US 10,891,558 B2
Creation of metric relationship graph based on windowed time series data for anomaly detection
Yoni Yom Tov Ben Simhon, Natanya (IL); and Ira Cohen, Reut (IL)
Assigned to Anodot Ltd., Ra'anana (IL)
Filed by Anodot Ltd., Ra'anana (IL)
Filed on Jan. 20, 2016, as Appl. No. 15/2,260.
Claims priority of provisional application 62/106,207, filed on Jan. 21, 2015.
Prior Publication US 2016/0210556 A1, Jul. 21, 2016
Int. Cl. G06N 20/00 (2019.01); G06N 3/08 (2006.01); G06F 11/34 (2006.01); G06F 11/07 (2006.01); H04L 29/06 (2006.01)
CPC G06N 20/00 (2019.01) [G06N 3/08 (2013.01); G06F 11/07 (2013.01); G06F 11/3452 (2013.01); G06F 2201/875 (2013.01); H04L 63/1425 (2013.01)] 26 Claims
OG exemplary drawing
1. A system comprising:
a windowing circuit configured to divide, for each metric of a plurality of metrics, time series data for values of the metric into a plurality of time series portions, each corresponding to a respective window of time;
a hash circuit configured to calculate a hash value for each of the time series portions for each of the plurality of metrics;
a candidate identification circuit configured to (i) compare the hash values for each pair of metrics from the plurality of metrics, (ii) for a selected pair of metrics, count for how many windows of time the hash values of the selected pair of metrics are equal to each other, and (iii) identify the pair of metrics as a candidate pair in response to the count exceeding a threshold;
a metric relationship graph creation circuit configured to selectively create a first edge in a graph based on the candidate pair of metrics, wherein (i) each metric of the plurality of metrics is a node in the graph and (ii) direct relationships between each pair of the plurality of metrics are edges in the graph;
an anomaly combination circuit configured to detect an anomaly condition based on the graph; and
a conditioning circuit logically positioned prior to the windowing circuit and configured to:
apply a low-pass filter to the time series data for the metrics,
wherein the low-pass-filtered time series data is divided into the plurality of time series portions by the windowing circuit.