WO2017030546A1 - Interactive analytics interfaces based on context modifications - Google Patents

Interactive analytics interfaces based on context modifications Download PDF

Info

Publication number
WO2017030546A1
WO2017030546A1 PCT/US2015/045471 US2015045471W WO2017030546A1 WO 2017030546 A1 WO2017030546 A1 WO 2017030546A1 US 2015045471 W US2015045471 W US 2015045471W WO 2017030546 A1 WO2017030546 A1 WO 2017030546A1
Authority
WO
WIPO (PCT)
Prior art keywords
analytics
context
interface
module
characterization
Prior art date
Application number
PCT/US2015/045471
Other languages
French (fr)
Inventor
Renato Keshet
Sagi Schein
Yaniv SABO
Original Assignee
Hewlett Packard Enterprise Development Lp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hewlett Packard Enterprise Development Lp filed Critical Hewlett Packard Enterprise Development Lp
Priority to PCT/US2015/045471 priority Critical patent/WO2017030546A1/en
Publication of WO2017030546A1 publication Critical patent/WO2017030546A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/06Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/40Software arrangements specially adapted for pattern recognition, e.g. user interfaces or toolboxes therefor

Definitions

  • a variety of analytic tasks may be performed on data, and the results may be provided to a user.
  • the analytics tasks may include anomaly detection, clustering, pattern detection, classification, cohort analysis, and so forth.
  • Figure 1 is a functional block diagram illustrating one example of a system for interactive analytics interfaces based on context modifications.
  • Figure 2 is a block diagram illustrating one example of a computer readable medium for interactive analytics interfaces based on context modifications.
  • Figure 3 is a flow diagram illustrating one example of a method for interactive analytics interfaces based on context modifications.
  • Enterprises generally store vast amounts of data originating from their business, including operations data, financial data, Human Resource data, and so forth. There is a huge potential in mining such data for insights. At present, tapping into this potential typically requires lengthy and expensive analytics projects, involving subject matter experts (SMEs), data scientists, IT personnel and developers. Generally, enormous time and resources are spent for the SMEs, data scientists and developers to communicate, transfer knowledge, identify relevant problems, and design appropriate solutions. This is neither scalable nor efficient.
  • Analytics solutions are generally created through complex projects, rather than by means of a computer application.
  • Existing visual analytics applications enable interaction with data visualization, but such applications do not generally provide a medium to interact with the data analytics behind the applications.
  • There are a number of algorithms that receive user input in addition to the data e.g., Constraint K-Means or Constrained Non-Negative Matrix Factorization (“NMF”).
  • NMF Constrained Non-Negative Matrix Factorization
  • Such solutions do not provide interactive platforms that run a suite of algorithms in tandem, and aimed at generic data exploration.
  • Active learning techniques allow user interactions, but such interactions are limited to user responses to questions generated by the algorithm.
  • the system may enable the SME to steer a suite of algorithms at the SME’s pace and/or preference.
  • the role of a data scientist may be considerably reduced, and/or eliminated.
  • the computer implemented system is able to interact with the SME and quickly learn to identify and provide analytics results that are relevant to the SME.
  • Existing techniques generally provide insights by tagging data elements in a data repository.
  • a computer implemented system may generate or already have access to results of data analytics, such as, for example, anomalous events, patterns, clusters, etc. Accordingly, it may be more efficient to tag the results of data analytics to gain actionable insights, as is described herein.
  • the system described herein does not aim for an analytics automation; instead the system may continually interact with the SME, and may rely on the SME, to steer the system to select a suite of analytics capabilities that may be relevant to the SME.
  • a computer implemented system accesses data and a collection of analytics modules to iteratively provide a sequence of interactive analytics interfaces that are respectively based on selections of data characteristics, and/or results of data analytics.
  • the term“analytics interface” as used herein describes a user interface for visual representation of results of analytics algorithms.
  • the analytics interface may provide a visual representation of analyzed data, including any identified anomalous events.
  • the analytics interface may provide a visual representation of clusters of data based on a suitable similarity.
  • such visualizations may be progressive (e.g., continually updated as more data is received and/or analyzed).
  • One example is a system including a context module and an interaction module.
  • the context module accesses a collection of analytics modules to generate a first analytics interface based on a first context characterization indicative of a plurality of parameters of a source dataset.
  • the interaction module provides the first analytics interface to a computing device via a graphical user interface, identifies a requested change in the first context characterization via an interaction with the graphical user interface, and prompts the context module to pause generation of the first analytics interface in response to the requested change.
  • the context module modifies the first context characterization based on the requested change to create a second context characterization, and generates a second analytics interface responsive to the second context characterization.
  • FIG. 1 is a functional block diagram illustrating one example of a system 100 for interactive analytics interfaces based on context modifications.
  • System 100 includes a context module 106, and an interaction module 108.
  • the context module 106 may access a collection of analytics modules 102 to generate a first analytics interface based on a first context characterization indicative of a plurality of parameters of a source dataset 104.
  • the source dataset 104 may include structured and unstructured data.
  • the source dataset 104 may include data related to weather, food, drugs, natural phenomena, health, and so forth.
  • the data in the source dataset 104 may be in structured form.
  • the data may be represented as a linked database, a tabular array, an excel worksheet, a graph, a tree, and so forth.
  • the data in the source dataset 104 may be unstructured.
  • the data may be a collection of log messages, snippets from text messages, messages from social networking platforms, and so forth.
  • the data may be in semi-structured form.
  • the data in the source dataset 104 may be represented as an array.
  • columns may represent features of the data
  • rows may represent data elements.
  • rows may represent a traffic incident
  • columns may represent features associated with each traffic incident, including weather conditions, road conditions, time of day, date, a number of casualties, types of injuries, victims’ ages, and so forth.
  • the context module 106 may access a collection of analytics modules 102.
  • the collection of analytics modules 102 includes a plurality of data analytics processing systems that may be communicatively linked to system 100.
  • the collection of analytics modules 102 may include an anomaly detection module that processes the source dataset 104 to detect anomalies.
  • the collection of analytics modules 102 may include a clustering module that processes the source dataset 104 to identify clusters of data elements.
  • the collection of analytics modules 102 may include a cohort service that processes the source dataset 104 to identify cohorts of similar data elements.
  • the collection of analytics modules 102 may include a classifier service that processes the source dataset 104 to deploy a classifier to perform machine learning operations based on interactions via a computing device 110.
  • the collection of analytics modules 102 may include additional modules, such as, for example, an information links module that provides results to a search query for information, an aggregative analysis module that provides analysis based on entity, temporal, and/or spatial parameters.
  • the context module 106 may identify a context characterization indicative of a plurality of parameters of the source dataset 104.
  • the source dataset 104 may be in the form of an array, and the context characterization may include parameters such as filters, features, feature weights, and so forth.
  • the source dataset 104 may be in the form of an array, and the context characterization may include at least one of filters (e.g., applied to rows of the array), features (e.g., extracted from columns of the array), and feature weights (e.g., to weight the importance/relevance of each of the features).
  • the context characterization may include derived features. Derived features may be generally inferred from existing features.
  • a column in the array may be for a“timestamp”.
  • a data element may be associated with a value“7-21-2015”, and some features may be derived from such timestamp data. For example, a month,“July”, a date,“21”, a year,“2015”, and a day“Tuesday”, may be inferred from the timestamp value“7-21-2015”.
  • derived features may be associated with feature weights.
  • a context characterization may generally comprise two broad classes of filters, a selection filter set and a reference filter set.
  • the selection filter set may include filters.
  • a selection filter set may indicate which rows of the source dataset 104 are to be considered as selection by the collection of analytics modules 102.
  • the reference filter set may include filters, which may be different from the selection filters.
  • a reference filter set may indicate which rows of the source dataset 104 are to be considered as reference by the collection of analytics modules 102.
  • a selection filter set could indicate a single user-selected anomalous event (row) is included in the selection set, whereas all other events (rows) may be indicated by the reference filters set.
  • the user-selection anomalous event are included in the selection, whereas all the other events are included in the reference.
  • events in a selected cluster are included in the selections set, whereas events from another cluster may be included in the reference set.
  • the set of selection rows may or may not intersect with the reference rows.
  • the context module 106 may automatically run a suite of analytic algorithms from the collection of analytics modules 102, each of which may take as input all the context inputs (data, filters, features, etc.). These algorithms may generally depend on context feature weights.
  • the selection filter set may be utilized by the anomaly detection module, clustering module, information links module, and the aggregative analysis module, among others.
  • the cohort service and the classifier service utilize both the selection filter set and the reference filter set. For example, as described herein, a row in the array may be selected (included in the selection set), and the cohort service may analyze other rows in the array (included in the reference set) to identify rows that are similar to the selected row.
