Entry Name: “PKU-Yu-MC3”

 VAST Challenge 2016
Mini-Challenge 3

 

 

Team Members:

Yu Zhang, Peking University, yuzhang94@pku.edu.cn     PRIMARY

Chufan Lai, Peking University, chufan.lai.1990@gmail.com

GuoZheng Li, Peking University, liguozhengsdu@gmail.com

QiangQiang Liu, Peking University, lqqyeah@gmail.com

Lu Feng, Peking University, 1200012795@pku.edu.cn

Ren Zuo, Peking University, zuoren@pku.edu.cn

Shuai Chen, Peking University, seinchen@foxmail.com

TangZhi Ye, Peking University, yetangzhi66@gmail.com

Zhuo Zhang, Qihoo 360, zhuangzhuo@360.cn

Zhanyi Wang, Qihoo 360, wangzhanyi@360.cn

Xin Huang, Qihoo 360, huangxin-xy@360.cn

Fengchao Xu, Qihoo 360, xufengchao@360.cn

Yu Li, Qihoo 360, liyu-safe@360.cn

Shunlong Zhang, Qihoo 360, zhangshunlong@360.cn

Qiusheng Li, Qihoo 360, liuqiusheng-s@360.cn

Siming Chen, Peking University, simingchen3@gmail.com

Xiaoru Yuan, Peking University, xiaoru.yuan@pku.edu.cn (Advisor)

 

Student Team:  NO

 

Tools Used:

EXCEL, MATLAB, and own developed tools.

Tableau is used for data exploration.

 

Approximately how many hours were spent working on this submission in total?

500 hours.

 

May we post your submission in the Visual Analytics Benchmark Repository after VAST Challenge 2016 is complete? YES

 

Video

http://vis.pku.edu.cn/pku-qihoo-mc3-video.mp4 

 

Questions

MC3.1 – Describe the unusual or unexpected patterns and anomalies you observed during the first two days of streaming data (June 14-15). Please describe up to ten notable patterns or anomalies.

Limit your response to no more than 10 images and 1000 words.

 

1. New prox ID appeared

ibaza002 and  vawelon002, but they move normally, following their previous (ibaza001 and vawelon001) moving patterns.

 

2. Visiting new zones

1) ostrum001’s trajectory is abnormal (visit floor3 zone2, a rarely visited zone for him) on 6.13.

 

3. Other abnormal trajectories

1) From the picture below, we could see that on 6.16 and on 6.2, after arriving at the office in floor3 zone2, rpantanal001 go back to the entry of the company (f1z1, in brown) and return to the office again after some time.

 

2) On the night from 6.14 to 6.15, tseifer001 (administration) stay at the floor 3 zone2 for the whole night.

 

3) On 6.14 at 14: 15, jholly001(administration), korilla001(engineering), lborrasca001(engineering), cshipp001(facilities) did not go to conference room for the meeting.

 

4) From the figure below, we can see that malinai001，wvasco001，zcoronado001，rmieshaber001, these four persons went to the Floor2 Zone2, after the meeting at 11:40, instead of directly going back to their office or deli.

Some staffs stay for a long time at abnormal place, malinai001, wvasco001, zcoronado001, rmieshaber001 went to the Floor2 Zone2 which do not exist its office at around 11: 40 am, and lasted at around 12: 15. On the morning of June 15th, jsanjorge001, rmieshaber001 and Malinai001 stay in the zone for a while that is not the zone with their offices.

 

4. Server Room downtime

The equipment power of Server Room (f3z9) is constant except the period from 6.15 11:45 to 6.15 18:05. During this period, the equipment power drops dramatically. A related event is that the cooling setpoint and heating setpoint of this server room was greatly raised from 6.15 10:50 to 6.15 16:00, which lead to a sudden rise of air temperature in this zone, from around 30 degrees to around 38 degrees. After the rise of temperature, the equipment power dropped, which suggests that someone turned down the machines to fix the problem, or the machines in Server Room stopped working because of the high temperature. After this drop of equipment power, the temperature fell probably because someone has fixed the problem of abnormal temperature, or that the machines stopped working and stopped releasing much heat.

At that time, cforluniau001 seems to be at the server in floor1 zone1, which may imply that he changed the parameters of Server Room in floor3. After that, someone (maybe csolos001 or ncalixto001 or sflecha001) went to the Server Room to deal with the problem that the cooling power was abnormally high. After someone (maybe csolos001 or ncalixto001 or sflecha001) had fixed this problem, he left the Server Room.

 

5. Records of the stolen card

In mc2, we find that the prox-card of pyoung001 has been used unauthorized by other staffs, also the sequence could be found from the following picture. In June 16^th, we found the card has been used by others again following the same trajectory with the former.

 

6. Abnormal cooling and heating event

On 6.14 and 6.15, the cooling system was working at relatively low cooling setpoint, with high cooling power in the day (around 7:00 to around 23:00), which led to low temperature in the day. While at night, the cooling setpoint rose up, and led to high temperature at night.

