Operations

As the administrator, you coordinate the overall operations of TBAML: Data Management, Behavior Detection, and Post-Processing.

In a production environment, an Oracle client typically establishes a processing cycle to identify occurrences of behaviors of interest (that is, scenarios) at a specific frequency. Each cycle begins with Data Management, Behavior Detection, and Post-Processing, which prepares the detection results for presentation for the users.

Several factors determine specific scheduling of these processing cycles, including availability of data and the nature of the behavior that the system is to detect. The following sections describe each of the major steps in a typical production processing cycle:
  1. Start Batch
  2. Managing Data
  3. Behavior Detection
  4. Post-Processing
  5. End Batch

Start Batch

Using the Batch Control Utility, you can manage the beginning of the batch process.

Managing Data

The Ingestion Manager controls the Data Management process. The Data Interface Specification (DIS) contains specific definition of the types and format of business data that can be accepted for ingestion.

The Ingestion Manager supports files and messages for the ingestion of data. Data Management involves receiving source data from an external data source in one of these forms. The Ingestion Manager validates this data against the DIS, applies required derivations and aggregations, and populates the database with the results.

Behavior Detection

During Behavior Detection, OFSBD Algorithms control the scenario detection process. The Detection Algorithms search for events and behaviors of interest in the ingested data in the FCDM. Upon identification of an event or behavior of interest, the algorithms record a match in the database.

A match is created by executing scenarios. These scenarios are used to detect the behaviors of interest that correspond to patterns or the occurrences of pre-specified conditions in business data. The process also records additional data that the analysis of each match may require.

Post-Processing

During post-processing of detection results, Behavior Detection prepares the detection results for presentation to users. Preparation of the results depends upon the following processes:
  • Match Scoring: Computes a ranking for scenario matches indicating a degree of risk associated with the detected event or behavior.
  • Alert Creation: Packages the scenario matches as units of work (that is, events), potentially grouping similar matches together, for disposition by end users. This is applicable when multiple matches with distinct scores are grouped into a single event.
  • Alert Scoring: Ranks the events (including each match within the events) to indicate the degree of risk associated with the detected event or behavior.
  • Highlight Generation: Generates highlights for events that appear in the event list in the behavior detection subsystem and stores them in the database.
  • Historical Data Copy: Identifies the records against which the current batch's scenario runs generated events and copies them to archive tables. This allows for the display of a snapshot of information as of the time the event behavior was detected.
  • Alert Correlation: Uncovers relationships among events by correlating events to business entities and subsequently correlating events to each other based on these business entities. The relationships are discovered based on configurable correlation rule sets.

End Batch

The system ends batch processing when processing of data from the Oracle client is complete. The Alert & Case Management subsystem then controls the event and case management processes. See the Behavior Detection User Guide and Enterprise Case Management User Guide for more information.