WO2007120140A1 - Classification of false alarms in a security system - Google Patents

Classification of false alarms in a security system Download PDF

Info

Publication number
WO2007120140A1
WO2007120140A1 PCT/US2006/014521 US2006014521W WO2007120140A1 WO 2007120140 A1 WO2007120140 A1 WO 2007120140A1 US 2006014521 W US2006014521 W US 2006014521W WO 2007120140 A1 WO2007120140 A1 WO 2007120140A1
Authority
WO
WIPO (PCT)
Prior art keywords
alarm
false alarm
incident
false
security system
Prior art date
Application number
PCT/US2006/014521
Other languages
French (fr)
Inventor
Roxana Zangor
Rajul Misra
Robert N. Tomastik
Original Assignee
Chubb International Holdings Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chubb International Holdings Limited filed Critical Chubb International Holdings Limited
Priority to PCT/US2006/014521 priority Critical patent/WO2007120140A1/en
Publication of WO2007120140A1 publication Critical patent/WO2007120140A1/en

Links

Classifications

    • GPHYSICS
    • G08SIGNALLING
    • G08BSIGNALLING OR CALLING SYSTEMS; ORDER TELEGRAPHS; ALARM SYSTEMS
    • G08B25/00Alarm systems in which the location of the alarm condition is signalled to a central station, e.g. fire or police telegraphic systems
    • G08B25/01Alarm systems in which the location of the alarm condition is signalled to a central station, e.g. fire or police telegraphic systems characterised by the transmission medium
    • G08B25/08Alarm systems in which the location of the alarm condition is signalled to a central station, e.g. fire or police telegraphic systems characterised by the transmission medium using communication transmission lines
    • GPHYSICS
    • G08SIGNALLING
    • G08BSIGNALLING OR CALLING SYSTEMS; ORDER TELEGRAPHS; ALARM SYSTEMS
    • G08B29/00Checking or monitoring of signalling or alarm systems; Prevention or correction of operating errors, e.g. preventing unauthorised operation
    • G08B29/18Prevention or correction of operating errors
    • G08B29/20Calibration, including self-calibrating arrangements
    • G08B29/22Provisions facilitating manual calibration, e.g. input or output provisions for testing; Holding of intermittent values to permit measurement

