1 / 36

Processing Patterns for PredictiveBusiness TM

Processing Patterns for PredictiveBusiness TM. Event Processing Symposium March 14, 2006 Tim Bass, CISSP Principal Global Architect TIBCO Software Inc. . Our Agenda. Introduction Event-Decision Architecture

yen
Download Presentation

Processing Patterns for PredictiveBusiness TM

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Processing Patterns for PredictiveBusinessTM Event Processing Symposium March 14, 2006 Tim Bass, CISSP Principal Global Architect TIBCO Software Inc.

  2. Our Agenda • Introduction • Event-Decision Architecture • Traditional vs. State-of-the-Art Processing Architecture • Capstone Constraints and Requirements • Inference and Processing Architecture • Processing Patterns for PredictiveBusinessTM • Open Discussion

  3. Introduction • Event-Decision Processing is Computationally Intensive • CEP requires a Number of Technologies: • Distributed Computing, Publish/Subscribe and SOA • Hierarchical, Cooperative Inference Processing • High Speed, Real Time Processing with State Management • Event-Decision Architecture for Complex Situations and Events • There is no single “CEP Solution” or “CEP Product” • CEP needs a Common Vocabulary and Functional Architecture based on Mature, Industry-Standard Inference Models • Processing and Integration Patterns for CEP need to be Developed and Formalized

  4. A Vocabulary of Confusion (Work in Progress) Sensor Management Resource Management Control Processing Management Data Fusion Sensor Fusion Estimation Information Fusion Planning Tracking Complex Event Processing Correlation Event Stream Processing Data Mining Adapted from: Steinberg, A., & Bowman, C., CRC Press, 2001

  5. US Legislation - Monitoring Requirements The Predictive Enterprise

  6. PredictiveBusinessTM Source: Ranadivé, V., The Power to Predict, 2006.

  7. Example PredictiveBusinessTM Scenarios • Finance • Program (Opportunistic) Trading and Execution • Risk Management • Pricing and Consumer Relationship Management • Fraud and Intrusion Detection • Business Process Management • Process Monitoring • Exception Management and Outage Prediction • Scheduling • Sensor Networks • Reliability of Complex, Distributed Systems • RFID Applications • Manufacturing Floor – “Sense and Respond” • Power Grid Monitoring • Military

  8. PredictiveBusinessTM & Complex Event Processing (CEP) Graphic Sources: TIBCO Software Inc & IBM More CEP Scenarios: Stock Trading • Automatic identification of buy/sell opportunities. Compliance Checks • Sarbanes-Oxley detection. Fraud Detection • Odd credit card purchases performed within a period. CRM • Alert if three orders from the same platinum customer were rejected. Insurance Underwriting • Identification of risk. Event Streams Real-time Detection and Prediction CEP Situation Manager Historical Data "Events in several forms, from simple events to complex events, will become very widely used in business applications during 2004 through 2008" --- Gartner July 2003

  9. Our Agenda • Introduction • Event-Decision Architecture • Traditional vs. State-of-the-Art Processing Architecture • Capstone Constraints and Requirements • Inference and Processing Architecture • Processing Patterns for PredictiveBusinessTM • Open Discussion

  10. Network TAP A Traditional Event-Driven Architecture (Fraud) Queue Screen Based Channel Fraud Detection Rules Screen Audit events Fraud Event Client/Server Channel Queue Fraud Detection Rules …1234Joe01021970….. Structured messages Fraud Event Queue Fraud Detection Rules EMS Channel Fraud Detection Rules Message Audit events Sensor Preprocessing Fraud Event Unix/ VT Channel Queue Fraud Detection Rules Screen/ message Audit events Fraud Event Queue Fraud Detection Rules HTTP Channel HTTP request / response Fraud Event Service API Queue Fraud Detection Rules API Channel Structured messages Fraud Event

  11. Distributed Multisensor Infrastructure Emerging Event-Decision Architecture Internet/Extranet Sensors Human Sensors Edge/POC Sensors Operations Center Customer Profiles Other References Purpose-Built Analytics Complex Event Processors Sensors are Everywhere!

  12. Capstone Constraints & Requirements • Constraints: • Distributed, heterogeneous Internet and Intranet environments • Purpose built systems and analytics, compartmentalization and specialization • Data-at-rest (databases and warehouses) and data-in-motion (real time, event driven) • Infrastructure Requirements: • Service-oriented architecture • Event-driven, zero-latency, distributed message-oriented middleware • Support for both standards-based interfaces and purpose-built (proprietary) interfaces • Real-time event-decision processing • Specialization, data warehousing, data mining, analytics • Human interaction with computers and networks • Processing Requirements • Layered knowledge / inference and analytics processing • Complex event processing, state and temporal management, state estimation • Progressive hierarchical inference – data, event, complex event, situation, impact, prediction • Adaptive control and resource management • Enterprise processing model (architecture) 22

