Download Patterns for PredictiveBusiness(TM)

Processing Patterns for
PredictiveBusinessTM
Event Processing Symposium
March 14, 2006
Tim Bass, CISSP
Principal Global Architect
TIBCO Software Inc.
Our Agenda
 Introduction
 Event-Decision Architecture
 Traditional vs. State-of-the-Art Processing Architecture
 Capstone Constraints and Requirements
 Inference and Processing Architecture
 Processing Patterns for PredictiveBusinessTM
 Open Discussion
2
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
Introduction
 Event-Decision Processing is Computationally Intensive
 CEP requires a Number of Technologies:
 Distributed Computing, Publish/Subscribe and SOA
 Hierarchical, Cooperative Inference Processing
 High Speed, Real Time Processing with State Management
 Event-Decision Architecture for Complex Situations and Events
 There is no single “CEP Solution” or “CEP Product”
 CEP needs a Common Vocabulary and Functional Architecture
based on Mature, Industry-Standard Inference Models
 Processing and Integration Patterns for CEP need to be
Developed and Formalized
3
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
A Vocabulary of Confusion (Work in Progress)
Sensor
Management
Resource Management
Processing
Management
Control
Sensor Fusion
Estimation
Planning
Correlation
Tracking
Information
Fusion
Data Mining
Data Fusion
Adapted from: Steinberg, A., & Bowman, C., CRC Press, 2001
4
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
Complex Event
Processing
Event Stream
Processing
The Predictive Enterprise
US Legislation - Monitoring Requirements
5
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
TM
PredictiveBusiness
Source: Ranadivé, V., The Power to Predict, 2006.
6
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
Example PredictiveBusinessTM Scenarios
 Finance
 Program (Opportunistic) Trading and Execution
 Risk Management
 Pricing and Consumer Relationship Management
 Fraud and Intrusion Detection
 Business Process Management
 Process Monitoring
 Exception Management and Outage Prediction
 Scheduling
 Sensor Networks
 Reliability of Complex, Distributed Systems
 RFID Applications
 Manufacturing Floor – “Sense and Respond”
 Power Grid Monitoring
 Military
7
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
PredictiveBusinessTM & Complex Event Processing (CEP)
Graphic Sources: TIBCO Software Inc & IBM
More CEP Scenarios:
Stock Trading
Event Streams
Real-time Detection
and Prediction
 Automatic identification of
buy/sell opportunities.
Compliance Checks
CEP
Situation
Manager
 Sarbanes-Oxley detection.
Fraud Detection
 Odd credit card purchases
performed within a period.
Historical Data
"Events in several forms, from simple
events to complex events, will become
very widely used in business applications
during 2004 through 2008"
--- Gartner July 2003
8
CRM
 Alert if three orders from the
same platinum customer were
rejected.
Insurance Underwriting
 Identification of risk.
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
Our Agenda
 Introduction
 Event-Decision Architecture
 Traditional vs. State-of-the-Art Processing Architecture
 Capstone Constraints and Requirements
 Inference and Processing Architecture
 Processing Patterns for PredictiveBusinessTM
 Open Discussion
9
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
A Traditional Event-Driven Architecture (Fraud)
Network TAP
Queue
Sensor Preprocessing
Queue
Service
API
10
Queue
Queue
Queue
Queue
Screen
Based
Channel
Client/
Server
Channel
EMS
Channel
Unix/ VT
Channel
HTTP
Channel
API
Channel
Screen
Audit events
…1234Joe01021970…..
Structured
messages
Message Audit
events
Screen/ message
Audit events
HTTP request /
response
Structured
messages
Fraud
Detection
Rules
Fraud
Detection
Rules
Fraud
Detection
Rules
Fraud
Detection
Rules
Fraud
Detection
Rules
Fraud
Event
Fraud
Event
Fraud
Event
Fraud
Event
Fraud
Event
Fraud
Detection
Rules
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
Fraud
Event
Fraud
Detection
Rules
Emerging Event-Decision Architecture
Internet/Extranet
Sensors
Human
Sensors
Edge/POC
Sensors
Operations
Center
Distributed Multisensor Infrastructure
Purpose-Built
Analytics
Customer
Profiles
Other
References
Sensors are Everywhere!
