, then the network will not activate any of its neurons, and there will be a gap in the representation of the flow of events in the form of known values of the event fields, events and patterns. A user alert can also be generated for such a gap.

In the present invention, the main component of the proposed system and method for identifying the structure of patterns and anomalies in the flow of events coming from the FSC or IC is called an event processor.

To receive the event stream, specialized connectors (software or firmware modules) to event sources are used. In a particular implementation of events from the SIEM subsystem, this can be a connector that supports the transmission of events and their parameters in the CEF (Common Event Format) format. In another particular implementation, these may be events from message brokers of other subsystems. In another particular case, these can be events from the Active Directory or Net Flow protocols. The above particular implementation options do not limit the application of the invention to other event sources.

In a particular implementation, the event processor can be used as a standalone detector if the object data contains only events. Such an application is typical, for example, for analyzing the actions of employees in order to identify erroneous or malicious operations.

Industrial facilities typically generate both types of data (process telemetry and events). In this case, the predictive anomaly detection detectors for the telemetry stream and the event processor complement each other. Anomalies detected by a predictive detector or a diagnostic rule can be interpreted as events and sent to the event processor along with events received directly from the monitored object. This two-level detection provides users with new opportunities to identify problem situations.

In a particular practical example, this might look like this. Pumping station compressor performance describes a continuous physical process and is monitored by a predictive detector. The start of an adjacent compressor introduces significant distortions in these indicators and leads to the registration of an anomaly by a predictive detector. This anomaly is fed as an event to the input of the event processor along with commands to start neighboring compressors. At the same time, there is no rigid connection in time between the command to start the neighboring compressor and the detection of an anomaly by the predictive detector on the first compressor, since the duration of this interval in a particular case is determined by a large number of factors, including those not observed by the predictive detector. Nevertheless, the event processor detects the corresponding pattern, and if this pattern is violated, it notifies the user about an anomaly: when the distortion of the first compressor's performance occurred outside the context of starting another compressor, or when the start of an adjacent compressor did not cause a corresponding change in the behavior of the first one.

The predictive detector and the event processor solve one common task: the detection of hidden anomalies in the operation of the monitored object, but they use different types of data for this and, as a result, different machine learning methods. Comparative features of these types of detectors are summarized in the table below.

Predictive detector Event Processor Data Telemetry of continuous physical processes Events (commands, personnel actions, etc.) Education Requires pre-training on a large amount of historical data. The detector learns internal patterns and rules that determine the course of the process. It is not necessary to formulate the process equations in advance. Continuous learning in the process of analyzing the flow of events. The event processor learns the patterns. It is not necessary to formulate descriptions of patterns in advance. Anomaly detection Anomalies in telemetry are detected - deviations from the normal course of the process: unusual changes in values and trends, mismatch in the mutual behavior of technological parameters. Anomalies are detected - violations of patterns (missing or extra events, wrong order, unusual intervals between events, new events).

Thus, the present invention proposes a solution to one of the urgent problems in the field of information and control systems, including information and industrial security, the problem of detecting anomalies - anomalous events and anomalous sequences of events, as well as the accompanying problem of automatic interpretation of the structure of a regular flow of events based on the identification of patterns and their structure in the flow of events from the monitoring object - FSC or IS.

Composition and methods of functioning

OnFig. 1 an example of the interaction of the claimed system is presented to identify the structure of patterns and anomalies in the flow of events coming from a cyber-physical system or an information system300 (hereinafter - the system for identifying the structure of patterns and anomalies300 or system300), with cyber-physical system100(FSC100), means of detecting anomalies in telemetry200 (including diagnostic rules201 and predictive detector based on machine learning202) and information system400(IP400), and also describes the method of operation of the claimed system300. Examples of CFS100 are: process automation systems, Internet of things, industrial Internet of things.

System300 receives events500 directly from one or more of the following systems: FSC100, IP400, from anomaly detection tools in telemetry200. Events500 come to the connectors for receiving events and providing information about anomalies and patterns304 (hereinafter - connectors304). Connectors304 - software or software and hardware modules designed to receive events, that is, data about events, including for each event a set of field values and an event timestamp, as well as to provide information about anomalies and patterns. Moreover, the time stamp of the event can be either the time the event was generated, the time the event was received, or another point in time characterizing the event. Connectors304 can be implemented as services or processes running on the hardware processor of a computer (see an example onFig. 12). System300 may contain a user interface303, which allows you to monitor the activity of the neurosemantic network and make queries on the history of events and patterns. The mentioned history is stored in the neurosemantic network and in the storage subsystem302 a set of specially structured information (the structure is determined by the neurosemantic network) about events500 and identified patterns, as well as timestamps. Access to the history of events and patterns can be provided through the user interface303, an example of which is shown inFig. 5. Storage subsystem302 can be represented by memory (e.g. memory22 or a special file bit-by-bit compactly storing the neurosemantic network, or a database with special tables for storing the structures of the neurosemantic network, etc.) and a data processing module in this memory, executed, for example, on a computer hardware processor.

Tools for detecting anomalies in telemetry200 (hereinafter - detectors200) receive telemetry data from FSC100 and transmit the detected anomalies in telemetry in the form of events to the system300.

In a particular implementation, the detectors 200 are made in the form of a predictive detector 202 based on machine learning (for example, in accordance with patents RU2724716, RU2724075, RU2749252, US11175976B2), information about anomalies in the FSC telemetry 100 additionally includes such information about the anomaly in telemetry, such as time detection (also - detection or operation) of an anomaly in telemetry, the time interval for observing an anomaly in telemetry, the main telemetry parameters of FSC 100 (hereinafter referred to as FSC parameters) that contributed to the anomaly in telemetry, - the names of FSC parameters and their values at the time of detection or on throughout the interval of the anomaly in the telemetry, information on the method of detecting the specified anomaly in the telemetry in the detector 200 . At the same time, the parameters of the FSC include the technological parameters of the FSC (that is, telemetry data of the FSC 100 ). The event processor 301 processes the stream of events 500 with the neurosemantic network and periodically stores the state of the neurosemantic network in the storage subsystem 302 .

In yet another particular implementation, the detectors 200 include a limit-based detector (the simplest variation of the diagnostic rule 201 ) that determines an anomaly in telemetry when the value of at least one FSC parameter from a subset of FSC parameters is outside a predetermined range of values for the specified FSC parameter. In this case, the specified ranges of values can be calculated from the values of the characteristics or documentation for the FSC 100 or obtained from the operator of the FSC through a feedback interface, such as user interface 303 .

In another particular implementation, the detectors 200 include a detector based on diagnostic rules 201 formed by specifying a set of FSC parameters used in the diagnostic rule and a method for calculating the values of the auxiliary FSC parameter, which is an indicator of the fulfillment of the criteria of this diagnostic rule. As a result, the diagnostic rules module determines an anomaly in telemetry in the FSC according to predetermined criteria for the behavior of the FSC parameters.

On FIG. 2 shows the components of the claimed system 300 .

The present invention uses an approach whose key component is an event processor based on a neurosemantic network 301 . The general principles of the neurosemantic network are described in [1, 2]. The principles of using the neurosemantic network for event processing are illustrated in Figs 2-11 .

Thus, events 500 arrive as a stream of events from one or more of the following systems: system 100 , detectors 200 , or system 400 to connectors 304 . Event data 500 is represented as a set of field values and a timestamp. Field values can take categorical values or numerical values. In a particular implementation of connector 304, events 500 may be in CEF (Common Event Format) format. In another particular implementation, the numerical values of the event fields 500 are converted into categorical (symbolic) values, for example, by sampling with a given precision. In another variant, special layers can be built into the neurosemantic network, which allow comparing different numerical values (see examples in [1, 2]).

Connectors 304 are also designed to generate (accumulate) episodes - a time-limited and/or event-limited sequence from the entire event stream 500 , consisting of at least one event 500 . In one particular implementation, an episode is considered accumulated (generated) when one of the following conditions is met:

a) the accumulation time has reached the threshold specified in the system configuration 302i (for example, 1 second) - in this case, the episode will include a sequence of events that arrived during the specified accumulation time;

b) the number of accumulated (received) events 500 has reached the threshold specified in the system configuration 302i (for example, 4096 events 500 ) - in this case, the episode will include a sequence of received events limited by the specified threshold.

In another particular embodiment, the episode is considered to be formed when one of the above conditions is met, which is fulfilled first.