  13. HIGH MED LOW Event-Inference Hierarchy Impact Assessment Situational Assessment Relationship of Events Identify Events Location, Times and Rates of Events of Interest Existence of Possible Event of Interest Data/Event Cloud Analysis of Situation & Plans Contextual and Causal Analysis Causal Analysis, Bayesian Belief Networks, NNs, Correlation, State Estimation, Classification Use of Distributed Sensors for Estimations Raw Sensor Data (Passive and Active) Adapted from: Waltz, E. & Llinas, J., Multisensor Data Fusion, 1990 22

  14. Event-Decision High Level Architecture KS KS KS KS KS KS KS EVENT CLOUD (DISTRIBUTED DATA SET) KS KS KS KS KS KS KS Adapted from: Engelmore, R. S., Morgan, A.J., & and Nii, H. P., Blackboard Systems, 1988 & Luckham, D., The Power of Events, 2002 22

  15. KS KS KS HLA - Knowledge Sources • Sensors • Systems that provide data and events to the inference models and humans • Actuators • Systems that take action based on inference models and human interactions • Knowledge Processors • Systems that take in data and events, process the data and events, and output refined, correlated, or inferred data or events

  16. Event-Decision Architecture EVENT SOURCES EVENT PRE-PROCESSING COMPLEX EVENT PROCESSING (CEP) EXTERNAL DISTRIBUTED LEVEL ONE EVENTREFINEMENT LEVEL TWO SITUATION REFINEMENT LEVEL THREE IMPACT ASSESSMENT USERINTERFACE LOCAL EVENTSERVICES . . EVENT PROFILES . . DATA BASES . . OTHER DATA . . . DB MANAGEMENT Historical Data Profiles & Patterns LEVEL FOUR PROCESS REFINEMENT Adapted from JDL: Steinberg, A., & Bowman, C., Handbook of Multisensor Data Fusion, CRC Press, 2001 24

  17. Structured Processing for Event-Decision • Multi-level inference in a distributed event-decision architectures • Level 5 – User Interface • Human visualization, interaction and situation management • Level 4 – Process Refinement • Decide on control feedback, for example resource allocation, sensor and state management, parametric and algorithm adjustment • Level 3 – Impact Assessment • Impact threat assessment, i.e. assess intent on the basis of situation development, recognition and prediction • Level 2 – Situation Refinement • Identify situations based on sets of complex events, state estimation, etc. • Level 1 – Event Refinement • Identify events & make initial decisions based on association and correlation • Level 0 – Event Preprocessing • Cleansing of event-stream to produce semantically understandable data Level of Inference High Med Low

  18. CEP Level 0 – Event Preprocessing • Cleanse/Refine/Normalize Data for Upstream Processing • Calibrate Raw Event Cloud: • Web Server Farm Event Stream Example - • Group HTTP REQUESTS and RESPONSES • Reduce and Extract Required Data from Transaction • Format into Event for Upstream Processing • Intelligent Agent Fraud Detection Event Steam Example - • Receive Event Stream from Purpose-Built FD Application • Reduce and Extract Required Event from Event Stream • Format for Upstream Processing • Reduces System Load by Preprocessing Events • Enables Upstream to Concentrate on Most Relevant Events • Focuses on Objects/Events

  19. CEP Level 1 – Event Refinement • Problem: Which Events in the Event Stream Are “Interesting”? • Event Refinement Example (Association & Classification): • Hypothesis Generation (HG) • Processing incoming events, data and reports • Hypothesis: This Group of Events May Represent Fraud • Output: Fraud Detection Scorecard or Matrix • Hypothesis Evaluation (HE) • Evaluates Scorecard/Matrix for likelihood comparison • Rank Evaluation: These Events have a Higher Likelihood of Fraud • Output: Fills Scorecard/Matrix with relative likelihood estimation • Hypothesis Selection (HS) • Evaluates Scorecard/Matrix for best fit into “badges of fraud” • Evaluation: Provide an Estimate (Name) of the Fraudulent Activity • Output: Assignment of fraudulent activity estimate to event

  20. CEP Level 2 – Situation Refinement • What is the Context of the Identified Events? • Focuses on Relationships and States Among Events • Situation Refinement • Event-Event Relationship Networks • Temporal and State Relationships • Geographic or Topological Proximity • Environmental Context • Example: Brand currently used by phishing site in Internet increasing probability of fraud and identity theft • Event / Activity Correlation – Relational Networks • Pattern, Profile and Signature Recognition Processing • Question: Do “Complex Events” == “Situations”?

