Patent Application
20170286856
Field
Embodiments described herein generally relate to data analysis systems, and more particularly to trend analysis with semantic memory.
Description of the Related Art
Many currently available surveillance and monitoring systems (e.g., video surveillance systems, SCADA systems, data network security systems, and the like) are trained to observe specific activities and alert an administrator after detecting those activities.
However, such rules-based systems require advance knowledge of what actions and/or objects to observe. The activities may be hard-coded into underlying applications or the system may train itself based on any provided definitions or rules. In other words, unless the underlying code includes descriptions of certain behaviors or rules for generating an alert for a given observation, the system is incapable of recognizing such behaviors. Such a rules-based approach is rigid. That is, unless a given behavior conforms to a predefined rule, an occurrence of the behavior can go undetected by the monitoring system. Even if the system trains itself to identify the behavior, the system requires rules to be defined in advance for what to identify.
One approach to addressing these limitations includes an adaptive behavior recognition system capable of modeling data monitored by a sensor, such as a video camera or temperature sensor. However, small or gradual changes or adaptations over relatively long periods of time may be difficult to detect where each change is not enough by itself to trigger any kind of alert or warning.
One embodiment presented herein includes a method for detecting changes in a neuro-linguistic model. The method generally includes receiving a first neuro-linguistic model, wherein the first neuro-linguistic model provides a set of statistical descriptions generated from a first set of input data received from one or more sensor devices during a first time period receiving a second neuro-linguistic model having a second set of statistical descriptions for second input data, wherein the second neuro-linguistic model provides a set of statistical descriptions of the second input data transmitted from the one or more sensor devices during a second time period. The method continues by comparing the second set of statistical descriptions to the first set statistical descriptions to determine a set of matching statistical descriptions and generating a similarity score based on the matching statistical descriptions. Upon determining a trend change based on a comparison between the similarity score and a threshold, outputting an alert indication of trend change.
Another embodiment presented herein includes a computer-readable storage medium storing instructions, which, when executed on a processor, performs an operation for detecting changes in a neuro-linguistic model. The operation itself generally includes receiving a first neuro-linguistic model, wherein the first neuro-linguistic model provides a set of statistical descriptions generated from a first set of input data received from one or more sensor devices during a first time period receiving a second neuro-linguistic model having a second set of statistical descriptions for second input data, wherein the second neuro-linguistic model provides a set of statistical descriptions of the second input data transmitted from the one or more sensor devices during a second time period. The method continues by comparing the second set of statistical descriptions to the first set statistical descriptions to determine a set of matching statistical descriptions and generating a similarity score based on the matching statistical descriptions. Upon determining a trend change based on a comparison between the similarity score and a threshold, outputting an alert indication of trend change.
Yet another embodiment presented herein includes a system having a processor and a memory storing one or more application programs configured to perform an operation for detecting changes in a neuro-linguistic model. The operation itself generally includes receiving a first neuro-linguistic model, wherein the first neuro-linguistic model provides a set of statistical descriptions generated from a first set of input data received from one or more sensor devices during a first time period receiving a second neuro-linguistic model having a second set of statistical descriptions for second input data, wherein the second neuro-linguistic model provides a set of statistical descriptions of the second input data transmitted from the one or more sensor devices during a second time period. The method continues by comparing the second set of statistical descriptions to the first set statistical descriptions to determine a set of matching statistical descriptions and generating a similarity score based on the matching statistical descriptions. Upon determining a trend change based on a comparison between the similarity score and a threshold, outputting an alert indication of trend change.
So that the manner in which the above recited features of the present disclosure can be understood in detail, a more particular description of the disclosure, briefly summarized above, may be had by reference to embodiments, some of which are illustrated in the appended drawings. It is to be noted, however, that the appended drawings illustrate only exemplary embodiments and are therefore not to be considered limiting of its scope, may admit to other equally effective embodiments.
To facilitate understanding, identical reference numerals have been used, where possible, to designate identical elements that are common to the figures. It is contemplated that elements and features of one embodiment may be beneficially incorporated in other embodiments without further recitation.