It is advisable to use the mentioned variant of episode accumulation for the von Neumann hardware architecture and sequential processing of input events.

In another particular embodiment, when using a massively parallel implementation of the hardware architecture, each individual event can be processed (when episodes consist of a single event), which becomes appropriate when the capabilities of the hardware platform are sufficient to perform parallel processing of multiple events across all network layers.

Connectors 304 then pass the generated episodes to the event processor 301 .

The event processor 301 processes the received episodes using the neurosemantic network and converts the events 500 into information about the creation and activation of neurons, or about the activation of previously created neurons of the neurosemantic network.

Episode processing includes the recognition of events and patterns previously learned by the neurosemantic network and the structure of patterns, where patterns are sequences of elements (events or nested patterns) in which the order of the elements is observed, and the time intervals between the elements are within the specified limits, stored as neurons of the neurosemantic network and activation of these neurons.

In addition, episode processing includes learning the neurosemantic network, which consists in creating and activating neurons that are associated with new values of event fields, new events, and new patterns in such a way that previously learned and new patterns of the neurosemantic network cover all events of the episode. In a particular implementation, all events of the current (currently being processed) and previous episodes are covered in the most compact way in accordance with the principle of operation of the neurosemantic network - the hierarchical principle of minimizing the description length.

Episode processing also includes classifying events and patterns corresponding to neurons of the neurosemantic network as anomalies depending on the number of activations of the corresponding neuron.

In one embodiment, the processing of an episode further includes identifying events and patterns that meet predetermined criteria, and generating output information (alerts) about these events and patterns, through the use of special monitor neurons of the neurosemantic network that track (due to the activation of monitor neurons ) cases of creation and activation of neurons corresponding to events and patterns, and the criteria are given at least:

• on the values of the fields of individual events and events in patterns;

• on the basis of the recurrence of such events and patterns;

• on a sliding time interval to track such activations and the number of such activations on a sliding time interval.

Moreover, it is possible to save the facts of detection of such events and patterns as a history of notifications that meet the specified criteria.

The event processor 301 serves to recognize the hierarchical nesting of patterns (pattern structure) through the hierarchy of neurosemantic network layers on which neurons are located, and on the zero (terminal) layer there are neurons of event field values grouped by channels corresponding to event fields, on the first layer there are neurons events, on the second layer there are patterns consisting of events, on the third (if any) and higher layers (if any) there are patterns consisting of patterns of the previous layer (nested patterns).

The results of episode processing, in particular information about the creation and activation of neurons, the event processor 301 stores as part of the neurosemantic network in the storage subsystem 302 in the form of neurons 302a , network 302b (connections of neurons), as well as linear in time, but compactly represented part of the composition information episode 302c (in the form of a once activated neuron for each episode with exact intervals between events - see Fig. 7-10 ) .

Additionally, the storage subsystem 302 stores:

- information about special neurons of the neurosemantic network, designated as neurons-monitors 302d (see more details Fig. 6, 11 );

- information about patterns and anomalies 600 detected by monitor neurons 302d ;

- information about the configuration of event fields 302f ;

- information about the configuration of attention 302g (see more Fig. 6, 11 );

- episode configuration information 302h ;

- information about the system configuration 302i , including information about the hyperparameters of the neurosemantic network (for example, the number of layers, the number of neuron inputs on each layer);

- information about the configuration of the user interface 302j (described in more detail below).

Before system 300 starts, a system 300 startup configuration may be defined containing the specific configurations 302f - 302i at the time system 300 started.

System 300 may include a user interface 303 that contains the following elements according to configuration 302j :

- filters for setting requests for the history of patterns and events and the form for outputting results 303a (see more in Fig. 5 );

- indicators of monitor states (functionality that provides the ability to monitor) based on neurons-monitors 302d , forms for viewing the detailed state of monitors, managing the creation of new and deleting previously created monitors 303b (see Fig. 6 for more details);

- system configuration controls 303c (controls 302f , 302g , 302h , 302i );

- connector controls 303d (see Fig. 3 , action 702 for details);

- controls for the cycle of operation of the system 300 in the "sleep" mode 303e (see more Fig. 4 ).

Using the user interface 303 allows you to monitor the activity of the neurosemantic network and make queries on the history of events and patterns.

On FIG. 3 shows the main mode 700 of operation of the claimed system 300 .

Work begins with the launch of the event processor301 at the stage701, which can be executed by user action303f (directly or indirectly - by setting the appropriate system configuration302i at system startup300). Next, at the stage703 from the storage subsystem302 loading into memory (for example, random access memory25 onFig. 12) neurosemantic network, and when loading, the configuration of event fields is taken into account302f, attention configuration302g, episode configuration302h, system configuration302i, as well as the previous state of the neurosemantic network: neurons302a, net302b, episodes302c, monitor neurons302d. After loading into memory, the event processor301 enters the waiting mode for an episode to arrive at the stage704.

The arrival of events begins at step 702 with the launch of the connectors 304 , which can be initiated by the user, for example (via control of the connectors 303d - either directly or indirectly via the system startup configuration 300 ). Upon episode accumulation, events 500 are passed to event processor 301 .

Next step705 event processor neurosemantic network301 performs the processing of the episode and the generation of alerts by monitor neurons302d about patterns and anomalies. These processes are discussed in more detail atFig. 9a-eleven. If during the processing of the episode the condition for generating notifications by the monitor neuron is met302d (for details see. Fig. 6, 11), then on the monitor form303b in the user interface303 update the corresponding trigger indicator of the monitor neuron corresponding to this monitor302d on the current sliding window, send an anomaly or pattern alert600 to external CFS subscribers100 and IP400 (for example, to a remote server, other CFS or IS associated with the specified ones), and also perform the preservation of the fact of operation706 - monitor neuron detection302e in the storage subsystem302.

Upon completion of step 705 , a network state save is performed at step 707 : updating information about neurons 302a , network 302b , episodes 302c and monitor neurons 302d in storage subsystem 302 .

The loop consisting of steps 704, 705, 707 is repeated until the stop of the event processor 301 at step 708 is called. In one particular case, a loop stop call may be made by the user through the user interface 303 . In another particular case, the call to stop the main loop may be made by the system 300 in accordance with the sleep mode configuration specified as part of the system configuration 302i . In yet another particular case, the main loop may stop when the entire system 300 is stopped. In a particular implementation, the storage subsystem 302 further serves to allow the event processor to restart after a stop while retaining previously learned events and patterns.

In one of the options for implementing the storage subsystem 302, it is possible to save the state of the neurosemantic network to a special file with bit coding, which reflects the basic principle of the functioning of the neurosemantic network - the minimum length of the description (see [1]).

On FIG. 4 shows an embodiment of the claimed system 300 in sleep mode 800 . The "sleep" mode allows you to optimize the large-scale structure of the neurosemantic network and identify patterns and anomalies 600 at large intervals, which can be difficult in the real-time event processing mode. This optimization requires additional ordering of events. In one particular embodiment, this may be a re-cumulative processing of previously processed short episodes. In another particular variant, this may be the processing of episodes for which late events were subsequently received that arrived in other episodes, but with timestamps that are within the time of events from previously processed episodes. In a third particular variant, due to a change in the direction of attention, it may be necessary to reprocess part of the history of episodes in order to search for patterns with new directions of attention. The above options are presented as an example and do not limit the possibility of using the "sleep" mode to optimize the large-scale structure of the neurosemantic network.

Sleep mode 800 works in a loop. In a particular implementation, the episode history interval specified as part of the system configuration 300 is processed in one cycle. For example, if the episode size is set to 4096 events or 4 seconds of wait, the interval of one sleep cycle can be 100 episodes and span a history interval of 400 seconds of data source clock time.

Another set of parameters within system configuration 302i of system 300 are parameters that determine when and for how long system 300 can go to sleep. In one particular embodiment, this may be the time of day when the flow of events is the least intense (for example, in the period 01:00-06:00), and the main mode 700 of real-time event processing can be suspended during the sleep cycle. In this case, events 500 can be temporarily accumulated in the connectors 304 for the purpose of their subsequent processing after exiting the "sleep" mode. In another particular case, when the computing resources of the system 300 are more than enough to process the stream of events in real time, some of the resources can be transferred to the parallel execution of cycles in the "sleep" mode.

