WO2020139301A1 - An anomaly detection system - Google Patents

An anomaly detection system Download PDF

Info

Publication number
WO2020139301A1
WO2020139301A1 PCT/TR2019/051227 TR2019051227W WO2020139301A1 WO 2020139301 A1 WO2020139301 A1 WO 2020139301A1 TR 2019051227 W TR2019051227 W TR 2019051227W WO 2020139301 A1 WO2020139301 A1 WO 2020139301A1
Authority
WO
WIPO (PCT)
Prior art keywords
alarm
data
analysis unit
unit
time series
Prior art date
Application number
PCT/TR2019/051227
Other languages
French (fr)
Inventor
Samet Alkent
Original Assignee
Turkcell Teknoloji Araştirma Ve Geli̇şti̇rme Anoni̇m Şi̇rketi̇
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Turkcell Teknoloji Araştirma Ve Geli̇şti̇rme Anoni̇m Şi̇rketi̇ filed Critical Turkcell Teknoloji Araştirma Ve Geli̇şti̇rme Anoni̇m Şi̇rketi̇
Publication of WO2020139301A1 publication Critical patent/WO2020139301A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/06Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063Operations research, analysis or management
    • G06Q10/0639Performance analysis of employees; Performance analysis of enterprise or organisation operations
    • G06Q10/06393Score-carding, benchmarking or key performance indicator [KPI] analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00Machine learning

Definitions

  • the present invention relates to a system whereby anomaly detection is performed by using machine learning algorithms and artificial intelligence technology in a time series.
  • Time series which is a set of measurements of a magnitude of interest indexed in time, is analysed in order to understand a fact represented by an observation set and estimate future values of variables in a time series correctly.
  • Anomaly detection is performed for detecting a section which occurs in any time interval within a time series and is incompatible with other sub-sections of the time series, and it is detected by different applications today.
  • the United States patent document no. US2015006972 discloses a system for detecting anomalies in time series data by comparing universal features extracted from testing time series data with the universal features acquired from training time series data to determine a score.
  • time series can be decomposed into a smooth curve and random fluctuations around the smooth curve. The method detects anomalous patterns in time series data.
  • sensor data from a machine may normally produce a periodic pattern, e.g., a sine wave. If the sensor produces a constant signal, a flat line, this would be anomalous even though no values fall outside of the normal operating range.
  • the invention models both the stochasite component of a times series as well as the trajectory component.
  • the invention solves the problem of finding anomalies that works well with any type of time series data.
  • the method uses a set of universal features that summarize the time series data used for training.
  • the features are called universal because the features are designed to handle different types of time series data.
  • the method is a feature-based approach.
  • a time series data source is characterized as a combination of stochastic components and trajectory components.
  • the stochastic components produce data with random fluctuations around a moving mean or average, while the trajectory components produce a trajectory-like, smooth curve.
  • Prior art methods such as ones that model the time series using an autoregressive model, only work well on stochastic time series.
  • An objective of the present invention is to realize a system whereby anomaly detection is performed by using machine learning algorithms and artificial intelligence technology in a time series.
  • Another objective of the present invention is to realize a system which makes calculation by considering characteristic features of actions that it follows regarding their trend.
  • Another objective of the present invention is to realize a system which keeps natural trend of an action by excluding unusual actions such as natural disasters, special days, breakdowns that are known/unknown at the step of creating trends.
  • Another objective of the present invention is to realize a system wherein the most appropriate estimation method of each KPI (key performance indicator), that will be monitored by time series and has a unique characteristic structure, for characteristic structure is detected by artificial intelligence.
  • KPI key performance indicator
  • Figure l is a schematic view of the inventive anomaly detection system.
  • the inventive system (1) for performing anomaly detection in a time series comprises:
  • At least one data collection module (2) which collects and records data from various source systems
  • At least one analysis unit (3) which is in communication with the data collection module (2), wherein collected data is analysed, usual behaviour trend is created by dealing with a certain time series of data, unusual behaviours are eliminated and temporal estimates of each action are created together with the given character analysis and the eliminated data;
  • At least one alarm unit (4) which is in communication with the analysis unit (3) and transforms abnormal behaviours of an action into alarm and shares it with external systems.
  • the data collection module (2) is a unit which is in communication with the analysis unit (3) and carries out data collection transaction from external systems. Data collected in the data collection module (2) are used for character analysis, data filtering and determining the average in the analysis unit (3).
  • the analysis unit (3) is a unit wherein character analysis is done at first, then unusual behaviours are filtered and temporal estimates of each action are created on the data kept on the data collection module (2).
  • the analysis unit (3) determines usual behaviour trend by considering a certain time series of data in the data collection module (2).
  • the analysis unit (3) determines and eliminates unusual behaviours by using the information of behaviour trend determined by it.
  • the analysis unit (3) creates temporal estimates of each action together with the character analysis created by the usual behaviour trend and the eliminated unusual behaviours.
  • the analysis unit (3) determines correlative trends by using artificial intelligence technology.
  • the alarm unit (4) makes query on correlative trends and reflects the query result on the generated alarm score in the event that the analysis unit (3) detects anomaly over correlative trends.
  • the alarm unit (4) is a unit which transforms abnormal behaviours of an action into alarm and it scores the alarm generated by correlative alarm scoring method and gives information about the alarm level. The alarm unit (4) also decides on which alarms will be sent to the end user by machine learning method on alarms generated by it.
  • the alarm unit (4) is in communication with user and receives true or false feedbacks from user about the generated alarms and creates a learning structure.
  • the alarm unit (4) has a structure adjustable according to the end user request.

