Your SlideShare is downloading. ×
Processing Patterns for Predictive Business
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Processing Patterns for Predictive Business

3,894

Published on

Tim Bass' keynote presentation at the 1st Workshop on Event Processing, held in NY, March 14, 2006.

Tim Bass' keynote presentation at the 1st Workshop on Event Processing, held in NY, March 14, 2006.

Published in: Technology, Business
0 Comments
5 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
3,894
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
251
Comments
0
Likes
5
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • Transcript

    • 1. Processing Patterns for PredictiveBusiness TM Event Processing Symposium March 14, 2006 Tim Bass, CISSP Principal Global Architect TIBCO Software Inc.
    • 2. Our Agenda
      • Introduction
      • Event-Decision Architecture
        • Traditional vs. State-of-the-Art Processing Architecture
        • Capstone Constraints and Requirements
        • Inference and Processing Architecture
      • Processing Patterns for PredictiveBusiness TM
      • Open Discussion
    • 3. Introduction
      • Event-Decision Processing is Computationally Intensive
      • CEP requires a Number of Technologies:
        • Distributed Computing, Publish/Subscribe and SOA
        • Hierarchical, Cooperative Inference Processing
        • High Speed, Real Time Processing with State Management
        • Event-Decision Architecture for Complex Situations and Events
      • There is no single “CEP Solution” or “CEP Product”
      • CEP needs a Common Vocabulary and Functional Architecture based on Mature, Industry-Standard Inference Models
      • Processing and Integration Patterns for CEP need to be Developed and Formalized
    • 4. A Vocabulary of Confusion (Work in Progress) Resource Management Data Fusion Sensor Fusion Information Fusion Tracking Data Mining Correlation Planning Complex Event Processing Processing Management Sensor Management Control Estimation Event Stream Processing Adapted from: Steinberg, A., & Bowman, C., CRC Press, 2001
    • 5. US Legislation - Monitoring Requirements The Predictive Enterprise
    • 6. PredictiveBusiness TM Source: Ranadiv é , V., The Power to Predict , 2006.
    • 7. Example PredictiveBusiness TM Scenarios
      • Finance
        • Program (Opportunistic) Trading and Execution
        • Risk Management
        • Pricing and Consumer Relationship Management
        • Fraud and Intrusion Detection
      • Business Process Management
        • Process Monitoring
        • Exception Management and Outage Prediction
        • Scheduling
      • Sensor Networks
        • Reliability of Complex, Distributed Systems
        • RFID Applications
        • Manufacturing Floor – “Sense and Respond”
        • Power Grid Monitoring
        • Military
    • 8. PredictiveBusiness TM & Complex Event Processing (CEP)
      • More CEP Scenarios:
      • Stock Trading
        • Automatic identification of buy/sell opportunities.
      • Compliance Checks
        • Sarbanes-Oxley detection.
      • Fraud Detection
        • Odd credit card purchases performed within a period.
      • CRM
        • Alert if three orders from the same platinum customer were rejected.
      • Insurance Underwriting
        • Identification of risk.
      " Events in several forms, from simple events to complex events, will become very widely used in business applications during 2004 through 2008 " --- Gartner July 2003 Graphic Sources: TIBCO Software Inc & IBM CEP Situation Manager Event Streams Historical Data Real-time Detection and Prediction
    • 9. Our Agenda
      • Introduction
      • Event-Decision Architecture
        • Traditional vs. State-of-the-Art Processing Architecture
        • Capstone Constraints and Requirements
        • Inference and Processing Architecture
      • Processing Patterns for PredictiveBusiness TM
      • Open Discussion
    • 10. A Traditional Event-Driven Architecture (Fraud) HTTP request / response Structured messages Screen Audit events Message Audit events Screen/ message Audit events Fraud Detection Rules Fraud Detection Rules Queue Client/Server Channel Queue Fraud Detection Rules EMS Channel Queue Fraud Detection Rules Screen Based Channel Fraud Event Sensor Preprocessing Service API Queue Fraud Detection Rules HTTP Channel Queue Fraud Detection Rules API Channel … 1234Joe01021970….. Fraud Event Fraud Event Fraud Event Fraud Event Structured messages Queue Unix/ VT Channel Fraud Detection Rules Fraud Event Network TAP