Definitions

  • the present invention relates to the field of security systems.
  • the present invention relates to classification of false alarms in an intrusion security system.
  • An intrusion security system detects specific events at a building or asset, typically with individual sensors that respond to security or safety breaches. When a sensor is triggered, an alarm signal is sent to a call center where the data is logged and an operator is informed. The operator then either determines that the alarm is a false alarm (i.e., caused by something other than an intruder, fire, flood, or monitored machinery failure), or calls an appropriate agency (such as a guard or the police) to verify and/or resolve the problem.
  • a false alarm occurs when a security system detects alarm status erroneously as a result of events such as user error, environmental triggering of sensors, or equipment failure.
  • a false dispatch occurs when the call center, after being unable to verify the cause of an alarm by calling the premises or a property contact person, notifies a responding authority that visits the premises and finds no evidence of a threat to the premises.
  • False alarms and false dispatches introduce significant overhead into the security business.
  • false dispatches compromise the level of security provided to the end user of the security system, since resources that could be dedicated to responding to legitimate alarms must instead be used in responding to the false alarms.
  • security companies do not have the ability to automatically diagnose or classify causes of false alarms based on past data of the security system. Rather, false alarm causes are determined either through a manual review of the past data, or by dispatching a service technician to the security system site to determine potential causes of the false alarms. Because both of these approaches are labor-intensive, false alarms and false dispatches continue to be burdensome for call centers and responding authorities.
  • the subject invention is directed to classification of false alarm incidents in an intrusion security system.
  • Alarm activity data related to alarm activity in the intrusion security system is parsed into alarm incident data blocks.
  • a false alarm class label is assigned to the analyzed incident based on features extracted from each alarm incident data block.
  • Each false alarm class corresponds to a pre-identified false alarm scenario, characterized by certain values or ranges of values for each feature.
  • the scenarios and their characteristics are stored in a false alarm scenario database.
  • FIG. 1 is a block diagram of a system for diagnosing false alarm causes in intrusion security systems according to the present invention.
  • FIG. 2 is a flow diagram for a process of diagnosing false alarm causes from security system alarm activity data according to the present invention.
  • FIG. 1 is a block diagram of a system 10 for classifying false alarms by cause in intrusion security systems according to the present invention.
  • System 10 includes output device 12, false alarm classification device 14, and security system activity database 16.
  • False alarm classification device 14 includes sequencing module 20 comprising data preprocessing application 22 and incident parsing application 24. False alarm classification device 14 also includes classification report generator 26, alarm incident classification module 28, and false alarm scenario database 30.
  • false alarm classification device 14 is a microprocessor based device and sequencing module 20, classification report generator 26, and alarm incident classification module 28 are computer programs or applications executed by false alarm classification device 14.
  • Security system activity database 16 receives information related to security system activity from a site and stores this information on a storage medium such as a hard drive. Security system activity database 16 provides an output to sequencing module 20, which is processed by data preprocessing application 22 and incident parsing application 24.
  • Sequencing module 20 provides an output to alarm incident classification module 28, which also receives an input from false alarm scenario database 30.
  • False alarm scenario database 30 stores information on a storage medium (such as a hard drive) that is related to false alarm signatures that are data representations of various types of false alarms.
  • Alarm incident classification module 28 processes information from sequencing module 20 and false alarm scenario database 30 and provides an output to classification report generator 26.
  • Classification report generator 26 provides an output to output device 12.
  • Output device 12 may be any device capable of providing information from classification report generator 26 in a viewable format, such as an electronic display or a printer.
  • FIG. 2 is a flow diagram for a process of classifying false alarm causes from security system alarm activity data according to the present invention.
  • Security system activity database 16 receives and stores information related to all activity and site information from monitored security system sites, including alarm activity, security system operator activity, account information for security system sites, and security system setup information (step 40).
  • Data preprocessing application 22 removes all unnecessary data prior to analysis to reduce the computational burden on false alarm classification device 14.
  • data preprocessing application 22 extracts alarm event information from the raw security system activity data in security system activity database 16 (step 42).
  • Data preprocessing application 22 accomplishes this by only passing information to incident parsing application 24 that is related to alarm events in active security system accounts, while filtering out information irrelevant to alarm events, such as records related to test security systems, training information, account administration activity, and the like.
  • the alarm event information that is received by incident parsing application 24 from data preprocessing application 22 is completely unstructured.
  • the alarm event information is a collection of data of different types (e.g., alarm signals, security system operator actions, etc.) for different accounts in the temporal order that the data was received by security system activity database 16.
  • Incident parsing application 24 organizes the alarm event information into alarm incident blocks (step 44).
  • Each alarm incident block is a sequence of events that starts with an event that requires a response by the security system operator (e.g., an alarm signal transmitted by the security system site control panel) and ends with an action or sequence of actions by the security system operator that indicates that the incident has been finalized.
  • Incident parsing application 24 thus finds all beginning and end events (for example, based on event codes associated with each type of event) and assigns all intermediate events (defined by the time received by security system activity database 16) to the same alarm incident block. Incident parsing application 24 also organizes the alarm incident blocks by security system site account so that the alarm incident blocks for a particular account may be analyzed.