Abstract

The present invention relates to a system whereby anomaly detection is performed by using machine learning algorithms and artificial intelligence technology in a time series. With the inventive system (1); the most appropriate estimation method of each KPI (key performance indicator), that will be monitored by time series and has a unique characteristic structure, for characteristic structure is detected by artificial intelligence.

Description

AN ANOMALY DETECTION SYSTEM
Technical Field
The present invention relates to a system whereby anomaly detection is performed by using machine learning algorithms and artificial intelligence technology in a time series.
Background of the Invention
Time series, which is a set of measurements of a magnitude of interest indexed in time, is analysed in order to understand a fact represented by an observation set and estimate future values of variables in a time series correctly. Anomaly detection is performed for detecting a section which occurs in any time interval within a time series and is incompatible with other sub-sections of the time series, and it is detected by different applications today. The United States patent document no. US2015006972 discloses a system for detecting anomalies in time series data by comparing universal features extracted from testing time series data with the universal features acquired from training time series data to determine a score. According to embodiments of the invention, time series can be decomposed into a smooth curve and random fluctuations around the smooth curve. The method detects anomalous patterns in time series data. For example, sensor data from a machine may normally produce a periodic pattern, e.g., a sine wave. If the sensor produces a constant signal, a flat line, this would be anomalous even though no values fall outside of the normal operating range. The invention models both the stochasite component of a times series as well as the trajectory component. The invention solves the problem of finding anomalies that works well with any type of time series data. The method uses a set of universal features that summarize the time series data used for training. The features are called universal because the features are designed to handle different types of time series data. Hence, the method is a feature-based approach. According to the embodiments of the invention, a time series data source is characterized as a combination of stochastic components and trajectory components. The stochastic components produce data with random fluctuations around a moving mean or average, while the trajectory components produce a trajectory-like, smooth curve. Prior art methods, such as ones that model the time series using an autoregressive model, only work well on stochastic time series.
Summary of the Invention
An objective of the present invention is to realize a system whereby anomaly detection is performed by using machine learning algorithms and artificial intelligence technology in a time series.
Another objective of the present invention is to realize a system which makes calculation by considering characteristic features of actions that it follows regarding their trend.
Another objective of the present invention is to realize a system which keeps natural trend of an action by excluding unusual actions such as natural disasters, special days, breakdowns that are known/unknown at the step of creating trends.
Another objective of the present invention is to realize a system wherein the most appropriate estimation method of each KPI (key performance indicator), that will be monitored by time series and has a unique characteristic structure, for characteristic structure is detected by artificial intelligence.
Detailed Description of the Invention “An Anomaly Detection System” realized to fulfil the objectives of the present invention is shown in the figure attached, in which:
Figure l is a schematic view of the inventive anomaly detection system.
The components illustrated in the figure are individually numbered, where the numbers refer to the following:
1. System
2. Data collection module
3. Analysis unit
4. Alarm unit
The inventive system (1) for performing anomaly detection in a time series comprises:
- at least one data collection module (2) which collects and records data from various source systems;
at least one analysis unit (3) which is in communication with the data collection module (2), wherein collected data is analysed, usual behaviour trend is created by dealing with a certain time series of data, unusual behaviours are eliminated and temporal estimates of each action are created together with the given character analysis and the eliminated data; and
at least one alarm unit (4) which is in communication with the analysis unit (3) and transforms abnormal behaviours of an action into alarm and shares it with external systems.
In the inventive system (1), the data collection module (2) is a unit which is in communication with the analysis unit (3) and carries out data collection transaction from external systems. Data collected in the data collection module (2) are used for character analysis, data filtering and determining the average in the analysis unit (3).
In a preferred embodiment of the invention, the analysis unit (3) is a unit wherein character analysis is done at first, then unusual behaviours are filtered and temporal estimates of each action are created on the data kept on the data collection module (2).
In a preferred embodiment, the analysis unit (3) determines usual behaviour trend by considering a certain time series of data in the data collection module (2). The analysis unit (3) determines and eliminates unusual behaviours by using the information of behaviour trend determined by it. The analysis unit (3) creates temporal estimates of each action together with the character analysis created by the usual behaviour trend and the eliminated unusual behaviours.
In a preferred embodiment, the analysis unit (3) determines correlative trends by using artificial intelligence technology. The alarm unit (4) makes query on correlative trends and reflects the query result on the generated alarm score in the event that the analysis unit (3) detects anomaly over correlative trends.
The alarm unit (4) is a unit which transforms abnormal behaviours of an action into alarm and it scores the alarm generated by correlative alarm scoring method and gives information about the alarm level. The alarm unit (4) also decides on which alarms will be sent to the end user by machine learning method on alarms generated by it.
In a preferred embodiment, the alarm unit (4) is in communication with user and receives true or false feedbacks from user about the generated alarms and creates a learning structure. In a preferred embodiment of the invention, the alarm unit (4) has a structure adjustable according to the end user request. With the inventive system (1), an anomaly detection is performed in a time series. Calculations are made by considering characteristic features of actions trend of which are followed and alarms are generated by the system (1). Since each key performance indicator to be monitored by time series has a unique characteristic, the system (1) detects the most appropriate estimation method for this characteristic structure by artificial intelligence.
Within these basic concepts; it is possible to develop various embodiments of the inventive anomaly detection system (1); the invention cannot be limited to examples disclosed herein and it is essentially according to claims.