  • a collection of rows may comprise a selected cluster, and the clustering module may analyze other rows in the array (included in the reference set) to identify similar clusters.
  • the interaction module 108 may identify, via a graphical user interface 112, a selection of at least one cluster displayed in the analytics interface, and the context module 108 may access a classifier service from the collection of analytics modules for deployment.
  • the classifier service may build a classifier that optimally separates between the selection filter set and the reference filter set.
  • the interaction module 108 may provide the analytics interface to a computing device 110 via the graphical user interface 112.
  • the analytics interface is a visual representation of results of the algorithms. For example, based on a selection set and a reference set, the context module 106 may run an anomaly detection module, and the analytics interface may provide a visual representation of the data, including any identified anomalous events. As another example, based on a selection set, the context module 106 may run clustering module, and the analytics interface may provide a visual representation of the clusters. In some examples, such visualizations may be progressive (e.g., continually updated as more data is received and/or analyzed).
  • the interaction module 108 may identify a requested change in the context characterization via an interaction with the graphical user interface 112.
  • a requested change is generally any change in the context characterization, including changes to filters, features, feature weights, and so forth.
  • the interaction module 108 may identify a selection of an anomalous event, a cluster, a pattern, and so forth. For example, a plurality of rows in a tabular array may be selected for analysis. Also, for example, a region in a scatterplot may be selected, for example, via drawing a boundary for a selected region, highlighting a selected region with a highlighter or a different color. This may result in a filtering of the source dataset 104.
  • traffic data may be filtered based on an age range of casualties.
  • traffic data may be filtered based on a number of casualties.
  • traffic data represented via an interactive map may be selected by selecting a region of the displayed map.
  • the interaction module 108 may identify a modification of a feature weight. For example, a higher feature weight may be associated with a column for“road condition” during a traffic incident.
  • the interaction module 108 may prompt the context module 106 to pause generation of the analytics interface in response to the requested change.
  • the analytics interface may be based on an anomaly detection module.
  • the analytics interface may be progressive (e.g., continually updated as more data is received and/or analyzed).
  • the interaction module 108 may identify a requested change related to the analytics interface. For example, the interaction module 108 may identify a selection of an anomalous event. Based on such a selection, the interaction module 108 may prompt the context module 106 to pause the generation of the analytics interface.
  • the context module 106 and/or the interaction module 108 may store data related to the analytics interface in a data repository (not shown in the Figures). For example, each context characterization, and its associated analytics interface may be stored in the repository. In some examples, any associated analytics modules from the collection of analytics modules 102 may be stored as well.
  • system 100 may include a stand-alone context repository that may store data related to the analytics processes. Such a data repository and/or context repository may be a single database or a collection of databases. I some examples, the collection of databases may be spatially and/or temporally distributed. Such a data repository and/or context repository may be accessible to context module 106 and/or the interaction module 108.
  • any saved context characterization, analytics interface, and/or analytics module may be made available to the computing device 110.
  • the interaction module 108 may identify selection of a saved context characterization, analytics interface, and/or analytics module, and the context module 106 may access it from the repository.
  • the context module 106 may modify the context characterization based on the requested change to create another context characterization.
  • the interaction module 108 may identify a selection of an anomalous event.
  • the context module 108 may filter the source dataset 104 to identify rows in the tabular array that are in the same cluster as the selected anomalous event.
  • the interaction module 108 may identify that a column in the tabular array has been associated with a higher feature weight. Accordingly, the context module 106 may apply the higher feature weight to filter the source dataset 104. For example, only data with feature weights higher than a threshold may be included. Accordingly, a new context characterization may be created.
  • a change in the context characterization i.e., filters, features, feature weights, etc.
  • the computation of a current analytics interface is paused, and a new child analytics interface is generated.
  • the child analytics interface generally inherits all the data that is not affected by the requested change, and re-computes everything else.
  • the context module 106 may generate another analytics interface responsive to the new context characterization. For example, the context module 106 may identify events similar to the identified anomalous events, and generate a new analytics interface to provide a visualization of the selected events. Also, for example, the context module 106 may generate a new analytics interface to provide a visualization of clusters based on changed feature weights.
  • the context module 106 may provide the new analytics interface via the graphical user interface 112. For example, a requested change to a first analytics interface based on a first context characterization may be identified. As described herein, the context module 106 may pause the generation of the first analytics interface, and generate a second analytics interface responsive to a second context characterization (e.g., a modified first context characterization). The context module 106 may provide the second analytics interface via the graphical user interface 112. As described herein, the second analytics interface may be progressive (e.g., continually updated as more data is received and/or analyzed).
  • such steps may be iteratively repeated to provide insights into the source dataset 104.
  • the interaction module 108 may identify a second requested change in the second context characterization via the graphical user interface 112.
  • the interaction module 108 may prompt the context module 106 to pause generation of the second analytics interface in response to the second requested change.
  • the context module 106 may modify the second context characterization based on the second requested change, and may generate a third analytics interface based on the modified second context characterization.
  • the interaction module 108 may provide the third analytics interface via the graphical user interface 112.
  • the context module 106 may store the paused first analytics interface, and the interaction module 108 may provide a first selectable menu option associated with the paused first analytics interface.
  • an iterative interaction via the graphical user interface 112 may generate a sequence of analytics interfaces, for example, X1, X2,..., Xn, where X1, X2,..., Xn-1 may be paused analytics interfaces, and X n may be a currently running analytics interface.
  • the context module 106 may store the paused analytics interfaces X1, X2,..., Xn-1 and provide selectable menu options associated with each of the paused analytics interfaces.
  • the interaction module 108 may identify a selection of a selectable menu option associated with one of the paused analytics interfaces. For example, the interaction module 108 may identify a selection of a selectable menu option associated with the third paused analytics interface X3. Accordingly, the interaction module 108 may prompt the context module 106 to pause generation of the currently running analytics interface X n in response to the selection, and may continue generation of the third paused analytics interface X 3 . Generally, the interaction module 108 may access any previously stored analytics interface in a sequence of generated analytics interfaces, and continue generation of the paused analytics interface.
  • An SME such as a senior cyber security analyst, may be interested in exploring Web Proxy streams to detect malicious events that are not detected by existing rules.
  • the SME may run the cyber-security data through system 100.
  • the context module 106 may access a collection of analytics modules to generate a first analytic interface, which computes statistics, anomalies, common clusters, and aggregate anomalies.
  • the context module 106 does not compute cohorts or a classifier, because it does not have a reference set to use, as the context characterization is the entire source dataset 104.
  • the interaction module 108 may provide the first analytics interface to a computing device 110 via a graphical user interface 112.
  • the SME may decide to filter this common cluster out of the data.
  • the interaction module 108 may identify a requested change in the first context characterization via an interaction with the graphical user interface 112. This creates a second analytics interface, a child of the first analytics interface, characterized by having that common cluster as an out-filter. Generation of the first analytics interface, if not completed, is paused and stored in memory, and the second analytics interface is generated based on statistics, anomalies, common clusters, and aggregate anomalies for a second context characterization.
  • the context module 106 does not compute cohorts or a classifier, because these are defined by the cluster.
  • the interaction module 108 may provide the second analytics interface to the computing device 110 via the graphical user interface 112.
  • the SME may examine the new clusters based on the second context characterization, and displayed on the graphical user interface 112.
  • the context module 106 generates the third analytics interface, a child of the second analytics interface.
  • the interaction module 108 may provide the third analytics interface to the computing device 110 via the graphical user interface 112.
  • the SME may detect, via the graphical user interface 112, that the top anomalies identified are mostly anomalous because of the "byte in" field, and the SME may determine that this as not relevant to the current analysis. Thus, the SME may decrease a feature weight associated with feature for the field "byte in”. This creates a fourth context characterization, generation of the third analytics interface is paused, and all the analytics are computed for a fourth analytics interface.
  • the context module 106 generates the fourth analytics interface, a child of the third analytics interface.
  • the interaction module 108 may provide the fourth analytics interface to the computing device 110 via the graphical user interface 112.
  • the SME may now detect a cluster that appears to be suspicious, and may decide to "focus on” such a suspicious cluster.
  • the SME may convert the suspicious cluster into a "focus-on filter", thus creating a fifth context characterization, generation of the fourth analytics interface is paused, and all the analytics are computed for a fifth analytics interface.