  • the alarm incident blocks may then be classified by the type of event that represents the start of the incident. More specifically, each event is classified at a high level by an event code that is related to the nature of the event. These event codes may represent events at the security system site such as burglary, failure to close at an expected time, failure to open at an expected time, fire, duress, medical emergency, communication failure with the call center, tampering with the control panel, and administrative events.
  • This high level classification of the alarm incident blocks allows for diagnosis of some alarm events that have a readily discernable cause or are not easily diagnosed from the available data. These alarm events include failure to open at an expected time, fire, duress, medical emergency, communication failure with the call center, tampering with the control panel, and administrative events.
  • duress false alarms are most often produced by erroneously pressing a panic or duress button at the site.
  • communication failure or tampering with the control panel alarm events typically occur due to an equipment malfunction or weather occurrences for which the cause cannot easily be inferred from the alarm incident block data.
  • alarm incident blocks relating to burglary and failure to close events have several potential causes. These alarm incidents occur pursuant to scenarios that can be described through attributes or variables that are computable from the data available in the alarm incident blocks and the site activity history. These alarm incident blocks are classified or diagnosed by comparing them with false alarm scenarios stored in false alarm scenario database 30 (step 46). A discrete choice model is used for each alarm incident block to estimate the probability that the alarm incident block matches one of the false alarm signatures. In one embodiment, the discrete choice model is a multinomial logit random utility model. In essence, alarm incident classification module 28 employs a pattern matching algorithm to classify each alarm incident block by cause.
  • false alarm scenarios defined in false alarm scenario database 30 are most common in burglary and failure to close alarm incidents, are detailed enough to pinpoint a basic cause for the alarm, and can be characterized by attributes that are computable from the security system data.
  • the scenarios for a given customer account also depend on the amount of information in the available data for different types of security system accounts. For example, security system accounts can be set to transmit or not transmit arming and disarming signals to the call center when a user arms or disarms the security system, respectively. For security system accounts that send arming and disarming signals to the call center, the following scenarios may be included in false alarm scenario database 30:
  • Third party failure to close Third parties (e.g., automatic teller machine attendants, cleaners, etc.) disarm the system but remain inside the site for a longer time than allowed
  • the scenarios listed above represent a choice set.
  • explanatory variables that characterize the scenarios are selected.
  • IntervalArmDisarm The time interval between the arming and the disarming of the security system prior to the start of an alarm incident
  • RecentArm The time interval between the arming of the security system immediately prior to the start of the alarm incident and the start of the alarm incident
  • DiffSensors The total number of different sensors triggered during the alarm incident.
  • StartDoor The alarm incident starts with a burglary alarm triggered by a door contact
  • StartNoDoor The alarm incident starts with a burglary alarm not triggered by a door contact
  • StartFC The alarm incident starts with a failure to close alarm
  • SAFIag "See account” event code - indicates the presence of alarm activity in adjacent security system subsites, the cause of which may be determined from other security system activity for the account
  • APFIag "Answer at premise” event code - indicates that someone at the site responded to a communication from the call center.
  • DiffSensors The total number of different sensors triggered during the alarm incident.
  • CancelFlag "Cancel” event code - a user at the security system site canceled the alarm
  • Cancel Interval The time interval between the beginning of the alarm incident and the cancellation of the alarm
  • the false alarm scenarios in false alarm scenario database 30 are mapped into false alarm signatures.
  • a value or range of values for each of the variables is used to characterize each false alarm scenario.
  • the value or range of values for each variable assigned in the false alarm signature is the expected value or range of values for the false alarm type represented by the false alarm scenario.
  • each alarm incident block is compared to the false alarm signatures to determine the false alarm signature that most closely matches the alarm incident block. This is accomplished by estimating the likelihood that the alarm incident block matches one of the false alarm signatures. Thus, the probability that alarm incident block x. matches one of the false alarm signatures is given by
  • P 1 U) P(M(X n X j )) (Equation 3) where M is the pattern matching method.
  • M the pattern matching method.
  • each new alarm incident block is assigned a false alarm class label corresponding to the highest matching probability as determined from Equations 4 and 5.
  • the false alarm classification report provides a list of all alarm incidents for the site and the associated probable cause assigned to the alarm incident. This classification report, which may be customized based on specific interests of the recipient, may be provided in the form of an onscreen display of the report, or in the form of a printed report. The false alarm classification report may then be used by call centers to determine high false alarm activity accounts and to implement false alarm reduction solutions. The false alarm classification report may also be used by security system users to become aware of false alarm activity at the security system site and potentially eliminate patterns of behavior that cause the alarm activity.
  • the present invention is directed to classifying false alarm events in an intrusion security system.
  • Alarm activity data related to alarm activity in the intrusion security system is parsed into alarm incident data blocks. Characteristics of each alarm incident data block are then compared with like characteristics of stored false alarm signatures. Each stored false alarm signature is representative of a false alarm scenario.
  • a false alarm label is then assigned to each alarm incident data block based on a classification algorithm.
  • the false alarm events may be organized into a false alarm classification report for the intrusion security system. Call centers and alarm system companies may use this report to determine sites with high false alarm activity and implement false alarm reduction solutions at those sites.
  • a user of the intrusion security system may use the report to potentially eliminate patterns of behavior that generate false alarm activity.