Embodiments presented herein describe a behavior recognition system. The behavior recognition system may be configured with one or more data collector components that collect raw data values from different data sources (e.g., video data, building management data, SCADA data, network data). For example, a behavior recognition system may be configured for video surveillance. The behavior recognition system may include a data collector component that retrieves video frames in real-time, separates foreground objects from background objects, and tracks foreground objects from frame-to-frame. The data collector component may normalize the video frame data into numerical values (e.g., falling within a range from 0 to 1 with respect to a given data type).
In some embodiments, the behavior recognition system includes a neuro-linguistic module that performs neural network-based linguistic analysis on the collected data. Specifically, for each type of data monitored by a sensor, the neuro-linguistic module creates and refines a linguistic model of the normalized data. That is, the neuro-linguistic module builds a grammar used to describe the normalized data. The linguistic model includes symbols that serve as building blocks for the grammar. The neuro-linguistic module identifies combinations of symbols to build a dictionary of words. Once the dictionary is built, the neuro-linguistic module identifies phrases that include various combinations of words in the dictionary. The behavior recognition system uses such a linguistic model to describe what is being observed. The linguistic model allows the behavior recognition system to distinguish between normal and abnormal activity observed in the input data. As a result, the behavior recognition system can issue alerts whenever abnormal activity occurs.
To generate the linguistic model, a neuro-linguistic module receives normalized data values and organizes the data into clusters. The neuro-linguistic module evaluates statistics of each cluster and identifies statistically relevant clusters. Further, the neuro-linguistic module generates symbols, e.g., letters, corresponding to each statistically relevant cluster. Thus, input values mapping to a given cluster may correspond to a symbol.
The neuro-linguistic module generates a lexicon, i.e., builds a dictionary, of observed combinations of symbols, i.e., words, based on a statistical distribution of symbols identified in the input data. Specifically, the neuro-linguistic module may identify patterns of symbols in the input data at different frequencies of occurrence. Further, the neuro-linguistic module can identify statistically relevant combinations of symbols at different lengths (e.g., from one-symbol to a maximum-symbol word length). The neuro-linguistic module may include such statistically relevant combinations of symbols in a dictionary used to identify phrases for the linguistic model.
Using words from the dictionary, the neuro-linguistic module generates phrases based on probabilistic relationships of each word occurring in sequence relative to other words as additional data is observed. For example, the neuro-linguistic module may identify a relationship between a given three-letter word that frequently appears in sequence with a given four-letter word, and so on. The neuro-linguistic module determines a syntax based on the identified phrases.
The syntax allows the behavior recognition system to learn, identify, and recognize patterns of behavior without the aid or guidance of predefined activities. Unlike a rules-based surveillance system, which contains predefined patterns of what to identify or observe, the behavior recognition system learns patterns by generalizing input and building behavior memories of what is observed. Over time, the behavior recognition system uses these memories to distinguish between normal and anomalous behavior reflected in observed data.
For example, the neuro-linguistic module builds letters, words, phrases, and estimates an “unusualness score” for each identified letter, word, or phrase. The unusualness score (for a letter, word, or phrase observed in input data) provides a measure of how infrequently the letter, word, or phrase has occurred relative to past observations. Thus, the behavior recognition system may use the unusualness scores to both measure how unusual a current syntax is, relative to a stable model of symbols (i.e., letters), a stable model of words built from the symbols (i.e., a dictionary) and a stable model of phrase built from the words (i.e., a syntax)—collectively the neuro-linguistic model.
As the neuro-linguistic module continues to receive input data, the neuro-linguistic module may decay, reinforce, and generate the letters, words, and syntax models. In parlance with the machine learning field, the neuro-linguistic module “learns on-line” as new data is received and occurrences a given type of input data either increases, decreases, appears, or disappears.
The CPU 120 retrieves and executes programming instructions stored in the memory 123 as well as stores and retrieves application data residing in the storage 124. In some embodiments, the GPU 121 implements a Compute Unified Device Architecture (CUDA). Further, the GPU 121 is configured to provide general purpose processing using the parallel throughput architecture of the GPU 121 to more efficiently retrieve and execute programming instructions stored in the memory 123 and also to store and retrieve application data residing in the storage 124. The parallel throughput architecture provides thousands of cores for processing the application and input data. As a result, the GPU 121 leverages the thousands of cores to perform read and write operations in a massively parallel fashion. Taking advantage of the parallel computing elements of the GPU 121 allows the behavior recognition system 100 to better process large amounts of incoming data (e.g., input from a video and/or audio source). As a result, the behavior recognition system 100 may scale with relatively less difficulty.
