-
Notifications
You must be signed in to change notification settings - Fork 0
FAQ
This FAQ addresses common questions from different user groups: product managers, engineering teams, and operations teams working with PATAS in production.
PATAS uses a two-stage pipeline designed for large-scale processing:
-
Stage 1 (Fast Scanning): Processes all messages with deterministic patterns (URLs, phone numbers, keywords). This is fast and catches obvious spam cases without using expensive AI models.
-
Stage 2 (Deep Analysis): Only suspicious patterns from Stage 1 get expensive semantic analysis and AI treatment. This reduces API costs by 70-90% while maintaining high-quality pattern discovery.
Performance benchmarks:
- Ingestion: ~13,000 messages/second
- Pattern mining: 100K messages in ~7 seconds (two-stage pipeline)
- Scales to millions of messages efficiently
The system discovers patterns by meaning (not just keywords), groups similar messages using DBSCAN clustering, and generates transparent SQL rules with precision/recall metrics.
PATAS is designed to minimize costs through the two-stage approach:
- Stage 1: No AI costs (deterministic patterns only)
- Stage 2: Only 3-10% of messages require AI processing
- Cost savings: 70-90% reduction compared to processing all messages with AI
Cost factors:
- Embedding API calls (for semantic mining)
- LLM API calls (optional, for rule generation)
- Infrastructure (database, compute)
On-premise option: You can use local models (vLLM/TGI/Ollama) to eliminate API costs entirely. See Configuration Examples for details.
Initial setup to first results:
- Installation: 10-15 minutes
- Data ingestion: Depends on volume (~13K msg/s)
- First pattern mining: 7-30 seconds for 100K messages
- Rule generation: Immediate after pattern discovery
Typical timeline:
- Day 1: Setup and initial data ingestion
- Day 2-3: First patterns discovered, rules generated
- Week 1: Rules evaluated in shadow mode
- Week 2: First rules promoted to active (if metrics meet thresholds)
PATAS has multiple safety mechanisms:
- Shadow Evaluation: All rules are tested on historical data before activation
- Conservative Profile: Default profile requires precision ≥ 0.95 (≤5% false positives)
- Automatic Degradation: Rules are automatically deprecated if precision drops >10%
- Manual Review: Rules go through candidate → shadow → active lifecycle, allowing review at each stage
- SQL Safety: All generated SQL is validated for safety (whitelisted tables/columns, SELECT-only queries)
You can configure aggressiveness profiles (conservative, balanced, aggressive) based on your tolerance for false positives.
PATAS is API-first and designed for minimal integration effort:
- REST API: Standard HTTP endpoints for all operations
- Rule Export: Export rules in SQL, ROL (Rule Orchestrator Language), or custom formats
- Database: Works with PostgreSQL or SQLite
- No code changes required: PATAS runs as a separate service
Integration options:
- API Integration: Call PATAS API from your application
- Database Integration: PATAS reads from your message database
- File Import: Import logs via CSV/JSONL files
- Rule Export: Export generated rules to your rule engine
See API Reference for details.
Yes, PATAS supports full on-premise deployment:
- Local Embedding Models: Use BGE-M3 or similar models via vLLM/TGI/Ollama
- Local LLM Models: Use Mistral-7B or similar models for rule generation
- Privacy Mode STRICT: Disables all external API calls by default
- No data leaves your infrastructure: All processing happens locally
Recommended on-premise models:
- Embeddings:
BAAI/bge-m3(multilingual, strong performance) - LLM:
mistralai/Mistral-7B-Instruct-v0.2(compact, Apache 2.0 license)
See Configuration Examples for on-premise setup.
Recommended schedule:
- Initial setup: Run once to discover patterns from historical data
- Continuous operation: Run daily or weekly depending on spam volume
- Real-time: Can be triggered via API when new spam patterns are detected
Automation options:
- CLI: Use cron jobs or scheduled tasks
- API: Trigger via HTTP requests from your monitoring system
- Event-driven: Integrate with your message processing pipeline
Pattern mining is designed to be idempotent and can be run safely multiple times.