  • the SME may observe that several anomalies among the top anomalies list are indeed threats.
  • the SME may decide to save the fifth analytics interface for future use on additional data.
  • the SME may decide to investigate top anomalies #3 and #4, which appear to be similar.
  • the SME may select these anomalies, and a sixth context characterization is created, for which the reference set may be the entire source dataset 104.
  • the context module 106 may access a cohort service from the collection of analytics modules 102 to identify events similar to the selected top anomalies #3 and #4.
  • the context module 106 may access a classifier service to produce and deploy a classifier, which may be displayed via the graphical user interface 112, to detect similar events in the future.
  • the components of system 100 may be computing resources, each including a suitable combination of a physical computing device, a virtual computing device, a network, software, a cloud infrastructure, a hybrid cloud infrastructure that may include a first cloud infrastructure and a second cloud infrastructure that is different from the first cloud infrastructure, and so forth.
  • the components of system 100 may be a combination of hardware and programming for performing a designated visualization function.
  • each component may include a processor and a memory, while programming code is stored on that memory and executable by a processor to perform a designated function.
  • the context module 106 may be a combination of hardware and programming to generate analytics interfaces based on respective context characterizations. Also, for example, the context module 106 may include software programming to identify and access an appropriate algorithm from the collection of analytics modules. The context module 106 may include hardware to physically store and/or maintain a dynamically updated database that stores the generated and/or paused analytics interfaces.
  • the interaction module 108 may be a combination of hardware and programming to provide the analytics interfaces to the computing device 110 via the graphical user interface 112. Also, for example, the interaction module 108 may include programming to identify a requested change in a context characterization via an interaction with the graphical user interface 112. The interaction module 108 may include hardware to physically store, for example, visualization features of the analytics interfaces. Also, for example, the interaction module 108 may include software programming to dynamically interact with the other components of system 100.
  • the components of system 100 may include programming and/or physical networks to be communicatively linked to other components of system 100.
  • the components of system 100 may include a processor and a memory, while programming code is stored and on that memory and executable by a processor to perform designated functions.
  • a computing device may be, for example, a web-based server, a local area network server, a cloud-based server, a notebook computer, a desktop computer, an all-in-one system, a tablet computing device, a mobile phone, an electronic book reader, or any other electronic device suitable for provisioning a computing resource to perform a unified visualization interface.
  • the computing device may include a processor and a computer-readable storage medium.
  • FIG. 2 is a block diagram illustrating one example of a computer readable medium for interactive analytics interfaces based on context modifications.
  • Processing system 200 includes a processor 202, a computer readable medium 208, input devices 204, and output devices 206.
  • Processor 202, computer readable medium 208, input devices 204, and output devices 206 are coupled to each other through a communication link (e.g., a bus).
  • a communication link e.g., a bus
  • Processor 202 executes instructions included in the computer readable medium 208.
  • Computer readable medium 208 includes analytics module access instructions 210 to access, via the processor 202, a collection of analytics modules to generate a first analytics interface based on a first context characterization indicative of a plurality of parameters of a source dataset.
  • Computer readable medium 208 includes analytics interface providing instructions 212 to provide the first analytics interface to a computing device via a graphical user interface.
  • Computer readable medium 208 includes requested change identification instructions 214 to identify a requested change in the first context characterization via an interaction with the graphical user interface.
  • Computer readable medium 208 includes analytics interface pausing instructions 216 to pause generation of the first analytics interface in response to the requested change.
  • Computer readable medium 208 includes context modification instructions 218 to modify the first context characterization based on the requested change to create a second context characterization.
  • Computer readable medium 208 includes second interface generation instructions 220 to generate a second analytics interface responsive to the second context characterization.
  • Computer readable medium 208 includes interface storing instructions 222 to store the paused first analytics interface via the graphical user interface. [0040] Computer readable medium 208 includes menu option providing instructions 224 to provide a first selectable menu option associated with the paused first analytics interface.
  • Input devices 204 include a keyboard, mouse, data ports, and/or other suitable devices for inputting information into processing system 200. In some examples, input devices 204, such as a computing device, are used to receive the requested changes to context characterizations.
  • Output devices 206 include a monitor, speakers, data ports, and/or other suitable devices for outputting information from processing system 200. In some examples, output devices 206 are used to provide the analytics interfaces.
  • a“computer readable medium” may be any electronic, magnetic, optical, or other physical storage apparatus to contain or store information such as executable instructions, data, and the like.
  • any computer readable storage medium described herein may be any of Random Access Memory (RAM), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., a hard drive), a solid state drive, and the like, or a combination thereof.
  • RAM Random Access Memory
  • volatile memory volatile memory
  • non-volatile memory non-volatile memory
  • flash memory e.g., a hard drive
  • solid state drive e.g., a solid state drive, and the like, or a combination thereof.
  • the computer readable medium 208 can include one of or multiple different forms of memory including semiconductor memory devices such as dynamic or static random access memories (DRAMs or SRAMs), erasable and programmable read-only memories (EPROMs), electrically erasable and programmable read-only memories (EEPROMs) and flash memories; magnetic disks such as fixed, floppy and removable disks; other magnetic media including tape; optical media such as compact disks (CDs) or digital video disks (DVDs); or other types of storage devices.
  • semiconductor memory devices such as dynamic or static random access memories (DRAMs or SRAMs), erasable and programmable read-only memories (EPROMs), electrically erasable and programmable read-only memories (EEPROMs) and flash memories
  • magnetic disks such as fixed, floppy and removable disks
  • optical media such as compact disks (CDs) or digital video disks (DVDs); or other types of storage devices.
  • various components of the processing system 200 are identified and refer to a combination of hardware and programming configured to perform a designated visualization function.
  • the programming may be processor executable instructions stored on tangible computer readable medium 208, and the hardware may include processor 202 for executing those instructions.
  • computer readable medium 208 may store program instructions that, when executed by processor 202, implement the various components of the processing system 200.
  • Such computer readable storage medium or media is (are) considered to be part of an article (or article of manufacture).
  • An article or article of manufacture can refer to any manufactured single component or multiple components.
  • the storage medium or media can be located either in the machine running the machine-readable instructions, or located at a remote site from which machine-readable instructions can be downloaded over a network for execution.
  • Computer readable medium 208 may be any of a number of memory components capable of storing instructions that can be executed by Processor 202. Computer readable medium 208 may be non-transitory in the sense that it does not encompass a transitory signal but instead is made up of one or more memory components configured to store the relevant instructions. Computer readable medium 208 may be implemented in a single device or distributed across devices. Likewise, processor 202 represents any number of processors capable of executing instructions stored by computer readable medium 208. Processor 202 may be integrated in a single device or distributed across devices. Further, computer readable medium 208 may be fully or partially integrated in the same device as processor 202 (as illustrated), or it may be separate but accessible to that device and processor 202. In some examples, computer readable medium 208 may be a machine-readable storage medium.
  • Figure 3 is a flow diagram illustrating one example of a method for interactive analytics interfaces based on context modifications.
  • such an example method may be implemented by a system such as, for example, system 100 of Figure 1.
  • a collection of analytics modules may be accessed via a processing system to generate a first analytics interface based on a first context characterization, where the first context characterization is indicative of a plurality of parameters of a source dataset.
  • the first analytics interface may be provided to a computing device via a graphical user interface.
  • a requested change in the first context characterization may be identified via an interaction with the graphical user interface.
  • generation of the first analytics interface may be paused in response to the requested change.
  • the first context characterization may be modified based on the requested change to create a second context characterization.
  • a second analytics interface responsive to the second context characterization may be generated.
  • the second analytics interface may be provided via the graphical user interface.
  • the method may include identifying a second requested change in the second context characterization via the graphical user interface, and pausing generation of the second analytics interface in response to the second requested change.
  • the method may include modifying the second context characterization based on the second requested change, and generating a third analytics interface based on the modified second context characterization.
  • Examples of the disclosure provide a generalized system for interactive analytics interfaces based on context modifications.
  • the generalized system automatically enables subject matter experts to explore and extract insights from their data without the need to engage in a complex information technology project.
  • an interactive platform runs a suite of algorithms in tandem aimed at data exploration to enable a user to steer the suite of algorithms, at the user’s pace and preference.