The sensor management module 130 provides one or more data collector components. Each of the collector components is associated with a particular input data source, e.g., a video source, a SCADA (supervisory control and data acquisition) source, an audio source, a network traffic source, etc. The collector components retrieve (or receive, depending on the sensor) input data from each source at specified intervals (e.g., once a minute, once every thirty minutes, once every thirty seconds, etc.). The sensor management module 130 controls the communications between the data sources. Further, the sensor management module 130 normalizes input data and sends the normalized data to the sensory memory component 135.
The sensory memory component 135 is a data store that transfers large volumes of data from the sensor management module 130 to the machine learning engine 140. The sensory memory component 135 stores the data as records. Each record may include an identifier, a timestamp, and a data payload. Further, the sensory memory component 135 aggregates incoming data in a time-sorted fashion. Storing incoming data from each of the data collector components in a single location where the data may be aggregated allows the machine learning engine 140 to process the data efficiently. Further, the computer system 115 may reference data stored in the sensory memory component 135 in generating alerts for anomalous activity. In some embodiments, the sensory memory component 135 may be implemented in via a virtual memory file system in the memory 123. In another embodiment, the sensory memory component 135 is implemented using a key-value share.
The machine learning engine 140 receives data output from the_sensor management module 135. Generally, components of the machine learning engine 140 generate a linguistic representation of the normalized vectors. As described further below, to do so, the machine learning engine 140 clusters normalized values having similar features and assigns a distinct symbol to each cluster. The machine learning engine 140 may then identify recurring combinations of symbols (i.e., words) in the data. The machine learning engine 140 then similarly identifies recurring combinations of words (i.e., phrases) in the data.
Note, however,
The persistence layer 210 includes data stores that maintain information used by components of the computer system 115. For example, the persistence layer 210 includes data stores that maintain information describing properties of the data collector modules 202, system properties (e.g., serial numbers, available memory, available capacity, etc. of the computer system 115), and properties of the source driver (e.g., active plug-ins 118, active sensors associated with each data source, normalization settings, etc.). Other data stores may maintain learning model information, system events, and behavioral alerts. In addition, the sensory memory component 135 resides in the persistence layer 210.
The machine learning engine 140 itself includes a neuro-linguistic module 215 and a cognitive module 225. The neuro-linguistic module 215 performs neural network-based linguistic analysis of normalized input data to build a neuro-linguistic model of the observed input data. The behavior recognition system can use the linguistic model to describe subsequently observed activity. However, rather than describing the activity based on pre-defined objects and actions, the neuro-linguistic module 215 develops a custom language based on symbols, words, and phrases generated from the input data. As shown, the neuro-linguistic module 215 includes a data transactional memory (DTM) component 216, a classification analyzer component 217, a mapper component 218, a lexical analyzer component 219, and a perceptual associative memory (PAM) component 220. The neuro-linguistic module 215 may also contain additional modules such as, for example, a trajectory module, for observing and describing various activities. In some embodiments, the neuro-linguistic module 215 may reside in GPU memory.
In some embodiments, the DTM component 216 retrieves the normalized vectors of input data from the sensory memory component 135 and stages the input data in the pipeline architecture provided by the GPU 121. The classification analyzer component 217 evaluates the normalized data organized by the DTM component 216 and maps the data on a neural network. In some embodiments, the neural network is a combination of a self-organizing map (SOM) and an adaptive resonance theory (ART) network.
The mapper component 218 clusters the data streams based on values occurring repeatedly in association with one another. Further, the mapper component 218 generates a set of clusters for each input feature. For example, assuming that the input data corresponds to video data, features may include location, velocity, acceleration etc. The mapper component 218 would generate separate sets of clusters for each of these features. The mapper component 218 identifies symbols (i.e., builds an alphabet of letters) based on the clustered input data. Specifically, the mapper component 218 determines a statistical distribution of data in each cluster. For instance, the mapper component 218 determines a mean, variance, and standard deviation for the distribution of values in the cluster. The mapper component 218 also updates the statistics as more normalized data is received. Further, each cluster may be associated with a statistical significance score. The statistical significance for a given cluster increases as more data is received which maps to that cluster. In addition, the mapper component 218 decays the statistical significance of the cluster as the mapper component 218 observes data mapping to the cluster less often over time.