PATAS provides comprehensive metrics for each rule:
Core Metrics:
- Precision: Fraction of matches that are actually spam (spam_hits / total_hits)
- Recall: Fraction of spam messages caught (spam_hits / total_spam_count)
- F1-Score: Harmonic mean of precision and recall
- Coverage: Fraction of traffic matched by the rule
- Drift Detection: Tracks precision degradation over time
Access metrics via:
- API endpoints:
/api/v1/rules/{id}with evaluation data - Database: Query
rule_evaluationstable directly - Prometheus: Metrics exported for monitoring (see Monitoring)
Rules are evaluated continuously in shadow mode before promotion to active.
Yes, PATAS adapts automatically:
- Continuous Monitoring: Rules are evaluated regularly on new data
- Drift Detection: Automatic detection when rule precision drops >10%
- Automatic Deprecation: Degraded rules are automatically deprecated
- New Pattern Discovery: Regular pattern mining discovers new spam patterns
- Rule Evolution: System can update rules based on new data
Recommended workflow:
- Run pattern mining weekly to discover new patterns
- Monitor rule evaluations daily
- System automatically handles rule lifecycle (promotion/deprecation)
Yes, PATAS provides full transparency:
Rule Lifecycle:
- Candidate: Newly generated rules (can be reviewed)
- Shadow: Rules tested on historical data (evaluation metrics available)
- Active: Rules in production (monitored continuously)
- Deprecated: Rules that degraded (automatically or manually)
Review options:
- View rules via API:
/api/v1/rules?status=shadow - Check evaluation metrics before promotion
- Manual promotion: Only promote rules that meet your criteria
- Export rules for external review
You can configure the system to require manual approval before promoting rules to active.
Two-stage pipeline benefits:
-
Cost Efficiency: 70-90% reduction in AI/LLM API costs
- Stage 1: No AI costs (deterministic patterns)
- Stage 2: Only 3-10% of messages require AI processing
-
Performance: Faster processing of large volumes
- Stage 1: Fast scanning of all messages
- Stage 2: Deep analysis only for suspicious patterns
-
Scalability: Handles millions of messages efficiently
- Stage 1: O(n) complexity, processes in large batches
- Stage 2: O(n log n) with DBSCAN, processes smaller batches
-
Quality: Maintains high-quality pattern discovery
- Stage 1: Catches obvious spam patterns
- Stage 2: Finds subtle semantic patterns
Benchmark comparison:
- Single-stage: ~2 hours for 10M messages (with AI)
- Two-stage: ~20 minutes for 10M messages (70-90% cost savings)
DBSCAN advantages for spam pattern discovery:
- Automatic cluster count: No need to specify number of clusters (unlike K-means)
- Noise handling: Automatically identifies outliers (noise points)
- Arbitrary cluster shapes: Finds clusters of any shape (not just spherical)
- Performance: O(n log n) complexity with optimizations
- Density-based: Groups messages by semantic similarity density
Why not K-means:
- Requires knowing number of clusters in advance
- Assumes spherical clusters
- Doesn't handle noise well
- Less suitable for semantic similarity clustering
DBSCAN parameters:
-
eps: Cosine distance threshold (derived from similarity threshold, default 0.75) -
min_samples: Minimum messages per cluster (default 3)
Multilingual support:
- Embedding Models: Uses multilingual embedding models (e.g., BGE-M3) that support 100+ languages
- Language Detection: Detects message language automatically
- Language-Aware Clustering: Groups messages by semantic meaning across languages
- Pattern Discovery: Finds patterns regardless of language
Supported languages:
- Primary: English, Russian, Ukrainian (well-tested)
- Extended: All languages supported by multilingual embedding models