Abstract

Interactive analytics interfaces based on context modifications are disclosed. One example is a system including a context module and an interaction module. The context module accesses a collection of analytics modules to generate a first analytics interface based on a first context characterization indicative of a plurality of parameters of a source dataset. The interaction module provides the first analytics interface to a computing device via a graphical user interface, identifies a requested change in the first context characterization via an interaction with the graphical user interface, and prompts the context module to pause generation of the first analytics interface in response to the requested change. The context module modifies the first context characterization based on the requested change to create a second context characterization, and generates a second analytics interface responsive to the second context characterization.

Description

INTERACTIVE ANALYTICS INTERFACES BASED ON
CONTEXT MODIFICATIONS Background
[0001] A variety of analytic tasks may be performed on data, and the results may be provided to a user. The analytics tasks may include anomaly detection, clustering, pattern detection, classification, cohort analysis, and so forth. Brief Description of the Drawings
[0002] Figure 1 is a functional block diagram illustrating one example of a system for interactive analytics interfaces based on context modifications.
[0003] Figure 2 is a block diagram illustrating one example of a computer readable medium for interactive analytics interfaces based on context modifications.
[0004] Figure 3 is a flow diagram illustrating one example of a method for interactive analytics interfaces based on context modifications. Detailed Description
[0005] Enterprises generally store vast amounts of data originating from their business, including operations data, financial data, Human Resource data, and so forth. There is a huge potential in mining such data for insights. At present, tapping into this potential typically requires lengthy and expensive analytics projects, involving subject matter experts (SMEs), data scientists, IT personnel and developers. Generally, enormous time and resources are spent for the SMEs, data scientists and developers to communicate, transfer knowledge, identify relevant problems, and design appropriate solutions. This is neither scalable nor efficient.
[0006] Analytics solutions are generally created through complex projects, rather than by means of a computer application. Existing visual analytics applications enable interaction with data visualization, but such applications do not generally provide a medium to interact with the data analytics behind the applications. There are a number of algorithms that receive user input in addition to the data (e.g., Constraint K-Means or Constrained Non-Negative Matrix Factorization (“NMF”). However, such solutions do not provide interactive platforms that run a suite of algorithms in tandem, and aimed at generic data exploration. Active learning techniques allow user interactions, but such interactions are limited to user responses to questions generated by the algorithm.
[0007] Accordingly, there is a need for a computer-implemented system that enables SMEs to explore their data and obtain actionable insights, without the need for an analytics project. The system may enable the SME to steer a suite of algorithms at the SME’s pace and/or preference. The role of a data scientist may be considerably reduced, and/or eliminated. The computer implemented system is able to interact with the SME and quickly learn to identify and provide analytics results that are relevant to the SME. Existing techniques generally provide insights by tagging data elements in a data repository. However, a computer implemented system may generate or already have access to results of data analytics, such as, for example, anomalous events, patterns, clusters, etc. Accordingly, it may be more efficient to tag the results of data analytics to gain actionable insights, as is described herein.
[0008] Generally, the system described herein does not aim for an analytics automation; instead the system may continually interact with the SME, and may rely on the SME, to steer the system to select a suite of analytics capabilities that may be relevant to the SME. As described herein, a computer implemented system is disclosed that accesses data and a collection of analytics modules to iteratively provide a sequence of interactive analytics interfaces that are respectively based on selections of data characteristics, and/or results of data analytics. Generally, the term“analytics interface” as used herein, describes a user interface for visual representation of results of analytics algorithms. For example, the analytics interface may provide a visual representation of analyzed data, including any identified anomalous events. As another example, the analytics interface may provide a visual representation of clusters of data based on a suitable similarity. In some examples, such visualizations may be progressive (e.g., continually updated as more data is received and/or analyzed).
[0009] As described in various examples herein, interactive analytics interfaces based on context modifications are disclosed. One example is a system including a context module and an interaction module. The context module accesses a collection of analytics modules to generate a first analytics interface based on a first context characterization indicative of a plurality of parameters of a source dataset. The interaction module provides the first analytics interface to a computing device via a graphical user interface, identifies a requested change in the first context characterization via an interaction with the graphical user interface, and prompts the context module to pause generation of the first analytics interface in response to the requested change. The context module modifies the first context characterization based on the requested change to create a second context characterization, and generates a second analytics interface responsive to the second context characterization.
[0010] In the following detailed description, reference is made to the accompanying drawings which form a part hereof, and in which is shown by way of illustration specific examples in which the disclosure may be practiced. It is to be understood that other examples may be utilized, and structural or logical changes may be made without departing from the scope of the present disclosure. The following detailed description, therefore, is not to be taken in a limiting sense, and the scope of the present disclosure is defined by the appended claims. It is to be understood that features of the various examples described herein may be combined, in part or whole, with each other, unless specifically noted otherwise.
[0011] Figure 1 is a functional block diagram illustrating one example of a system 100 for interactive analytics interfaces based on context modifications. System 100 includes a context module 106, and an interaction module 108. The context module 106 may access a collection of analytics modules 102 to generate a first analytics interface based on a first context characterization indicative of a plurality of parameters of a source dataset 104. The source dataset 104 may include structured and unstructured data. The source dataset 104 may include data related to weather, food, drugs, natural phenomena, health, and so forth.
[0012] In some examples, the data in the source dataset 104 may be in structured form. For example, the data may be represented as a linked database, a tabular array, an excel worksheet, a graph, a tree, and so forth. In some examples, the data in the source dataset 104 may be unstructured. For example, the data may be a collection of log messages, snippets from text messages, messages from social networking platforms, and so forth. In some examples, the data may be in semi-structured form.
[0013] In some examples, the data in the source dataset 104 may be represented as an array. For example, columns may represent features of the data, whereas rows may represent data elements. For example, rows may represent a traffic incident, whereas columns may represent features associated with each traffic incident, including weather conditions, road conditions, time of day, date, a number of casualties, types of injuries, victims’ ages, and so forth.
[0014] The context module 106 may access a collection of analytics modules 102. Generally, the collection of analytics modules 102 includes a plurality of data analytics processing systems that may be communicatively linked to system 100. For example, the collection of analytics modules 102 may include an anomaly detection module that processes the source dataset 104 to detect anomalies. As another example, the collection of analytics modules 102 may include a clustering module that processes the source dataset 104 to identify clusters of data elements. Also, for example, the collection of analytics modules 102 may include a cohort service that processes the source dataset 104 to identify cohorts of similar data elements. As another example, the collection of analytics modules 102 may include a classifier service that processes the source dataset 104 to deploy a classifier to perform machine learning operations based on interactions via a computing device 110. In some examples, the collection of analytics modules 102 may include additional modules, such as, for example, an information links module that provides results to a search query for information, an aggregative analysis module that provides analysis based on entity, temporal, and/or spatial parameters.