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • Emergency Management (AREA)
  • Alarm Systems (AREA)

Abstract

False alarm events in an intrusion security system are classified (10). Alarm activity data related to alarm activity in the intrusion security system is parsed into alarm incident data blocks (24). Characteristics of each alarm incident data block are then compared with like characteristics of stored false alarm signatures (28). Each stored false alarm signature (30) is representative of a false alarm event class. A false alarm event class is then assigned to each alarm incident data block based on the comparison with the stored false alarm signatures (26).

Description

CLASSIFICATION OF FALSE ALARMS IN A SECURITY SYSTEM
BACKGROUND OF THE INVENTION
The present invention relates to the field of security systems. In particular, the present invention relates to classification of false alarms in an intrusion security system.
An intrusion security system detects specific events at a building or asset, typically with individual sensors that respond to security or safety breaches. When a sensor is triggered, an alarm signal is sent to a call center where the data is logged and an operator is informed. The operator then either determines that the alarm is a false alarm (i.e., caused by something other than an intruder, fire, flood, or monitored machinery failure), or calls an appropriate agency (such as a guard or the police) to verify and/or resolve the problem. A false alarm occurs when a security system detects alarm status erroneously as a result of events such as user error, environmental triggering of sensors, or equipment failure. A false dispatch occurs when the call center, after being unable to verify the cause of an alarm by calling the premises or a property contact person, notifies a responding authority that visits the premises and finds no evidence of a threat to the premises.
False alarms and false dispatches introduce significant overhead into the security business. In addition, false dispatches compromise the level of security provided to the end user of the security system, since resources that could be dedicated to responding to legitimate alarms must instead be used in responding to the false alarms. However, security companies do not have the ability to automatically diagnose or classify causes of false alarms based on past data of the security system. Rather, false alarm causes are determined either through a manual review of the past data, or by dispatching a service technician to the security system site to determine potential causes of the false alarms. Because both of these approaches are labor-intensive, false alarms and false dispatches continue to be burdensome for call centers and responding authorities.
BRIEF SUMMARY OF THE INVENTION
The subject invention is directed to classification of false alarm incidents in an intrusion security system. Alarm activity data related to alarm activity in the intrusion security system is parsed into alarm incident data blocks. A false alarm class label is assigned to the analyzed incident based on features extracted from each alarm incident data block. Each false alarm class corresponds to a pre-identified false alarm scenario, characterized by certain values or ranges of values for each feature. The scenarios and their characteristics are stored in a false alarm scenario database.
BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a block diagram of a system for diagnosing false alarm causes in intrusion security systems according to the present invention.
FIG. 2 is a flow diagram for a process of diagnosing false alarm causes from security system alarm activity data according to the present invention.
DETAILED DESCRIPTION FIG. 1 is a block diagram of a system 10 for classifying false alarms by cause in intrusion security systems according to the present invention. System 10 includes output device 12, false alarm classification device 14, and security system activity database 16. False alarm classification device 14 includes sequencing module 20 comprising data preprocessing application 22 and incident parsing application 24. False alarm classification device 14 also includes classification report generator 26, alarm incident classification module 28, and false alarm scenario database 30. In one embodiment, false alarm classification device 14 is a microprocessor based device and sequencing module 20, classification report generator 26, and alarm incident classification module 28 are computer programs or applications executed by false alarm classification device 14. Security system activity database 16 receives information related to security system activity from a site and stores this information on a storage medium such as a hard drive. Security system activity database 16 provides an output to sequencing module 20, which is processed by data preprocessing application 22 and incident parsing application 24.
Sequencing module 20 provides an output to alarm incident classification module 28, which also receives an input from false alarm scenario database 30. False alarm scenario database 30 stores information on a storage medium (such as a hard drive) that is related to false alarm signatures that are data representations of various types of false alarms.
Alarm incident classification module 28 processes information from sequencing module 20 and false alarm scenario database 30 and provides an output to classification report generator 26. Classification report generator 26 provides an output to output device 12. Output device 12 may be any device capable of providing information from classification report generator 26 in a viewable format, such as an electronic display or a printer.
System 10 is used to diagnose or classify false alarm incidents in an intrusion security system. FIG. 2 is a flow diagram for a process of classifying false alarm causes from security system alarm activity data according to the present invention. Security system activity database 16 receives and stores information related to all activity and site information from monitored security system sites, including alarm activity, security system operator activity, account information for security system sites, and security system setup information (step 40).
When data is received from security system sites, some of the data that is stored in security system activity database 16 is unnecessary for classifying false alarm incidents. Data preprocessing application 22 removes all unnecessary data prior to analysis to reduce the computational burden on false alarm classification device 14. In particular, data preprocessing application 22 extracts alarm event information from the raw security system activity data in security system activity database 16 (step 42). Data preprocessing application 22 accomplishes this by only passing information to incident parsing application 24 that is related to alarm events in active security system accounts, while filtering out information irrelevant to alarm events, such as records related to test security systems, training information, account administration activity, and the like.