- Quality: Best on languages with sufficient training data in embedding model
Configuration:
- Embedding model:
BAAI/bge-m3(recommended for multilingual) - Language detection: Automatic via message metadata or text analysis
Database architecture:
- ORM: SQLAlchemy 2.0 with async/await
- Supported databases: PostgreSQL (production), SQLite (development)
- Migrations: Alembic-based migrations (see Migration Guide)
Key tables:
-
messages: Normalized message storage -
patterns: Discovered spam patterns -
rules: SQL blocking rules with lifecycle status -
rule_evaluations: Evaluation metrics (precision, recall, F1, coverage)
Scaling recommendations:
- PostgreSQL: Use connection pooling (default: 20 connections)
- Indexing: Automatic indexes on frequently queried columns
-
Partitioning: Consider partitioning
messagestable by timestamp for large volumes - Archiving: Archive old messages (>90 days) to reduce table size
Performance:
- Ingestion: ~13K messages/second
- Pattern mining: Optimized for large datasets with chunking
- Evaluation: Efficient queries with proper indexing
Recommended on-premise models:
Embeddings:
- BAAI/bge-m3: Multilingual, strong performance for RU/UK/EN spam logs
- Hardware: 8GB+ RAM, GPU optional but recommended
- Performance: ~1000 embeddings/second on CPU, ~5000/second on GPU
LLM:
- mistralai/Mistral-7B-Instruct-v0.2: Compact 7B model, Apache 2.0 license
- Hardware: 16GB+ RAM, GPU recommended (24GB+ VRAM)
- Performance: ~10-20 tokens/second on GPU
Deployment options:
- vLLM: Fast inference, good for production
- TGI: HuggingFace Text Generation Inference
- Ollama: Easy setup, good for development
Benchmarks:
- See Performance Guide for detailed benchmarks
- Quality: Comparable to OpenAI models for spam detection tasks
- Cost: $0 API costs, only infrastructure costs
Embedding cache strategy:
- Cache storage: In-memory cache with configurable size limits
- Cache key: Message text hash (deduplicates identical messages)
- Cache eviction: LRU (Least Recently Used) when cache is full
- Memory management: Configurable cache size to prevent OOM
Memory usage:
- Per embedding: ~1KB (1536 dimensions × 4 bytes)
- 100K messages: ~100MB cached embeddings
- 1M messages: ~1GB cached embeddings
Recommendations:
- Set cache size based on available memory
- Monitor cache hit rate (should be >80% for repeated patterns)
- Use Redis for distributed caching in multi-instance deployments
Configuration:
embedding_cache:
max_size: 100000 # Maximum cached embeddings
ttl_seconds: 86400 # Cache TTL (24 hours)LLM is optional and can be disabled:
With LLM:
- Pattern explanation and refinement
- Better rule generation for complex patterns
- Higher quality for semantic patterns
Without LLM:
- Deterministic pattern discovery still works
- Semantic clustering still works (via embeddings)
- Rule generation uses simpler heuristics
- Quality drop: ~10-15% for complex semantic patterns
Recommendation:
- Start without LLM: Use deterministic + semantic mining only
- Add LLM later: If you need better rule quality for complex patterns
- On-premise: Use local LLM if API costs are a concern
Configuration:
pattern_mining:
use_llm: false # Disable LLM, use embeddings onlyMulti-layer SQL safety:
-
SQL Parsing: Uses
sqlparselibrary for accurate SQL parsing - Whitelist Validation: Only allows queries on whitelisted tables/columns
- Operation Restrictions: Only SELECT queries allowed (no UPDATE/DELETE/INSERT)
- Injection Prevention: No semicolons, no subqueries, no UNION SELECT
- Coverage Limits: Rejects rules matching >80% of messages (too broad)
- LLM Validation: Optional LLM-based validation for additional safety
Safety checks:
- ✅ Whitelisted tables:
messages,reportsonly - ✅ Whitelisted columns: Only safe columns (text, is_spam, timestamp, etc.)
