Admission control based on the end-to-end availability
US-2015363256-A1 · Dec 17, 2015 · US
Detecting anomalous process behavior
US9633198B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9633198-B2 |
| Application number | US-201414181188-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 14, 2014 |
| Priority date | Jul 13, 2007 |
| Publication date | Apr 25, 2017 |
| Grant date | Apr 25, 2017 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
A method for learning a process behavior model based on a process past instances and on one or more process attributes, and a method for detecting an anomalous process using the corresponding process behavior model.
First claim
Opening claim text (preview).
The invention claimed is: 1. A method for monitoring executed process instances of a business process workflow, each process instance indicating an occurrence of the business process workflow and a sequence of events of a first process instance indicating a behavior of the first process instance, the method comprising: identifying, by a server computer, a learned behavior model of the business process workflow, wherein the learned behavior model is a Weighted Finite State Transducer; determining, by the server computer, based on the learned behavior model, the first process instance, wherein the first process instance is running; determining, by the server computer, for the first process instance, a sequence of events for a second process instance; calculating, by the server computer, a likelihood as a sum of weights along the sequence of events, the likelihood including only the weights associated with already executed activities; determining, by the server computer, whether the likelihood is above a threshold value; responsive to determining the likelihood is not above the threshold value, reporting, by the server computer, the sequence of events as anomalous behavior. 2. The method of claim 1 , further comprising: responsive to determining the likelihood is above the threshold value, proceeding, by the server computer, to a first step on a third process instance. 3. The method of claim 1 , wherein the learned behavior is associated with at least one attribute value, and comprises a set of paths, wherein a path comprises a set of nodes and a set of transitions and a union of the paths form a directed graph corresponding to the business process workflow. 4. The method of claim 1 , wherein the likelihood is obtained by multiplying the weights together. 5. The method of claim 1 , further comprising: determining, by the server computer, a plurality of attributes of the first process instance; determining, by the server computer, a cluster to which the first process instance belongs; determining, by the server computer, whether the first process instance enters a new state; responsive to determining the first process instance enters the new state, calculating, by the server computer, a probability that each of a plurality of process instances in the cluster proceed through each of a same set of states that the first process instance proceeds through; determining, by the server computer, whether the probability is above a threshold value; and responsive to determining the probability is not above the threshold value, alerting, by the server computer, a user that the first process instance is anomalous.
Assignees
Inventors
Classifications
Administration; Management · CPC title
Computing arrangements based on specific mathematical models · CPC title
Error or fault detection not based on redundancy (power supply failures G06F1/30; network fault management H04L41/06) · CPC title
- G06F11/0715Primary
in a system implementing multitasking (multitasking per se G06F9/46) · CPC title
- G06F21/50Primary
Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US9633198B2 cover?
- A method for learning a process behavior model based on a process past instances and on one or more process attributes, and a method for detecting an anomalous process using the corresponding process behavior model.
- Who is the assignee on this patent?
- IBM
- What technology area does this patent fall under?
- Primary CPC classification G06F11/0715. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Tue Apr 25 2017 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).