This pattern of 6.14 and 6.15 (cool in day, hot at night) is reverse of the pattern of 6.7 and 6.8 (cool at night, hot in day).

 

7. From the trajectory analysis part of our system, we could find three kinds of anomalies. Firstly, some staff did not come to the conference room for meeting during the meeting time. In June 14th, at around 10:45 am, sflecha001, csolos001 (information technology), cshipp001 (facility), korilla001 (engineer) and jholly001 (administration) did not go to the conference room. At around 14:15, jholly001 (administration), Korilla001 (engineering), lborrasca001 (engineering), cshipp001 (facilities) did not go to the meeting for the meeting. In June 15th, at around 14:15, jsanjorge001，rmieshaber001, malinari001 did not go to the conference for the meeting.

 

8.  Light in floor3 zone3 is continuously on from 6.14 8:35 to 6.15 17:20

 

9. Trajectory’s of jump zone (moving from one zone to anther nonadjacent zone) movement

1) rmieshaber on 6.15

f1z1 →f1z4 →f2z4 → f2z1 → f2z2 → f3z6 → f3z1 → f3z4 → f2z4 → f2z1 → f2z2 → f2z1 → f2z4 → f1z4 → f1z1

 

MC3.2 – Which additional sensor did you choose to add to your data stream? What was the rationale for your selection? Did it provide additional insight?

Limit your response to no more than 2 images and 200 words.

 

1.       The abnormal of the lighting-on time.

From the above figure, we could see that the light-on time of floor3 zone5 is not regular.

2.       From the other sensors location and detection result, considering the other sensors location of Hazium, the location of sensors at floor3 could not cover the most part of the prox zone compared with the other floor.

3.       For the trajectory, we found some abnormal conditions during the beginning 60 hours of data. For example, the staff gflorez001, who lose many proxy-card before has arrived the selected room for several times. Also, there is a staff, yfinny001, that has stayed in the room for a long time in the day. What’s more, from the figure below, the lost proxy-card with id pyoung001 was unauthorized charged in floor3.

4.       Compared with the other floors, the staff at the floor3 could be more important in this company, so we think that the criminal behaviors could be more possibly happened in the floor3.

With this additional sensor, we find that the Hazium concentration is extremely high compared with the former break-out of Hazium, so we could think this might be the course of the Hazium break-out.

 

MC3.3 – Describe anomalies or unusual events you saw in the last four hours of the data stream. 

a.       Describe specific anomalies or unusual events

b.      Which of these anomalies may be of greatest concern? What is your rationale?

Limit your response to no more than 10 images and 1000 words.

 

1. Absence and late of arrival

1) mvollan001 did not come for work during the last day, June 16^th.

 

2) On June 14^th and 15^th, ostrum001 was absent, and on June 16^th, he was late for the work, and arrived at the company at 10 o’clock.

 

2. Visiting new areas

Many people came to Floor2 Zone7 for the first time in the last four hours.

1) On June 16^th  around 11:31,  acampo001 arrived Floor2 Zone7, where he never went before.

 

2) On June 16^th, during 10:30 to 11:50, jholly001 also arrived at Floor2 Zone7.

 

3) On June 14^th, during 13:32 to 16:45, mbramar001 arrived this place first time. And he has never went there later before that.

We could get the information from mc2 that Floor2 Zone7 is the work place for the facilities department, the department that has some suspicious person we detected, such as pyoung001, gforez001.

 

3. Decrease in Hazium concentration

A major anomaly we found in these two days, is the abnormal pattern of HVAC system, and the rose in Hazium readings. But in the last 4 hours, the concentration of Hazium went down from the peak. Specifically, the extra f3z5 sensor shows the highest level of Hazium. It was also descending during the last four hours.

We found that the “Thermostat Cooling Setpoint” was set very high (29.7℃) at night (from 22:05 to 7:10 in the next day), while it was set low (15.6℃) in the day. As shown in the history records, this temperature should be between 24 and 26.7℃ in a normal day.

The change in setpoint temperature has affected lots of aspects, such as Thermostat Temp, SUPPLY INLET Temperature, SUPPLY INLET Mass Flow Rate, etc.

On the other hand, Hazium readings have risen in the two days. This pattern is similar to that appeared in June 7th and 8th, where the setpoint temperature was set low at night and high in the day, while the hazium readings also rised during the period.

 

4. On June 16th, at around 9:05 am, a majority of people gathered in #2365, which is far earlier than the daily meeting in the morning. Also, department of the staffs joining in this meet is mixed, including the information technology, engineering, facilities, and security.

 

5. On June 16th, at around 10:55am, the executive in the black box in the above figure, named ibarranco001, went to the Floor2 during the staffs’ meetings, which is different from his former trajectory pattern.