- ✅ No dangerous operations: DROP, DELETE, UPDATE, etc. are blocked
- ✅ No command chaining: Semicolons are rejected
- ✅ No complex queries: Subqueries and UNION are blocked
Testing:
- Comprehensive test suite for SQL safety
- Penetration testing recommended for production deployments
- See Security for details
Yes, multiple validation layers:
- LLM Prompt Engineering: Prompts explicitly request safe SELECT queries only
- SQL Safety Validator: All generated SQL is validated before storage
- Whitelist Enforcement: Only whitelisted tables/columns are allowed
- Coverage Check: Rules matching too many messages are rejected
- Fallback: If validation fails, rule is rejected and logged
Error handling:
- Invalid SQL: Rule is rejected, error logged
- Retry: System can retry rule generation with adjusted prompts
- Fallback: Falls back to deterministic rules if LLM fails
Monitoring:
- All validation failures are logged
- Metrics track validation success rate
- Alerts can be configured for high failure rates
PII redaction support:
Redacted data types:
- Social Security Numbers (SSN)
- Passport numbers
- Driver license numbers
- Bank account numbers
- Credit card numbers
- Phone numbers (optional)
- Email addresses (optional)
Redaction modes:
- STANDARD: Redacts PII from logs and API responses
- STRICT: Additional redaction, disables external API calls by default
OCR text redaction:
- PII in OCR-extracted text is also redacted
- Supports multiple languages and formats
Configuration:
privacy_mode: STRICT # Enable strict PII redaction
pii_redaction:
enabled: true
redact_phones: true
redact_emails: trueCompliance:
- GDPR-compliant data handling
- No PII stored in embeddings or LLM prompts (in STRICT mode)
- See Privacy and Data Protection for details
Performance benchmarks:
Ingestion:
- Throughput: ~13,000 messages/second
- Latency: <10ms per message (batch processing)
Pattern Mining:
- 100K messages: ~7 seconds (two-stage pipeline)
- 1M messages: ~2-3 minutes
- 10M messages: ~20-30 minutes
Rule Evaluation:
- Per rule: <100ms for 100K messages
- Batch evaluation: Parallel evaluation of multiple rules
API Endpoints:
- Analyze endpoint: ~500ms for 1000 messages
- Health check: <10ms
Scaling:
- Horizontal scaling: Run multiple instances behind load balancer
- Database: Use read replicas for evaluation queries
- Caching: Embedding cache reduces redundant API calls
Hardware recommendations:
- Small (<1M messages/day): 4 CPU, 8GB RAM
- Medium (1-10M messages/day): 8 CPU, 16GB RAM
- Large (>10M messages/day): 16+ CPU, 32GB+ RAM, GPU recommended
Load handling mechanisms:
- Rate Limiting: Configurable rate limits per API key
- Graceful Degradation: Falls back to simpler processing when overloaded
- Queue Management: Request queuing when system is busy
- Circuit Breakers: Stops calling external services if they fail repeatedly
- Timeout Handling: Configurable timeouts prevent hanging requests
Graceful degradation:
- Embedding service down: Falls back to deterministic patterns only
- LLM service down: Uses rule generation heuristics instead
- Database slow: Returns cached results when available
- High load: Prioritizes critical operations, queues non-critical
Configuration:
rate_limiting:
enabled: true
requests_per_minute: 1000
graceful_degradation:
enabled: true
fallback_to_deterministic: trueResource requirements for 1M messages:
Memory:
- Base system: ~500MB
- Message storage: ~50MB (compressed)
- Embedding cache: ~1GB (if caching enabled)
- Pattern mining: ~2GB peak (temporary during processing)
- Total: ~3-4GB recommended
CPU:
- Ingestion: 2-4 cores
- Pattern mining: 4-8 cores (benefits from parallelization)
- Evaluation: 2-4 cores
- Total: 8 cores recommended for 1M messages
Storage:
- Database: ~100MB for 1M messages
- Logs: ~50MB
- Total: ~150MB
Scaling:
- 10M messages: 16GB RAM, 16 cores
- 100M messages: 64GB+ RAM, 32+ cores, GPU recommended
Optimization tips:
- Use database connection pooling
- Enable embedding caching
- Archive old messages (>90 days)
- Use two-stage pipeline to reduce AI costs
Understanding precision:
- Precision 0.95 means 95% of matches are spam, 5% are false positives
- For high-traffic systems, 5% false positives can still be significant
- Example: 1M messages/day, 10% coverage = 100K matches, 5K false positives
Solutions:
- Use Conservative Profile: Requires precision ≥ 0.98 (2% false positives)
- Adjust Coverage: Rules with lower coverage have fewer false positives
- Manual Review: Review high-coverage rules before promotion
- Custom Thresholds: Configure custom precision thresholds per rule type
Interpreting metrics:
- Precision: Fraction of matches that are spam (higher is better)
- Recall: Fraction of spam caught (higher is better)
- F1-Score: Balance between precision and recall
- Coverage: Fraction of traffic matched (lower = fewer false positives)
Recommendation: Use precision ≥ 0.98 for high-traffic systems, precision ≥ 0.95 for low-traffic systems.
