
Real-Time Nearest Neighbors Statistical Anomaly Detector

IP.com Disclosure Number: IPCOM000115458D
Original Publication Date: 1995-May-01
Included in the Prior Art Database: 2005-Mar-30
Document File: 4 page(s) / 115K

Publishing Venue

IBM

Related People

Waite, NB: AUTHOR

Abstract

Disclosed is a program which provides a new means of rapid, real-time anomaly detection for a target computer system, consisting of several components including both hardware and software, possibly interconnected by a computer network, which is subject to anomalies (faults, problems) in its behavior. Detections are relative to an accumulated history of normal operation of the target system. The basic concept is that an anomaly is detected when a new measurement of operational variables of the target system is 'sufficiently different' from those measurements which characterize the normal operation, as is more fully described below. The detection of an anomaly may then result in a signal being generated which could subsequently be used to trigger some resulting action (e.g., send a message or transaction, cause a display to occur, etc.).

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 52% of the total text.

Real-Time Nearest Neighbors Statistical Anomaly Detector

      Disclosed is a program which provides a new means of rapid,
real-time anomaly detection for a target computer system, consisting
of several components including both hardware and software, possibly
interconnected by a computer network, which is subject to anomalies
(faults, problems) in its behavior.  Detections are relative to an
accumulated history of normal operation of the target system.  The
basic concept is that an anomaly is detected when a new measurement
of operational variables of the target system is 'sufficiently
different' from those measurements which characterize the normal
operation, as is more fully described below.  The detection of an
anomaly may then result in a signal being generated which could
subsequently be used to trigger some resulting action (e.g., send a
message or transaction, cause a display to occur, etc.).

      Fig. 1 is a block diagram of a generalized embodiment of an
anomaly detection system in accordance with the principles as
disclosed.  The Target Computer System is composed of components,
each of which is coupled to a Data Collector Computer.  This Data
Collector Computer, which could be part of the Target Computer
System, receives the measurements of the operational variables of the
Target Computer System.  The Data Collector Computer has a Data
Storage device attached, in which device the operational history is
maintained.  The Anomaly Detector Computer, coupled to the Data
Collector Computer, and which could also be the Data Collector
Computer, determines if an anomaly occurred, in a process discussed
below.  It may have to access the operational history data in the
Data Storage device to do this.  An Anomaly Alarm Receiver, coupled
to the Anomaly Detector Computer, receives a signal from the Anomaly
Detector Computer if an anomaly is detected, and takes an appropriate
action.

      In a preferred embodiment, rapid, real-time anomaly detection
is performed as follows.  First, a number (M) of operational
variables are collected at a number (N) of operational history sample
points in time occurring during normal operation of the target
computer system.  Then, a "real-time" sampling point is established
by examining the variables as they are generated by the target
computer system.  As the "real-time" sampling point data is
collected, a test statistic is determined.  The test statistic is the
number of nearest neighbor distances, in M-dimensional space, between
the...
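The following Python program is an added illustration of the procedure described above and is not code from the disclosure. It takes N history samples of M operational variables collected during normal operation, then scores a real-time sample by its distance to its nearest historical neighbours in M-dimensional space and raises an alarm when that score is 'sufficiently different' from what the history exhibits. Because the disclosure's exact test statistic is cut off above, two details are assumptions of this example: variables are z-scored against the history so that differently scaled variables contribute comparably, and the alarm threshold is calibrated from the history's own leave-one-out scores (mean plus a multiple of the standard deviation). The history values, the variable names and the class and function names are constructed for the example.

```python
"""Nearest-neighbour anomaly detector in the spirit of the disclosure.

Added example, not the disclosure's own code.  M operational variables are
sampled at N history points during normal operation; a real-time sample is
scored by its mean distance to its k nearest historical neighbours.  The
z-scoring of variables and the leave-one-out threshold calibration are
assumptions of this example, not taken from the disclosure.
"""
import math
from typing import List, Sequence, Tuple

Sample = Sequence[float]


def euclidean(a: Sample, b: Sample) -> float:
    """Straight-line distance between two points in M-dimensional space."""
    if len(a) != len(b):
        raise ValueError("samples must have the same number of variables (M)")
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class NearestNeighborDetector:
    """Flags a new sample whose mean distance to its k nearest normal
    samples exceeds a threshold learned from the normal history."""

    def __init__(self, history: List[Sample], k: int = 3, factor: float = 3.0):
        if len(history) <= k:
            raise ValueError("need more than k history samples")
        self.k = k
        m = len(history[0])
        # Per-variable mean and standard deviation of the history (assumed scaling step).
        self.means = [sum(h[j] for h in history) / len(history) for j in range(m)]
        self.stds = []
        for j in range(m):
            var = sum((h[j] - self.means[j]) ** 2 for h in history) / len(history)
            self.stds.append(math.sqrt(var) or 1.0)  # guard against constant variables
        self.history = [self._scale(h) for h in history]
        # Score each history point against the others (leave-one-out); the
        # spread of those scores sets the alarm level (assumed rule).
        loo = [self._score_against(p, self.history[:i] + self.history[i + 1:])
               for i, p in enumerate(self.history)]
        mean = sum(loo) / len(loo)
        std = math.sqrt(sum((s - mean) ** 2 for s in loo) / len(loo))
        self.threshold = mean + factor * std

    def _scale(self, p: Sample) -> List[float]:
        if len(p) != len(self.means):
            raise ValueError("sample has the wrong number of variables (M)")
        return [(x - mu) / sd for x, mu, sd in zip(p, self.means, self.stds)]

    def _score_against(self, p: Sample, pool: List[Sample]) -> float:
        """Mean of the k smallest distances from p to the points in pool."""
        return sum(sorted(euclidean(p, q) for q in pool)[: self.k]) / self.k

    def score(self, point: Sample) -> float:
        """Anomaly score of a real-time sample: higher means more unusual."""
        return self._score_against(self._scale(point), self.history)

    def is_anomaly(self, point: Sample) -> Tuple[bool, float]:
        """(alarm, score): alarm is True when the score exceeds the threshold."""
        s = self.score(point)
        return s > self.threshold, s


# Constructed history: N=10 samples of M=3 variables (cpu %, memory %, requests/s)
# taken during what is assumed to be normal operation.
HISTORY = [
    (40.0, 55.0, 200.0), (42.0, 54.0, 210.0), (38.0, 56.0, 195.0),
    (41.0, 55.0, 205.0), (39.0, 57.0, 198.0), (43.0, 53.0, 212.0),
    (40.0, 56.0, 202.0), (37.0, 55.0, 190.0), (44.0, 54.0, 215.0),
    (41.0, 56.0, 204.0),
]


def demo() -> Tuple[bool, bool]:
    """Score one ordinary real-time sample and one with a CPU spike."""
    det = NearestNeighborDetector(HISTORY)
    normal_alarm, _ = det.is_anomaly((41.0, 55.0, 203.0))
    spike_alarm, _ = det.is_anomaly((95.0, 57.0, 190.0))
    return normal_alarm, spike_alarm


if __name__ == "__main__":
    det = NearestNeighborDetector(HISTORY)
    for sample in [(41.0, 55.0, 203.0), (95.0, 57.0, 190.0)]:
        alarm, s = det.is_anomaly(sample)
        print(f"{sample}: score={s:.2f} threshold={det.threshold:.2f} alarm={alarm}")
```

The detector is only as good as its history: the N samples must come from a period that is genuinely normal, since any fault already present in the history is learned as acceptable behaviour, and the threshold should be re-calibrated whenever the history is extended with new normal operation.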