  21. CEP Level 3 – Impact Assessment • Predict Intention of Subject (Fraudster example) • Make changes to account identity information? • Transfer funds out of account? • Test for access and return at later time? • Estimate Capabilities of Fraudster • Organized Gang or Individual Fraudster? • Expert or Novice? • Estimate Potential Losses if Successful • Identify Other Threat Opportunities

  22. CEP Level 4 – Process Refinement • Evaluate Process Performance and Effectiveness • Exception Detection, Response Efficiency and Mitigation • Knowledge Development • Identify Changes to System Parameters • Adjust Event Stream Processing Variables • Fine Tune Filters, Algorithms and Correlators • Determine If Other Source Specific Resources are Required • Recommend Allocation and Direction of Resources

  23. CEP - Database Management Examples • Reference Database • User Profiles • Activity and Event Signatures and Profiles • Environmental Profiles • Inference Database • Subject Identification • Situation and Threat Assessment • Knowledge Mining • Referential Mapping Database Examples • Mapping Between IP Address and Domain • Mapping Between Known Anonymous Proxies

  24. CEP Level 5 – User Interface / Interaction • Operational Visualization at all “Levels” • Dynamic Graphical Representations of Situations • Supports the Decision Making Process of Analytics Personnel • Process and Resource Control • Supports Resource Allocation and Process Refinement • Display Control & Personalization • Different Operator Views Based on Job Function and Situation

  25. Our Agenda • Introduction • Event-Decision Architecture • Traditional vs. State-of-the-Art Processing Architecture • Capstone Constraints and Requirements • Inference and Processing Architecture • Processing Patterns for PredictiveBusinessTM • Open Discussion

  26. Processing Patterns Processing Patterns for PredictiveBusinessTM Business Context Inference Processing Techniques

  27. Inference Algorithms for Event-Decision Processing • A sample of event-decision processing algorithms relevant to CEP: • Rule-Based Inference • Bayesian Belief Networks (Bayes Nets) • Dempster-Shafer’s Method • Adaptive Neural Networks • Cluster Analysis • State-Vector Estimation • Key Takeaway: Analytics for CEP exist in the art & science of mature multi-sensor data fusion processing - these analytics can be mapped to recurring business patterns.

  28. Map Business Context to Classical Methods Note: For Illustrative Purposes Only • Sensor Optimization • Complex Diagnostics • Fraud Detection • Intrusion Detection • Network Management • Counterterrorism • Opportunistic Trading • Compliance Monitoring • Supply Chain Optimization • Classical Inference • Bayesian Belief Networks • Hidden Markov Models • Dempster-Shafer’s Method • Self-Organizing Feature Maps • State-Vector Estimation • Adaptive Neural Networks • Rule-Based Inference Business Context Inference Processing Techniques

  29. Profile Mismatch Brand Phishing Login Success Uses Proxy Brand Misuse Phishing Alert Identity Theft Known Fraud IP Alert Security Account Lockout Alert Service Alert Customer Bayes Net: Identity Theft Detection / Phishing Source: Bass, T., TIBCO Software Inc., January 2006

  30. Bayes Net: Simple Web-Click Behavior Session Time # Items Purchased Total Purchase Click Pg Subtype Click to Purchase Click Pg Type Session ID Code Associate Session ID Recognize Session Click Price Price ID Browser ID OS Click Elapsed Stores Visited Click Count Source: Ambrosio, B., CleverSet Inc., December 2004

  31. Recurring Pattern(s) for PredictiveBusinessTM • Bayesian Techniques for Complex Event Processing in: • SPAM Filtering • Telecommunications Fraud • Other Behavior-Based Fraud & Intrusion Detection • Financial Risk Management • Credit Approval and Credit Limit Automation • Medical Diagnosis • Military ID, Command and Control • BNs dominate many other areas in Complex Event Processing • Graphical representation of your domain knowledge • Both causality and probability reside in the models • Well established as a knowledge processing technique

  32. Event-Decision Processing Characteristics Adapted (this and the next slide) from: Steinberg, A., & Bowman, C., Handbook of Multisensor Data Fusion, CRC Press, 2001

  33. Comparison of Event-Decision Models

  34. Key Takeaways • Event Processing can be a Computationally Intensive • CEP Requires a Number of Technologies: • Distributed Computing, Publish/Subscribe and SOA • Hierarchical, Cooperative Inference Processing • High Speed, Real Time Rules Processing with State Management • Event-Decision Architecture for Complex Events / Situations • CEP Community Needs Common Vocabulary and Functional Architecture based on Established Inference Models • Processing Patterns for CEP Need to be Developed based on using a Common Vocabulary and Functional Architecture

  35. Thank You! Tim Bass, CISSP Principal Global Architect tbass@tibco.com Complex Event Processing at TIBCO

  36. JDL Example: Inference ScoreCards Event Source ScoreCard Level 4 Process Refinement Task Fraud Situations Business Impact ScoreCard ScoreCard Level 2 Situation Assessment Level 3 Impact Assessment Fraud Situations Fraud Events Event Stream Fraud Events ScoreCard ScoreCard Level 0 Pre-Processing Level 1 Event Refinement Raw Data Event Stream Modified from: Steinberg, A., & Bowman, C., CRC Press, 2001

More Related