The sleep cycle 800 begins with the selection of the next episode history interval at step 801 . In a particular embodiment, system 300 may remember the end of a previous sleep cycle interval and begin a new sleep cycle at a subsequent interval. In another particular embodiment, the system 300 may store features of those episodes that for various reasons (eg, at the request of the user) should be optimized. In one embodiment, an indication that an episode needs to be optimized is too few events in a real-time episode. In another embodiment, a change in the directions of attention of the user may be a sign of the need to optimize the episode. In yet another embodiment, an indication of the need to optimize the episode is a small number of events in the composition of the episode in one or more directions of attention.

The second step 802 of the sleep cycle is to put monitor neurons 302d into sleep mode. Monitor neurons 302d are tuned to distinguish between data sources on which patterns and anomalies are detected. If a pattern or anomaly was detected during a history interval reprocessed in the "sleep" mode, then an alert is not generated or generated only for exceptional cases, for example, those associated with patterns detected over long time intervals or in new directions of attention. If the patterns are selected in real time, in parallel with the "sleep" mode 800, the main event processing mode 700 , then the notification is performed.

The main step 803 of the sleep cycle is to optimize the large-scale structure of the episode history interval and patterns of the neurosemantic network. In this case, the events 500 received in this interval are reprocessed, and they are combined into longer episodes that are optimal for the given object and the neurosemantic network. For example, episodes of 4 seconds that received 100 events each are combined into long episodes of 4096 events or, if the total number of events in the interval is less, then the number of events available in the interval is combined. Note that the optimality of the number of 4096 elements in an episode of a neurosemantic network is explained in [1]. Patterns are also reprocessed on the interval. This takes into account the current 302g attention configuration. In the process of restructuring patterns, the neurosemantic network can find more optimal patterns, as well as patterns that cover longer periods of time. Pattern optimality is a key characteristic of the neurosemantic network operation (see [1] and Fig. 7 for more details) and is determined by the attributes of the neuron corresponding to the pattern, and primarily by the following attributes: the number of activations ( w ), the number of nested patterns that make up the pattern, or events ( k ) and the number of their activations ( wp ), the number of field values of all pattern events ( l ) (for more details, see [1]).

The next step 804 is to save the state of the neurosemantic network after optimizing the history interval (neurons 302a , network 302b , episodes 302c, monitor neurons 302d given their sleep mode).

After that, the neurons-monitors return.302d to main mode at the stage805, and the "sleep" loop800 repeats. The loop is stopped and the sleep mode is exited at the stage806according to the selected sleep control303e.

Note that at steps 705 (episode processing) and 803 (optimization of the large-scale structure of the interval), the operation of periodically removing rarely used neurons of the neurosemantic network (not shown in Figs. 3 and 4 ) corresponding to some patterns that were created on a certain layer can additionally be performed. , but were not used in episode coverage (coding) on this layer of the neurosemantic network, since The neurosemantic network has identified other patterns that better cover the observed sequences of events (for example, those that are more common in the event stream and therefore are advantageous for minimizing the length of the description of the entire information stream, i.e. for fulfilling the basic principle of information encoding in the neurosemantic network (see This operation makes it possible to optimize the volume of neurons in the network and, accordingly, significantly reduce the need for resources of the storage subsystem 302 without losing a significant part of the statistical information on events and patterns in the history.

On FIG. 5 shows a method 900 for processing user queries on the history of events and patterns of the claimed system 300 .

The user interface 303 of the system 300 provides pattern and event history query filters and result output forms 303a .

A user of the system 300 (eg, a FSC or IS operator) sets event and pattern history query filters at step 901 . To do this, the user:

- indicates the search time interval;

- determines whether it searches for individual events or patterns;

- determines whether it is only interested in new events or patterns, or also those that have been activated several times;

- when querying by pattern history, defines the "attention" option for at least one field from the composition of those fields that are specified in the configuration of attention directions 302g ; when querying the event history, the "attention" option is not indicated;

- defines the desired filters on the values of the fields of individual events or events occurring in patterns; the filter can be specified as a list of desired values or as a regular expression; additionally, for the field with the “attention” option, when searching for patterns, the filter option “all values” can be selected - in this case, the values defined in the attention configuration 302g for this field for the system 300 will be used.

At step 902 , the user's request is processed by the system 300 using the stored states of neurons 302a , network 302b , episodes 302c , and gives the user a result containing the found events and patterns, with the ability to indicate the numbers of neurons corresponding to them, the number of their activations, and the date of the last activation. In the case of patterns of layers 3 and above of the neurosemantic network (see Fig. 7 - 10 ), for the pattern indicate its constituent nested patterns of the previous layer, which in turn can be recursively expanded to their constituent events and the values of the fields of these events. In one particular embodiment, the results 902 may be presented in tabular form; the table view is specified by the user by configuring the user interface 302j .

In another particular variant, the event search result can be represented as a directed acyclic graph, for which the user sets the configuration of event fields 302f , in which he indicates the semantic relations of the fields: which event fields are considered the beginning of the graph, which are internal vertices, and which are end vertices of the graph . For example, for a particular variant of the fields: "user", "computer" of the user, "system" to which the user accesses, and the "verdict" received for this appeal - the nodes of the relationship graph can be built according to the principle: 1) which "user", 2) from which “computer”, 3) to which “system” he turned and 4) which received the “verdict”. The possible representations of the results are not limited to the above examples.

On FIG. 6 shows a method 1000 for handling user requests to create a new monitor neuron 302d during system operation 300 .

The user fills out the form 303b of the user interface 303 to create a new monitor 1001 , the monitor being stored in the system 300 as neuron-monitor 302d . To do this, the user fills in the following monitor parameters:

- name of the monitor understandable to the user;

- sliding window interval - the neuron-monitor 302d on a given sliding window counts the number of its activations;

- triggering threshold for the number of activations of the neuron-monitor 302d on the sliding window - when this threshold is exceeded, the neuron-monitor 302d generates and sends an alert about detected patterns or anomalies, which the system 300 delivers to the external systems FSC 100 and IS 400 and also stores in the subsystem storing 302 as a monitor neuron detection 302e ;

- activation stack size - the capacity of the stack in which monitor neuron 302d will temporarily store information about the last events or patterns that activated monitor neuron 302d and the activation time.

The user also sets subscription filters that determine the conditions under which the monitor neuron will be activated:

- determines whether the monitor neuron 302d is subscribed to individual events or patterns;

- determines whether the subscription will be only to new events or patterns, or to events or patterns that have happened before;

- defines fields with the "attention" option: a) at least one field with the "attention" option must be set for subscribing to patterns, if directions of attention are specified in the system 300 configuration, b) for subscribing to events, the "attention" option can be specified for one or more fields, generating an arbitrary temporal attention pattern for subscribing the monitor neuron 302d to events (patterns are not built based on the temporal pattern of attention). For each new combination of values of these fields that defines a particular direction of attention, monitor neuron 302d creates a child monitor neuron 302d that will count activations for events only for that particular direction of attention. Activations of the child monitor neurons 302d are transmitted by the neurosemantic network to the parent monitor neuron 302d . For the convenience of the user, the child monitor neurons 302d can be hidden from the user, and the user will learn about their activations through the parent monitor neuron 302d . This mechanism allows you to organize event monitoring for many field values that may not be known in advance, while not cluttering the user interface 303 . For example, in one particular variant of the configuration of the event fields of the monitoring object, which contains the fields: "user name", "user host", "server of the user's request", "server verdict on the user's request" - and when setting the "attention" option for the event monitor for fields "username" neuron-monitor 302d will be able to track events for each individual user (to keep a separate count of the number of activations for each user), while users may not be known in advance, because new users may appear on the monitored object;

- defines the desired filters on the values of the fields of individual events or events occurring in patterns. The filter can be specified as a list of desired values or as a regular expression. Additionally, for a field with the “attention” option, when searching for patterns, the filter option “all values” can be selected - in this case, those field values that are defined in the attention configuration 302g for this field for the system 300 will be used.

The user's request to create a monitor is processed by event processor 301 at step 1002 based on information about neurons 302a and network 302b , and a dedicated monitor neuron 302d is created. When the system 300 operates in the main loop or in the sleep loop, the neurosemantic network of the event processor 301 activates the monitor neuron 302d according to its subscriptions (see the example in Fig. 11 ).

