Integrated parameter systems are prevalent in virtually every industry and throughout large integrated networks, for example, from single-location manufacturing facilities through multi-location conglomerated systems, and up through and across large, geographically diverse communications platforms. As these systems become more complex and diversified over enormous geographic ranges, and as they come to include system nodes that are not readily identifiable as having a single geographic situs (e.g. nodes and servers within an internet application platform), the prospect of failures within these systems becomes more endemic. The plurality of environments under which these integrated parameter systems operate may further include a broad and complex range of conditions. Under these circumstances, it will be difficult or impossible for a system administrator to determine if a set of data that is not within an expected operating range represents normal or abnormal operation of the network. Administrators are thus charged with monitoring increasingly complex integrated parameter systems that include multiple nodes, each of which can generate millions or billions of data points with each passing second, and that can fail catastrophically if any system node or series of system nodes collapses or the system itself is attacked by an external threat. Objective knowledge of what constitutes normal or abnormal operation of an integrated data network will allow a system administrator or engineer to address a developing problem before abnormal operation leads to catastrophic failure of the entire system.
Engineers have proposed and developed numerous methods and tools to facilitate the monitoring of complex integrated parameter systems. Those methods and tools typically involve creating mathematical models based on historical data that reflect a system's normal operations under various environmental conditions, and then comparing real-time data with the model that is based on historical data. These methods have strong utility in addressing unique aspects of potential collapses or specific types of external attacks, but they are equally limited in that they generally address only specific possible failures or attacks without being adaptable to address other unknown types of failures or attacks. Moreover, a majority of existing systems rely on an administrator's or an engineer's knowledge and expertise to identify anomalies, but that knowledge can be limited or skewed by individual biases or assumptions regarding the interconnectivity of two or more data streams that are generated by individual nodes within the network. Eliminating these biases is a critical goal of many monitoring methodologies.
For example, the vector-based anomaly detection system in US Patent Application Publication 2012/013674 A1 describes a method to detect anomalies in a multi-node network fabric comprising the mapping of a baseline vector that is based on specific metrics within the network, and then flagging variations from that baseline vector at any node. The baseline vector is essentially a mathematical model and the system flags data that falls outside of the boundaries of the model. This technique is useful at a micro level in that it can detect anomalies at individual points within a network, but it is not readily scalable to detect anomalies that may affect increasingly complex integrated parameter systems that include hundreds or thousands of nodes and potentially millions of data points. Moreover, by focusing on individual nodes, this method accords equal treatment to each data point and each observation, which may not be valid, and it places undue emphasis on an administrator's identification of signals that may be interrelated or correlated. An administrator's bias or incorrect assumptions regarding interconnectivity will limit the utility of the system described in this Publication.
US Patent Publication 2012/0240185 adopts a somewhat broader approach by seeking to establish patterns within a system or network, and particularly a computer network, where those patterns are specific to aspects of the network that are uniquely susceptible to specific forms of threats. Again, the patterns are mapped into a form of a mathematical model that is viewed as a baseline of normal operations. The technology described in this Publication is specific to computer networks and is not readily scalable to the broader category of integrated parameter systems.
U.S. Pat. No. 7,394,746 further broadens this conceptual framework into a more scalable system by describing a method for mining historical databases of operations of chemical refineries to detect patterns, and then flagging events as anomalies if they fall outside of the established pattern. The patterns so detected rely on known relationships among variables, and this system is not readily adaptable when data points are not correlated or when false assumptions about those correlations are incorporated into the system.
Another mode of pattern detection and modeling is disclosed in US Patent Publication 2012/0278477, which describes a modeling method that is a function of one type of data that is drawn from particular nodes within an integrated data network. Like other prior art methods, the method described in this Publication draws patterns out of data streams that are generated within an integrated data system, yet neither this method nor the other prior art systems disclose a broad and robust methodology that can be adapted across virtually any integrated parameter system. Also as noted, much or most of the prior art fails to eliminate administrator or engineer biases and, accordingly, the prior art may include false assumptions about the interconnectivity or absence of interconnectivity of two or more data streams, which in turn will lead to false positives or negatives as to whether a system is operating normally or abnormally. Further, the prior art methods and methodologies focus on specific industries or technologies or limit themselves to unique data sets that can be drawn out of specific systems, without describing a general tool that can be adapted to integrated parameter systems regardless of the industry or technology in which those systems are implemented.
Other prior art methods and methodologies describe network monitoring techniques that are designed to give an operator a clearer picture of the functions and operations of a sophisticated integrated data network without flagging the normal or abnormal operations themselves, thus presumably allowing the operator to flag problems or anomalies as they occur. US Patent Publication 2012/0278015, for example, discloses a real-time performance monitoring system for an electrical grid. This system monitors and stores a plurality of metrics in a unique database that an operator may access. The operator has an option to display various aspects of those metrics in graphic form for easier system monitoring. Regardless of how clear the picture may be, this method is particularly susceptible to an administrator's judgment and biases as he or she makes the final determination of normal or abnormal operation.
These prior art systems are invariably rigid in their selection and application of data that will be monitored, in their development of mathematical models to mirror the integrated parameter systems across which their methodologies will be applied, or in their techniques for flagging anomalies or variances within normal system operation. A need therefore exists for a more objective method and methodology for monitoring an integrated data network such that the user can direct the method and methodology with respect to the data that will be monitored and the tolerances that will be accepted before variances in data streams are flagged as being anomalies.
A need further exists for a method, methodology and apparatus that can be adapted across any form of integrated data network or system and that can be configured in the most optimal user-friendly manner to detect anomalies in the operation of that network or system. The method and methodology should be able to rely upon all historical and real-time data generated by that network or system to define a normal pattern of operations, with regular real-time updates, regardless of the correlation or inter-relationships between selected data streams. Other needs and desired features are as described in the specification.