[0015] In some examples, the context module 106 may identify a context characterization indicative of a plurality of parameters of the source dataset 104. For example, the source dataset 104 may be in the form of an array, and the context characterization may include parameters such as filters, features, feature weights, and so forth. For example, the source dataset 104 may be in the form of an array, and the context characterization may include at least one of filters (e.g., applied to rows of the array), features (e.g., extracted from columns of the array), and feature weights (e.g., to weight the importance/relevance of each of the features). In some examples, the context characterization may include derived features. Derived features may be generally inferred from existing features. For example, a column in the array may be for a“timestamp”. A data element may be associated with a value“7-21-2015”, and some features may be derived from such timestamp data. For example, a month,“July”, a date,“21”, a year,“2015”, and a day“Tuesday”, may be inferred from the timestamp value“7-21-2015”. In some examples, derived features may be associated with feature weights.
[0016] A context characterization may generally comprise two broad classes of filters, a selection filter set and a reference filter set. The selection filter set may include filters. Generally, a selection filter set may indicate which rows of the source dataset 104 are to be considered as selection by the collection of analytics modules 102. The reference filter set may include filters, which may be different from the selection filters. Generally, a reference filter set may indicate which rows of the source dataset 104 are to be considered as reference by the collection of analytics modules 102. For example, a selection filter set could indicate a single user-selected anomalous event (row) is included in the selection set, whereas all other events (rows) may be indicated by the reference filters set. In this case, we say that the user-selection anomalous event are included in the selection, whereas all the other events are included in the reference. As another example, events in a selected cluster are included in the selections set, whereas events from another cluster may be included in the reference set. The set of selection rows may or may not intersect with the reference rows.
[0017] The context module 106 may automatically run a suite of analytic algorithms from the collection of analytics modules 102, each of which may take as input all the context inputs (data, filters, features, etc.). These algorithms may generally depend on context feature weights. Generally, the selection filter set may be utilized by the anomaly detection module, clustering module, information links module, and the aggregative analysis module, among others. However, the cohort service and the classifier service utilize both the selection filter set and the reference filter set. For example, as described herein, a row in the array may be selected (included in the selection set), and the cohort service may analyze other rows in the array (included in the reference set) to identify rows that are similar to the selected row. Also, for example, a collection of rows may comprise a selected cluster, and the clustering module may analyze other rows in the array (included in the reference set) to identify similar clusters.
[0018] In some examples, the interaction module 108 may identify, via a graphical user interface 112, a selection of at least one cluster displayed in the analytics interface, and the context module 108 may access a classifier service from the collection of analytics modules for deployment. The classifier service may build a classifier that optimally separates between the selection filter set and the reference filter set.
[0019] In some examples, the interaction module 108 may provide the analytics interface to a computing device 110 via the graphical user interface 112. As described herein, the analytics interface is a visual representation of results of the algorithms. For example, based on a selection set and a reference set, the context module 106 may run an anomaly detection module, and the analytics interface may provide a visual representation of the data, including any identified anomalous events. As another example, based on a selection set, the context module 106 may run clustering module, and the analytics interface may provide a visual representation of the clusters. In some examples, such visualizations may be progressive (e.g., continually updated as more data is received and/or analyzed).
[0020] In some examples, the interaction module 108 may identify a requested change in the context characterization via an interaction with the graphical user interface 112. A requested change is generally any change in the context characterization, including changes to filters, features, feature weights, and so forth. For example, the interaction module 108 may identify a selection of an anomalous event, a cluster, a pattern, and so forth. For example, a plurality of rows in a tabular array may be selected for analysis. Also, for example, a region in a scatterplot may be selected, for example, via drawing a boundary for a selected region, highlighting a selected region with a highlighter or a different color. This may result in a filtering of the source dataset 104. For example, traffic data may be filtered based on an age range of casualties. As another example, traffic data may be filtered based on a number of casualties. Also, for example, traffic data represented via an interactive map may be selected by selecting a region of the displayed map. Also, for example, the interaction module 108 may identify a modification of a feature weight. For example, a higher feature weight may be associated with a column for“road condition” during a traffic incident.
[0021] In some examples, the interaction module 108 may prompt the context module 106 to pause generation of the analytics interface in response to the requested change. For example, the analytics interface may be based on an anomaly detection module. As described herein, the analytics interface may be progressive (e.g., continually updated as more data is received and/or analyzed). In some examples, the interaction module 108 may identify a requested change related to the analytics interface. For example, the interaction module 108 may identify a selection of an anomalous event. Based on such a selection, the interaction module 108 may prompt the context module 106 to pause the generation of the analytics interface.
[0022] In some examples, the context module 106 and/or the interaction module 108 may store data related to the analytics interface in a data repository (not shown in the Figures). For example, each context characterization, and its associated analytics interface may be stored in the repository. In some examples, any associated analytics modules from the collection of analytics modules 102 may be stored as well. In some examples, system 100 may include a stand-alone context repository that may store data related to the analytics processes. Such a data repository and/or context repository may be a single database or a collection of databases. I some examples, the collection of databases may be spatially and/or temporally distributed. Such a data repository and/or context repository may be accessible to context module 106 and/or the interaction module 108. For example, any saved context characterization, analytics interface, and/or analytics module may be made available to the computing device 110. Also, for example, the interaction module 108 may identify selection of a saved context characterization, analytics interface, and/or analytics module, and the context module 106 may access it from the repository.
[0023] In some examples, the context module 106 may modify the context characterization based on the requested change to create another context characterization. For example, the interaction module 108 may identify a selection of an anomalous event. The context module 108 may filter the source dataset 104 to identify rows in the tabular array that are in the same cluster as the selected anomalous event. Also, for example, the interaction module 108 may identify that a column in the tabular array has been associated with a higher feature weight. Accordingly, the context module 106 may apply the higher feature weight to filter the source dataset 104. For example, only data with feature weights higher than a threshold may be included. Accordingly, a new context characterization may be created. Generally, when a change in the context characterization (i.e., filters, features, feature weights, etc.) is identified via an interaction, the computation of a current analytics interface is paused, and a new child analytics interface is generated. The child analytics interface generally inherits all the data that is not affected by the requested change, and re-computes everything else.