Application of a neurosemantic network for event processing (Fig. 7)

The neurosemantic network is multi-layered. The numbering of the main layers of the network starts from 0 and ends with L_max , where L_max is set as a neurosemantic network hyperparameter. Event processing is performed exactly on the main layers of the network. There is also layer -1 (minus the first) on which special monitor neurons 302d are located (not shown in Fig. 7 , see Fig. 11 for more details). It should be noted that this numbering was introduced for the sake of clarity of presentation and corresponds to the numbering adopted in [1]. Without losing the generality of the claims, the numbers of the layers can be assigned in another way, only the sequence of the links of the layers is important.

The neurons on each layer from 1 to L_max have inputs only from the neurons of the previous layer. The inputs of neurons in layer 0 and layer -1 are formed differently - see below.

Layer 0 is called terminal. It contains terminal neurons that are activated by the values of the event fields. Terminal neurons activated by different values of the same event field are grouped on the terminal layer by channels, i.e. the channel of the neurosemantic network is assigned to the field of events. Thus, the neurosemantic network has as many input channels as there are fields defined for the event. In a particular case of using a neurosemantic network, each terminal neuron has only one input, which corresponds to one value of the field to which this neuron is activated.

The monitor neurons 302d minus the first layer, unlike the neurons of the other layers of the neurosemantic network, have inputs that can connect these neurons with the outputs of neurons of any layer, as well as with the outputs of the layers of the neurosemantic network. The inputs of the monitor neurons 302d connecting them to the outputs from the layers of the neurosemantic network allow the monitor neurons 302d to subscribe to the creation of new neurons on these layers (see Fig. 11 for more details).

The channels and terminal neurons of these channels serve as inputs to the neurosemantic network. Monitor neurons 302d serve as outputs from the neurosemantic network.

Layer 1 contains neurons corresponding to events. Event neurons have no more inputs than the number of channels (event fields). Each input of the event neuron is associated with one terminal neuron, while all inputs of the event neuron are associated with terminal neurons from different channels.

Layer 2 contains neurons that have events as inputs: these are event history episode neurons (or episode neurons) and patterns (or pattern neurons).

An episode neuron is created by a neurosemantic network when the next episode is fed to its input and its subsequent processing. An episode neuron has a number of inputs equal to the number of events in the episode. The inputs of the episode neuron make it possible to reconstruct the exact history of events, since when a neurosemantic network creates an episode neuron, it retains the exact intervals between the arrival of the events that make up the episode (see Fig. 8 for more details).

Pattern neurons correspond to sequences of events. On the second layer, the pattern neurons have inputs from the corresponding event neurons on the first layer.

On layer 3 and above, there are also pattern neurons, but they have as inputs the pattern neurons of the previous layer. Thus, in order to obtain a sequence of events corresponding to the pattern of layer 3 and above, it is necessary to recursively “expand” (English expand) each input of such a neuron up to the inputs from layer 1 (the layer of events).

который зависит от длительности нейрона паттерна d, и гиперпараметра сети σ > 0.In a particular implementation of the neurosemantic network, pattern neurons retain the exact sequence of inputs from the neurons of the previous layer (the neuron is sensitive to the order of inputs). However, the intervals between neuron inputs allow for variations: for example, if, when creating a neuron, the total duration of the intervals between activations of its inputs (hereinafter referred to as the duration of the neuron) was equal to d , then such a neuron can correspond to the same sequence of events or patterns, but with a total duration within the specified interval, for example equal to

which depends on the duration of the pattern neuron d , and the network hyperparameter σ > 0 .

In another particular implementation of the neurosemantic network, the allowable sequence duration variation interval (in order to correspond to a pattern neuron of duration d ) can be determined by a metric of neuron proximity to the observed sequence, for example, based on the Gaussian distribution of the pattern duration

In yet another particular implementation, the proximity metric of the order of inputs can also be defined (see [1, 2]).

On the layers of the neurosemantic network, when episodes are processed by the event processor 301 , new neurons are created and then activated if the episode contains values of event fields, events and sequences of events that have not previously taken place. Otherwise, the previously created neurons are activated (taking into account the allowable variations of the intervals).

The choice of certain sequences for the formation of patterns is determined by the hierarchical principle of the minimum description length (eng. Hierarchical Minimal Discrepancy Length), see works [1, 2], and in a particular implementation of this principle, based on the neuron “strength” functional, see Fig. work [1].

For example, a pattern matched by a neuron in the second layer could be generated based on neurons in the first layer matched by episode events. To do this, a sliding window is passed with a length, for example, from 2 to 8 events (network hyperparameters), through the sequence of episode events, and for each window that occurs for the first time, a new neuron of the pattern is created on the second layer. Then all neurons corresponding to such windows (newly created or encountered earlier created in previous episodes) are sorted according to their statistical properties (frequency of occurrence on the entire stream, length in terms of event fields, and other criteria - see the “strength” functional in [ 1]). The sorted neurons are used to completely cover the sequence of events in an episode, starting with the "strongest" neurons at the top of the list. Those neurons that are not used in such a coverage are considered less optimal than those used, and can be removed to save network resources in whole or in part (in the latter case, some of the unused neurons from the composition sorted as described above are preserved and activated when they are detected). in the flow of events in the expectation that in another episode they may turn out to be more optimal). The patterns of the subsequent layers of the neurosemantic network are formed in a similar way, however, the input sequence for them will not be events, but the patterns of the previous layer of the network for the current episode.

At the first start of the event processor 301 , the neurosemantic network has only three layers without neurons: 0, 1, 2. When events arrive at the input of the neurosemantic network and their layer-by-layer processing, new neurons and layers from 3 to L_max are added to the network - as the corresponding neurons appear patterns, as well as layer -1 - when the user adds monitor neurons.

On FIG. Figure 8 shows the neurons of the neurosemantic network and their correspondence to field values, events, episode history, and patterns.

The general attributes of a neuron of a neurosemantic network are shown on the example of a layer L neuron. A neuron is identified by a neuron number and a layer number. The main attributes are:

n_n - neuron number;

n_l - layer number, (for layerL, n_l = L);

v_in - vector of inputs from neurons of the previous layer;

v_d - vector of intervals between activations of inputs (what these intervals were when creating this neuron);

w - number of neuron activations;

v_out - a set of outputs to monitor neurons.

In addition, there are a number of other important attributes:

k - the number of inputs, which is limited by the hyperparameters of the upper and lower limits of the number of inputs of neurons on each layer of the neurosemantic network, specified as part of the system configuration302i, - by default, for example, interval [2, 8];

d - duration equal to the sum of intervals v_d ;

l - terminal length equal to the sum of the terminal lengths of the inputs;

c - channel in case n_l = 0, otherwise undefined;

e - the type of the top neuron, if it is an episode or a top pattern, otherwise it is not defined. The definitions of the top episode neuron and the top pattern are given below.

These attributes are explained below.

On the layers of the neurosemantic network, when processing sequences of events coming in the form of episodes, the neurosemantic network creates and activates new neurons or activates existing neurons. All episode events (neurons of layer 1) are combined by a neurosemantic network into one top-neuron of the episode on the second layer of the network.

In addition, if directions of attention are determined (see Fig. 9b ), then pattern detection occurs by sequences of events obtained from the complete sequence of events of the episode by filtering only events containing field values corresponding to their direction of attention. For each such filtered sequence of events on some layer of the neurosemantic network, all detected patterns are combined into a top pattern (or into several top patterns in the case when the maximum possible network layer is reached, but the coding did not reduce the episode to only one top neuron; the latter is typical for a stream of events containing long repeating sequences, which, when they are encoded, lead to repeating patterns on each layer of the network, which it is advisable to leave without combining into even longer patterns).

For top neurons (top episode neurons and top patterns), a special attribute e is defined. For the top pattern, it determines the direction of attention matched. For the top neuron of the episode, it is 0. For neurons that are not the top neuron, the e attribute is not defined. It should be noted that the choice of specific values of this attribute may be different, only the principle of correlating the top neuron with the top neuron of the episode or with the top pattern in the direction of attention is important.

