The patent or application file contains at least one drawing executed in color. Copies of this patent or patent application publication with color drawing(s) will be provided by the Office upon request and payment of the necessary fee.
1. Field
This disclosure is generally related to a user interface. More specifically, this disclosure is related to a user interface that enables multiple levels of visualization of anomalies in a large corporation.
2. Related Art
Anomaly detection plays a very important role in preventing disastrous incidents caused by insiders in a large organization, such as a corporation or a government agency. By detecting anomalous behaviors of an individual, the organization may intervene or prevent the individual from committing a crime that may harm the organization or society at large. For example, a military base may monitor behaviors of soldiers and notice that a particular soldier may exhibit signs of mental instability. Early intervention, such as consulting with a psychiatrist, may prevent that individual soldier from becoming homicidal or suicidal. The detected anomalies are often presented to an analyst, who will conduct further investigations.
One embodiment of the present invention provides a user interface for presenting anomaly-detection outcomes associated with an organization to a user. The user interface includes a receiving mechanism configured to receive the anomaly-detection outcomes, a display that displays the anomaly-detection outcomes at a first resolution, and a command-receiving mechanism configured to receive commands from the user. In response to receiving a respective user command, the display is configured to display the anomaly-detection outcomes at a second resolution.
In a variation on this embodiment, the display is configured to display an organizational chart for the organization, the organizational chart includes at least one visual representation of a component within the organization, and the visual representation is displayed in a way that is associated with anomaly-detection outcomes specific to the component.
In a further variation, the organizational chart includes a tree diagram representing the hierarchy of the organization, and the visual representation of the component includes a node on the tree diagram.
In a further variation, while displaying the anomaly-detection outcomes at a second resolution, the display is configured to at least one of: expand a node on the tree diagram and collapse a node on the tree diagram.
In a further variation, the visual representation of the component is displayed in a color that is determined by the anomaly-detection outcomes specific to the component.
In a variation on this embodiment, the display is further configured to display an anomaly report specific to a respective individual.
In a further variation, the anomaly report includes at least one of: a time-varying anomaly score, one or more time-varying psychological variables, and one or more groups with which the individual is affiliated.
In a further variation, the anomaly report further includes notes entered by the user.
In a further variation, the anomaly report further includes an event train which displays events and corresponding occurring times of the events.
In the figures, like reference numerals refer to the same figure elements.
The following description is presented to enable any person skilled in the art to make and use the embodiments, and is provided in the context of a particular application and its requirements. Various modifications to the disclosed embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments and applications without departing from the spirit and scope of the present disclosure. Thus, the present invention is not limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.
Embodiments of the present invention provide a user interface (UI) that can provide multiple levels of visualization of the anomaly detection for an organization. More specifically, the UI includes a visual representation, such as graphs or charts in gray or color scales, of the anomaly-detection result to a user. A user is capable of zooming in and out of that visual representation to view anomaly-detection outcomes at different levels of the organizational hierarchy.
Anomaly characterization and detection can provide useful and sometimes critical information to an organization, especially for the purpose of intervention and prevention of threats posed by insiders of the organization. In general, an anomaly-detection system is able to analyze massive amounts of data, which may include all sorts of electronically recorded user activities, including but not limited to: emails, text messages, file transfers, and various types of online activities (web pages visited, postings on social network sites, etc.), associated with employees of an organization, and detect abnormal behaviors associated with one or more employees. The anomaly-detection results are then presented to an analyst via an interactive graphical user interface, which allows the analyst to view the results at multiple organizational hierarchy levels. Based on the presented results, the analyst can conduct further analysis and investigation on a particular individual employee.
Network 102 can generally include any type of wired or wireless communication channel capable of coupling together computing nodes. This includes, but is not limited to, a local area network (LAN), a wide area network (WAN), an enterprise's intranet, a virtual private network (VPN), and/or a combination of networks. In one embodiment of the present invention, network 102 includes the Internet. Network 102 may also include telephone and cellular networks, such as Global System for Mobile Communications (GSM) networks or Long Term Evolution (LTE) networks.
Client machines 104-110 can generally include any nodes on a network with computational capability and a mechanism for communicating across the network. General users, such as users 116 and 118, perform their daily activities on these client machines. The clients can include, but are not limited to: a workstation, a personal computer (PC), a laptop computer, a tablet computer, a smartphone, and/or other electronic computing devices with network connectivity. Furthermore, the client machines may couple to network 102 using wired and/or wireless connections. In one embodiment, each client machine includes a mechanism that is configured to record activities being performed by the general users.
Activity database 112 can generally include any type of system for storing data associated with the electronically recorded activities in non-volatile storage. This includes, but is not limited to, systems based upon magnetic, optical, and magneto-optical storage devices, as well as storage devices based on flash memory and/or battery-backed up memory. In one embodiment, the client machines 104-110 send their recorded user activities to activity database 112 via network 102.
Anomaly-detection server 114 includes any computational node having a mechanism for running anomaly-detection algorithms. In addition, anomaly-detection server 114 is able to provide an anomaly-report user interface, which allows an analyst to view anomaly-detection results. For example, an analyst 120 can access anomaly-detection server 114 using client machine 110 via network 102 and use the anomaly-report user interface to view the anomaly-detection results.
During operation, employees perform their daily activities on the various client machines. These activities may be recorded by the corresponding client machines. In one embodiment, a separate activity-recording server (not shown in
Anomaly-detection server 114 is responsible for detecting anomalous behaviors. In one embodiment, anomaly-detection server 114 accesses activity database 112 to obtain activity records associated with the employees of an organization. Various types of algorithms can be used to analyze the massive amount of data and perform the anomaly detection. For example, graph analysis and machine learning technologies can be used to detect data anomalies. In addition, the system can also use psychological modeling to detect psychological anomalies among the monitored employees.
The anomaly-detection results are presented to an analyst via a graphical user interface (GUI). The analyst can directly access anomaly-detection server 114 to use the anomaly-report GUI, or the analyst can use a client machine that is coupled to anomaly-detection server 114 to use the anomaly-report GUI. For example, an analyst 120 can use client machine 110 to access the GUI provided by anomaly-detection server 114 to view the anomaly-detection results.
In order to better assist the analyst in viewing the anomaly-detection results, the system presents visual representations (in the form of charts or graphs in gray or color scales) of the results in multiple resolutions. In addition to a visualization of the general sentiment or anomalous activities associated with the entire organization, the system also allows the analyst to view the anomaly-detection results associated with a sub-division of the system, as well as the anomaly-detection results associated with each individual employee. In one embodiment, the anomaly-detection results include anomaly scores and psychological variables associated with individual employees. An anomaly score associated with an individual indicates the possibility that this individual is anomalous. Examples of psychological variables include a measure of disgruntlement.
In the example shown in
From the organizational hierarchy shown in
Similarly,
Each team includes a number of individuals, visualized in
In screenshot 212, root node 204 is expanded to three branches, each leading to a node representing a division within the organization. The visualization of the individual divisions is similar to the visualization of the entire organization. The grayscale or color used for each division node indicates the aggregated anomalous value for members within the division. Division node 206 is light pink, indicating that the corresponding division has an elevated anomalous level. If a user wishes to know more detailed information about this particular division, he can click on node 206, as shown by a hollow arrow 224. Clicking on division node 206 results in division node 206 expanding to three branches, each leading to a node representing a team within the division, as shown by screenshot 214. Like the division nodes, the grayscale or color used for a team node visualizes the generalized anomalous level associated with that team. In screenshot 214, team node 208 is light pink, indicating that the corresponding team has a slightly elevated anomalous level. If a user wishes to know more detailed information about this particular team, he can click on team node 208, as shown by a hollow arrow 226. Clicking on team node 208 will result in team node 208 expanding to multiple branches, each leading to a node representing an individual within the team, as shown in
Anomaly-scores display panel 312 displays anomaly scores of the selected individual, which is a user AAB0724 in the example shown in
Psychological-values display panel 314 includes a button 318, the clicking of which can result in the display of a psychological report on the selected individual. Like the anomaly scores, psychological values are also time-varying. In one embodiment, the time is visualized as a horizontal axis, and the psychological values are visualized as the shade of a horizontally expanding area.
Social-connection display panel 316 displays the social connection of the selected individual. For example, the selected individual may be associated with multiple groups, such as an employment-related group or a social group. Each of the groups can also be visualized as a color or grayscale patch, with the color or grayscale indicating its general health. An analyst can navigate from the anomaly report for an individual to an overview of an associated group by clicking on a patch representing the group. In addition to associated groups, one individual may have a close association to other individuals, such as a close friend. Such an association may also be displayed in social-connection display area 316. An analyst can navigate from the anomaly report for an individual to the anomaly report for a different, associated individual by clicking on the visual representation (such as a color-filled circle) for that different individual. Note that these two individuals may or may not belong to the same subdivision of the organization.
Anomaly-scores note panel 322 allows an analyst to input data associated with the anomaly scores relevant to the selected individual. For example, the analyst may fill in data that are missing from the automatic anomaly detection, such as data obtained from further investigation. Or the analyst may write a note suggesting what kind of data should be obtained during further investigation.
Psychological-values note panel 324 allows an analyst to write a note suggesting what patterns to watch for and countermeasures associated with the selected individual's psychological variables.
Social-connection note panel 326 allows an analyst to write a note to suggest any external data sources that may be useful in determining the individual's anomaly status. For example, it may be useful to obtain information for an outside individual that has a close relationship, such as a family member, with the selected individual.
A psychological-variables display 402 provides a visual representation of one or more psychological variables, such as a disgruntlement measure. In one embodiment, a psychological variable is plotted in a chart as a function of time. In the example shown in
The observables displayed in psychological report 400 indicate what types of event have been monitored by the system when determining the psychological variables. The observables may include, but are not limited to: activity level, productivity, punctuality, departure events, etc. For example, a sudden change in the productivity or punctuality of an individual employee may indicate psychological instability, or the departure of a key team member may impact the psychological status of the remaining team members.
Psychological report 400 also includes a model display area 404 that displays the psychological models used for determining the psychological variables. For example, a personality-prediction model can be used to determine an individual's personality based on his monitored behavior and interactions with others within his social network. These models can be system defaults or inputted by an analyst. Moreover, the analyst can edit these models via the user interface.
Psychological report 400 also includes an additional information display area 406, which displays additional information that can be useful in determining the selected individual's psychological status. The additional information includes, but is not limited to: similar cases on record, countermeasures that have been implemented, behavior patterns that should be watched for, etc.
To give an analyst a clear view of how an individual's psychological state impacts the overall state of his subdivision, or even the entire organization, it may be helpful to plot the individual's psychological state (such as his disgruntlement measure) against that of the subdivision or the organization.
Based on the organization hierarchy, user 502 (corresponding to user AAB0724) belongs to Team 2, which in turn belongs to Division 2 of the organization. Consequently, in addition to displaying the disgruntlement measure of the user AAB0724,
Like
In addition to comparing an individual's psychological status with his affiliated groups, in some embodiments, the user interface also displays various characteristics of the individual, such as his anomaly scores or disgruntlement measure, alongside similar characteristics of his history or other individuals.
An individual's life events often impact his psychological status. To better understand how certain events can lead to anomalous behavior, it may be helpful to plot events against time and compare the results with the determined psychological status. In the example shown in
Subsequently, the system receives a user command (operation 606). The user command may be a click on a visual representation of the organization or a sub-division, or a selection made to a specific side panel. In response, the system updates the display resolution (operation 608). For example, if the user clicks on the visual representation of a sub-division, the system expands the sub-division to sub-divisions at a lower hierarchy and displays anomaly-detection results for those lower hierarchy sub-divisions. If the user clicks on a visual representation of an individual, the system presents a detailed anomaly report and/or psychological report for that individual. In addition, the user may choose to return to a higher hierarchy level resolution by collapsing a sub-division node, and all child nodes for the sub-division node are then hidden.
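The following Python sketch is an added illustration, not code from the patent, of the command handling described above together with the node coloring described earlier: each node of the organizational tree is colored by the aggregated anomaly level of its members, a click expands or collapses a sub-division, and a click on an individual requests that individual's report. The mean as the aggregation function, the white-to-red color scale, the `OrgNode`, `click` and `visible` names, and the sample scores are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class OrgNode:
    name: str
    children: list = field(default_factory=list)
    score: float = 0.0      # anomaly score in [0, 1]; meaningful for individuals only
    expanded: bool = False  # whether this node's branches are currently shown

    def member_scores(self):
        """Scores of every individual at or below this node."""
        if not self.children:
            return [self.score]
        return [s for c in self.children for s in c.member_scores()]

    def aggregate(self):
        """Aggregated anomaly level for the node (assumed here: mean of members)."""
        return mean(self.member_scores())


def color(level):
    """Assumed scale: white at 0.0, through light pink, to red at 1.0."""
    fade = round(255 * (1 - min(max(level, 0.0), 1.0)))
    return f"#ff{fade:02x}{fade:02x}"


def visible(node, depth=0):
    """Rows currently on screen as (depth, name, color), top-down."""
    rows = [(depth, node.name, color(node.aggregate()))]
    if node.expanded:
        for child in node.children:
            rows += visible(child, depth + 1)
    return rows


def collapse(node):
    """Hide all child nodes; descendants are reset so a re-expand shows one level."""
    node.expanded = False
    for child in node.children:
        collapse(child)


def click(node):
    """User command: toggle a sub-division, or open an individual's report."""
    if not node.children:
        return ("report", node.name)
    if node.expanded:
        collapse(node)
        return ("collapse", node.name)
    node.expanded = True
    return ("expand", node.name)


def team(name, scores):
    """Build a team node from a list of member scores (constructed sample data)."""
    return OrgNode(name, [OrgNode(f"{name}/user{i}", score=s) for i, s in enumerate(scores)])


def sample_org():
    """Constructed organization: one elevated individual in Team 2 of Division 2."""
    div1 = OrgNode("Division 1", [team("Team 3", [0.0] * 8)])
    div2 = OrgNode("Division 2", [team("Team 1", [0.0] * 4),
                                  team("Team 2", [1.0, 0.0, 0.0, 0.0])])
    return OrgNode("Organization", [div1, div2])
```

With the sample data, the single elevated score fades as the view moves up the hierarchy: Team 2 renders as `#ffbfbf`, Division 2 as `#ffdfdf`, and the organization root as `#ffefef`, which is why drilling down from a lightly tinted node is what surfaces the individual.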
In general, the anomaly-report user interface provided by embodiments of the present invention allows an analyst to visualize anomalies (such as anomalous behaviors or disgruntled sentiments) within an organization at multiple resolutions, such as at the organizational level, at various sub-divisional levels, or at the individual level. Moreover, the user interface makes it possible for the analyst to navigate freely among the different resolutions. For example, the analyst can click on a node in a tree diagram representing the organization's hierarchy to expand the node to branches that represent groups or individuals at lower hierarchy levels, and specific panels on the side of the user interface may allow the analyst to navigate up to a higher hierarchy level. Detailed anomaly or psychological reports of an individual can also be presented when the analyst clicks on a visual representation of a particular individual. Various visual-assistance techniques, such as color schemes, can be used to display the anomalies or psychological variables.
Note that the various views of the user interface displayed in the figures (such as
The data structures and code described in this detailed description are typically stored on a computer-readable storage medium, which may be any device or medium that can store code and/or data for use by a computer system. The computer-readable storage medium includes, but is not limited to, volatile memory, non-volatile memory, magnetic and optical storage devices such as disk drives, magnetic tape, CDs (compact discs), DVDs (digital versatile discs or digital video discs), or other media capable of storing computer-readable media now known or later developed.
The methods and processes described in the detailed description section can be embodied as code and/or data, which can be stored in a computer-readable storage medium as described above. When a computer system reads and executes the code and/or data stored on the computer-readable storage medium, the computer system performs the methods and processes embodied as data structures and code and stored within the computer-readable storage medium.
Furthermore, methods and processes described herein can be included in hardware modules or apparatus. These modules or apparatus may include, but are not limited to, an application-specific integrated circuit (ASIC) chip, a field-programmable gate array (FPGA), a dedicated or shared processor that executes a particular software module or a piece of code at a particular time, and/or other programmable-logic devices now known or later developed. When the hardware modules or apparatus are activated, they perform the methods and processes included within them.
The foregoing descriptions of various embodiments have been presented only for purposes of illustration and description. They are not intended to be exhaustive or to limit the present invention to the forms disclosed. Accordingly, many modifications and variations will be apparent to practitioners skilled in the art. Additionally, the above disclosure is not intended to limit the present invention.
This invention was made with government support under W911NF-11-C-0216(3729) awarded by Army Research Office. The government has certain rights in the invention.