 

6. Another anomaly toke place at 10:40 in three zones: f2z4, f2z11 and f2z15. At this time point, the cooling temperature was not changed (second timeline), but the HVAC system reduced the input air, as shown in SUPPLY INLET Mass Flow Rate and SUPPLY INLET Temperature in the 3rd and 4th timelines. This led to a sharp drop in the air temperature in the first timeline. But after some time at 11:25, everything returned to normal.

 

MC3.4 – Mini-Challenge 3 asks you to develop ways of understanding developments in streaming data that take place even while you are away from the data.

a.       Describe how your team approached the challenge of catching up on events that took place while you were not monitoring the stream. What features of your software helped you to review past events and catch up on things you missed? 

b.      How could these features be used to help you reconsider recent data in light of new events?

Limit your response to no more than 10 images and 1000 words.

a. 

In our system, a warning stack view in the following image is used to pile the unresolved warnings and anomalies.

 

The data format of warnings in the stack is unified to the tuple (start time, length of time range, place type, place, attribute, value, reason), no matter the warning is related to building data or prox card data. Start time, length of time range, place, and attribute are displayed in the view as an entry that occupies a row. The warnings in the stack are grouped according to temporal similarity, so as to reduce the number of warnings.

Clicking an entry would make the system focus to the situation described in this entry. For example, clicking an entry displayed as (6.16 1:20, 645minutes, F1Z8A, Hazium) would make the timeline zoom to the time range from 6.16 1:20 to 6.16 12:05, the HVAC zone F1Z8A becomes selected, and the attribute Hazium becomes selected. Therefore, a timeline of Hazium concentration in HVAC zone F1Z8A with a focus time range of 6.16 1:20 to 6.16 12:05 is derived, as the following.

 

The warning stack can be viewed as a summary of the streaming data, which highlight the time range, area, and attribute of the event that might be interesting.

More specifically, for building data, the value of a certain attribute at a certain position that significantly deviates from its former distribution is regarded as abnormal. The former distribution is calculated from the sample of this attributes’ values at the same place and at the same time range.

For prox card data, the events of : 1. detection of a new prox ID card, 2. conflict between robot’s detection and prox zone detection, 3. jumping from a prox zone to another nonadjacent prox zone, are recorded.

 

With the streaming data coming in, the stack grows continuously, with new warnings pushed on the top, marking the latest event that is notice-worthy. While the user is not monitoring the system, the stack is still growing. When the user comes back, he can briefly view all the titles in the stack at first to get an overview. Then he can check the events by clicking and zooming into the context of the events. Double clicking the events to remove those warnings that are not of interest. For building data, only the warnings with top X greatest deviation are displayed, so as to limit the number of warning entries.

 

Besides, the streaming data are saved in our database, and can be displayed with a rate to speed up. The monitor view for displaying is shown as the following. The display rate and focused time range can be selected.

 

b.

The warning stack displays warning events detected by our system automatically from the streaming data. Instead of watching at all data manually, our system extracts events we need to notice as an entrance for streaming data analysis. Most recent events are placed on the top of warning stack. Each event contains mental information event type, time, place and ID for HAVC (attributes) or movement (prox-id). Users can click an event and system would reproduce the scene where the event happened.

 

For example, with the recommendation in this system, we check a Hazium attribute at the very beginning of the stack.

First, we choose F3Z1 Hazium, then attribute “Hazium”, place “F3Z1”, and the timerange get selected, and the line chart, product of selected place and attribute, is displayed.

Then, we check reheat point of F3Z9 starting at 6.15 11:00 and cooling point of F3Z9 starting at 6.15 11:00, because these two warnings last long.

As a result, we get three line charts, with abnormal part of it marked in red.

We easily observe the coexistence of abnormal time range of the three charts, which suggest that the relationships among them deserve further detailed verification.

 

On the other hand, for the trajectory part of our system, we support the simulation of each staffs’ movement. We define 3 different conditions (accurate, in office, in public) of the staffs’ locations according to certainty, because it is not the case that we know the exact position of all the staffs at a given time point. The locations of an employee could be divided into 4 categories: 1. a position detected by the robot (accurate position and ambiguous timestamp), 2. in the zone that contains the employees’ office (we assume that the staff stays in the office in this case), 3. a prox zone without the staff’s office but contains public area ,e.g. meeting room, (we assume that the staff stays in public area in this case) , 4. a prox zone without the staff’s office and public area (we regard such case as abnormal). Through this way, we could make the position more accurate with the fusion of prox zone data and robot data.

This part supports the replay of the staffs’ trajectory, when we find some interesting part of the staff’s trajectory, we could label the anomaly and replay the condition.

In order to save the analysis time, we use a trajectory monitor view which summarizes all staffs’ trajectory by displaying the time line for all the employees. It can updated with the streaming data, and support detection of abnormal conditions, including the conflict between the robot location and proxy-card location and the situation that the employee is staying at a zone without his office.