In some embodiments, the mapper component 218 assigns a set of symbols to clusters having statistical significance. A cluster may have statistical significance if a threshold amount of input data mapping to that cluster is exceeded. A symbol may be described as a letter of an alphabet used to create words used in the neuro-linguistic analysis of the input data. A symbol provides a “fuzzy” representation of the data belonging to a given cluster.
Further, the mapper component 218 is adaptive. That is, the mapper component 218 may identify new symbols corresponding to new clusters generated from the normalized data, as such clusters are reinforced over time (resulting in such clusters reaching a level statistical significance relative to the other clusters that emerge from the input data). The mapper component 218 “learns on-line” and may merge similar observations to a more generalized cluster. The mapper component 218 may assign a distinct symbol to the resulting cluster.
Once a cluster has reached statistical significance (i.e., data observed as mapping to that cluster has reached a threshold amount of points), the mapper component 219 begins sending corresponding symbols to the lexical analyzer component 219 in response to normalized data that maps to that cluster. In some embodiments, the mapper component 218 limits symbols that can be sent to the lexical component 219 to the most statistically significant clusters. In practice, outputting symbols (i.e., letters) assigned to the top thirty-two clusters has shown to be effective. However, other amounts may also prove effective, such as the top sixty-four or 128 most frequently recurring clusters. Note, over time, the most frequently observed symbols may change as clusters increase (or decrease) in statistical significance. As such, it is possible for a given cluster to lose statistical significance. Over time, thresholds for statistical significance can increase, and thus, if the amount of observed data mapping to a given cluster fails to meet a threshold, then the cluster loses statistical significance.
In some embodiments, the mapper component 218 evaluates an unusualness score for each symbol. The unusualness score is based on the frequency of a given symbol relative to other symbols observed in the input data stream, over time. The unusualness score may increase or decrease over time as the neuro-linguistic module 215 receives additional data.
The mapper component 218 sends a stream of the symbols (e.g., letters), timestamp data, unusualness scores, and statistical data (e.g., a representation of the cluster associated with a given symbol) to the lexical analyzer component 219. The lexical analyzer component 219 builds a dictionary based on symbols output from the mapper component 218. In practice, the mapper component 218 may need approximately 5000 observations (i.e., normalized vectors of input data) to generate a stable alphabet of symbols.
The lexical analyzer component 219 builds a dictionary that includes combinations of co-occurring symbols, e.g., words, from the symbols transmitted by the mapper component 218. The lexical analyzer component 219 identifies repeating co-occurrences of letters and features output from the mapper component 218 and calculates frequencies of the co-occurrences occurring throughout the symbol stream. The combinations of symbols may represent a particular activity, event, etc.
In some embodiments, the lexical analyzer component 219 limits the length of words in the dictionary to allow the lexical analyzer component 219 to identify a number of possible combinations without adversely affecting the performance of the computer system 115. Further, the lexical analyzer component 219 may use level-based learning models to analyze symbol combinations and learn words. The lexical analyzer component 219 learns words up through a maximum symbol combination length at incremental levels, i.e., where one-letter words are learned at a first level, two-letter words are learned at a second level, and so on. In practice, limiting a word to a maximum of five or six symbols has shown to be effective.
Like the mapper component 218, the lexical analyzer component 219 is adaptive. That is, the lexical analyzer component 219 may learn and generate words in the dictionary over time. The lexical analyzer component 219 may also reinforce or decay the statistical significance of words in the dictionary as the lexical analyzer component 219 receives subsequent streams of symbols over time. Further, the lexical analyzer component 219 may determine an unusualness score for each word based on how frequently the word recurs in the data. The unusualness score may increase or decrease over time as the neuro-linguistic module 215 processes additional data.
