Apparatus and method for event correlation and problem...

Data processing: measuring – calibrating – or testing – Measurement system – Performance or efficiency evaluation

Reexamination Certificate

Details

C702S181000, C702S185000, C702S196000

Reexamination Certificate

active

06249755

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Technical Field
This invention relates to the field of event correlation and, more particularly, to a method and apparatus for efficiently determining the occurrence of and the source of problems in a complex system based on observable events. The invention has broad application to any type of complex system including computer networks, satellites, communication systems, weapons systems, complex vehicles such as spacecraft, medical diagnosis, and financial market analysis.
2. Related Information
As computer networks and other systems have become more complex, their reliability has become dependent upon the successful detection and management of problems in the system. Problems can include faults, performance degradation, intrusion attempts and other exceptional operational conditions requiring handling. Problems generate observable events, and these events can be monitored, detected, reported, analyzed and acted upon by humans or by programs. However, as systems have become more complex, the rate at which observable events occur has increased super-linearly, making problem management more difficult.
As an example, when the number of computer nodes in a network increases, the network complexity increases super-linearly with the number of nodes, with a concomitant increase in the fault rate. Compounding this problem of network complexity is fault propagation between both machines and network protocol layers; these propagated faults can generate additional events.
Automated management systems can help to cope with this increase in the number and complexity of events by (1) automating the collection and reporting of events, thereby reducing the load on human operators or programs; (2) using event correlation techniques to group distinct events, thereby compressing the event stream into a form more easily managed by human operators; (3) mapping groups of events to their underlying causes, thus reducing the time between faults and repairs; and (4) automatically correcting diagnosed problems, thereby minimizing operator intervention.
Event correlation and management techniques are a particularly important method of reducing the number of symptoms in a system which need to be analyzed and accurately determining the number and identity of discrete problems which need to be rectified. Unless events are correlated, a single problem in a single subsystem could result in multiple, uncoordinated corrective actions. This can lead to wasteful resources spent on duplicate efforts and inconsistent corrective actions which result in an escalation of problems.
Conventional and previously proposed approaches to managing faults in a system have failed to fully address the increase in complexity and have failed to provide adequate performance for large systems, as outlined more particularly herein. In order to discuss these problems, it is first necessary to understand these other approaches.
Event correlation and management approaches can be generally grouped into five categories: (1) rule-based reasoning; (2) case-based reasoning; (3) reasoning with generic models; (4) probability networks; and (5) model-based reasoning. In addition, a number of different architectures have been considered to carry out event correlation and management. In order to review these approaches, the following terminology is defined:
KNOWLEDGE REPRESENTATION: The format and means for representing knowledge about the system being monitored, such as the types of network components and the network topology. Such knowledge may be stored in a hierarchical relational or object-oriented database.
KNOWLEDGE ACQUISITION: The methods and means for acquiring the knowledge about the system to be monitored. Ideally, knowledge is automatically obtained during system operation to minimize human resource requirements. However, in actuality much knowledge acquisition involves humans familiar with the operation and idiosyncrasies of a system.
EVENT CORRELATION: The methods and means for detecting the occurrence of exceptional events in a complex system and identifying which particular event occurred and where it occurred. The set of events which occur and can be detected in the system over a period of time will be referred to as an “event stream.” It will be noted that the location of the event is not necessarily the location where it is observed, because events can propagate across related entities in a system. Although every possible reportable measurement (such as voltage level, disk error, or temperature level) could be considered to be an “event”, many of these measurements do not contribute to identifying exceptional events in the system. Event correlation takes as input an event stream, detects occurrence of exceptional events, identifies the particular events that have occurred, and reports them as an output.
Event correlation can take place in both the space and time dimensions. For example, two events whose sources are determined to be in the same protocol layer in the same network element may be related spatially. However, they may not be correlated if they occur on different days, because they would not be related temporally.
1. Rule-Based Reasoning Methods
One approach for correlating events in complex systems involves rule-based reasoning, such as expert systems. Rule-based expert systems generally contain two components:
(1) a working memory which represents knowledge of the current state of the system being monitored; and
(2) a rule base which contains expert knowledge in the form of “if-then” or “condition-action” rules. The condition part of each rule determines whether the rule can be applied based on the current state of the working memory; the action part of a rule contains a conclusion which can be drawn from the rule when the condition is satisfied.
Rule-based reasoning can proceed in one of two possible modes of operation. In FORWARD CHAINING mode, the working memory is constantly scanned for facts which can be used to satisfy the condition part of each rule. When a condition is found, the rule is executed. Executing a rule means that the working memory is updated based on the conclusion contained in the rule. These newly updated data can be used to satisfy the conditions of other rules, resulting in a “chain reaction” of rule executions.
In BACKWARD CHAINING mode, the system is presented with a “goal” working memory datum, which it is asked to either confirm or deny. The system searches for rules whose action part could assert the goal; for each such rule, the condition corresponding to the action is checked against the working memory to see if it is satisfied. The conditions can be satisfied by either finding the appropriate working memory data or by finding other rules whose conditions are satisfied which could assert the desired working memory data.
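The two chaining modes described above can be sketched as follows. This is an added illustration, not code from the patent; the rule base, the fact names and the sample event stream are constructed assumptions.

```python
# Added example: a tiny rule-based correlator. All rules and events are constructed.
# Each rule is (condition facts, concluded fact): the "if-then" form.
RULES = [
    ({"link_down:r1-r2", "ping_timeout:hostB"}, "unreachable:hostB"),
    ({"unreachable:hostB", "tcp_reset:app->hostB"}, "root_cause:link_r1-r2"),
    ({"auth_fail_burst:hostA", "new_admin_login:hostA"}, "suspected_intrusion:hostA"),
]

# Constructed event stream; note that new_admin_login:hostA was never observed.
EVENTS = {"link_down:r1-r2", "ping_timeout:hostB",
          "tcp_reset:app->hostB", "auth_fail_burst:hostA"}

def forward_chain(events, rules=RULES, max_passes=100):
    """Scan working memory, fire satisfied rules, repeat until nothing new fires."""
    memory = set(events)              # working memory seeded from the event stream
    fired = []                        # conclusions in the order they were drawn
    for _ in range(max_passes):       # safety bound on the number of scans
        ready = [a for c, a in rules if c <= memory and a not in memory]
        if not ready:
            return memory, fired      # fixed point: no rule adds a new fact
        for action in ready:
            memory.add(action)        # new facts may satisfy other rules next pass
            fired.append(action)
    raise RuntimeError("rule firing did not reach a fixed point")

def backward_chain(goal, events, rules=RULES, _seen=frozenset()):
    """Confirm or deny a goal fact by working back from rules that assert it."""
    if goal in events:
        return True                   # goal is directly present in working memory
    if goal in _seen:
        return False                  # cycle guard: do not re-derive a pending goal
    seen = _seen | {goal}
    return any(
        all(backward_chain(c, events, rules, seen) for c in cond)
        for cond, action in rules if action == goal
    )

if __name__ == "__main__":
    memory, fired = forward_chain(EVENTS)
    print("forward chain fired:", fired)
    for goal in ("root_cause:link_r1-r2", "suspected_intrusion:hostA"):
        print(goal, "->", backward_chain(goal, EVENTS))
```

The second rule fires only because the first rule's conclusion was written back to working memory, which is the "chain reaction" of forward chaining; the intrusion goal is denied because one of its conditions is absent from the stream.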
Rule-based expert systems benefit from straightforward knowledge acquisition because the “if-then” format of the rules often mimics the format of expert knowledge. The knowledge base can be incrementally modified because rules can be added or modified easily. However, attempts to automate knowledge acquisition for such systems have produced limited results.
Rule-based expert systems can be used to perform event detection and event correlation by providing a link between the working memory and the event stream. However, there are several inherent disadvantages. For example, for a very large knowledge base, the performance of the system can suffer exponentially with the number of condition parts of the rules. The search associated with rule-based systems can be of exponential complexity in the number of rules (size of knowledge base). It is difficult to ensure that firing sequences of a complex rule-based system actually terminate. The complexity of the search is also exponential in the size of the working memory. The working memory includes the events to be correlated. If the system involves a large number of events, the working memory (and therefore the search) may be unbounded. A rule based system can be very sensitive to lost or spur