The alarm event information that is received by incident parsing application 24 from data preprocessing application 22 is completely unstructured. The alarm event information is a collection of data of different types (e.g., alarm signals, security system operator actions, etc.) for different accounts in the temporal order that the data was received by security system activity database 16. Incident parsing application 24 organizes the alarm event information into alarm incident blocks (step 44). Each alarm incident block is a sequence of events that starts with an event that requires a response by the security system operator (e.g., an alarm signal transmitted by the security system site control panel) and ends with an action or sequence of actions by the security system operator that indicates that the incident has been finalized. Incident parsing application 24 thus finds all beginning and end events (for example, based on event codes associated with each type of event) and assigns all intermediate events (defined by the time received by security system activity database 16) to the same alarm incident block. Incident parsing application 24 also organizes the alarm incident blocks by security system site account so that the alarm incident blocks for a particular account may be analyzed.
The alarm incident blocks may then be classified by the type of event that represents the start of the incident. More specifically, each event is classified at a high level by an event code that is related to the nature of the event. These event codes may represent events at the security system site such as burglary, failure to close at an expected time, failure to open at an expected time, fire, duress, medical emergency, communication failure with the call center, tampering with the control panel, and administrative events. This high level classification of the alarm incident blocks allows for diagnosis of some alarm events that have a readily discernable cause or are not easily diagnosed from the available data. These alarm events include failure to open at an expected time, fire, duress, medical emergency, communication failure with the call center, tampering with the control panel, and administrative events. For example, duress false alarms are most often produced by erroneously pressing a panic or duress button at the site. As another example, communication failure or tampering with the control panel alarm events typically occur due to an equipment malfunction or weather occurrences for which the cause cannot easily be inferred from the alarm incident block data. :
The remaining alarm incident blocks relating to burglary and failure to close events have several potential causes. These alarm incidents occur pursuant to scenarios that can be described through attributes or variables that are computable from the data available in the alarm incident blocks and the site activity history. These alarm incident blocks are classified or diagnosed by comparing them with false alarm scenarios stored in false alarm scenario database 30 (step 46). A discrete choice model is used for each alarm incident block to estimate the probability that the alarm incident block matches one of the false alarm signatures. In one embodiment, the discrete choice model is a multinomial logit random utility model. In essence, alarm incident classification module 28 employs a pattern matching algorithm to classify each alarm incident block by cause.
The false alarm scenarios defined in false alarm scenario database 30 are most common in burglary and failure to close alarm incidents, are detailed enough to pinpoint a basic cause for the alarm, and can be characterized by attributes that are computable from the security system data. The scenarios for a given customer account also depend on the amount of information in the available data for different types of security system accounts. For example, security system accounts can be set to transmit or not transmit arming and disarming signals to the call center when a user arms or disarms the security system, respectively. For security system accounts that send arming and disarming signals to the call center, the following scenarios may be included in false alarm scenario database 30:
(1) Exceeded entrance delay: User takes too long to disarm the system after entering an armed site
(2) Movement in armed site before disarming: User enters the armed site and moves around before attempting to disarm the system
(3) Disarming disregarded: User enters armed site and disregards the disarming process completely
(4) Exceeded exit delay: User takes too long to exit after arming the system
(5) Movement in armed site after arming: User arms the system and remains inside the site; other people are left behind in the armed site
(6) Failure to close: User fails to arm the system before expiration of an arming time window after an expected time of closing
(7) Failure to close after disarming: User arms and then disarms the system within the arming time window
(8) Third party failure to close: Third parties (e.g., automatic teller machine attendants, cleaners, etc.) disarm the system but remain inside the site for a longer time than allowed
(9) Environmental or faulty equipment: An alarm is produced by non-human causes
(10) Other: Alarm produced by an unknown cause.
For security system accounts that do not send arming and disarming signals to the call center, the following scenarios may be included in false alarm scenario database 30: (1 ) User error: User error in arming or disarming
(2) Environmental or faulty equipment: An alarm is produced by non-human causes (3) Other: Alarm produced by an unknown cause.
In the discrete choice modeling framework of alarm incident classification module 28, the scenarios listed above represent a choice set. In order to model this choice set, explanatory variables that characterize the scenarios are selected. The explanatory variables for the false alarm scenarios may be represented as a set {xn,n = l,...,N} . For security system accounts that send arming and disarming signals, the following are examples of explanatory variables that are characteristic of each of the scenarios (1)-(10) above:
(a) IntervalArmDisarm: The time interval between the arming and the disarming of the security system prior to the start of an alarm incident
(b) QuickDisarm: The time interval between the start of the alarm incident and the disarming of the system after the start of the alarm incident
(c) RecentArm: The time interval between the arming of the security system immediately prior to the start of the alarm incident and the start of the alarm incident (d) DiffSensors: The total number of different sensors triggered during the alarm incident.
(e) NumSensorsDay. The total number of sensors triggered in the past day at the security system site