11
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
Complex Event
Processors
Capstone Constraints & Requirements
 Constraints:
 Distributed, heterogeneous Internet and Intranet environments
 Purpose built systems and analytics, compartmentalization and specialization
 Data-at-rest (databases and warehouses) and data-in-motion (real time, event driven)
 Infrastructure Requirements:






Service-oriented architecture
Event-driven, zero-latency, distributed message-oriented middleware
Support for both standards-based interfaces and purpose-built (proprietary) interfaces
Real-time event-decision processing
Specialization, data warehousing, data mining, analytics
Human interaction with computers and networks
 Processing Requirements





12
Layered knowledge / inference and analytics processing
Complex event processing, state and temporal management, state estimation
Progressive hierarchical inference – data, event, complex event, situation, impact, prediction
Adaptive control and resource management
Enterprise processing model (architecture)
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
22
Event-Inference Hierarchy
Analysis of Situation & Plans
Impact Assessment
Situational Assessment
HIGH
Relationship of Events
Contextual and Causal
Analysis
Causal Analysis, Bayesian
Belief Networks, NNs,
Identify Events
Location, Times and Rates
of Events of Interest
MED
Correlation, State Estimation,
Classification
Existence of Possible
Event of Interest
Use of Distributed
Sensors for Estimations
Data/Event Cloud
Raw Sensor Data
(Passive and Active)
LOW
Adapted from: Waltz, E. & Llinas, J., Multisensor Data Fusion, 1990
13
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
22
Event-Decision High Level Architecture
KS
KS
KS
KS
KS
KS
KS
KS
KS
EVENT CLOUD
(DISTRIBUTED DATA SET)
KS
KS
KS
KS
KS
Adapted from: Engelmore, R. S., Morgan, A.J., & and Nii, H. P., Blackboard Systems, 1988 &
Luckham, D., The Power of Events, 2002
14
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
22
HLA - Knowledge Sources
KS
 Sensors
• Systems that provide data and events to the inference models
and humans
KS
 Actuators
• Systems that take action based on inference models and human
interactions
KS
 Knowledge Processors
• Systems that take in data and events, process the data and
events, and output refined, correlated, or inferred data or events
15
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
Event-Decision Architecture
EVENT
SOURCES
EXTERNAL
EVENT PREPROCESSING
COMPLEX EVENT PROCESSING (CEP)
DISTRIBUTED
LOCAL
EVENT
SERVICES
.
.
EVENT
.
PROFILES
.
. .
.
DATA
BASES
.
.
OTHER
DATA
LEVEL ONE
LEVEL TWO
LEVEL THREE
EVENT
REFINEMENT
SITUATION
REFINEMENT
IMPACT
ASSESSMENT
USER
INTERFACE
DB MANAGEMENT
LEVEL FOUR
Historical
Data
Profiles &
Patterns
PROCESS
REFINEMENT
Adapted from JDL:
Steinberg, A., & Bowman, C., Handbook of Multisensor Data Fusion, CRC Press, 2001
16
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
24
Structured Processing for Event-Decision
 Multi-level inference in a distributed event-decision architectures
 Level 5 – User Interface
 Human visualization, interaction and situation management
Level of  Level 4 – Process Refinement
Inference
 Decide on control feedback, for example resource allocation, sensor and
state management, parametric and algorithm adjustment
High
 Level 3 – Impact Assessment
 Impact threat assessment, i.e. assess intent on the basis of situation
development, recognition and prediction
Med
 Level 2 – Situation Refinement
 Identify situations based on sets of complex events, state estimation, etc.
 Level 1 – Event Refinement
 Identify events & make initial decisions based on association and correlation
Low
17
 Level 0 – Event Preprocessing
 Cleansing of event-stream to produce semantically understandable data
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
CEP Level 0 – Event Preprocessing
 Cleanse/Refine/Normalize Data for Upstream Processing
 Calibrate Raw Event Cloud:
 Web Server Farm Event Stream Example  Group HTTP REQUESTS and RESPONSES
 Reduce and Extract Required Data from Transaction
 Format into Event for Upstream Processing
 Intelligent Agent Fraud Detection Event Steam Example  Receive Event Stream from Purpose-Built FD Application
 Reduce and Extract Required Event from Event Stream
 Format for Upstream Processing
 Reduces System Load by Preprocessing Events
 Enables Upstream to Concentrate on Most Relevant Events
 Focuses on Objects/Events
18
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
CEP Level 1 – Event Refinement
 Problem: Which Events in the Event Stream Are “Interesting”?