The first interval v_d[0] in the neuron's vector v_d is usually equal to zero. If this is a layer 0 neuron corresponding to the value of the event field, then it has one input of zero duration, since the event field value has no duration. If this is an event, then the inputs correspond to the values of the fields and the intervals between them, according to the definition of the event adopted in the invention, are zero. If this is a neuron of an episode of the history of events or a neuron of a pattern, then the neuron itself contains information only about the intervals between activations of its inputs, and information about what happened before the activation of the first input for such a neuron is not contained in the neuron itself. However, for the last statement there is an exception related to the possibility of the existence of "transitional" neurons-patterns, which have only one input. The semantic meaning of "transitional" neurons is explained in [1]. These neurons "transmit" the pattern of the previous layer to the current layer. At the same time, the duration of the transmitted pattern of the previous layer is known and it determines the first interval v_d[0] of the only input of the "transitional" neuron. This feature is illustrated in Fig. 10 . This approach allows you to save all the time intervals between the events of the episode when they sequentially compare (encode) the pattern neurons on the layers of the neurosemantic network.

The rule that the first interval is equal to zero should be taken into account when understanding the meaning of the duration d of the pattern neuron. For neurons of layer 3 and above, in the general case, d is not equal to the duration of the sequence of events corresponding to a given neuron and obtained by opening a neuron to layer 1, because the first entry will also be a pattern that has its own duration, and the duration of the first nested pattern is not taken into account in the duration d. The neuron “knows” the intervals only between the activations of its inputs, but “does not know” what happened before the activation of its first input (the neuron of the first nested pattern “knows” about this).

It should be noted that for the patterns identified in the given direction of attention (see Fig. 9b ), on layer 1, from the complete sequence of events in the episode, the network selects only those events that correspond to the direction of attention. Accordingly, the intervals are counted between the selected events.

The above is formalized as follows:

• if ( L = 0 ), or ( L = 1 ), or ( L > 1 and k > 1), then the interval v_d[0] = 0 ;

• if ( L > 1 ), and e does not point to the top-neuron of the episode (i.e., it is a pattern or top-pattern neuron), and ( k = 1 ), then the interval v_d[0] is equal to the duration of the layer neuron ( L – 1 ).

The upper bound on the number of neuron inputs k is a hyperparameter of the neurosemantic network layer. The more k , the faster the sequence of events will be encoded into one top-pattern of some layer. For a smaller upper bound k, such encoding will require more layers of the neurosemantic network. The minimum encoding rate corresponds to the lower bound k = 2 . In addition, it was noted above that "transitional" neurons with k = 1 can occur. In a particular version of the application of the principle of learning a neurosemantic network due to hierarchical minimization of the description length (see [1]), if during the processing of an episode on a certain layer it turned out that all pattern neurons had just been created, i.e. activated only once on a given episode, which means that all of them have w = 1 , then the network “folds” them into one top-pattern of the episode on the next layer, and the number of inputs for such a top-pattern can exceed k (for more details, see [1 ]). Similarly, the top neuron corresponding to the episode may have the value of the attribute k above the boundary specified for layer 2.

The attribute l is the terminal length of the neuron, which in the proposed approach corresponds to the number of field values in the entire sequence of events corresponding to the neuron. It should be noted that not all values from the full set of fields may be defined for some events; accordingly, the terminal length of such events will be less than for events with the full set of fields.

The v_out attribute is used by the neurosemantic network to notify the monitor neurons (see Fig. 11 ) on the minus first layer of the network, subscribed to the activation of this neuron.

A particular version of the terminal neuron is shown in Fig. 8 . As already mentioned, the terminal neuron in the proposed use of the neurosemantic network for event processing has one input k = 1 . And the value of this input v_in[0] is the value of the event field. The attribute c is equal to the number of the channel corresponding to the field of this value. The time duration of the field value is zero: v_d[0] = 0 . And the terminal length is unity (one value) l = 1 .

Another particular version of the neuron in Fig. 8 is shown for the event neuron on layer 1. The number of inputs k of such a neuron is at least one and the maximum is equal to the number of fields defined in the system configuration 300 . All values of the event fields happen simultaneously, so the vector v_d contains k zeros and the total duration of the event is also zero d = 0 . The terminal length of the event is equal to the number of field values, i.e. l = k .

Another particular version of the neuron in Fig. 8 is for the top neuron of the episode. In this case , k is equal to the number of events in the episode. The v_in neuron inputs point to the episode event neurons in the order they occurred in the episode. It should be noted that if the same event enters the episode several times, then the corresponding v_in elements point to the same event neuron. The vector v_d contains the exact time intervals between events. The first interval v_d[0] corresponding to the first event in the episode is equal to zero, because at the level of the episode neuron, it is not known what happened before the first event of the episode. For the top neuron of the episode, the feature e = 0 . Also, as mentioned above, for each episode, a separate top-neuron of the episode is created, even if the entire sequence of events is identical to the previous one. This part of the neurosemantic network grows linearly with time, but in fact it is a time-ordered set of links (inputs) to event neurons, which allows you to completely restore the history of events.

Another particular version of the neuron onFig. 8presented for a pattern neuron on layer 2 or higher. Input Vector v_in points to events or pattern neurons of the previous layer of the neurosemantic network. Vector v_d corresponds to the input activation intervals at the moment of creating the pattern neuron. Number of regular pattern entries k is, for example, in the interval [2, 8] (hyperparameters of the neurosemantic network layer). For the top pattern, the number of entries k may be higher than the upper limit. In contrast to the top neuron of the episode, where all the intervals between events are exactly stored in the vector v_d , for pattern neuron vector v_d contains such intervals between inputs as they were when the neuron was created. If in the event stream there is a sequence of events with the order of events similar to the one that was during the creation of the neuron, but the duration of the sequence does not match the duration of the neuron d , the pattern neuron can still be associated with this sequence (i.e., activated) if the duration of the sequence is within some allowable interval, given, for example, as

where σ > 0 is the neurosemantic network hyperparameter.

Thus, the episode is sequentially processed on the layers of the neurosemantic network: by matching the values of the event fields of the terminal neurons, by matching the events of the neurons of the first layer, by creating top-episode neurons on the second layer, by matching the sequences of events of pattern neurons on the second and higher layers up to the layer , on which one neuron of the top pattern will be matched or the maximum layer will be reached.

In a particular implementation, matching a neuron during processing is performed by activating a neuron of the corresponding layer if it is found (recognized), or by creating and activating a new neuron if a new field value, event or pattern is observed, depending on the layer.

The above method of creating neurons allows you to partially stop the training of the neurosemantic network by forcing it into a mode where no new neurons are created, and all network training occurs only by changing the neurons when they are activated (the neuron attribute w is changed, which is responsible for the number of activations).

Also, a similar method of processing episodes makes it possible to train a neurosemantic network “with a teacher” due to the special input of target (presented by the teacher) patterns and subsequent modification of the attribute w , formed for these patterns, by assigning it a sufficiently large value. This makes it possible to increase the priority of this neuron when it is recognized on the stream compared to other neurons corresponding to other patterns (see the explanation above about sorting neurons when covering an episode), thus guaranteeing recognition of the pattern presented by the teacher.

и на обе пары активируется один и тот же паттерн P2_1.On FIG. 9a shows an example of episode processing. In this example, directions of attention are not defined, and patterns are built across all events. The presented diagram shows that the sequence of two events E1-E2 occurs twice, but with different time intervals. Nevertheless, for the hyperparameter value σ = 0.5 used in the example, the duration of the second pair of events E1-E2 is within the interval

and the same pattern P2_1 is activated for both pairs.

On FIG. 9b shows a modified from Fig. 9a an example of episode processing: one direction of attention is defined - corresponding to the value " u1 " of the field " user ". Accordingly, the event processor to search for patterns filtered out from the full input sequence only events with the value of the " user " field equal to " u1 ", and created a top-pattern P3_1 on layer 3, which has two inputs, each pointing to the same pattern P2_1 of the layer 2.

Fig. 10 presents an example of processing time intervals between events and patterns on the layers of a neurosemantic network when processing episode events. Events correspond to layer 1 neurons, which are conditionally designated by one letter: a, b, c, d, e, f - and are located on the time axis in the same order and at the same intervals as they occur within the episode. The neurosemantic network in this example tracks patterns among all episode events (similar to Fig. 9a ). The hyperparameter chosen is σ = 0.5 . The sequence of events ab occurs three times, it corresponds to the pattern p1 on the second layer. The sequence of events cde occurs twice, it corresponds to the pattern p2 on the second layer of the network. The event f occurs once in the episode, and on the second layer it corresponds to the "transitional" pattern p3 with zero duration - like the event itself. On the third layer of the network, the sequence of patterns p1p2 , which occurs twice on the second layer, corresponds to the pattern n1 . But the pattern p3 and the pattern p1 , which starts at time t5 , are transmitted to the third layer through "transitional" neurons with one input - respectively n3 with a duration of 0 and n2 with a duration equal to t6-t5 .