In addition, as additional observations (i.e., symbols) are passed to the lexical analyzer component 219 and identified as a being part of a given word, the lexical analyzer component 219 may determine that the word model has matured. Once a word model has matured, the lexical analyzer component 219 may output observations of those words in the model to the PAM component 219. In some embodiments, the lexical analyzer component 219 limits words sent to the PAM component 320 to the most statistically relevant words. In practice, for each single sample, outputting occurrences of the top thirty-two most frequently occurring words has shown to be effective (while the most frequently occurring words stored in the models can amount to thousands of words). Note, over time, the most frequently observed words may change as the observations of incoming letters change in frequency (or as new letters emerge by the clustering of input data by the mapper component 218.
Once the lexical analyzer component 219 has built the dictionary (i.e., identifies words that have a reached a predefined statistical significance), the lexical analyzer component 219 sends occurrences of words subsequently observed in the input stream to the PAM component 220. The PAM component 220 builds a syntax of phrases with from the words output by the lexical analyzer component 219. In practice, lexical analyzer component 219 may build a useful dictionary of words after receiving approximately 15,000 observations (i.e., input letters from the mapper component 218).
The PAM component 220 identifies a syntax of phrases based on the sequence of words output from the lexical analyzer component 219. Specifically, the PAM component 220 receives the words identified by the lexical analyzer component 219 generates a connected graph, where the nodes of the graph represent the words, and the edges represent a relationship between the words. The PAM component 220 may reinforce or decay the links based on the frequency that the words are connected with one another in a data stream.
Similar to the mapper component 218 and the lexical analyzer component 219, the PAM component 220 determines an unusualness score for each identified phrase based on how frequently the phrase recurs in the linguistic data. The unusualness score may increase or decrease over time as the neuro-linguistic module 215 processes additional data.
Similar to the lexical analyzer component 219, the PAM component 220 may limit the length of a given phrase to allow the PAM component 220 to be able to identify a number of possible combinations without adversely affecting the performance of the computer system 115.
The PAM component 220 identifies syntax phrases over observations of words output from the lexical analyzer component 219. As observations of words accumulate, the PAM component 220 may determine that a given phrase has matured, i.e., a phrase has reached a measure of statistical relevance. The PAM component 220 then outputs observations of that phrase to the cognitive module 225. The PAM component 220 sends data that includes a stream of the symbols, words, phrases, timestamp data, unusualness scores, and statistical calculations to the cognitive module 325. In practice, the PAM component 220 may obtain a meaningful set of phrases after observing about 5000 words from the lexical analyzer component 219.
After maturing, the generated letters, words, and phrases form a stable neuro-linguistic model of the input data that the computer system 115 uses to compare subsequent observations of letters, words, and phrases against the stable model. The neuro-linguistic module 215 updates the linguistic model as new data is received. Further, the neuro-linguistic module 215 may compare a currently observed syntax to the model. That is, after building a stable set of letters, the neuro-linguistic module 215 may build a stable model of words (e.g., a dictionary). In turn, the neuro-linguistic module 215 may be used to build a stable model of phrases (e.g., a syntax). Thereafter, when the neuro-linguistic module 215 receives subsequently normalized data, the module 215 can output an ordered stream of symbols, words, and phrases, all of which can be compared to the stable model to identify interesting patterns or detect deviations occurring in the stream of input data.
The cognitive module 225 performs learning analysis on the linguistic content delivered to semantic memory 230 (i.e., the identified symbols, words, phrases) by comparing new observations to the learned patterns in the stable neuro-linguistic model kept in semantic memory 230 and then estimating the rareness of these new observations.
As shown, the cognitive module 225 includes a workspace 226, a semantic memory 230, codelet templates 235, episodic memory 240, long-term memory 245, and an anomaly detection component 250. The semantic memory 230 stores the stable neuro-linguistic model described above, i.e., a stable copy from the mapper component 218, lexical analyzer component 219, and the PAM component 220. In some embodiments, the semantic memory 260 may reside in system memory and may be updated periodically, such as after a period of time or during a system save, with statistically significant data from the neuro-linguistic model.
In some embodiments, the workspace 226 provides a computational engine for the machine learning engine 140. The workspace 226 performs computations (e.g., anomaly modeling computations) and stores immediate results from the computations.
The workspace 226 retrieves the neuro-linguistic data from the PAM component 220 and disseminates this data to different portions of the cognitive module 225 as needed.
