WSO2 Complex Event Processor is succeeded by WSO2 Stream Processor. To view the latest documentation for WSO2 SP, see WSO2 Stream Processor Documentation.

The Markov Models extension detects abnormal patterns in user activity during real-time analysis. There are two approaches for using this extension: supplying an existing Markov matrix, or building the matrix from incoming data. Both are described below.

You can input an existing Markov matrix as a CSV file. It should be an N x N matrix, and the first row should contain the state names, as shown in the following samples. The rows below the first row give the transition probabilities or transition counts for all the possible state transitions.

Transition probabilities:

testState01,testState02,testState03
0.1,0.6,0.3
0.3,0.5,0.2
0.6,0.3,0.1

Transition counts:

testState01,testState02,testState03
2,12,6
6,10,4
12,6,2

Syntax

The following is the syntax for a query with the Markov Models extension using an existing matrix.

markov:markovChain(<String> id, <String> state, <int|long|time> durationToKeep, <double> alertThreshold, <String> markovMatrixStorageLocation, <boolean> train)

Input parameters

The following are the input parameters for this extension.

| Parameter | Required/Optional | Description |
|---|---|---|
| id | Required | The ID of the particular user or object being analyzed. |
| state | Required | The current state of the ID. |
| durationToKeep | Required | The maximum time duration to be considered for a continuous state change of a particular ID. |
| alertThreshold | Required | The alert threshold probability. |
| markovMatrixStorageLocation | Required | The location of the CSV file that contains the existing Markov matrix to be used. |
| train | Optional | If this is set to true, event values are used to train the Markov matrix. If this is set to false, the Markov matrix values remain the same. |

Output parameters

The following are the output parameters for this extension.

| Parameter | Name | Description |
|---|---|---|
| lastState | Last state | The previous state of the particular ID. |
| transitionProbability | Transition probability | The transition probability between the previous state and the current state for a particular ID. |
| notify | notify | This signifies a notification that indicates that the transition probability is less than or equal to the alert threshold probability. |

Example

The following returns notifications to indicate whether a transition probability is less than or equal to 0.2 according to the Markov matrix you have provided.

define stream InputStream (id string, state string);
from InputStream#markov:markovChain(id, state, 60 min, 0.2, "markovMatrixStorageLocation", false)
select id, lastState, state, transitionProbability, notify
insert into OutputStream;
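
The following Python sketch is an added example, not part of the WSO2 documentation or the extension's code. It models how the documented parameters interact with a matrix file in the format shown above; the function and class names, the row-sum normalisation of counts, the reading of durationToKeep as an expiry on the previous state, and scoring an unlisted transition as probability 0 are assumptions.

```python
import csv
import io

# Constructed sample: the transition-count matrix shown on this page.
SAMPLE_CSV = """testState01,testState02,testState03
2,12,6
6,10,4
12,6,2
"""

def load_matrix(text):
    """Parse an N x N matrix CSV (first row = state names) into probabilities."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    states = [s.strip() for s in rows[0]]
    if len(rows) - 1 != len(states):
        raise ValueError("matrix is not N x N")
    matrix = {}
    for src, row in zip(states, rows[1:]):
        values = [float(v) for v in row]
        if len(values) != len(states) or min(values) < 0:
            raise ValueError("bad row for " + src)
        total = sum(values)
        # Counts and probabilities are handled alike: divide by the row sum.
        matrix[src] = {d: (v / total if total else 0.0)
                       for d, v in zip(states, values)}
    return matrix

class MarkovChainModel:
    """Hypothetical model of the documented parameters (train=false case)."""
    def __init__(self, matrix, duration_to_keep, alert_threshold):
        self.matrix = matrix
        self.duration = duration_to_keep      # seconds in this sketch
        self.threshold = alert_threshold
        self.last = {}                        # id -> (state, timestamp)

    def process(self, id_, state, ts):
        """Return (lastState, transitionProbability, notify) for one event."""
        prev = self.last.get(id_)
        self.last[id_] = (state, ts)
        # Assumption: with no previous state, or one older than
        # durationToKeep, there is no transition to score.
        if prev is None or ts - prev[1] > self.duration:
            return (None, None, False)
        # Assumption: a transition absent from the matrix scores 0.
        p = self.matrix.get(prev[0], {}).get(state, 0.0)
        return (prev[0], p, p <= self.threshold)
```

Loading the counts sample and the probabilities sample yields the same matrix, so either file form produces the same notifications in this model.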

This approach involves using a reasonable amount of incoming data to train a Markov matrix and then using it to create notifications.

Syntax

The following is the syntax for a query with the Markov Models extension using a matrix newly built using incoming data.

markov:markovChain(<String> id, <String> state, <int|long|time> durationToKeep, <double> alertThreshold, <int|long> notificationsHoldLimit, <boolean> train)


Input parameters

The following are the input parameters for this extension.

| Parameter | Required/Optional | Description |
|---|---|---|
| id | Required | The ID of the particular user or object being analyzed. |
| state | Required | The current state of the ID. |
| durationToKeep | Required | The maximum time duration to be considered for a continuous state change of a particular ID. |
| alertThreshold | Required | The alert threshold probability. |
| notificationsHoldLimit | Required | The number of events that should be received before the matrix starts triggering notifications. |
| train | Optional | If this is set to true, event values are used to train the Markov matrix. If this is set to false, the Markov matrix values remain the same. |

Output parameters

The following are the output parameters for this extension.

| Parameter | Name | Description |
|---|---|---|
| lastState | Last state | The previous state of the particular ID. |
| transitionProbability | Transition probability | The transition probability between the previous state and the current state for a particular ID. |
| notify | notify | This signifies a notification that indicates that the transition probability is less than or equal to the alert threshold probability. |

Example

The following query returns notifications that indicate whether a transition probability is less than or equal to 0.1 according to the Markov matrix that is built using the incoming data itself. This starts sending notifications after the first 500 events arrive.

define stream InputStream (id string, state string, train bool);
from InputStream#markov:markovChain(id, state, 60 min, 0.1, 500, train)
select id, lastState, state, transitionProbability, notify
insert into OutputStream;