Within episode event processing, intervals between patterns correspond to the exact intervals between events corresponding to the beginning and end of those patterns. For example, in FIG. 10 , the interval on layer 2 between the first pattern p2 and the second (middle) pattern p1 is exactly equal to the interval t5-t4 . But the durations of the patterns themselves are only approximately equal to the durations between the events corresponding to the beginning and the end of the pattern, as has been explained in FIG. 9a . For example, in FIG. 10 , the duration between events c and e in the first sequence cde is t3-t1 , while the duration between events c and e of the second sequence cde is t11-t9 and greater than t3-t1 . Pattern p2 for interval t3-t1 and pattern p2 for interval t11-t9 are the same, but in FIG. 10, both times it is depicted as rectangles of different widths, and when processing one episode to the next third layer, it transmits the exact intervals as its duration - respectively t3-t1 and t11-t9 .

The above is true only at the stage of processing the events of the episode. After the processing of episode events is completed, the exact information about the intervals between events in the patterns is not saved. If after the end of the processing of the episode, descending the inputs (eng. expand), the top-pattern of the top1 episode to the layer of events, then the information about the intervals between events will be restored only with a certain accuracy. For example, with such an expansion, top1 on the second layer will expand into two patterns p1 of the same length - the one that corresponds to the moment the neuron of this pattern was created, i.e. t3-t1 in this example.

This feature of working with the duration of pattern neurons allows you to generalize information in the input stream to the level of the order of events while maintaining the intervals between events only with a certain accuracy. Such a generalization is able to reflect real processes in CFS or IS objects, in which the times within identical sequences of events can vary.

Accurate information about all the times of events in all episodes is stored after processing the episodes only in the neurons of the top episodes on the second layer of the network (see Fig. 9a ).

On FIG. 11 shows an example of monitoring the activity of a neurosemantic network based on a special monitor neuron 302d on the minus first layer (-1). In a particular variation of this example, monitor neuron 302d named "Monitor 1" has one dendritic tree input. For each node of the dendritic tree, when the monitor neuron is created, the logic (in particular, the logical "and" or the logical "or") is determined, and the dendritic tree entirely determines how the monitor neuron can be activated. These nodes can be attached to the root (root node) of the dendritic tree. Dendritic node logic is applied to event field values (see Fig. 6 ). The number of inputs in the nodes of the dendritic tree can change during the network operation - for example, a monitor neuron can subscribe to new neurons created in the network that satisfy certain conditions imposed on the values of the event fields corresponding to these neurons.

In the present example, the monitor neuron302d "Monitor 1" is activated by one event neurone1 on layer 1 or (node"or") by creating new event neurons on layer 1 and at the same time (node "And") having input from the neuron-valuev1 on layer 0 in channel 0. If the second condition for a new event with the specified field value is met, then "Monitor 1" is activated and at the same time remembers the newly created event already as a new input in the node"or" from the created event neuron.

Address subscription to neurons in the “ or ” node allows you to automatically receive notifications only from those neurons of the neurosemantic network that fall into the subscription area, significantly reducing the load on the use of computing resources of the technical solution, in contrast to the option of receiving notifications about the creation or activation of any network neuron and then checking if this neuron matches the subscription filters of monitor neuron 302d .

However, if you subscribe to an alert layer, you have to receive about the creation of all the neurons of this layer and only then filter out those neurons that satisfy additional conditions for the field values in the “and” node.

During its operation, the monitor neuron 302d counts the number of its activations on the sliding window. The user is notified by the neuron-monitor 302d when a predetermined threshold for the number of activations of the neuron-monitor 302d on the sliding window is exceeded.

When using the “attention” option for the field of the neuron-monitor 302d , a multiple subscription to each individual value of the direction of attention for a given field is possible: for each value of this field, a child, hidden from the user, individual neuron-monitor 302d of the number of activations for this individual value is created. Information about the activation of the child monitor neuron 302d is transmitted to the parent. Hiding child monitors from the user is expedient, because in practical cases, the number of field values can be quite large and the user interface 303 would be heavily congested without such hiding. At the same time, the transmission of information about the activation of the child monitor neuron 302d to the parent monitor neuron 302d solves the problem of alerting the user (or an external FSC or IC system).

Thus, the claimed invention allows solving the specified technical problem, which consists in identifying a structure of hierarchically nested repeating (but not necessarily periodic) patterns in the flow of events from a CPS or IS, which reflects cause-and-effect relationships in the flow of events from a CFS or IS, as well as in attributing new patterns and new events to anomalies. Moreover, information about which event or pattern or which part of the pattern structure was not previously observed indicates the presence of an anomaly in the FSC or IS,

The claimed invention makes it possible to identify recurring events and patterns and their structure, as well as to attribute new events and new patterns to anomalies in the operation of the CPS or IS in the flow of events from the CPS or IS due to machine learning methods based on a neurosemantic network without the need to split the work process into two phases isolated from each other: a) training on historical data and b) recognition.

The claimed invention improves the quality of detecting events and patterns and assigning them to an anomaly in the operation of the FSC or IS due to each of the following factors: continuous learning, additional optimization of the neurosemantic network during a special phase of the cycle in the “sleep” mode (see Fig. 4 ) systems, a mechanism for selective monitoring of neurosemantic network activity based on special monitor neurons, interaction with predictive detectors that detect anomalies in telemetry.

The claimed invention also makes it possible to detect patterns and anomalies in the FSC or in the IS in the presence of only a small number of examples of sequences of events corresponding to the pattern in the data, through the use of a neurosemantic network.

The claimed invention also reduces the level of information noise in the event stream by using the mechanism of attention to the values of the event fields that characterize a specific FSC or IS.

On FIG. 12 shows an example of a general purpose computer system with which the present invention can be implemented, in particular system 300' . The personal computer or server 20 (hereinafter referred to as "computer") includes a central processing unit 21 , system memory 22 , and a system bus 23 , which contains various system components, including memory associated with the central processing unit 21 . In a particular case, the central processor may include a specialized neuromorphic processor containing many elements corresponding to the neurons of an impulse network or its variety and allowing such a network to operate in a massively parallel mode. The system bus 23 is implemented as any bus structure known in the art, in turn comprising a bus memory or bus memory controller, a peripheral bus, and a local bus capable of interfacing with any other bus architecture. The system memory contains read-only memory (ROM) 24 , random access memory (RAM) 25 . The main input/output system (BIOS) 26 contains the basic procedures that ensure the transfer of information between the elements of the personal computer 20 , for example, at the time of booting the operating system using ROM 24 .

The personal computer 20 in turn comprises a hard disk 27 for reading and writing data, a magnetic disk drive 28 for reading and writing to removable magnetic disks 29 and an optical drive 30 for reading and writing to removable optical disks 31 such as CD-ROM, DVD -ROM and other optical storage media. The hard disk 27 , the magnetic disk drive 28 , the optical drive 30 are connected to the system bus 23 via the hard disk interface 32 , the magnetic disk interface 33 , and the optical drive interface 34 , respectively. Drives and related computer storage media are non-volatile means of storing computer instructions, data structures, program modules, and other personal computer or server data 20 .

The present description discloses an implementation of a system that uses a hard disk 27' , a removable magnetic disk 29' , and a removable optical disk 31' , but it should be understood that other types of computer storage media 56 that are capable of storing data in a computer-readable form (solid state drives, flash memory cards, digital disks, random access memory (RAM), etc.), which are connected to the system bus 23 through the controller 55 .

The computer 20 has a file system 36 that stores the recorded operating system 35 as well as additional software applications 37 , other program modules 38 and program data 39 . The user (operator) has the ability to enter commands and information into the personal computer 20 through input devices (keyboard 40 , mouse 42 ). Other input devices (not shown) may be used: microphone, joystick, game console, scanner, etc. Such input devices are typically connected to the computer system 20 through a serial port 46 , which in turn is connected to the system bus, but may be connected in other ways, such as through a parallel port, game port, or universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface such as a video adapter 48' . In addition to the monitor 47 , the personal computer may be equipped with other peripheral output devices (not shown), such as speakers, a printer, and the like.

The personal computer 20 is capable of operating in a networked environment using a network connection to another or more remote computers 49 . The remote computer (or computers) 49 are the same personal computers or servers that have most or all of the elements mentioned earlier in the description of the nature of the personal computer 20 shown in FIG. 12 . Other devices may also be present in the computer network, such as routers, network stations, peer-to-peer devices, or other network nodes.