The episodic memory 240 stores linguistic observations related to a particular episode in the immediate past and may encode specific details, such as the “what” and the “when” of a particular event.
The long-term memory 245 stores generalizations of the linguistic data with particular episodic details stripped away. In this way, when a new observation occurs, memories from the episodic memory 240 and the long-term memory 245 may be used to relate and understand a current event, i.e., the new event may be compared with past experience (as represented by previously observed linguistic data), leading to both reinforcement, decay, and adjustments to the information stored in the long-term memory 245, over time. In a particular embodiment, the long-term memory 245 may be implemented as an ART network and a sparse-distributed memory data structure. Importantly, however, this approach does not require events to be defined in advance.
The codelet templates 235 provide a collection of executable codelets, or small pieces of code that evaluate different sequences of events to determine how one sequence may follow (or otherwise relate to) another sequence. The codelet templates 325 may include deterministic codelets and stochastic codelets. More generally, a codelet may detect interesting patterns from the linguistic representation of input data. For instance, a codelet may compare a current observation (i.e., a current phrase instance with what has been observed in the past) with previously observed activity stored in the semantic memory 230. By repeatedly scheduling codelets for execution, copying memories and percepts to/from the workspace 226, the cognitive module 225 performs a cognitive cycle used to observe, and learn, about patterns of behavior that occur within the linguistic data.
The anomaly detection component 250 evaluates unusualness scores sent by the neuro-linguistic module 215 to determine whether to issue an alert in response to some abnormal activity indicated by the unusualness scores. The anomaly detection component 250 provides probabilistic histogram models (e.g., an unusual lexicon score model, an unusual syntax score model, and an anomaly model) which represent the unusualness scores. The unusual lexicon or word score model and unusual syntax score model are generated based on unusualness scores sent from the lexical analyzer component 219 and the PAM component 220. The anomaly model receives input percentiles from the unusual lexicon score model and unusual syntax score model and generates a normalized absolute unusualness score based on the percentiles for a given sample. The anomaly detection component 250 evaluates the unusualness scores of each of the symbols, words, and phrases to identify abnormal occurrences in the observed data and determines whether to send an alert based on a given score. The anomaly detection component 250 may send alert data to an output device, where an administrator may view the alert, e.g., via a management console.
The trend detection component 255 evaluates output of the neuro-linguistic module 215 for gradual or long-term changes in learning behavior. As indicated above components within the neuro-linguistic module 215, such as the mapper component 218, lexical analyzer component 219, and PAM component 220, may adapt or change over time. Relatively small or gradual changes or adaptation may be difficult to detect as the individual changes may not be, on their own, statistically significant, but can add up to large changes over time. The trend detection component extracts these long term changes by observing changes in the semantic memory 230 for statically significant long term changes.
Method 300 begins at step 305, where the data collector module 202 retrieves (or receives) data from the source input device. In this case, the data collector module 202 may retrieve sensor readings from one or more sensors, such as temperature and pressure sensors positioned to observe conditions for a particular tank. Further, the data collector module 202 identifies data values to send to the sensory memory component 135. To do so, the data collector module 202 may evaluate the sensor data to identify temperature and pressure values and generate a set of data values characterizing these aspects of the monitored tank.
At step 310, the data collector module 202 normalizes each data value to a numerical value falling within a range, e.g., between 0 to 1, inclusive, relative to the type of that data value. For example, values associated with kinematic features are normalized from 0 to 1 relative to other values associated with kinematic features. Doing so converts each value to a common format and allows the neuro-linguistic module 215 to recognize recurring events in the video stream.
After normalizing the values, at step 315, the data collector module 202 identifies additional data associated with the normalized values, such as a timestamp of a given value, an average associated with the data type (e.g., kinematic features, appearance features, location, position, etc.) of the value, and historical high and low values for that data type. Doing so allows the data collector module 202 to re-adjust the normalization in the event that the video source is modified. Specifically, the data collector module 202 references the identified historical values and averages to re-adjust the normalization.
At step 320, the data collector module 202 sends a vector of the normalized values and associated data to the sensory memory component 135. As stated, the sensory memory component 135 stores the normalized values and associated data. The neuro-linguistic module 215 may then retrieve the normalized values from the sensory memory component 135 and perform linguistic analysis thereafter.