[0024] In some examples, the context module 106 may generate another analytics interface responsive to the new context characterization. For example, the context module 106 may identify events similar to the identified anomalous events, and generate a new analytics interface to provide a visualization of the selected events. Also, for example, the context module 106 may generate a new analytics interface to provide a visualization of clusters based on changed feature weights.
[0025] In some examples, the context module 106 may provide the new analytics interface via the graphical user interface 112. For example, a requested change to a first analytics interface based on a first context characterization may be identified. As described herein, the context module 106 may pause the generation of the first analytics interface, and generate a second analytics interface responsive to a second context characterization (e.g., a modified first context characterization). The context module 106 may provide the second analytics interface via the graphical user interface 112. As described herein, the second analytics interface may be progressive (e.g., continually updated as more data is received and/or analyzed).
[0026] In some examples, such steps may be iteratively repeated to provide insights into the source dataset 104. For example, the interaction module 108 may identify a second requested change in the second context characterization via the graphical user interface 112. In response to the second requested change, the interaction module 108 may prompt the context module 106 to pause generation of the second analytics interface in response to the second requested change. In some examples, the context module 106 may modify the second context characterization based on the second requested change, and may generate a third analytics interface based on the modified second context characterization. The interaction module 108 may provide the third analytics interface via the graphical user interface 112.
[0027] In some examples, the context module 106 may store the paused first analytics interface, and the interaction module 108 may provide a first selectable menu option associated with the paused first analytics interface. Generally, an iterative interaction via the graphical user interface 112 may generate a sequence of analytics interfaces, for example, X1, X2,…, Xn, where X1, X2,…, Xn-1 may be paused analytics interfaces, and Xn may be a currently running analytics interface. The context module 106 may store the paused analytics interfaces X1, X2,…, Xn-1 and provide selectable menu options associated with each of the paused analytics interfaces.
[0028] In some examples, the interaction module 108 may identify a selection of a selectable menu option associated with one of the paused analytics interfaces. For example, the interaction module 108 may identify a selection of a selectable menu option associated with the third paused analytics interface X3. Accordingly, the interaction module 108 may prompt the context module 106 to pause generation of the currently running analytics interface Xn in response to the selection, and may continue generation of the third paused analytics interface X3. Generally, the interaction module 108 may access any previously stored analytics interface in a sequence of generated analytics interfaces, and continue generation of the paused analytics interface.
[0029] One overview example process for interactive analytics interfaces based on context modifications may be described. An SME, such as a senior cyber security analyst, may be interested in exploring Web Proxy streams to detect malicious events that are not detected by existing rules. The SME may run the cyber-security data through system 100. The context module 106 may access a collection of analytics modules to generate a first analytic interface, which computes statistics, anomalies, common clusters, and aggregate anomalies. The context module 106 does not compute cohorts or a classifier, because it does not have a reference set to use, as the context characterization is the entire source dataset 104. The interaction module 108 may provide the first analytics interface to a computing device 110 via a graphical user interface 112.
[0030] The SME may observe, via the graphical user interface 112, that the most common cluster is of normal, uninteresting traffic (e.g., http status 200-OK, proxy action = OBSERVED, low url randomness, etc.). The SME may decide to filter this common cluster out of the data. The interaction module 108 may identify a requested change in the first context characterization via an interaction with the graphical user interface 112. This creates a second analytics interface, a child of the first analytics interface, characterized by having that common cluster as an out-filter. Generation of the first analytics interface, if not completed, is paused and stored in memory, and the second analytics interface is generated based on statistics, anomalies, common clusters, and aggregate anomalies for a second context characterization. The context module 106 does not compute cohorts or a classifier, because these are defined by the cluster.
[0031] The interaction module 108 may provide the second analytics interface to the computing device 110 via the graphical user interface 112. The SME may examine the new clusters based on the second context characterization, and displayed on the graphical user interface 112. The SME may detect a second common cluster (e.g., method = tcp, port = 443, status = 200-OK, etc.), and may decide to filter out the second common cluster. This creates a third context characterization, generation of the second analytics interface is paused, and all the analytics are computed for a third analytics interface. The context module 106 generates the third analytics interface, a child of the second analytics interface. The interaction module 108 may provide the third analytics interface to the computing device 110 via the graphical user interface 112.
[0032] The SME may detect, via the graphical user interface 112, that the top anomalies identified are mostly anomalous because of the "byte in" field, and the SME may determine that this as not relevant to the current analysis. Thus, the SME may decrease a feature weight associated with feature for the field "byte in". This creates a fourth context characterization, generation of the third analytics interface is paused, and all the analytics are computed for a fourth analytics interface. The context module 106 generates the fourth analytics interface, a child of the third analytics interface. The interaction module 108 may provide the fourth analytics interface to the computing device 110 via the graphical user interface 112.
[0033] The SME may now detect a cluster that appears to be suspicious, and may decide to "focus on" such a suspicious cluster. The SME may convert the suspicious cluster into a "focus-on filter", thus creating a fifth context characterization, generation of the fourth analytics interface is paused, and all the analytics are computed for a fifth analytics interface. The SME may observe that several anomalies among the top anomalies list are indeed threats. The SME may decide to save the fifth analytics interface for future use on additional data.
[0034] Also, for example, the SME may decide to investigate top anomalies #3 and #4, which appear to be similar. The SME may select these anomalies, and a sixth context characterization is created, for which the reference set may be the entire source dataset 104. Now the context module 106 may access a cohort service from the collection of analytics modules 102 to identify events similar to the selected top anomalies #3 and #4. The context module 106 may access a classifier service to produce and deploy a classifier, which may be displayed via the graphical user interface 112, to detect similar events in the future.
[0035] The components of system 100 may be computing resources, each including a suitable combination of a physical computing device, a virtual computing device, a network, software, a cloud infrastructure, a hybrid cloud infrastructure that may include a first cloud infrastructure and a second cloud infrastructure that is different from the first cloud infrastructure, and so forth. The components of system 100 may be a combination of hardware and programming for performing a designated visualization function. In some instances, each component may include a processor and a memory, while programming code is stored on that memory and executable by a processor to perform a designated function.
[0036] For example, the context module 106 may be a combination of hardware and programming to generate analytics interfaces based on respective context characterizations. Also, for example, the context module 106 may include software programming to identify and access an appropriate algorithm from the collection of analytics modules. The context module 106 may include hardware to physically store and/or maintain a dynamically updated database that stores the generated and/or paused analytics interfaces.
[0037] Likewise, the interaction module 108 may be a combination of hardware and programming to provide the analytics interfaces to the computing device 110 via the graphical user interface 112. Also, for example, the interaction module 108 may include programming to identify a requested change in a context characterization via an interaction with the graphical user interface 112. The interaction module 108 may include hardware to physically store, for example, visualization features of the analytics interfaces. Also, for example, the interaction module 108 may include software programming to dynamically interact with the other components of system 100.