 Event Refinement Example (Association & Classification):
 Hypothesis Generation (HG)
 Processing incoming events, data and reports
 Hypothesis: This Group of Events May Represent Fraud
 Output: Fraud Detection Scorecard or Matrix
 Hypothesis Evaluation (HE)
 Evaluates Scorecard/Matrix for likelihood comparison
 Rank Evaluation: These Events have a Higher Likelihood of Fraud
 Output: Fills Scorecard/Matrix with relative likelihood estimation
 Hypothesis Selection (HS)
 Evaluates Scorecard/Matrix for best fit into “badges of fraud”
 Evaluation: Provide an Estimate (Name) of the Fraudulent Activity
 Output: Assignment of fraudulent activity estimate to event
19
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
CEP Level 2 – Situation Refinement
 What is the Context of the Identified Events?
 Focuses on Relationships and States Among Events
 Situation Refinement




Event-Event Relationship Networks
Temporal and State Relationships
Geographic or Topological Proximity
Environmental Context
 Example: Brand currently used by phishing site in Internet increasing
probability of fraud and identity theft
 Event / Activity Correlation – Relational Networks
 Pattern, Profile and Signature Recognition Processing
 Question: Do “Complex Events” == “Situations”?
20
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
CEP Level 3 – Impact Assessment
 Predict Intention of Subject (Fraudster example)
 Make changes to account identity information?
 Transfer funds out of account?
 Test for access and return at later time?
 Estimate Capabilities of Fraudster
 Organized Gang or Individual Fraudster?
 Expert or Novice?
 Estimate Potential Losses if Successful
 Identify Other Threat Opportunities
21
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
CEP Level 4 – Process Refinement
 Evaluate Process Performance and Effectiveness
 Exception Detection, Response Efficiency and Mitigation
 Knowledge Development
 Identify Changes to System Parameters
 Adjust Event Stream Processing Variables
 Fine Tune Filters, Algorithms and Correlators
 Determine If Other Source Specific Resources are
Required
 Recommend Allocation and Direction of Resources
22
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
CEP - Database Management Examples
 Reference Database
 User Profiles
 Activity and Event Signatures and Profiles
 Environmental Profiles
 Inference Database
 Subject Identification
 Situation and Threat Assessment
 Knowledge Mining
 Referential Mapping Database Examples
 Mapping Between IP Address and Domain
 Mapping Between Known Anonymous Proxies
23
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
CEP Level 5 – User Interface / Interaction
 Operational Visualization at all “Levels”
 Dynamic Graphical Representations of Situations
 Supports the Decision Making Process of Analytics Personnel
 Process and Resource Control
 Supports Resource Allocation and Process Refinement
 Display Control & Personalization
 Different Operator Views Based on Job Function and Situation
24
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
Our Agenda
 Introduction
 Event-Decision Architecture
 Traditional vs. State-of-the-Art Processing Architecture
 Capstone Constraints and Requirements
 Inference and Processing Architecture
 Processing Patterns for PredictiveBusinessTM
 Open Discussion
25
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
Processing Patterns for PredictiveBusinessTM
Processing Patterns
Business
Context
26
Inference
Processing
Techniques
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
Inference Algorithms for Event-Decision Processing
 A sample of event-decision processing algorithms relevant to
CEP:
 Rule-Based Inference
 Bayesian Belief Networks (Bayes Nets)
 Dempster-Shafer’s Method
 Adaptive Neural Networks
 Cluster Analysis
 State-Vector Estimation
 Key Takeaway: Analytics for CEP exist in the art & science of
mature multi-sensor data fusion processing - these analytics can
be mapped to recurring business patterns.