Claims

1. A system (1) for performing anomaly detection in a time series characterized by:
at least one data collection module (2) which collects and records data from various source systems;
at least one analysis unit (3) which is in communication with the data collection module (2), wherein collected data is analysed, usual behaviour trend is created by dealing with a certain time series of data, unusual behaviours are eliminated and temporal estimates of each action are created together with the given character analysis and the eliminated data; and
at least one alarm unit (4) which is in communication with the analysis unit (3) and transforms abnormal behaviours of an action into alarm and shares it with external systems.
2. A system (1) according to Claim 1; characterized by the data collection module (2) which is in communication with the analysis unit (3) and carries out data collection transaction from external systems.
3. A system (1) according to Claim 1 or 2; characterized by the data analysis unit (3) wherein character analysis is done at first, then unusual behaviours are filtered and temporal estimates of each action are created on the data kept on the data collection module (2).
4. A system (1) according to any of the preceding claims; characterized by the analysis unit (3) determines usual behaviour trend by considering a certain time series of data in the data collection module (2).
5. A system (1) according to any of the preceding claims; characterized by the analysis unit (3) which determines and eliminates unusual behaviours by using the information of behaviour trend determined by it.
6. A system (1) according to any of the preceding claims; characterized by the analysis unit (3) which creates temporal estimates of each action together with the character analysis created by the usual behaviour trend and the eliminated unusual behaviours.
7. A system (1) according to any of the preceding claims; characterized by the analysis unit (3) which determines correlative trends by using artificial intelligence technology.
8. A system (1) according to Claim 7; characterized by the alarm unit (4) which makes query on correlative trends and reflects the query result on the generated alarm score in the event that the analysis unit (3) detects anomaly over correlative trends.
9. A system (1) according to Claim 7 or 8; characterized by the alarm unit (4) which is a unit that transforms abnormal behaviours of an action into alarm and which scores the alarm generated by correlative alarm scoring method and gives information about the alarm level.
10. A system (1) according to any of the preceding claims; characterized by the alarm unit (4) which decides on which alarms will be sent to the end user by machine learning method on alarms generated by it.
11. A system (1) according to any of the preceding claims; characterized by the alarm unit (4) which is in communication with user and receives true or false feedbacks from user about the generated alarms and creates a learning structure.
PCT/TR2019/051227 2018-12-27 2019-12-26 An anomaly detection system WO2020139301A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
TR2018/20716 2018-12-27
TR2018/20716A TR201820716A2 (en) 2018-12-27 2018-12-27 AN ABNORMAL DETECTION SYSTEM