The network connections may form a local area network (LAN) 50 and a wide area network (WAN). Such networks are used in corporate computer networks (also - information systems), internal networks of companies and, as a rule, have access to the Internet. In LAN or WAN networks, the personal computer 20 is connected to the local network 50 via a network adapter or network interface 51 . When using networks, personal computer 20 may use a modem 54 or other means to communicate with a wide area network, such as the Internet. The modem 54 , which is an internal or external device, is connected to the system bus 23 via the serial port 46 . It should be clarified that network connections are only indicative and are not required to represent the exact network configuration, i.e. in fact, there are other ways to establish a connection by technical means of communication from one computer to another.

As described, the components, execution steps, data structure described above can be executed using various types of operating systems, computer platforms, programs.

In conclusion, it should be noted that the information given in the description are examples that do not limit the scope of the present invention defined by the formula.

Bibliography

1. Lavrentyev A.B., chapter 12 "Neurosemantic Network" in "Neuroinformatics and Semantic Representations", Cambridge Scholars Publishing, 2020, ISBN: 1-5275-4852-X, ISBN13: 978-1-5275-4852-7.

2. VI Bodyakin "Neurosemantics. Information and control systems. Artificial intelligence". Scientific works. M.: Academic project; Mir Foundation, 2020 - 803 p. ISBN 978-5-8291-3825-7, ISBN 978-5-919840-39-8.

Claims (87)

1. A system for detecting patterns and anomalies in the flow of events coming from a cyber-physical system (CPS) or an information system (IS), containing a memory and a hardware processor with the ability to implement: a) a storage subsystem designed to store the configuration of event fields, episode configuration, system configuration, as well as to store and load into the memory of the neurosemantic network according to the mentioned configurations and the previous state of the neurosemantic network; b) connectors intended for: • obtaining data about events, including for each event a set of field values and a timestamp of the event; • formation of at least one episode, consisting of a sequence of events received before one of the conditions is met: the limit time interval is reached or the limit number of events is reached - or before the fulfillment of one of the mentioned conditions, which was met first; • transfer of generated episodes to the event processor; c) an event processor designed to process episodes using a neurosemantic network, and episode processing includes: • recognition of events and patterns previously learned by the neurosemantic network - sequences of events in which the order of events is observed, and the time intervals between events are within the specified limits stored in the form of neurons of the neurosemantic network, and activation of these neurons; • training of the neurosemantic network, which consists in the creation and activation of neurons associated with new values of the event fields, new events, as well as new patterns and activation of the previously learned neurons recognized in such a way that the previously learned and new patterns of the neurosemantic network cover all the events of the episode; • revealing the structure of patterns by matching the patterns of neurons on the hierarchy of layers of the neurosemantic network; • classifying events and patterns corresponding to neurons of the neurosemantic network as an anomaly depending on the number of activations of the neuron corresponding to them; • saving the state of the neurosemantic network, in particular information about created and activated neurons, in the storage subsystem. 2. The system according to claim 1, in which the processing of the episode additionally includes the detection of events and patterns of the neurosemantic network that meet predefined criteria, and the formation of output information about these events and patterns through the use of special monitor neurons of the neurosemantic network, which, by activating neurons - monitors track the creation and activation of neurons corresponding to events and patterns, and the mentioned criteria are set at least: • on the values of the fields of individual events and events in patterns; • on the basis of the recurrence of such events and patterns; • on a sliding time interval to track such activations and the number of such activations on a sliding time interval. 3. The system according to claim 1, in which the optimal coverage of all episode events is selected according to the hierarchical principle of the minimum description length or the most compact coverage of all events of the current and previous episodes is selected. 4. The system according to claim 1, in which the processing of the episode occurs in the neurosemantic network in layers. 5. The system according to claim 4, in which the structure of the pattern is revealed through the hierarchy of layers of the neurosemantic network on which the neurons are located, and on the zero layer there are neurons of the values of the event fields grouped by channels corresponding to the event fields, on the first layer there are event neurons, on the second layer contains patterns consisting of events, the third and higher layers contain patterns consisting of patterns of the previous layer (hereinafter referred to as nested patterns). 6. The system according to claim 5, in which: • on the zero layer of the neurosemantic network there are neurons corresponding to the values of the event fields, grouped by channels corresponding to the event fields, and the duration of the terminal neuron is taken as zero; • the first layer contains neurons corresponding to events and having inputs from neurons of the terminal layer, with each input corresponding to a terminal neuron of a channel different from the channels of terminal neurons of other inputs; time intervals between event inputs from field values are taken as zero, and the total duration of the event neuron is accordingly taken as zero - the event has no duration; • neurons corresponding to episodes are located on the second layer, the number of episode neuron inputs is equal to the number of events in the episode, the intervals between events in the episode are exactly stored as the intervals between the episode neuron inputs; • on the second and subsequent layers there are also neurons corresponding to the sequences of events, and the neurons of layers 3 and above have inputs from the neurons of the previous layer and the opening of the pattern neuron to the sequence of events is carried out through recursive disclosure of all its inputs - up to the first layer, and the event is opened up to field values through their inputs from terminal neurons. 7. The system according to claim 5, in which the event processor is additionally designed to configure, save and restore the neurosemantic network from the storage subsystem, and the configuration of the neurosemantic network includes: • configuring the input channels of the neurosemantic network in accordance with the event fields specific to a particular CPS or IS; • configuring the attention of the neurosemantic network by setting attention directions for filtering received events based on criteria for the field values for pattern recognition among events filtered for each such direction; • configuring permissible temporal deviations in the duration of the pattern, within which the neurosemantic network will interpret sequences of the same events or nested patterns, but with different total durations of such sequences, as the same pattern; • configuring the hyperparameters of the network layers, which are responsible for the number of inputs of neurons on the layer; • configuring the network hyperparameter responsible for the allowable number of layers of the neurosemantic network. 8. The system of claim 5, wherein the event processor is further configured to: • configuring neurosemantic network activity monitors (output channels) by creating special monitor neurons that are activated based on a subscription to other neurons or layers on which new neurons are created, the neurosemantic network, and the subscription is formed according to criteria specified in terms of event field values, a sliding time interval and the number of activations of neurons to which such a subscription is made; • execution of user requests on the history of events and patterns; • performing periodic optimization of the neurosemantic network in the "sleep" mode of the system, including optimization of the structure of patterns, as well as pattern recognition over long time intervals; • permanent saving of the neurosemantic network state, in particular, information about patterns and statistics of their activations on the event stream, as well as processed information about event episodes. 9. The system of claim 8, additionally containing a graphical user interface, through which the configurations of the neurosemantic network and connectors are controlled, the configuration of neurosemantic network activity monitors and displaying information about them and their operation, setting user queries on the history of patterns and events and displaying the results of such queries , control of the "sleep" mode and settings for saving the state of the neurosemantic network. 10. The system according to claim 1, in which learning is partially stopped due to the forced transfer of the neurosemantic network to a mode where the creation of new neurons does not occur, and all learning occurs only due to changes in neurons when they are activated, in particular, the attribute of the neuron responsible for the frequency of its activation or the number of activations. 11. The system according to claim 1, which uses the possibility of training a neurosemantic network “with a teacher” by supplying target patterns for training to the input and then modifying the attribute in the formed neurons that is responsible for the frequency of its activation, or, in particular, for the number of activations . 12. The system according to claim. 2, in which the data storage subsystem additionally serves to provide the ability to store the firings of monitor neurons. 13. The system of claim. 1, in which the storage subsystem further serves to provide the ability to restart the operation of the event processor after a stop with the preservation of previously learned events and patterns. 14. The system according to claim 1, in which the event processor performs periodic removal of unused pattern neurons from the neurosemantic network, and the use of neurons is determined by the statistical properties of neurons and the hierarchical principle of the minimum length of the description of the functioning of the neurosemantic network. 15. The system according to claim. 1, in which the event processor processes the episodes, consisting of a single event, in parallel on a massively parallel hardware architecture of the processors; or performs processing of episodes consisting of a plurality of events sequentially on a single hardware processor, and the number of events in an episode is selected based on the requirements to provide information about the monitoring of the FSC or IS in a mode acceptable to the user of the system. 16. The system according to claim 1, in which events are received from predictive detectors via FSC telemetry and/or directly from FSC. 17. A method for detecting patterns and anomalies in the flow of events coming from the FSC or IS, in which: a) using at least one connector, the following steps are performed: • receive data about events, including for each event a set of field values and a timestamp of the event; • at least one episode is formed, consisting of a sequence of events received before one of the conditions is met: the limit time interval is reached or the limit number of events is reached - or before the fulfillment of one of the mentioned conditions, which was met first; • transfer generated episodes to the event processor; b) using the event processor, the episodes are processed using the neurosemantic network, and the episode processing includes: • recognition of events and patterns previously learned by the neurosemantic network - sequences of events in which the order of events is observed, and the time intervals between events are within the specified limits stored in the form of neurons of the neurosemantic network, and activation of these neurons; • training of the neurosemantic network, which consists in the creation and activation of neurons associated with new values of the event fields, new events, as well as new patterns and activation of the previously learned neurons recognized in such a way that the previously learned and new patterns of the neurosemantic network cover all the events of the episode; • revealing the structure of patterns by matching the patterns of neurons on the hierarchy of layers of the neurosemantic network; • classifying events and patterns corresponding to neurons of the neurosemantic network as an anomaly depending on the number of activations of the neuron corresponding to them; • saving the state of the neurosemantic network, in particular information about created and activated neurons, in the storage subsystem. 18. The method according to claim 17, in which the processing of the episode further includes identifying events and patterns of the neurosemantic network that meet predefined criteria, and generating output information about these events and patterns through the use of special monitor neurons of the neurosemantic network, which, by activating neurons - monitors track the creation and activation of neurons corresponding to events and patterns, and the mentioned criteria are set at least: • on the values of the fields of individual events and events in patterns; • on the basis of the recurrence of such events and patterns; • on a sliding time interval to track such activations and the number of such activations on a sliding time interval. 19. The method according to claim 17, in which learning is partially stopped due to the forced transfer of the neurosemantic network to a mode where the creation of new neurons does not occur, and all learning occurs only by changing neurons when they are activated, in a particular case, the attribute of the neuron corresponding to for the frequency of its activation or for the number of activations. 20. The method according to claim 17, which uses the possibility of training a neurosemantic network “with a teacher” by supplying target patterns for training to the input and then modifying the attribute in the formed neurons that is responsible for the frequency of its activation, or, in a particular case, for the number activations. 21. The method according to claim 17, in which unused pattern neurons are periodically removed from the neurosemantic network, and the use of neurons is determined by the statistical properties of neurons and the hierarchical principle of the minimum description length that determines the functioning of the neurosemantic network. 22. The method according to claim 17, in which the structure of patterns is revealed through the hierarchy of neurosemantic network layers, which determines the order of neurosemantic network layers on which neurons are located, and the neurosemantic network for event processing is used as follows: • on the zero layer of the neurosemantic network there are neurons corresponding to the values of the event fields, grouped by channels corresponding to the event fields, and the duration of the terminal neuron is taken as 0; • the first layer contains neurons corresponding to events and having inputs from neurons of the terminal layer, with each input corresponding to a terminal neuron of a channel different from the channels of terminal neurons of other inputs; time intervals between event inputs from field values are taken as zero, and the total duration of the event neuron is accordingly taken as zero - the event has no duration; • neurons corresponding to episodes are located on the second layer, the number of episode neuron inputs is equal to the number of events in the episode, the intervals between events in the episode are exactly stored as the intervals between the episode neuron inputs; • the second and subsequent layers also contain neurons corresponding to the sequences of events, and the neurons of the third layer and subsequent layers have inputs from the neurons of the previous layer and the opening of the pattern neuron to the sequence of events is carried out through recursive disclosure of all its inputs - up to the first layer, and the event is revealed to field values through their inputs from terminal neurons. 23. The method according to claim 22, in which each episode is sequentially processed on the layers of the neurosemantic network: by matching the values of the event fields of the terminal neurons, by matching the events of the neurons of the first layer, by creating top-episode neurons on the second layer, by matching the sequences of events of pattern neurons on the second and higher layers up to the layer on which one neuron of the top pattern will be matched or the maximum layer will be reached. 24. The method according to claim 22, which activates the pattern neuron upon recognition in the event stream of a sequence with an order of events corresponding to the order of events obtained by opening this neuron, performed recursively through its inputs up to the first layer, and the duration of the detected sequence within interval