    • 11. Emerging Event-Decision Architecture Customer Profiles Purpose-Built Analytics Distributed Multisensor Infrastructure Internet/Extranet Sensors Human Sensors Edge/POC Sensors Operations Center Other References Complex Event Processors Sensors are Everywhere!
    • 12. Capstone Constraints & Requirements
      • Constraints:
        • Distributed, heterogeneous Internet and Intranet environments
        • Purpose built systems and analytics, compartmentalization and specialization
        • Data-at-rest (databases and warehouses) and data-in-motion (real time, event driven)
      • Infrastructure Requirements:
        • Service-oriented architecture
        • Event-driven, zero-latency, distributed message-oriented middleware
        • Support for both standards-based interfaces and purpose-built (proprietary) interfaces
        • Real-time event-decision processing
        • Specialization, data warehousing, data mining, analytics
        • Human interaction with computers and networks
      • Processing Requirements
        • Layered knowledge / inference and analytics processing
        • Complex event processing, state and temporal management, state estimation
        • Progressive hierarchical inference – data, event, complex event, situation, impact, prediction
        • Adaptive control and resource management
        • Enterprise processing model (architecture)
      22
    • 13. Event-Inference Hierarchy 22 Impact Assessment Situational Assessment Relationship of Events Identify Events Location, Times and Rates of Events of Interest Existence of Possible Event of Interest Data/Event Cloud Analysis of Situation & Plans Contextual and Causal Analysis Causal Analysis, Bayesian Belief Networks, NNs, Correlation, State Estimation, Classification Use of Distributed Sensors for Estimations Raw Sensor Data (Passive and Active) Adapted from: Waltz, E. & Llinas, J., Multisensor Data Fusion, 1990 HIGH LOW MED
    • 14. Event-Decision High Level Architecture 22 EVENT CLOUD (DISTRIBUTED DATA SET) KS KS KS KS KS KS KS KS KS KS KS KS KS KS Adapted from: Engelmore, R. S., Morgan, A.J., & and Nii, H. P., Blackboard Systems, 1988 & Luckham, D., The Power of Events, 2002
    • 15.
      • Sensors
        • Systems that provide data and events to the inference models and humans
      • Actuators
        • Systems that take action based on inference models and human interactions
      • Knowledge Processors
        • Systems that take in data and events, process the data and events, and output refined, correlated, or inferred data or events
      HLA - Knowledge Sources KS KS KS
    • 16. Event-Decision Architecture 24 EVENT PRE-PROCESSING EVENT SOURCES EXTERNAL . . . LEVEL ONE EVENT REFINEMENT USER INTERFACE COMPLEX EVENT PROCESSING (CEP) DB MANAGEMENT Historical Data Profiles & Patterns DISTRIBUTED LOCAL EVENT SERVICES . . EVENT PROFILES . . DATA BASES . . OTHER DATA LEVEL TWO SITUATION REFINEMENT LEVEL THREE IMPACT ASSESSMENT LEVEL FOUR PROCESS REFINEMENT Adapted from JDL: Steinberg, A., & Bowman, C., Handbook of Multisensor Data Fusion, CRC Press, 2001
    • 17. Structured Processing for Event-Decision
      • Multi-level inference in a distributed event-decision architectures
        • Level 5 – User Interface
          • Human visualization, interaction and situation management
        • Level 4 – Process Refinement
          • Decide on control feedback, for example resource allocation, sensor and state management, parametric and algorithm adjustment
        • Level 3 – Impact Assessment
          • Impact threat assessment, i.e. assess intent on the basis of situation development, recognition and prediction
        • Level 2 – Situation Refinement
          • Identify situations based on sets of complex events, state estimation, etc.
        • Level 1 – Event Refinement
          • Identify events & make initial decisions based on association and correlation
        • Level 0 – Event Preprocessing
          • Cleansing of event-stream to produce semantically understandable data
      Level of Inference Low Med High
    • 18. CEP Level 0 – Event Preprocessing
      • Cleanse/Refine/Normalize Data for Upstream Processing
      • Calibrate Raw Event Cloud:
        • Web Server Farm Event Stream Example -
          • Group HTTP REQUESTS and RESPONSES
          • Reduce and Extract Required Data from Transaction
          • Format into Event for Upstream Processing
        • Intelligent Agent Fraud Detection Event Steam Example -