Enable semantic mining:
Semantic mining finds patterns by meaning, not exact words:
-
Enable Semantic Mining: Set
enable_semantic_mining: true - Adjust Similarity Threshold: Lower threshold (0.70-0.75) finds more variations
- Use Embeddings: Semantic similarity via embeddings catches synonyms and variations
- DBSCAN Clustering: Groups semantically similar messages
Configuration:
pattern_mining:
use_semantic: true
semantic_similarity_threshold: 0.75 # Lower = more variations
semantic_min_cluster_size: 3Tuning:
- Higher threshold (0.80+): More precise, fewer variations
- Lower threshold (0.70-0.75): More variations, may include false positives
- Test and adjust: Start with 0.75, adjust based on results
Common reasons:
- Threshold too high: Pattern doesn't meet minimum spam count threshold
- Insufficient data: Need at least 10 spam messages for pattern (configurable)
- Semantic mining disabled: Deterministic patterns only catch exact matches
- Pattern too diverse: Messages vary too much for clustering
Solutions:
-
Lower thresholds: Reduce
min_spam_countandmin_spam_ratio - Enable semantic mining: Finds patterns by meaning, not exact words
- Increase data: More historical data improves pattern discovery
- Manual patterns: Add manual patterns for known spam types
Diagnostics:
- Check pattern mining logs for rejected patterns
- Review
min_spam_countandmin_spam_ratiosettings - Verify semantic mining is enabled
- Check if messages are too diverse (low similarity scores)
Recommended schedule:
- Initial training: Once on historical data (last 30-90 days)
- Continuous updates: Run pattern mining weekly or bi-weekly
- Rule evaluation: Daily or weekly to detect drift
- Automatic retraining: System automatically discovers new patterns
Drift detection:
- Automatic monitoring: Tracks precision over time
- Degradation threshold: Rules deprecated if precision drops >10%
- New pattern discovery: Weekly pattern mining finds new spam patterns
Configuration:
rule_lifecycle:
shadow_evaluation:
evaluation_window_days: 7 # Evaluate weekly
deprecation:
precision_drop_threshold: 0.10 # 10% drop triggers reviewBest practices:
- Monitor rule evaluations weekly
- Run pattern mining weekly to discover new patterns
- Review deprecated rules to understand why they degraded
- Adjust thresholds based on spam pattern evolution
Optimization strategies:
- Use Two-Stage Pipeline: Reduces processing time by 70-90%
- Increase Chunk Size: Larger chunks reduce overhead (default: 10K)
- Disable LLM: LLM adds significant time, disable if not needed
- Optimize Embeddings: Use faster embedding models or disable semantic mining
- Parallel Processing: Run pattern mining on time windows in parallel
Expected performance:
- Without optimization: ~2 hours for 10M messages
- With two-stage: ~20-30 minutes for 10M messages
- With optimizations: ~10-15 minutes for 10M messages
Configuration:
pattern_mining:
enable_two_stage_processing: true
stage1_chunk_size: 10000 # Increase for faster processing
stage2_chunk_size: 1000
use_llm: false # Disable if not needed
use_semantic: true # Keep enabled for qualityHardware:
- CPU: More cores = faster processing (parallelization)
- GPU: Accelerates embedding generation (5-10x faster)
- Memory: More RAM allows larger chunks
Faster embedding options:
-
Smaller Models: Use smaller embedding models (faster, slightly lower quality)
-
text-embedding-3-small(OpenAI): Fast, good quality -
all-MiniLM-L6-v2(local): Very fast, lower quality
-
-
Batch Optimization: Increase batch size (default: 2048)
- Larger batches = fewer API calls = faster processing
- Local models: Use batch size 512-1024
-
GPU Acceleration: Use GPU for local models (5-10x faster)
- vLLM/TGI with GPU: ~5000 embeddings/second
- CPU only: ~1000 embeddings/second
-
Caching: Enable embedding cache to avoid regenerating embeddings
-
Disable Semantic Mining: Use deterministic patterns only (fastest)
Performance comparison:
- OpenAI text-embedding-3-small: ~2000 embeddings/second
- BGE-M3 (GPU): ~5000 embeddings/second
- BGE-M3 (CPU): ~1000 embeddings/second
- all-MiniLM-L6-v2 (CPU): ~2000 embeddings/second
Recommendation: Use GPU-accelerated BGE-M3 for best performance/quality balance.