Publications (1)

Publication Number Publication Date
WO2020139301A1 true WO2020139301A1 (en) 2020-07-02

Family

ID=67955539

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/TR2019/051227 WO2020139301A1 (en) 2018-12-27 2019-12-26 An anomaly detection system

Country Status (2)

Country Link
TR (1) TR201820716A2 (en)
WO (1) WO2020139301A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080208526A1 (en) * 2007-02-28 2008-08-28 Microsoft Corporation Strategies for Identifying Anomalies in Time-Series Data
US20160285700A1 (en) * 2015-03-24 2016-09-29 Futurewei Technologies, Inc. Adaptive, Anomaly Detection Based Predictor for Network Time Series Data
EP3376446A1 (en) * 2017-03-18 2018-09-19 Tata Consultancy Services Limited Method and system for anomaly detection, missing data imputation and consumption prediction in energy data

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080208526A1 (en) * 2007-02-28 2008-08-28 Microsoft Corporation Strategies for Identifying Anomalies in Time-Series Data
US20160285700A1 (en) * 2015-03-24 2016-09-29 Futurewei Technologies, Inc. Adaptive, Anomaly Detection Based Predictor for Network Time Series Data
EP3376446A1 (en) * 2017-03-18 2018-09-19 Tata Consultancy Services Limited Method and system for anomaly detection, missing data imputation and consumption prediction in energy data

Also Published As

Publication number Publication date
TR201820716A2 (en) 2019-02-21

Similar Documents

Publication Publication Date Title
CN106911668B (en) Identity authentication method and system based on user behavior model
CN108731923B (en) Fault detection method and device for rotary mechanical equipment
CN107154950B (en) Method and system for detecting log stream abnormity
US7289857B2 (en) Data analysis system and method
CN102355381B (en) Method and system for predicting flow of self-adaptive differential auto-regression moving average model
Vogel-Heuser et al. Criteria-based alarm flood pattern recognition using historical data from automated production systems (aPS)
US11699278B2 (en) Mapper component for a neuro-linguistic behavior recognition system
CN112114995B (en) Terminal abnormality analysis method, device, equipment and storage medium based on process
JP6200833B2 (en) Diagnostic equipment for plant and control equipment
CN107273924A (en) The Fault Analysis of Power Plants method of multi-data fusion based on fuzzy cluster analysis
CN111970229B (en) CAN bus data anomaly detection method aiming at multiple attack modes
Xu et al. A lof-based method for abnormal segment detection in machinery condition monitoring
JP4635194B2 (en) Anomaly detection device
CN116842423A (en) Aeroengine fault diagnosis method and system based on multi-mode deep learning
CN111538311A (en) Flexible multi-state self-adaptive early warning method and device for mechanical equipment based on data mining
EP3469434B1 (en) Automatic visual and acoustic analytics for event detection
CN109255201B (en) SOM-MQE-based ball screw pair health assessment method
WO2020139301A1 (en) An anomaly detection system
CN117278591A (en) Park abnormity alarm system based on cloud platform
US10295965B2 (en) Apparatus and method for model adaptation
JP2017117034A (en) Diagnosis device and diagnostic method
Chang et al. Real-time detection of wave profile changes
Maleki et al. A one-class clustering technique for novelty detection and isolation in sensor networks
CN106599568B (en) A kind of greenhouse abnormal temperature diagnostic device
CN116599767B (en) Network threat monitoring system based on machine learning

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19905062

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19905062

Country of ref document: EP

Kind code of ref document: A1