27
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
Map Business Context to Classical Methods
Note: For Illustrative Purposes Only
Sensor Optimization
Complex Diagnostics
Fraud Detection
Intrusion Detection
Network Management
Counterterrorism
Opportunistic Trading
Compliance Monitoring
Supply Chain Optimization
Business Context
28
Classical Inference
Bayesian Belief Networks
Hidden Markov Models
Dempster-Shafer’s Method
Self-Organizing Feature Maps
State-Vector Estimation
Adaptive Neural Networks
Rule-Based Inference
Inference Processing Techniques
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
Bayes Net: Identity Theft Detection / Phishing
Profile
Mismatch
Brand
Phishing
Login
Success
Uses
Proxy
Brand
Misuse
Phishing
Alert
Identity
Theft
Known
Fraud
IP
Alert
Security
Accou
nt
Lockou
t
Alert
Service
Alert
Customer
Source: Bass, T., TIBCO Software Inc., January 2006
29
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
Bayes Net: Simple Web-Click Behavior
Session
Time
# Items
Purchased
Total
Purchase
Click to
Purchase
Associate
Session ID
Recognize
Session
ID
Browser
Click
Pg
Subtyp
e
ID
OS
Click
Pg
Type
Session ID
Code
Click
Price
Price
Click
Elapse
d
Stores
Visited
Click
Count
Source: Ambrosio, B., CleverSet Inc., December 2004
30
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
Recurring Pattern(s) for PredictiveBusinessTM
 Bayesian Techniques for Complex Event Processing in:
 SPAM Filtering
 Telecommunications Fraud
 Other Behavior-Based Fraud & Intrusion Detection
 Financial Risk Management
 Credit Approval and Credit Limit Automation
 Medical Diagnosis
 Military ID, Command and Control

BNs dominate many other areas in Complex Event Processing
 Graphical representation of your domain knowledge
 Both causality and probability reside in the models
 Well established as a knowledge processing technique
31
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
Event-Decision Processing Characteristics
JDL Model
Levels
Association
Process
Estimation
Process
Entity
Estimate
Activity
(L4)
Process
Refinement
Planning
(Control)
(Action)
Decision
Making
(L3)
Impact
Assessment
Aggregation
Plan
Interaction
Effect
(situation, given plan)
Impact
Assessment
(L2)
Situation
Refinement
Aggregation
Relational
Aggregation
(L1)
Event Refinement
Assignment
Attribution
Individual Event
Event
Processing
(L0)
Event
Preprocessing
Assignment
Detection
Sensor Output
Sensor
Processing
(situation)
Situation
Assessment
Adapted (this and the next slide) from:
Steinberg, A., & Bowman, C., Handbook of Multisensor Data Fusion, CRC Press, 2001
32
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
Comparison of Event-Decision Models
JDL Model
Levels
(L5)
33
Waterfall
Model
Visualization
Boyd
Loop
Sense &
Respond
Intelligence
Cycle
Activity
Act
Respond
Disseminate
Decision
Execution
(L4)
Process Refinement
Decision
Making
Decide
Decide
Disseminate
Decision
Making
(L3)
Impact Assessment
---
Orient
Analyze
Evaluate
Impact
Assessment
(L2)
Situation Refinement
Situation
Assessment
Orient
Analyze
Evaluate
Situation
Assessment
(L1)
Event Refinement
Pattern
Processing /
Feature
Extraction
Orient
Detect
Collate
Event
Processing
(L0)
Event Preprocessing
Sensor
Processing
Orient
Detect
Collate
Sensor
Processing
---
Sensing
Observe
Sense
Collect
Sensor
Acquisition
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
Key Takeaways
 Event Processing can be a Computationally Intensive
 CEP Requires a Number of Technologies:
 Distributed Computing, Publish/Subscribe and SOA
 Hierarchical, Cooperative Inference Processing
 High Speed, Real Time Rules Processing with State Management
 Event-Decision Architecture for Complex Events / Situations
 CEP Community Needs Common Vocabulary and
Functional Architecture based on Established
Inference Models
 Processing Patterns for CEP Need to be Developed
based on using a Common Vocabulary and Functional
Architecture
34
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
Thank You!
Tim Bass, CISSP
Principal Global Architect
[email protected]
Complex Event Processing at TIBCO
JDL Example: Inference ScoreCards
ScoreCard
Fraud Situations
Level 3
Impact
Assessment
Level 0
Pre-Processing
Raw Data
Event Stream
ScoreCard
Level 1
Event
Refinement
Event Stream
ScoreCard
Business Impact
Fraud
Situations
Level 2
Situation
Assessment
Fraud Events
Level 4
Process
Refinement
Task
Event Source
Modified from: Steinberg, A., & Bowman, C., CRC Press, 2001
36
© 2006 TIBCO Software Inc. All Rights Reserved. Confidential and Proprietary.
ScoreCard
Fraud Events
ScoreCard