(f) StartDoor. The alarm incident starts with a burglary alarm triggered by a door contact (g) StartNoDoor. The alarm incident starts with a burglary alarm not triggered by a door contact
(h) StartFC: The alarm incident starts with a failure to close alarm (i) SAFIag: "See account" event code - indicates the presence of alarm activity in adjacent security system subsites, the cause of which may be determined from other security system activity for the account (j) APFIag: "Answer at premise" event code - indicates that someone at the site responded to a communication from the call center.
For accounts that do not send arming and disarming signals, the following are example, explanatory variables that are characteristic of each of the scenarios (1 )-(3) above:
(a) DiffSensors: The total number of different sensors triggered during the alarm incident.
(b) NumSensorsDay. The total number of sensors triggered in the past day at the security system site
(c) StartDoor. The alarm incident starts with a burglary alarm triggered by a door contact
(d) StartNoDoor. The alarm incident starts with a burglary alarm not triggered by a door contact
(e) CancelFlag: "Cancel" event code - a user at the security system site canceled the alarm (f) Cancel Interval: The time interval between the beginning of the alarm incident and the cancellation of the alarm
(g) APFIag: "Answer at premise" event code - indicates that someone at the site responded tσa communication from the call center.
With the above variables, the false alarm scenarios in false alarm scenario database 30 are mapped into false alarm signatures. In the false alarm signatures, a value or range of values for each of the variables is used to characterize each false alarm scenario. The value or range of values for each variable assigned in the false alarm signature is the expected value or range of values for the false alarm type represented by the false alarm scenario. Let J represent the number of false alarm scenarios, wherein the Jth scenario always corresponds to the "other" scenario having an unknown cause, while scenarios 1, 2,..., J-1 correspond to the scenarios with known, pre-defined causes. Thus, a set of J false alarm signatures for the above given set of explanatory variables may be represented as SFA = {xj = [χβ , xJ2 ,..., xjN IJ = 1,..., J} (Equation 1 ).
Each alarm incident block provided by incident parsing application
24 to alarm incident classification module 28 may also be characterized by the same explanatory variables as set forth above. Thus, the values of explanatory variables characterizing the zth alarm incident block is given by
X1 = [>,jn=1 N (Equation 2).
Next, each alarm incident block is compared to the false alarm signatures to determine the false alarm signature that most closely matches the alarm incident block. This is accomplished by estimating the likelihood that the alarm incident block matches one of the false alarm signatures. Thus, the probability that alarm incident block x. matches one of the false alarm signatures is given by
P1U) = P(M(XnXj)) (Equation 3) where M is the pattern matching method. Thus, the probability that alarm incident block X1 matches one of the false alarm signatures is determined by matching patterns in alarm incident block x. with each of the false alarm signatures. In one embodiment, the pattern matching method is a multinomial logit formulation. For this type of formulation, the probability P1U) for / = 1 , 2, ..., J-1 is given by: *(/>- jff f'* (Equations
and P1(J) is given by:
J-X
W) = 1-∑W) (Equation s)
Figure imgf000012_0001
where ,ΛT = [1,JCΠ ,ΛΓ/29...,ΛΓW ] is a matrix of the explanatory variables that characterize alarm incident block i and β = [βnj]n=la w+i;y=i,2 j-i are rnodel parameters determined during model calibration. The values of model parameters β are estimated through log-likelihood maximization on a calibration dataset containing manually labeled alarm incident blocks. The log-likelihood function is given by:
/ J-I LL(β) = ∑∑yg 1Og(P1 U)) (Equation 6)
1=1 7=1 where j/y = 1 when alarm incident block i matches false alarm signature j and yij = 0 when the alarm incident block i does not match false alarm signature/.
With the estimated model parameters, each new alarm incident block is assigned a false alarm class label corresponding to the highest matching probability as determined from Equations 4 and 5. Thus, for each incident i in the set of J false alarm scenarios (where the Jth scenario corresponds to the "other" scenario having an unknown cause), the false alarm class label assigned to each incident i is given by: C1 = argmax{/?(/) : j = l,2,...,J,maxy P1(J) > τ\ (Equation 7) and
C1. = J,maxy P1 (j) < T (Equation 8) where T is a threshold probability (e.g., near zero).
When each of the alarm incident blocks for a security system site has been classified, a false alarm classification report is generated (step
48). The false alarm classification report provides a list of all alarm incidents for the site and the associated probable cause assigned to the alarm incident. This classification report, which may be customized based on specific interests of the recipient, may be provided in the form of an onscreen display of the report, or in the form of a printed report. The false alarm classification report may then be used by call centers to determine high false alarm activity accounts and to implement false alarm reduction solutions. The false alarm classification report may also be used by security system users to become aware of false alarm activity at the security system site and potentially eliminate patterns of behavior that cause the alarm activity.
In summary, the present invention is directed to classifying false alarm events in an intrusion security system. Alarm activity data related to alarm activity in the intrusion security system is parsed into alarm incident data blocks. Characteristics of each alarm incident data block are then compared with like characteristics of stored false alarm signatures. Each stored false alarm signature is representative of a false alarm scenario. A false alarm label is then assigned to each alarm incident data block based on a classification algorithm. When the false alarm events have been classified, they may be organized into a false alarm classification report for the intrusion security system. Call centers and alarm system companies may use this report to determine sites with high false alarm activity and implement false alarm reduction solutions at those sites. In addition, a user of the intrusion security system may use the report to potentially eliminate patterns of behavior that generate false alarm activity.
Although the present invention has been described with reference to examples and preferred embodiments, workers skilled in the art will recognize that changes may be made in form and detail without departing from the spirit and scope of the invention.

