METHOD FOR DETECTING ANOMALOUS STATES OF A CONTROL OBJECT IN INFORMATION SYSTEMS BASED ON THE ANALYSIS OF TEMPORAL DATA AND KNOWLEDGE

The problem of finding the anomalous states of the control object in the management information system under conditions of uncertainty caused by the incompleteness of knowledge about this object is considered. The method of classifying the current state of the control object in real time, allowing to identify the current anomalous state. The method uses temporal data and knowledge. Data is represented by sequences of events with timestamps. Knowledge is represented as weighted temporal rules and constraints. The method includes the following key phases: the formation of sequences of logical facts; selection of temporal rules and constraints; classification based on a comparison of rules and constraints. Logical facts are represented as predicates on event attributes and reflect the state of the control object. Logical rules define valid sequences of logical facts. Performing a classification by successive comparisons of constraints and weights of the rules makes it possible to more effectively identify the anomalous state since the comparison of the constraints reduces the subset of facts comparing to the current state. The method creates conditions for improving management efficiency in the context of incomplete information on the state of a complex object by using logical inference in knowledge bases for anomalous states of such control objects.


Introduction
The information management system is a human-machine system that designed to solve the tasks of managing the production and business activities of an enterprise based on automated collection, transmission and processing of information about the activities of this enterprise [1].The tasks of enterprise management are implemented through a sequence of actions that allows to achieve planned results in terms of the impact of both internal and external environment of the enterprise [2,3].
In practice, these tasks are performed under conditions of uncertainty at the level of the control object as a whole or of its individual components.Uncertainty of the second type is caused by incomplete information about the values of individual parameters of the control object.The uncertainty of the first type reflects the incompleteness of information about the control object in general.
In solving problems of control under conditions of the uncertainty of the second type, a priori knowledge of the subject area and traditional, usually deterministic mathematical models of the control object are used [4].
When solving management problems under conditions of the uncertainty of the second type, it is relevant to use an expert knowledge base reflecting the experience of the company's personnel [4].This knowledge base formed or through experts' interrogation [5], or by monitoring the opera-Computer Sciences tion of the enterprise.The first approach is quite time-consuming, which does not allow constantly expanding the knowledge base during solving problems of real-time management.The second approach implements the paradigm of automated knowledge creation and use [6,7].Therefore, it can be used to support real-time management tasks [8].
Each of the management tasks is divided into subtasks of evaluating the current state of the enterprise as an object of management and the development of management actions that allow getting target results from the current state.These subtasks are usually solved sequentially, as knowledge about the current state is required to develop management actions.The subtask of evaluating the current state in case of incomplete knowledge of the object of management provides for the classification of this state.Classification of the state of the control object allows to simplify management decisions based on the choice of control actions from the set of permissible for a given class.Hence, the identification of abnormal states of the control object allows to narrow down the set of permissible management decisions and thereby increase the efficiency of enterprise management.
Thus, the problem of finding the abnormal states of the control object in the management information systems under conditions of uncertainty caused by the incomplete knowledge about this object is relevant.

Literature review
The knowledge base, designed to support the solution of management tasks in the information management system under uncertainty, should take into account the multivariance of the behavior of the control object.For a single description of several alternative behaviors, a knowledge representation based on the Markov Logic Networks is used [9,10].The logical component of this representation defines the possible states of the control object and the dependencies between these states.These dependencies are represented by logical formulas and reflect the allowable sequences of control actions leading to the transition between the states of the control object.The probabilistic component of knowledge representation is given by the weights of the specified logical dependencies.
In case incomplete information about the state of the control object, these dependencies describe the permissible sequences of these states in time.Therefore, they are represented in the form of temporal rules.Such rules reflect both explicit and implicit dependencies between subject area [11].With building these rules, temporal data is used in the form of event logs [12].The method of temporal rules formation is presented in [13].The method for calculating the weights of the rules is presented in the paper [14].The method of using temporal rules to decision support system is suggested in the paper [15].The current abnormal state is used as the initial data for this method, but the issues of detecting this abnormal state are not considered in this paper.
Existing approaches to finding anomalies in temporal data [16] are primarily aimed at processing data streams from sensors and various electronic devices.Therefore, they allow to provide support for management at the level of uncertainty of information regarding specific parameters of the control object.For solving this problem, it is necessary to consider not only temporal data but also temporal rules that determine the set of valid states of the control object.
The purpose of this article is development of a method for abnormal states detecting of a control object based on the temporal data and knowledge analysis in the context of incomplete information about the state of this object.