Data retention strategy:
Recommended retention:
- Messages: 90 days (sufficient for pattern discovery)
- Patterns: Keep indefinitely (small size)
- Rules: Keep indefinitely (small size)
- Evaluations: 180 days (for trend analysis)
Archiving:
- Archive messages older than 90 days to separate table or storage
- Keep message IDs and metadata for reference
- Patterns and rules reference message IDs (not full text)
Configuration:
data_retention:
messages_days: 90
evaluations_days: 180
archive_enabled: true
archive_table: "messages_archive"Storage optimization:
- Compression: Enable database compression
- Partitioning: Partition messages table by timestamp
- Indexing: Only index frequently queried columns
- Cleanup: Regular cleanup of old evaluation data
Scripts:
- Use provided archiving scripts to move old data
- See Deployment Guide for details
Horizontal scaling strategies:
- Multiple Instances: Run multiple PATAS instances behind load balancer
- Database Scaling: Use read replicas for evaluation queries
- Distributed Processing: Partition data by time windows, process in parallel
- Caching Layer: Use Redis for distributed embedding cache
- Message Queue: Use message queue for async processing
Architecture:
Load Balancer
↓
[PATAS Instance 1] [PATAS Instance 2] [PATAS Instance 3]
↓ ↓ ↓
[PostgreSQL Primary] ← [PostgreSQL Replica] ← [PostgreSQL Replica]
↓
[Redis Cache]
Configuration:
- Connection pooling: Increase pool size for multiple instances
- Shared cache: Use Redis for distributed caching
- Partitioning: Partition pattern mining by time windows
Limitations:
- Pattern mining is currently single-instance (can be parallelized by time windows)
- Database becomes bottleneck at very large scales
- Consider data partitioning and sharding for 100M+ messages
Yes, pattern mining can be parallelized:
- Time Window Partitioning: Split data into time windows (e.g., daily/weekly)
- Parallel Execution: Run pattern mining on each window in parallel
- Result Merging: Merge discovered patterns from all windows
- Deduplication: Remove duplicate patterns across windows
Implementation:
- Use separate database connections for each parallel job
- Process different time ranges concurrently
- Merge results after all jobs complete
Example:
# Process last 30 days in 6 parallel jobs (5 days each)
windows = [
(0, 5), (5, 10), (10, 15), (15, 20), (20, 25), (25, 30)
]
# Run pattern mining on each window in parallelConsiderations:
- Database connection limits
- Memory usage per job
- Result merging complexity
- Pattern deduplication
Multi-instance deployment:
Current support:
- Stateless API: API endpoints are stateless, can run multiple instances
- Shared Database: All instances share same database
- Distributed Cache: Use Redis for shared embedding cache
Not yet supported:
- Automatic clustering/discovery
- Shared state management
- Distributed pattern mining coordination
Recommended setup:
- Load Balancer: Route requests to multiple PATAS instances
- Shared Database: All instances connect to same PostgreSQL
- Redis Cache: Shared embedding cache across instances
- Session Affinity: Not required (stateless API)
Configuration:
deployment:
instances: 3
load_balancer: nginx # or AWS ALB, etc.
database: shared_postgresql
cache: redis_clusterLimitations:
- Pattern mining should run on single instance (or coordinate via external scheduler)
- Rule promotion should be coordinated (use database locks)
Graceful degradation:
If embedding service is unavailable:
- Falls back to deterministic patterns: System continues with URL/keyword/phone patterns
- No semantic mining: Semantic pattern discovery is disabled
- Rule generation continues: Uses deterministic rule generation
- No data loss: All functionality except semantic mining continues
Configuration:
graceful_degradation:
enabled: true
fallback_to_deterministic: true
embedding_service_timeout: 30 # secondsMonitoring:
- Health checks detect embedding service failures
- Metrics track fallback usage
- Alerts can be configured for service failures
Recovery:
- System automatically resumes semantic mining when service recovers