Claims

CLAIMS:
1. A method for classifying false alarm events in an intrusion security system, the method comprising: parsing alarm activity data into alarm incident data blocks, wherein the alarm activity data is related to alarm activity in the intrusion security system; comparing characteristics of each alarm incident data block with corresponding characteristics of stored false alarm signatures, each stored false alarm signature representative of a false alarm event class; and assigning a false alarm event class to each alarm incident data block based on the comparison with the stored false alarm signatures.
2. The method of claim 1 , wherein parsing the alarm activity data into alarm incident data blocks comprises: identifying a first attribute in the alarm activity data that is characteristic of a beginning of an alarm event; identifying a second attribute in the alarm activity data that is characteristic of an end of the alarm event; and assigning the alarm activity data from the beginning of the alarm event to the end of the alarm event to an alarm incident block.
3. The method of claim 1 , wherein the comparing step comprises: estimating a probability that the alarm incident data block matches one of the stored false alarm signatures.
4. The method of claim 3, wherein estimating a probability comprises: correlating patterns in each alarm incident data block with patterns in the stored false alarm signatures.
5. The method of claim 3, wherein the assigning step comprises: assigning the false alarm event class that corresponds to the stored false alarm signature with a highest estimated matching probability to the alarm incident data block.
6. The method of claim 1 , and further comprising: generating a false alarm diagnostic report for the intrusion security system including the alarm incident data blocks and an associated assigned false alarm event class.
7. A method for classifying a false alarm event in a security system, the method comprising: providing false alarm signatures each representative of a false alarm class and characterized by a plurality of false alarm signature variables; extracting an alarm incident data block from security system event data, the alarm incident data block related to the false alarm event and characterized by a plurality of false alarm incident variables; estimating a probability that the alarm incident data block matches one of the false alarm signatures based on a comparison of the false alarm incident variables and the false alarm signature variables; and correlating the alarm incident data block with the false alarm class that corresponds to the false alarm signature with a highest estimated matching probability.
8. The method of claim 7, wherein extracting an alarm incident block comprises: retrieving alarm activity data related to alarm activity in the security system; and parsing the alarm activity data into alarm incident data blocks, wherein each alarm incident data block is related to a separate false alarm event.
9. The method of claim 8, wherein parsing the alarm activity data into alarm incident data blocks comprises: identifying a first attribute in the alarm activity data that is characteristic of a beginning of an alarm event; identifying a second attribute in the alarm activity data that is characteristic of an end of the alarm event; and assigning the alarm activity data from the beginning of the alarm event to the end of the alarm event to an alarm incident block.
10. The method of claim 7, wherein estimating a probability that the alarm incident data block matches one of the false alarm signatures comprises: correlating patterns in the false alarm signature variables with patterns in the false alarm incident variables.
11. The method of claim 7, wherein the probability is estimated using a discrete choice model estimation.
12. The method of claim 11 , wherein the discrete choice model is a random utility model.
13. The method of claim 12, wherein the random utility model estimation is a multinomial logit random utility model.
14. A system for classifying false alarm events in a security system, the system comprising: a security system activity database for storing alarm activity data related to alarm activity in the security system; a false alarm signature database for storing false alarm signatures, each false alarm signature representative of a false alarm class; a sequencing module for parsing the alarm activity data into alarm incident data blocks, wherein each alarm incident data block is related to a false alarm event and characterized by a plurality of false alarm incident variables; and an alarm incident classification module for comparing characteristics of each alarm incident data block with corresponding characteristics of the false alarm signatures and assigning a false alarm event class to each alarm incident data block based on the comparison.
15. The system of claim 14, wherein the alarm incident classification module compares the alarm incident data block and the false alarm signatures by estimating a probability that characteristics of the alarm incident data block matches characteristics of one of the stored false alarm signatures.
16. The system of claim 15, wherein the probability is estimated by correlating patterns in each alarm incident data block with patterns in the false alarm signatures.
17. The system of claim 15, wherein the alarm incident classification module employs a discrete choice model estimation.
18. The system of claim 17, wherein the discrete choice model is a random utility model.
19. The system of claim 18, wherein the random utility model estimation is a multinomial logit random utility model.
20. The system of claim 14, and further comprising: a classification report generator for generating a false alarm diagnostic report for the security system which provides the alarm incident data blocks with an associated assigned false alarm event class.
PCT/US2006/014521 2006-04-18 2006-04-18 Classification of false alarms in a security system WO2007120140A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2006/014521 WO2007120140A1 (en) 2006-04-18 2006-04-18 Classification of false alarms in a security system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2006/014521 WO2007120140A1 (en) 2006-04-18 2006-04-18 Classification of false alarms in a security system