          • Receive Event Stream from Purpose-Built FD Application
          • Reduce and Extract Required Event from Event Stream
          • Format for Upstream Processing
      • Reduces System Load by Preprocessing Events
      • Enables Upstream to Concentrate on Most Relevant Events
      • Focuses on Objects/Events
    • 19. CEP Level 1 – Event Refinement
      • Problem: Which Events in the Event Stream Are “Interesting”?
      • Event Refinement Example (Association & Classification):
        • Hypothesis Generation (HG)
          • Processing incoming events, data and reports
          • Hypothesis: This Group of Events May Represent Fraud
          • Output: Fraud Detection Scorecard or Matrix
        • Hypothesis Evaluation (HE)
          • Evaluates Scorecard/Matrix for likelihood comparison
          • Rank Evaluation: These Events have a Higher Likelihood of Fraud
          • Output: Fills Scorecard/Matrix with relative likelihood estimation
        • Hypothesis Selection (HS)
          • Evaluates Scorecard/Matrix for best fit into “badges of fraud”
          • Evaluation: Provide an Estimate (Name) of the Fraudulent Activity
          • Output: Assignment of fraudulent activity estimate to event
    • 20. CEP Level 2 – Situation Refinement
      • What is the Context of the Identified Events?
      • Focuses on Relationships and States Among Events
      • Situation Refinement
        • Event-Event Relationship Networks
        • Temporal and State Relationships
        • Geographic or Topological Proximity
        • Environmental Context
          • Example: Brand currently used by phishing site in Internet increasing probability of fraud and identity theft
      • Event / Activity Correlation – Relational Networks
      • Pattern, Profile and Signature Recognition Processing
      • Question: Do “Complex Events” == “Situations”?
    • 21. CEP Level 3 – Impact Assessment
      • Predict Intention of Subject (Fraudster example)
        • Make changes to account identity information?
        • Transfer funds out of account?
        • Test for access and return at later time?
      • Estimate Capabilities of Fraudster
        • Organized Gang or Individual Fraudster?
        • Expert or Novice?
      • Estimate Potential Losses if Successful
      • Identify Other Threat Opportunities
    • 22. CEP Level 4 – Process Refinement
      • Evaluate Process Performance and Effectiveness
        • Exception Detection, Response Efficiency and Mitigation
        • Knowledge Development
      • Identify Changes to System Parameters
        • Adjust Event Stream Processing Variables
        • Fine Tune Filters, Algorithms and Correlators
      • Determine If Other Source Specific Resources are Required
      • Recommend Allocation and Direction of Resources
    • 23. CEP - Database Management Examples
      • Reference Database
        • User Profiles
        • Activity and Event Signatures and Profiles
        • Environmental Profiles
      • Inference Database
        • Subject Identification
        • Situation and Threat Assessment
        • Knowledge Mining
      • Referential Mapping Database Examples
        • Mapping Between IP Address and Domain
        • Mapping Between Known Anonymous Proxies
    • 24. CEP Level 5 – User Interface / Interaction
      • Operational Visualization at all “Levels”
        • Dynamic Graphical Representations of Situations
        • Supports the Decision Making Process of Analytics Personnel
      • Process and Resource Control
        • Supports Resource Allocation and Process Refinement
      • Display Control & Personalization
        • Different Operator Views Based on Job Function and Situation
    • 25. Our Agenda
      • Introduction
      • Event-Decision Architecture
        • Traditional vs. State-of-the-Art Processing Architecture
        • Capstone Constraints and Requirements
        • Inference and Processing Architecture
      • Processing Patterns for PredictiveBusiness TM
      • Open Discussion
    • 26. Processing Patterns Business Context Inference Processing Techniques Processing Patterns for PredictiveBusiness TM
    • 27. Inference Algorithms for Event-Decision Processing
      • A sample of event-decision processing algorithms relevant to CEP:
        • Rule-Based Inference
        • Bayesian Belief Networks (Bayes Nets)
        • Dempster-Shafer’s Method
        • Adaptive Neural Networks
        • Cluster Analysis
        • State-Vector Estimation