- No manual intervention required
Error handling for LLM failures:
- SQL Validation: All generated SQL is validated before storage
- Retry Logic: Failed generations are retried (up to 3 times by default)
- Fallback: Falls back to deterministic rule generation if LLM fails
- Error Logging: All failures are logged for debugging
Invalid SQL handling:
- Validation failure: Rule is rejected, error logged
- Retry: System retries with adjusted prompt
- Fallback: Uses deterministic rule generation heuristics
- No data corruption: Invalid rules are never stored
Configuration:
llm:
max_retries: 3
timeout_seconds: 30
fallback_to_deterministic: trueMonitoring:
- Track LLM success/failure rates
- Alert on high failure rates
- Review error logs for pattern issues
Idempotency and recovery:
Pattern mining is designed to be idempotent:
- Can be safely rerun multiple times
- Duplicate patterns are automatically deduplicated
- No data corruption from interrupted runs
Recovery:
- Restart pattern mining: Simply rerun the command
- Deduplication: System automatically handles duplicate patterns
- No manual cleanup: No need to clean up partial results
Best practices:
- Run pattern mining in transactions (automatic rollback on failure)
- Use database backups before large pattern mining runs
- Monitor pattern mining progress via logs
Checkpointing (future enhancement):
- Planned: Save progress checkpoints during long runs
- Resume from last checkpoint if interrupted
Critical metrics to monitor:
- Pattern Discovery Rate: Number of new patterns discovered per day/week
- Rule Quality: Average precision/recall of active rules
- False Positive Rate: Number of legitimate messages blocked
- System Performance: API latency, throughput, error rates
- Cost Metrics: LLM/embedding API costs, infrastructure costs
Prometheus metrics:
-
patas_patterns_discovered_total: Total patterns discovered -
patas_rules_active: Number of active rules -
patas_rules_precision: Average precision of active rules -
patas_api_latency_seconds: API response latency -
patas_llm_calls_total: Total LLM API calls -
patas_embedding_calls_total: Total embedding API calls
Grafana dashboards:
- See Monitoring Guide for ready-made dashboards
- Custom dashboards can be created from Prometheus metrics
SLA recommendations:
- API latency: P95 < 500ms
- Pattern discovery: >10 patterns/week (depends on spam volume)
- Rule precision: >0.95 average
- System uptime: >99.9%
Drift detection and alerting:
Automatic drift detection:
- Tracks precision over time for each rule
- Detects precision drops >10% (configurable)
- Automatically deprecates degraded rules
Alerting configuration:
monitoring:
alerts:
enabled: true
precision_drop_threshold: 0.10 # Alert if precision drops 10%
false_positive_threshold: 20 # Alert if 20+ false positives
rule_degradation_threshold: 0.15 # Alert if precision drops 15%Integration options:
- Prometheus Alertmanager: Configure alerts via Prometheus
- Webhooks: Send alerts to Slack, PagerDuty, etc.
- Email: Email notifications for critical alerts
Metrics:
-
patas_rule_precision_drop: Precision drop percentage -
patas_rule_false_positives: Number of false positives -
patas_rules_deprecated_total: Total deprecated rules
Best practices:
- Monitor rule evaluations daily
- Set up alerts for precision drops >10%
- Review deprecated rules weekly to understand degradation causes
Cost tracking:
CostGuard module:
- Tracks all LLM and embedding API calls
- Calculates costs based on provider pricing
- Provides cost reports and alerts
Cost factors:
- Embedding API: Cost per 1K tokens (varies by provider)
- LLM API: Cost per 1K tokens (varies by model)
- Infrastructure: Database, compute, storage costs
- On-premise: Only infrastructure costs (no API costs)
Cost optimization:
- Two-stage pipeline: 70-90% cost reduction
- Embedding cache: Reduces redundant API calls
- Disable LLM: Eliminates LLM costs (slight quality trade-off)
- On-premise: Zero API costs
Monitoring:
- Daily/weekly cost reports
- Budget alerts when costs exceed thresholds
- Cost breakdown by operation (mining, evaluation, etc.)