Publications (1)

Publication Number Publication Date
WO2007120140A1 true WO2007120140A1 (en) 2007-10-25

Family

ID=38609802

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2006/014521 WO2007120140A1 (en) 2006-04-18 2006-04-18 Classification of false alarms in a security system

Country Status (1)

Country Link
WO (1) WO2007120140A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104036623A (en) * 2013-03-05 2014-09-10 南京物联传感技术有限公司 Method for correcting false data information alarm
US11225821B2 (en) 2017-06-30 2022-01-18 Assa Abloy Entrance Systems Ab Door operator

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5608377A (en) * 1995-10-20 1997-03-04 Visonic Ltd. Acoustic anti-tampering detector
US6351214B2 (en) * 1997-10-28 2002-02-26 Pittway Corp. Glass breakage detector
US20040160316A1 (en) * 2003-02-04 2004-08-19 Mr. Robert J. Trent, Spiral Technologies Limited Automatic siren silencing device for false alarms
US20070008098A1 (en) * 2005-07-08 2007-01-11 Hsing-Kuo Wong Method and architecture for online classification-based intrusion alert correlation

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5608377A (en) * 1995-10-20 1997-03-04 Visonic Ltd. Acoustic anti-tampering detector
US6351214B2 (en) * 1997-10-28 2002-02-26 Pittway Corp. Glass breakage detector
US20040160316A1 (en) * 2003-02-04 2004-08-19 Mr. Robert J. Trent, Spiral Technologies Limited Automatic siren silencing device for false alarms
US20070008098A1 (en) * 2005-07-08 2007-01-11 Hsing-Kuo Wong Method and architecture for online classification-based intrusion alert correlation

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104036623A (en) * 2013-03-05 2014-09-10 南京物联传感技术有限公司 Method for correcting false data information alarm
US11225821B2 (en) 2017-06-30 2022-01-18 Assa Abloy Entrance Systems Ab Door operator

Similar Documents

Publication Publication Date Title
US10636283B2 (en) System and method for alarm signaling during alarm system destruction
US10522031B2 (en) System and method providing early prediction and forecasting of false alarms by applying statistical inference models
US10187411B2 (en) Method for intrusion detection in industrial automation and control system
US8272053B2 (en) Physical security management system
CN102622818B (en) All-directional intelligent monitoring method for bank ATMs
US7595815B2 (en) Apparatus, methods, and systems for intelligent security and safety
US7679507B2 (en) Video alarm verification
US7158022B2 (en) Automated diagnoses and prediction in a physical security surveillance system
US7289023B2 (en) Supervised guard tour tracking systems and methods
US20070183604A1 (en) Response to anomalous acoustic environments
WO2006101472A1 (en) Context-aware alarm system
CN104050787A (en) System and Method of Anomaly Detection with Categorical Attributes
US9998894B2 (en) Auto-generate emergency voice call based on sensor response and pre-entered data
CN116457851B (en) System and method for real estate monitoring
US7286048B2 (en) Supervised guard tour systems and methods
WO2007120140A1 (en) Classification of false alarms in a security system
EP1915743A1 (en) Physical security management system
KR102643500B1 (en) Data collection apparatus for fire receiver based on communication signal photographing data and remote fire protection system comprising the same
CN214996794U (en) Intelligent lock anti-theft device
CN113160534A (en) Method, equipment and storage medium for alarming abnormity of intelligent access control system
CN112926527A (en) Rapid verification system for supervision place
WO2009107097A2 (en) Situation management system and method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 06758393

Country of ref document: EP

Kind code of ref document: A1

DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06758393

Country of ref document: EP

Kind code of ref document: A1

DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)