The trend detection component 255 evaluates observations of components of the neuro-linguistic module 215 in order to detect long-term changes over time. The trend detection component 255 may store, in the workspace 226, a trend model 402 based on a previous state of the semantic memory 230. The trend extraction module 404 extracts the most significant features from semantic memory 230 for storage in the trend model 402, and the trend measurement module 406 matches data between the trend model and semantic memory and generates a measurement of any potential difference.
At 515, the statistical significance of the N clusters are compared to determine those with a statistical significance greater than S. That is, S is a threshold statistical significance level for storage in the trend model. In some embodiments, S may be statically defined, a variable, or a function of statistical significance. The clusters with statistical significance greater than S may then be stored in the trend model at 520.
The trend model may also be periodically updated. For example, semantic memory may be updated on each save after a period of time or number of observations (e.g., every two hours or 27,000 observations). When a model in semantic memory is updated, an update to the trend model may also be triggered. Where an update from semantic memory is received and the trend model exists, at 615 the update is checked to see if it is from the same year as the current trend model. Where they are from the same year, then the update and the trend model are statistically merged at 620. When merging the update with the trend model, the closest clusters between the two are matched and the mean, variance, and statistical significance information of the clusters are updated. If a merge between two closest clusters is unsuccessful, both clusters may be kept if there are less than N clusters. If there is more than N, then the less significant cluster is deleted.
Where the trend model receives an update from a different year than the trend model at 615, trend model may be updated and all trend features replaced. The trend model may store three models including a current year, Y, last year Y′, and all the previous years Y″. At 625, the model for last year, Y′ is statistically merged with the model from the previous years, Y″ as described above in conjunction with 620. Where no model exists for the previous year, such as during the third year, the Y″ may be a copy of Y′. Where there is no model for the last year, such as during the second year, merging may be skipped. At 630, the model for last year, Y′ is updated based on the model for the current year, Y. This update replaces all the trend features of Y′ with the trend features of Y. At 635, Y is deleted by resetting the model to null.
Some embodiments of the present disclosure are implemented as a program product for use with a computer system. The program(s) of the program product defines functions of the embodiments (including the methods described herein) and can be contained on a variety of computer-readable storage media. Examples of computer-readable storage media include (i) non-writable storage media (e.g., read-only memory devices within a computer such as CD-ROM or DVD-ROM disks readable by an optical media drive) on which information is permanently stored; (ii) writable storage media (e.g., floppy disks within a diskette drive or hard-disk drive) on which alterable information is stored. Such computer-readable storage media, when carrying computer-readable instructions that direct the functions of the present disclosure, are embodiments of the present disclosure. Other examples media include communications media through which information is conveyed to a computer, such as through a computer or telephone network, including wireless communications networks.
In general, the routines executed to implement the embodiments of the present disclosure may be part of an operating system or a specific application, component, program, module, object, or sequence of instructions. The computer program of the present disclosure is comprised typically of a multitude of instructions that will be translated by the native computer into a machine-readable format and hence executable instructions. Also, programs are comprised of variables and data structures that either reside locally to the program or are found in memory or on storage devices. In addition, various programs described herein may be identified based upon the application for which they are implemented in a specific embodiment of the disclosure. However, it should be appreciated that any particular program nomenclature that follows is used merely for convenience, and thus the present disclosure should not be limited to use solely in any specific application identified and/or implied by such nomenclature.
As described, embodiments herein provide techniques for determining a syntax based on a dictionary of words that represents data input from a source (e.g., video source, SCADA source, network security source, etc.) via a neuro-linguistic behavior recognition system. The symbols, words, and syntax form the basis for a linguistic model used to describe input data observed by the behavior recognition system. The behavior recognition system analyzes and learns behavior based on the linguistic model to distinguish between normal and abnormal activity in observed data. Advantageously, this approach does not relying on predefined patterns to identify behaviors and anomalies but instead learns patterns and behaviors by observing a scene and generating information on what it observes.
While the foregoing is directed to embodiments of the present disclosure, other and further embodiments of the disclosure may be devised without departing from the basic scope thereof, and the scope thereof is determined by the claims that follow.