[0038] Generally, the components of system 100 may include programming and/or physical networks to be communicatively linked to other components of system 100. In some instances, the components of system 100 may include a processor and a memory, while programming code is stored and on that memory and executable by a processor to perform designated functions.
[0039] A computing device, as used herein, may be, for example, a web-based server, a local area network server, a cloud-based server, a notebook computer, a desktop computer, an all-in-one system, a tablet computing device, a mobile phone, an electronic book reader, or any other electronic device suitable for provisioning a computing resource to perform a unified visualization interface. The computing device may include a processor and a computer-readable storage medium.
[0032] Figure 2 is a block diagram illustrating one example of a computer readable medium for interactive analytics interfaces based on context modifications. Processing system 200 includes a processor 202, a computer readable medium 208, input devices 204, and output devices 206. Processor 202, computer readable medium 208, input devices 204, and output devices 206 are coupled to each other through a communication link (e.g., a bus).
[0033] Processor 202 executes instructions included in the computer readable medium 208. Computer readable medium 208 includes analytics module access instructions 210 to access, via the processor 202, a collection of analytics modules to generate a first analytics interface based on a first context characterization indicative of a plurality of parameters of a source dataset.
[0034] Computer readable medium 208 includes analytics interface providing instructions 212 to provide the first analytics interface to a computing device via a graphical user interface.
[0035] Computer readable medium 208 includes requested change identification instructions 214 to identify a requested change in the first context characterization via an interaction with the graphical user interface.
[0036] Computer readable medium 208 includes analytics interface pausing instructions 216 to pause generation of the first analytics interface in response to the requested change.
[0037] Computer readable medium 208 includes context modification instructions 218 to modify the first context characterization based on the requested change to create a second context characterization.
[0038] Computer readable medium 208 includes second interface generation instructions 220 to generate a second analytics interface responsive to the second context characterization.
[0039] Computer readable medium 208 includes interface storing instructions 222 to store the paused first analytics interface via the graphical user interface. [0040] Computer readable medium 208 includes menu option providing instructions 224 to provide a first selectable menu option associated with the paused first analytics interface.
[0041] Input devices 204 include a keyboard, mouse, data ports, and/or other suitable devices for inputting information into processing system 200. In some examples, input devices 204, such as a computing device, are used to receive the requested changes to context characterizations. Output devices 206 include a monitor, speakers, data ports, and/or other suitable devices for outputting information from processing system 200. In some examples, output devices 206 are used to provide the analytics interfaces.
[0042] As used herein, a“computer readable medium” may be any electronic, magnetic, optical, or other physical storage apparatus to contain or store information such as executable instructions, data, and the like. For example, any computer readable storage medium described herein may be any of Random Access Memory (RAM), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., a hard drive), a solid state drive, and the like, or a combination thereof. For example, the computer readable medium 208 can include one of or multiple different forms of memory including semiconductor memory devices such as dynamic or static random access memories (DRAMs or SRAMs), erasable and programmable read-only memories (EPROMs), electrically erasable and programmable read-only memories (EEPROMs) and flash memories; magnetic disks such as fixed, floppy and removable disks; other magnetic media including tape; optical media such as compact disks (CDs) or digital video disks (DVDs); or other types of storage devices.
[0043] As described herein, various components of the processing system 200 are identified and refer to a combination of hardware and programming configured to perform a designated visualization function. As illustrated in Figure 2, the programming may be processor executable instructions stored on tangible computer readable medium 208, and the hardware may include processor 202 for executing those instructions. Thus, computer readable medium 208 may store program instructions that, when executed by processor 202, implement the various components of the processing system 200. [0044] Such computer readable storage medium or media is (are) considered to be part of an article (or article of manufacture). An article or article of manufacture can refer to any manufactured single component or multiple components. The storage medium or media can be located either in the machine running the machine-readable instructions, or located at a remote site from which machine-readable instructions can be downloaded over a network for execution.
[0045] Computer readable medium 208 may be any of a number of memory components capable of storing instructions that can be executed by Processor 202. Computer readable medium 208 may be non-transitory in the sense that it does not encompass a transitory signal but instead is made up of one or more memory components configured to store the relevant instructions. Computer readable medium 208 may be implemented in a single device or distributed across devices. Likewise, processor 202 represents any number of processors capable of executing instructions stored by computer readable medium 208. Processor 202 may be integrated in a single device or distributed across devices. Further, computer readable medium 208 may be fully or partially integrated in the same device as processor 202 (as illustrated), or it may be separate but accessible to that device and processor 202. In some examples, computer readable medium 208 may be a machine-readable storage medium.
[0046] Figure 3 is a flow diagram illustrating one example of a method for interactive analytics interfaces based on context modifications. In some examples, such an example method may be implemented by a system such as, for example, system 100 of Figure 1.
[0047] At 300, a collection of analytics modules may be accessed via a processing system to generate a first analytics interface based on a first context characterization, where the first context characterization is indicative of a plurality of parameters of a source dataset.
[0048] At 302, the first analytics interface may be provided to a computing device via a graphical user interface.
[0049] At 304, a requested change in the first context characterization may be identified via an interaction with the graphical user interface. [0050] At 306, generation of the first analytics interface may be paused in response to the requested change.
[0051] At 308, the first context characterization may be modified based on the requested change to create a second context characterization.
[0052] At 310, a second analytics interface responsive to the second context characterization may be generated.
[0053] At 312, the second analytics interface may be provided via the graphical user interface.
[0054] In some examples, the method may include identifying a second requested change in the second context characterization via the graphical user interface, and pausing generation of the second analytics interface in response to the second requested change.
[0055] In some examples, the method may include modifying the second context characterization based on the second requested change, and generating a third analytics interface based on the modified second context characterization.
[0056] Examples of the disclosure provide a generalized system for interactive analytics interfaces based on context modifications. The generalized system automatically enables subject matter experts to explore and extract insights from their data without the need to engage in a complex information technology project. As described herein, an interactive platform runs a suite of algorithms in tandem aimed at data exploration to enable a user to steer the suite of algorithms, at the user’s pace and preference.
[0057] Although specific examples have been illustrated and described herein, a variety of alternate and/or equivalent implementations may be substituted for the specific examples shown and described without departing from the scope of the present disclosure. This application is intended to cover any adaptations or variations of the specific examples discussed herein. Therefore, it is intended that this disclosure be limited only by the claims and the equivalents thereof.