determined by the duration of the pattern neuron d and the hyperparameter of the neurosemantic network σ > 0. 25. The method according to p. 22, in which the user creates or changes during the operation of the neurosemantic network on a special minus the first layer monitor neurons that allow you to track the creation and activation of neurons of the neurosemantic network according to specified conditions; moreover, monitor neurons are used as output channels from the neurosemantic network to alert the user or external systems. 26. The method according to claim 22, in which the neurons of the zero layer and subsequent layers have at least the following properties: • contain a vector of input connections from neurons of the previous layer; for the zero layer, the vector contains one categorical or categorical value of the event field; • contain a vector of time intervals between activations of connections from neurons of the previous layer, fixed during the creation of the neuron; moreover, for the zero layer, this vector consists of one zero value; for neurons of the first layer and subsequent layers that have only one input, the duration of a single input is taken equal to the duration of a single input neuron; • in the presence of output connections, they contain a set of the mentioned output connections to monitor neurons minus the first layer; • contain the time of the last neuron activation; • contain a statistical parameter reflecting the frequency of neuron activations, in particular, the number of activations. 27. The method of claim 22, further comprising configuring the attention of the neurosemantic network by specifying attention directions for filtering received events based on criteria on field values for pattern recognition among events filtered by each such direction. 28. The method according to claim 27, in which each episode is sequentially processed on layers from the second and above in each direction of attention in the case of setting the attention configuration up to the layer on which the top pattern is matched for this direction of attention or the maximum layer is reached. 29. The method according to claim 27, in which the neuron is compared during processing by activating the neuron of the corresponding layer, if it is found (recognized), or by creating and activating a new neuron if a new field value, event or pattern is observed, depending on the layer . 30. The method according to claim 27, in which the hierarchical structure of patterns on the layers of the neurosemantic network is optimized due to the periodic transition of the neurosemantic network to the "sleep" mode, in which events in the episodes are not processed or are processed in parallel on other computing resources; at the same time, in the "sleep" mode, processing of events from the interval of the event history obtained by combining several short episodes and ordering events according to their timestamps is performed for cases where some of the events in the stream came outside of their episode, as well as processing at long intervals for those directions attention, in which events are rare, or in the case of changing directions of attention. 31. The method of claim 27, wherein the monitor neurons have at least the following properties: • contain at least one input to which a dendritic tree is attached with nodes that implement logical operations on outputs from other neurons or from network layers attached to them; • contain a dendritic node attached to the root of the dendritic tree with a logical operation “or” and attached outputs from neurons of the zero layer and subsequent layers, used to detect the activation of field values, events and patterns already learned by the network; the criterion for subscribing a neuron-monitor to the activation of such neurons is set through the definition of conditions for field values; • contain 0 or more other dendritic nodes connected to the “or” node with the logical operation “and”, which, in turn, are connected to the outputs from the zero layer neurons corresponding to the values of the fields, and the outputs directly from the zero layer and subsequent layers, which are used for detecting the creation of new neurons corresponding, depending on the layer, to field values, or events, or patterns; dendritic nodes “and” set the conditions for what field values the neurons created on the specified layers should have in order to activate this neuron-monitor; • have the ability to dynamically change the set of monitor neuron inputs from network neurons - automatically add new created neurons to the dendritic node “or” that meet the criteria of the dendritic node “and”; • have the ability to set the "attention" option to the values of subscription fields and create child monitor neurons for each unique value or a unique combination of such values of such fields, becoming a parent monitor neuron; child monitor neurons will count the number of activations with this unique value and other subscription conditions, like the parent monitor neuron, and notify the parent monitor of their firing; • have the ability to subscribe both to previously created and activated more than once neurons, and only to new neurons that are activated once, as well as to both; while subscribing only to new neurons considers such neurons as corresponding to anomalies in the flow of events - that is, corresponding to unseen field values, or events, or sequences of events in the CPS or IS behavior previously learned by the neurosemantic network; • contain a property for setting a sliding monitoring interval and the amount of activation of the monitor neuron on the sliding interval, upon reaching which the monitor neuron will generate a notification for the user or other systems.

Images