Method for detecting abnormal states of the control object
The developed method is designed to solve the problem of the control object's current state evaluating.Formally, this task is defined as follows. Let: -a type of dependencies R(s, u) between management impact u and the corresponding state s of the control object; -a sequence of control impacts D u ; -a state sequence S the control object.
The initial data on the state of the control object are presented in the log L as events { } ( ) k e a , which have a set of attributes { } k a .Attributes contain information about the type of event, the action performed u j , the values of the properties of the artifacts that which are members the control object.
The event also has a temporal attribute that contains the event's execution time.Then, the achievement of the state s j of the control object as a result of the controlling action u will be represented by a logical fact ft j on the event attributes: where Q -predicate on the set of event attributes.The behavior of the control object is represented in the log L as a set of events ordered in time 1 j e ,...,e ,... .π = In the case of repeated implementation of the management cycle, such sets of events are recorded repeatedly: Then each sequence of events π i in the log corresponds to a sequence S i of states of the control object, represented as a sequence of logical facts ft j : Expression (3) shows that it is possible to compare the states of the control object represented by different sequences of events π i .Comparison is performed basing on attribute values k j a comparing for each pair of events.
Based on this sequence of facts, the temporal rules proposed by the authors are formed: ft KvantifierOperator ft [14,15].The quantifier determines the area of application of the rule regarding the sequences of states S i of the control object.The developed rules use quantifiers E(Exists) and A(All).The first quantifier determines the area of the rules for one sequence S i .The second quantifier sets the truth of the rule for all states from the set S. Therefore, rules with quantifier A act as constraints in a temporal knowledge base.
Temporal operators define type relationships NeXt, Future, Until between the considered facts.The NeXt operator rule defines the relationship between a pair of sequential actions (or a pair of consecutive states).The rule with the NeXt operator defines the connection for a pair of actions (or states) between which intermediate actions are performed.The third rule determines the possibility of performing actions (transition to new states) depending on the current state of the control object.
The considered rules have a weight that corresponds to the probability of their realization on a given input set of temporal data [14].

Computer Sciences
The general idea of the proposed method is based on the use of the properties of the temporal rules of the types NeXt, Future.Type rule Until focused on the use of a subset of attributes, thus this method is not used.
The method includes the following steps.
According to expression (4), such sequences of facts of length from 1 to M are selected that correspond to a fragment of the sequence i S' , directly preceding fact i, j ft' .This means that we consider the inseparable sequences of states of the control object, which immediately precede the current state represented by the fact i, j ft' .However, instead of this fact, alternative states are present in the selected sequences.ft contain more constraints than fact i, j ft' , that fact i, j ft' reflects the abnormal state of the control object and the method ends.Otherwise, a subset of facts Ft' is selected, in which the constraints match with the constraints of the fact i, j ft' .
where A -quantifier All.
The potential is calculated as the sum of the weights of the temporal rules.The use of potential is due to the fact that temporal rules are based on the apparatus of Markov Logic Networks.Accordingly, the weights of the rules correspond to the probability of their implementation on the existing set of source data.ft' , has the form:

Computer Sciences
According to (7), if the potential difference of two facts surpass a predetermined threshold ε that fact i, J ft' is abnormal.Otherwise, the state i, J ft' belongs to the same class with the standard state l,M ft .
The result of this method is the abnormal or standard class of the current state represented as the fact i, J ft' .

