Combining Fields in Event Data: The What's Strange About Recent Events Approach

The What's Strange About Recent Events (WSARE) algorithm (Wong et al., 2002; Wong and Moore, 2002; Wong et al., 2003) is a rule-based anomaly pattern detector that operates on discrete, multidimensional data sets with a temporal component. This algorithm compares recent data against a baseline distribution with the aim of finding rules that summarize significant patterns of anomalies. Each rule is made up of components of the form X_i = V_j, where X_i is the ith feature and V_j is the jth value of that feature. Multiple components are joined together by a logical AND. For example, a two-component rule would be Gender = Male AND Home Location = NW. These rules should not be interpreted as rules from a logic-based system in which the rules have an antecedent and a consequent. Rather, these rules can be thought of as SQL SELECT queries because they identify a subset of the data having records with attributes that match the components of the rule. WSARE finds the subsets whose proportions have changed the most between recent data and the baseline.

Figure 15.4 Synthetic time series and diagnostic probabilities described in the text.

We will overview versions 2.0 and 3.0 of the WSARE algorithm. These two algorithms only differ in how they create the baseline distribution; all other steps in the WSARE framework remain identical. WSARE 2.0 uses raw historical data from selected days as the baseline while WSARE 3.0 models the baseline distribution using a Bayesian network.
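The following added example (not code from the cited papers or from this text) treats each rule as a SELECT-style filter and returns the rule whose share of matching records differs most between recent data and a raw historical baseline, as in the WSARE 2.0 setting described above. Assumptions: each rule is scored with Fisher's exact test on its 2x2 counts, no correction for testing many rules is applied, and the function names and records are constructed for illustration.

```python
from itertools import combinations
from math import comb

def matches(record, rule):
    """A rule is a tuple of (feature, value) components joined by AND."""
    return all(record.get(f) == v for f, v in rule)

def fisher_two_sided(a, b, c, d):
    """Two-sided Fisher exact p-value for the 2x2 table [[a, b], [c, d]]."""
    row1, col1, n = a + b, a + c, a + b + c + d
    def prob(x):  # hypergeometric probability of x in the top-left cell
        return comb(col1, x) * comb(n - col1, row1 - x) / comb(n, row1)
    p_obs = prob(a)
    lo, hi = max(0, row1 + col1 - n), min(row1, col1)
    return sum(p for p in map(prob, range(lo, hi + 1)) if p <= p_obs * (1 + 1e-9))

def candidate_rules(records, max_components=2):
    """Yield every rule with up to max_components distinct features."""
    pairs = sorted({(f, v) for r in records for f, v in r.items()})
    for k in range(1, max_components + 1):
        for combo in combinations(pairs, k):
            if len({f for f, _ in combo}) == k:  # one value per feature
                yield combo

def best_rule(recent, baseline, max_components=2):
    """Return (p_value, rule, recent_hits, baseline_hits) for the lowest p."""
    scored = []
    for rule in candidate_rules(recent, max_components):
        r_hit = sum(matches(x, rule) for x in recent)
        b_hit = sum(matches(x, rule) for x in baseline)
        p = fisher_two_sided(r_hit, len(recent) - r_hit,
                             b_hit, len(baseline) - b_hit)
        scored.append((p, rule, r_hit, b_hit))
    return min(scored, key=lambda s: s[0])

def rows(gender, home, n):  # helper for the constructed sample data
    return [{"Gender": gender, "Home Location": home}] * n

# Constructed data: baseline is uniform, recent has a surge of Male/NW records.
BASELINE = [r for g in ("Male", "Female") for h in ("NW", "NE", "SW", "SE")
            for r in rows(g, h, 10)]
RECENT = (rows("Male", "NW", 9) + rows("Male", "NE", 1) + rows("Male", "SW", 2)
          + rows("Male", "SE", 1) + rows("Female", "NW", 2)
          + rows("Female", "NE", 2) + rows("Female", "SW", 2)
          + rows("Female", "SE", 1))

if __name__ == "__main__":
    p, rule, r_hit, b_hit = best_rule(RECENT, BASELINE)
    print(" AND ".join(f"{f} = {v}" for f, v in rule), r_hit, b_hit, round(p, 4))
```

On this constructed data the single-component rule Home Location = NW also shifts, but the two-component rule isolates the subset that changed most.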
