
A system and method to prioritise alerts in anomaly detection systems

IP.com Disclosure Number: IPCOM000245766D
Publication Date: 2016-Apr-06
Document File: 3 page(s) / 67K

Publishing Venue

The IP.com Prior Art Database

Abstract

A method is proposed to better prioritise alerts by taking into consideration two quality properties of analytic models: (1) data availability and (2) model staleness.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 38% of the total text.

Page 01 of 3

A system and method to prioritise alerts in anomaly detection systems

A novel way to reduce alarm volume from anomaly detection systems.

    Anomaly detection systems use behavioural learning algorithms to build anomaly detection models based on a set of time series metric data. These models can cover individual metrics from the set, or a subset of those metrics taken together. When new data arrives for these metrics, it is evaluated against the models, and when the data does not fit the model, an alarm is generated.

    Configurationless systems do not have a topology, service model or other configuration, and therefore have no idea how urgent the alarm they are generating is. The result is a number of alarms with the same priority, which leaves the operator with a difficult question: "which alarm do I look at first?".

    In traditional monitoring systems, a severity is applied to an alarm based on some specific domain knowledge. The severity helps an operator prioritise the alarms that are currently open. For example, a disk failure alarm is typically a major alarm that requires immediate attention - however if it is part of a broad array of redundant disks then it is not immediately urgent. Knowing that the alarm relates to a disk, and that the disk is part of an array are both configuration steps that configurationless systems do not require.

    A key characteristic of anomalies is that they are rare. Therefore a basic approach to alarm prioritization in anomaly detection systems is that if an anomaly is not rare, then the alarm should either not be raised, or be reduced in priority. While severity, rarity and/or impact are sensible bases for ranking alerts, they are pertinent only to the alerts themselves. Meanwhile, there are other important aspects, in terms of the quality of the analytic models generating such alerts, that have not been exploited.

    The solution disclosed will describe a series of features which can be used to rank the priority of alarms, to help reduce operator workload, reduce OPEX, and ensure that the key problems are dealt with first - and still have the benefit of not requiring configuration that requires frequent updating and maintenance.

    A method is proposed to better prioritise alerts by taking into consideration two quality properties of analytic models: (1) data availability and (2) model staleness.

Prerequisites:

    1. An anomaly detection system in which analytic models are produced based on training data

    2. Those analytic models contain metadata regarding: the availability of the data used for training them, and the time window of the training data

    3. Alerts generated from analytic models

The method disclosed comprises the following steps:

    1. When an alarm is generated from an analytic model due to a deviation from the norm, decorate the alarm with information regarding the data availability and staleness of the model.

    2. Assign/update the priority score of the alarm based on the model's data availability.

    3. Assign/update the priority s...
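The following is an added worked example, not code from the disclosure, showing one way the steps above could be implemented alongside the rarity rule described earlier: each alarm is decorated with its model's data availability and age (step 1), and its priority score is then scaled by data availability, by model staleness, and by how often the same model has recently fired. The specific weighting functions (a linear ramp with a 50% availability floor, a one-week half-life for staleness, a 1/(1+n) rarity discount) and all sample alarms and models are constructed assumptions for illustration; the disclosure does not specify them.

```python
"""Added example: prioritising anomaly alarms by model data availability,
model staleness, and anomaly rarity. Not part of the original disclosure."""
import math
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class ModelMetadata:
    """Metadata an analytic model carries about its own training (prerequisite 2)."""
    model_id: str
    data_availability: float       # fraction of expected training samples present, 0.0..1.0
    training_window_end: datetime  # last timestamp covered by the training data


@dataclass
class Alarm:
    alarm_id: str
    metric: str
    model: ModelMetadata
    raised_at: datetime
    deviation: float               # magnitude of the deviation the model reported (e.g. a z-score)
    annotations: dict = field(default_factory=dict)
    priority: float = 0.0


def availability_factor(availability: float, floor: float = 0.5) -> float:
    """Weight in (0, 1]: full weight at 100% availability, a residual 0.1 at or
    below `floor`, linear in between. The floor and ramp are assumptions."""
    if availability >= 1.0:
        return 1.0
    if availability <= floor:
        return 0.1
    return 0.1 + 0.9 * (availability - floor) / (1.0 - floor)


def staleness_factor(model_age_hours: float, half_life_hours: float = 168.0) -> float:
    """Weight that halves for every `half_life_hours` of model age (one week by
    default, an assumption): the older the training window, the less trust."""
    return 0.5 ** (max(model_age_hours, 0.0) / half_life_hours)


def rarity_factor(alarm: Alarm, history: list, window: timedelta = timedelta(hours=24)) -> float:
    """An anomaly that keeps firing from the same model is not rare: discount by 1/(1+n),
    where n is the number of earlier alarms from that model inside `window`."""
    n = sum(
        1 for h in history
        if h.model.model_id == alarm.model.model_id
        and h.alarm_id != alarm.alarm_id
        and alarm.raised_at - window <= h.raised_at < alarm.raised_at
    )
    return 1.0 / (1.0 + n)


def decorate_alarm(alarm: Alarm, now: datetime) -> Alarm:
    """Step 1: attach the model's data availability and staleness to the alarm."""
    age = now - alarm.model.training_window_end
    alarm.annotations["data_availability"] = alarm.model.data_availability
    alarm.annotations["model_age_hours"] = age.total_seconds() / 3600.0
    return alarm


def score_alarm(alarm: Alarm, now: datetime, history: list) -> Alarm:
    """Steps 2 and 3: start from the reported deviation and scale it by the
    availability, staleness and rarity weights (multiplicative combination is an assumption)."""
    decorate_alarm(alarm, now)
    alarm.priority = (
        alarm.deviation
        * availability_factor(alarm.annotations["data_availability"])
        * staleness_factor(alarm.annotations["model_age_hours"])
        * rarity_factor(alarm, history)
    )
    return alarm


def prioritise(alarms, now: datetime, history=()):
    """Score every alarm and return them highest priority first."""
    history = list(history)
    scored = [score_alarm(a, now, history) for a in alarms]
    return sorted(scored, key=lambda a: a.priority, reverse=True)


# Constructed sample data (not from the disclosure).
NOW = datetime(2016, 4, 6, 12, 0, tzinfo=timezone.utc)


def sample_run():
    """Four alarms with similar deviations but different model quality; returns ids in rank order."""
    m_good = ModelMetadata("m1", 0.98, NOW - timedelta(hours=2))      # well-trained, fresh
    m_sparse = ModelMetadata("m2", 0.40, NOW - timedelta(hours=1))    # trained on sparse data
    m_stale = ModelMetadata("m3", 0.95, NOW - timedelta(days=30))     # a month out of date
    m_chatty = ModelMetadata("m4", 1.00, NOW - timedelta(hours=3))    # fires constantly
    alarms = [
        Alarm("A", "cpu.util", m_good, NOW, deviation=4.0),
        Alarm("B", "disk.io", m_sparse, NOW, deviation=4.5),
        Alarm("C", "mem.used", m_stale, NOW, deviation=5.0),
        Alarm("D", "net.errors", m_chatty, NOW, deviation=4.2),
    ]
    # Five earlier alarms from the chatty model within the last 24 hours.
    prior = [Alarm(f"D-prior-{k}", "net.errors", m_chatty, NOW - timedelta(hours=k), 4.0)
             for k in range(1, 6)]
    return [a.alarm_id for a in prioritise(alarms, NOW, history=prior)]


if __name__ == "__main__":
    print(sample_run())
```

With these weights the fresh, well-trained model's alarm ranks first, the chattering model is pushed down by its recent history, and the alarms from the sparsely trained and the month-old models fall to the bottom even though their raw deviations are the largest. Operationally the annotations written in step 1 are worth keeping on the alarm record, so an operator can see why a high-deviation alarm was de-prioritised rather than just trusting the score.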