Configuration:
cost_guard:
enabled: true
budget_limit: 1000 # USD per month
alert_threshold: 0.80 # Alert at 80% of budgetThreshold calibration guide:
Key thresholds:
-
Pattern Mining Thresholds:
-
min_spam_count: Minimum spam messages for pattern (default: 10) -
min_spam_ratio: Minimum spam ratio (default: 0.05 = 5%) -
semantic_similarity_threshold: Clustering threshold (default: 0.75)
-
-
Rule Promotion Thresholds:
-
min_precision: Minimum precision for promotion (default: 0.95) -
max_ham_hits: Maximum false positives allowed (default: 5) -
min_sample_size: Minimum evaluation sample (default: 100)
-
Calibration process:
- Start with defaults: Use conservative defaults
- Run pattern mining: Discover initial patterns
- Evaluate rules: Check precision/recall metrics
- Adjust thresholds: Lower thresholds if missing patterns, raise if too many false positives
- Iterate: Repeat until optimal balance
Recommendations by spam type:
-
Concentrated spam (same pattern repeated): Lower
min_spam_count, highermin_spam_ratio -
Distributed spam (many variations): Lower
semantic_similarity_threshold, enable semantic mining -
High false positive tolerance: Lower
min_precision, highermax_ham_hits -
Low false positive tolerance: Higher
min_precision, lowermax_ham_hits
Tools:
- Use calibration scripts to find optimal thresholds
- See Configuration Guide for details
Custom aggressiveness profiles:
Current profiles:
- Conservative: Precision ≥ 0.95, max 5 false positives
- Balanced: Precision ≥ 0.90, max 10 false positives
- Aggressive: Precision ≥ 0.85, max 20 false positives
Creating custom profile:
from app.v2_promotion import AggressivenessProfile
custom_profile = AggressivenessProfile(
min_precision=0.92, # Between conservative and balanced
max_ham_hits=8, # Between conservative and balanced
min_coverage=0.01,
min_sample_size=100,
)Configuration:
rule_lifecycle:
promotion:
min_precision: 0.92
max_ham_hits: 8
min_coverage: 0.01
min_sample_size: 100API:
- Use promotion API with custom thresholds
- See API Reference for details
Semantic similarity threshold tuning:
Threshold ranges:
- 0.80-0.85: Very strict, only very similar messages (fewer false positives, may miss variations)
- 0.75-0.80: Balanced (recommended default)
- 0.70-0.75: More lenient, catches more variations (may include some false positives)
- <0.70: Very lenient, many variations (higher false positive risk)
Tuning process:
- Start with 0.75: Good default balance
- Evaluate clusters: Check if similar messages are grouped together
-
Adjust based on results:
- Too many small clusters → Lower threshold
- Too many false positives → Raise threshold
- Missing variations → Lower threshold
- Test on sample data: Validate before applying to full dataset
Tools:
- Use clustering visualization to inspect cluster quality
- Run calibration script to find optimal threshold
- See Configuration Guide for details
Recommendation: Start with 0.75, adjust ±0.05 based on results.
Alerting integration options:
Current support:
- Prometheus Alertmanager: Native integration
- Webhooks: HTTP webhooks for custom integrations
- Metrics export: Prometheus metrics for external alerting
Webhook configuration:
monitoring:
webhooks:
- url: "https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
events: ["rule_degraded", "high_false_positives"]
- url: "https://api.pagerduty.com/incidents"
events: ["critical_errors"]Prometheus Alertmanager:
- Configure alert rules in Prometheus
- Route alerts to Slack, PagerDuty, email, etc.
- See Monitoring Guide for examples
Future enhancements:
- Direct Slack integration (planned)
- Direct PagerDuty integration (planned)
- More webhook event types
Yes, PATAS supports analysis-only mode:
Propose-only mode:
- Generate patterns and rules
- Evaluate rules in shadow mode
- Do not automatically promote to active
- Manual review and promotion required
Configuration:
modes:
propose_only: true # Generate but don't auto-activate
shadow_mode: true # Test rules before activation
safe_auto_ban: false # Disable automatic promotionWorkflow:
- Run pattern mining → Discover patterns
- Generate rules → Rules created as "candidate"
- Evaluate rules → Rules tested in shadow mode
- Manual review → Review metrics and decide
- Manual promotion → Promote rules that meet criteria
API:
- Use promotion API with
auto_promote: false - Review rules via API before promotion
- See API Reference for details
Custom rule export:
Current export formats:
- SQL: Standard SQL SELECT queries
- ROL: Rule Orchestrator Language (JSON format)
Creating custom backend:
from app.v2_rule_backend import RuleBackend
class CustomRuleBackend(RuleBackend):
def render_rule(self, rule: Rule) -> str:
# Convert rule to your custom format
return custom_format_string
def export_rules(self, rules: List[Rule]) -> Any:
# Export multiple rules
return custom_export_formatIntegration:
- Register custom backend in code
- Use export API with custom backend type
- See Rule Export Guide for details
Future enhancement:
- Plugin system for custom backends (planned)
- Quick Start Guide - Get started with PATAS
- API Reference - Complete API documentation
- Configuration Guide - Configuration options
- Deployment Guide - Production deployment
- Performance Guide - Performance optimization
- Monitoring Guide - Monitoring and alerting
For more questions or support, please open an issue on GitHub.