Claims

CLAIMS 1. A system comprising:
a context module to access a collection of analytics modules to generate a first analytics interface based on a first context characterization indicative of a plurality of parameters of a source dataset;
an interaction module to:
provide the first analytics interface to a computing device via a graphical user interface,
identify a requested change in the first context characterization via an interaction with the graphical user interface,
prompt the context module to pause generation of the first analytics interface in response to the requested change; and
wherein the context module is to:
modify the first context characterization based on the requested change to create a second context characterization, and
generate a second analytics interface responsive to the second context characterization.
2. The system of claim 1, wherein the interaction module is to provide the second analytics interface via the graphical user interface.
3. The system of claim 2, wherein the interaction module is to:
identify a second requested change in the second context characterization via the graphical user interface; and
prompt the context module to pause generation of the second analytics interface in response to the second requested change.
4. The system of claim 3, wherein the context module is to:
modify the second context characterization based on the second requested change; and generate a third analytics interface based on the modified second context characterization.
5. The system of claim 1, wherein the collection of analytics modules includes at least one of an anomaly detection module, a clustering module, and an aggregative analysis module.
6. The system of claim 1, wherein the interaction module is to identify, via the graphical user interface, a selection of at least one anomalous event displayed in the first analytics interface, and the context module is to access a cohort service from the collection of analytics modules to identify events similar to the selected anomalous event, and the interaction module is to further include the identified events for display in the second analytics interface.
7. The system of claim 1, wherein the interaction module is to identify, via the graphical user interface, a selection of at least one cluster displayed in the first analytics interface, and the context module is to access a classifier service from the collection of analytics modules for deployment.
8. The system of claim 1, wherein the context characterization includes at least one of the source dataset, filters, features, derived features, and feature weights.
9. The system of claim 1, wherein the context module is to store the paused first analytics interface, and the interaction module is to provide a first selectable menu option associated with the paused first analytics interface.
10.The system of claim 9, wherein the interaction module is to:
identify a selection of the first selectable menu option;
prompt the context module to pause generation of the second analytics interface in response to the selection; and
continue generation of the paused first analytics interface.
11.The system of claim 10, wherein the interaction module is to provide the restarted first analytics interface via the graphical user interface.
12.The system of claim 10, wherein the context module is to store the paused second analytics interface, and the interaction module is to provide a second selectable menu option associated with the paused second analytics interface.
13.A method comprising:
accessing, via a processing system, a collection of analytics modules to generate a first analytics interface based on a first context characterization indicative of a plurality of parameters of a source dataset; providing the first analytics interface to a computing device via a graphical user interface;
identifying a requested change in the first context characterization via an interaction with the graphical user interface;
pausing generation of the first analytics interface in response to the requested change;
modifying the first context characterization based on the requested change to create a second context characterization;
generating a second analytics interface responsive to the second context characterization; and
providing the second analytics interface to the computing device via the graphical user interface.
14.The method of claim 13, further comprising:
identifying a second requested change in the second context characterization via the graphical user interface; and
pausing generation of the second analytics interface in response to the second requested change;
modifying the second context characterization based on the second requested change; and generating a third analytics interface based on the modified second context characterization.
15.A non-transitory computer readable medium comprising executable instructions to:
access, via a processor, a collection of analytics modules to generate a first analytics interface based on a first context characterization indicative of a plurality of parameters of a source dataset;
provide the first analytics interface to a computing device via a graphical user interface;
identify a requested change in the first context characterization via an interaction with the graphical user interface;
pause generation of the first analytics interface in response to the requested change;
modify the first context characterization based on the requested change to create a second context characterization;
generate a second analytics interface responsive to the second context characterization;
store the paused first analytics interface via the graphical user interface; and
provide a first selectable menu option associated with the paused first analytics interface.
PCT/US2015/045471 2015-08-17 2015-08-17 Interactive analytics interfaces based on context modifications WO2017030546A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2015/045471 WO2017030546A1 (en) 2015-08-17 2015-08-17 Interactive analytics interfaces based on context modifications

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2015/045471 WO2017030546A1 (en) 2015-08-17 2015-08-17 Interactive analytics interfaces based on context modifications

Publications (1)

Publication Number Publication Date
WO2017030546A1 true WO2017030546A1 (en) 2017-02-23

Family

ID=58052122

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2015/045471 WO2017030546A1 (en) 2015-08-17 2015-08-17 Interactive analytics interfaces based on context modifications

Country Status (1)

Country Link
WO (1) WO2017030546A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120102053A1 (en) * 2010-10-26 2012-04-26 Accenture Global Services Limited Digital analytics system
US8667385B1 (en) * 2009-12-07 2014-03-04 Google Inc. Method and system for generating and sharing analytics annotations
US20140343997A1 (en) * 2013-05-14 2014-11-20 International Business Machines Corporation Information technology optimization via real-time analytics
US20150088808A1 (en) * 2013-09-23 2015-03-26 Sap Ag Dynamic Determination of Pattern Type and Chart Type for Visual Analytics
US20150095471A1 (en) * 2013-10-01 2015-04-02 Adobe Systems Incorporated Method and apparatus for enabling dynamic analytics configuration on a mobile device

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8667385B1 (en) * 2009-12-07 2014-03-04 Google Inc. Method and system for generating and sharing analytics annotations
US20120102053A1 (en) * 2010-10-26 2012-04-26 Accenture Global Services Limited Digital analytics system
US20140343997A1 (en) * 2013-05-14 2014-11-20 International Business Machines Corporation Information technology optimization via real-time analytics
US20150088808A1 (en) * 2013-09-23 2015-03-26 Sap Ag Dynamic Determination of Pattern Type and Chart Type for Visual Analytics
US20150095471A1 (en) * 2013-10-01 2015-04-02 Adobe Systems Incorporated Method and apparatus for enabling dynamic analytics configuration on a mobile device

Similar Documents

Publication Publication Date Title
US10909241B2 (en) Event anomaly analysis and prediction
US11461368B2 (en) Recommending analytic tasks based on similarity of datasets
Yaqoob et al. Big data: From beginning to future
Wang et al. Information Computing and Applications
US10884891B2 (en) Interactive detection of system anomalies
US10735272B1 (en) Graphical user interface for security intelligence automation platform using flows
US10666666B1 (en) Security intelligence automation platform using flows
US20210112101A1 (en) Data set and algorithm validation, bias characterization, and valuation
US11706234B2 (en) Feature-agnostic behavior profile based anomaly detection
US11699116B2 (en) System and method for custom security predictive methods
WO2016093837A1 (en) Determining term scores based on a modified inverse domain frequency
Jain et al. Big data analytic using cloud computing
Bhuyan et al. Crime predictive model using big data analytics
Epishkina et al. A syllabus on data mining and machine learning with applications to cybersecurity
Al-Enazi et al. Advanced Classification Techniques for Improving Networks’ Intrusion Detection System Efficiency
US10387024B2 (en) Interactive analysis of data based on progressive visualizations
Collier et al. Machine Learning with the Elastic Stack: Expert techniques to integrate machine learning with distributed search and analytics
WO2017030546A1 (en) Interactive analytics interfaces based on context modifications
Manchanda Computational Intelligence for Big Data Analysis
US20220407863A1 (en) Computer security using activity and content segregation
Sayeed et al. Smartic: A smart tool for Big Data analytics and IoT
US20230319062A1 (en) System and method for predicting investigation queries based on prior investigations
Karthikeyan et al. Taxonomy of Big Data and Analytics Solutions for Internet of Things
Cofas The role of big data in digitalizing information.
Basurto et al. Beta-Hebbian Learning to enhance unsupervised exploratory visualizations of Android malware families

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15901825

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15901825

Country of ref document: EP

Kind code of ref document: A1