      • Key Takeaway: Analytics for CEP exist in the art & science of mature multi-sensor data fusion processing - these analytics can be mapped to recurring business patterns.
    • 28. Map Business Context to Classical Methods Business Context Inference Processing Techniques
        • Classical Inference
        • Bayesian Belief Networks
        • Hidden Markov Models
        • Dempster-Shafer’s Method
        • Self-Organizing Feature Maps
        • State-Vector Estimation
        • Adaptive Neural Networks
        • Rule-Based Inference
        • Sensor Optimization
        • Complex Diagnostics
        • Fraud Detection
        • Intrusion Detection
        • Network Management
        • Counterterrorism
        • Opportunistic Trading
        • Compliance Monitoring
        • Supply Chain Optimization
      Note: For Illustrative Purposes Only
    • 29. Bayes Net: Identity Theft Detection / Phishing Source: Bass, T., TIBCO Software Inc., January 2006 Uses Proxy Alert Service Account Lockout Profile Mismatch Brand Phishing Alert Security Alert Customer Known Fraud IP Identity Theft Login Success Phishing Alert Brand Misuse
    • 30. Bayes Net: Simple Web-Click Behavior Click Pg Subtype Click Elapsed Associate Session ID Stores Visited Click Pg Type Click to Purchase Session Time # Items Purchased ID Browser Recognize Session ID OS Total Purchase Session ID Code Click Price Price Click Count Source: Ambrosio, B., CleverSet Inc., December 2004
    • 31. Recurring Pattern(s) for PredictiveBusiness TM
      • Bayesian Techniques for Complex Event Processing in:
        • SPAM Filtering
        • Telecommunications Fraud
        • Other Behavior-Based Fraud & Intrusion Detection
        • Financial Risk Management
        • Credit Approval and Credit Limit Automation
        • Medical Diagnosis
        • Military ID, Command and Control
      • BNs dominate many other areas in Complex Event Processing
        • Graphical representation of your domain knowledge
        • Both causality and probability reside in the models
        • Well established as a knowledge processing technique
    • 32. Event-Decision Processing Characteristics Adapted (this and the next slide) from: Steinberg, A., & Bowman, C., Handbook of Multisensor Data Fusion, CRC Press, 2001 Sensor Output Individual Event Aggregation (situation) Effect (situation, given plan) (Action) Entity Estimate Sensor Processing Event Processing Situation Assessment Impact Assessment Decision Making Activity Detection Assignment (L0) Event Preprocessing Attribution Assignment (L1) Event Refinement Relational Aggregation (L2) Situation Refinement Plan Interaction Aggregation (L3) Impact Assessment (Control) Planning (L4) Process Refinement Estimation Process Association Process JDL Model Levels
    • 33. Comparison of Event-Decision Models Sense Detect Detect Analyze Analyze Decide Respond Sense & Respond Sensor Processing Collate Orient Sensor Processing (L0) Event Preprocessing Sensor Acquisition Collect Observe Sensing --- Activity Intelligence Cycle Boyd Loop Waterfall Model JDL Model Levels Decision Execution Disseminate Act (L5) Visualization Collate Evaluate Evaluate Disseminate Event Processing Situation Assessment Impact Assessment Decision Making Orient Pattern Processing / Feature Extraction (L1) Event Refinement Orient Situation Assessment (L2) Situation Refinement Orient --- (L3) Impact Assessment Decide Decision Making (L4) Process Refinement
    • 34. Key Takeaways
      • Event Processing can be a Computationally Intensive
      • CEP Requires a Number of Technologies:
        • Distributed Computing, Publish/Subscribe and SOA
        • Hierarchical, Cooperative Inference Processing
        • High Speed, Real Time Rules Processing with State Management
        • Event-Decision Architecture for Complex Events / Situations
      • CEP Community Needs Common Vocabulary and Functional Architecture based on Established Inference Models
      • Processing Patterns for CEP Need to be Developed based on using a Common Vocabulary and Functional Architecture
    • 35. Thank You! Tim Bass, CISSP Principal Global Architect [email_address] Complex Event Processing at TIBCO
    • 36. JDL Example: Inference ScoreCards Event Stream Raw Data Level 0 Pre-Processing Fraud Events Event Stream Level 1 Event Refinement ScoreCard Fraud Situations Fraud Events Level 2 Situation Assessment Business Impact Fraud Situations Level 3 Impact Assessment ScoreCard ScoreCard ScoreCard Event Source Task Level 4 Process Refinement ScoreCard Modified from: Steinberg, A., & Bowman, C., CRC Press, 2001

    ×