Experiment
The goal of the experiment is testing the possibility of classifying the current state of the control object under conditions of uncertainty.Uncertainty is expressed in the absence of complete information about the characteristics of the current state of the control object.For example, as a result of an external impact, an object passed into a state that was not incorporated in its model.In this case, information about this state is incomplete.The initial data of the method are given in Table 1.ft AXft , 7 Type rules NeXt (ft EXft 0, (ft EXft 2,7027) Type rules Future (ft EFft 0,0857), (ft EFft 0,04286), (ft EFft 0,01429), (ft EFft 0,0857), (ft EFe 0,04286), (ft EFft 0,01429), (ft EFft 0,0857), (ft EFft 0,04286), (ft EFft 0,0857) Initial information includes temporal data and temporal rules.The data describes the behavior of the control object.The initial temporal data contains 6 sequences of events, which indicates that the management cycle has been repeatedly executed.The last (sixth) sequence contains information about the object in the current management cycle.The final event e 6,10 reflects the current state s 10 of the control object.It is required to determine whether this condition is abnormal.
For the method's functioning, knowledge is used represented in the form of temporal rules.Among these rules, subsets of constraints, rules of type NeXt и Future.The subset of constraints includes rules with quantifier A. This means that these rules are executed both when abnormal states and typical states are reached.Therefore, restrictions are not used when classifying the current state of the control object.NeXt type rules associate the successive states of the control object.Rules of the Future type associate states between which there may be other intermediate states.
Since the facts included in the rules take into account information about the actions that are being carried out, these rules associate not only states but also control actions.Note that the double index is not specified for the rules due to the use of quantifiers.
In accordance with the initial data, a classification was made for the current state recorded in the log as the last event e 6,10 .The results of the method operation are presented in Table 2.

Table 2
The results of the method operation

Classified state s 10 Set of typical states S Std
The resulting facts During of implementing of this method, a check of the abnormal state s 10 was carried out twice: by constraints and by the rules.
The results of the check on the constraints show that for this state the constraint is not executed 1 7 ft AFft .The constraint has weight , ∞ which certainly exceeds the threshold ε , so state s 10 not standard and refers to abnormal.However, an additional comparison was made of the total potential of the rules, which also confirmed the non-standard character of this state.

Results and Discussion
The result of the work is a method for detecting an abnormal state, focused on the usage of temporal data and rules that define the behavior of a control object in real time.
The resulting evaluate of the current state of the method allows real-time detection of deviations in the behavior of an object from a standard trajectory and thus ensures that it is possible to make management decisions in time for the target state to be reached.
The difference of the proposed method is in the usage of knowledge in the form of temporal rules instead of initial temporal data.The potential of these rules reflects the likelihood of their execution on all sequences of events in the source data.Therefore, the classification of an indefinite current state is carried out on the basis of a probabilistic indicator, which makes it possible to evaluate the typical or non-standard state on the whole set of initial data.
The advantage of the method is in the ability of detecting anomalies both on the basis of restrictions and using rules.This makes it possible to increase the classification efficiency by selecting a set of standard states, the constraints of which correspond to the constraints of the current state and the subsequent detection of anomalies by comparing the potentials of the remaining rules.
The disadvantage of the method is that the rules and restrictions used significantly depend on the quality of the initial temporal data.Errors and noise in the source data may lead to the incorrect classification.
The developed method is intended for use in the management cycle under conditions of uncertainty using the temporal knowledge base by successively solving the problems of analyzing and supporting management decision making.

Conclusions
The problem of the control object's current state evaluating in information and management systems under conditions of uncertainty caused by unforeseen external influences is considered.

Stage 4 .Stage 5 .
Rule set formation { } M Rl for sequence { } l M S for each alternative state l,M ft .Result set contains constraints.Comparison of constraints for sets { } M Rl and { } i Rl' .In the event that all the facts l,M

Stage 6 .
Removing constraints.At this stage of the sets { } M Rl and sets { } i Rl' general rules are deleted according to conditions:

Stage 8 .
The classification of this state by the nearest neighbor method.metrics.Facts are ordered by the value of their potential.The potential of the fact i, J ft' is compared with the potential of the facts { } l,M ft .The condition of the state of the control object represented by the fact i, J It is necessary to determine whether the current state s' is standard: The result of this stage is a set of temporal rules and constraints that describe all the available ways to achieve the state i S' .
i Rl' of the types NeXt and Future for { } i S' .
The result of this stage are subsets of specific rules { } m The calculation of the total potential for each alternative fact