Storm detection, analysis, remediation, and other network behavior

US 10,348,549 B1
Filed: 03/23/2016
Issued: 07/09/2019
Est. Priority Date: 08/24/2015
Status: Active Grant

First Claim

Patent Images

1. Apparatus includinga network monitoring device coupleable to a communications network, said communication network providing network status information;

said network monitoring device coupleable to one or more management rules defining a behavior of said communication network, and including one or more instructions directing said network monitoring device to learn from behavior of said communication network;

said network monitoring device coupled to at least one of;

a remedial element coupled to said communication network, said remedial element accepting instructions from said network monitoring device;

an alert element coupled to one or more users of said communication network, said users being selected from;

users of resources coupleable to said communication network or managers or operators of said communication network,whereinsaid network monitoring device coupleable to a communication network is coupleable to at least one first type of device sending network data on their own behest, and at least one second type of device sending network status data upon the request of said network monitoring device;

said network monitoring device including a buffer of network status data, being divided into a plurality of clock ticks, each clock tick representing status data from a discernable past time;

when said network monitoring device maintains status data from said network at least temporarily in said buffer, at a location associated with said discernable past time; and

when said discernable past time exceeds a selected threshold, said network monitoring device reduces an effect of said status data from a particular discernable past time associated with said selected threshold.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A monitoring device responds to status data to detect storms, analysis, and to attempt to remediate those storms. The monitoring device several types of storms, for each of which it has a technique for analysis of the storm. The monitoring device can determine if the storm is due to resource contention, excess or unbalanced performance activity, or network degradation. Once analyzed, the monitoring device analyzes the storm, and attempts to remediate the cause of the storm.

16 Citations

View as Search Results

20 Claims

1. Apparatus includinga network monitoring device coupleable to a communications network, said communication network providing network status information;
- said network monitoring device coupleable to one or more management rules defining a behavior of said communication network, and including one or more instructions directing said network monitoring device to learn from behavior of said communication network;
  
  said network monitoring device coupled to at least one of;
  
  a remedial element coupled to said communication network, said remedial element accepting instructions from said network monitoring device;
  
  an alert element coupled to one or more users of said communication network, said users being selected from;
  
  users of resources coupleable to said communication network or managers or operators of said communication network,whereinsaid network monitoring device coupleable to a communication network is coupleable to at least one first type of device sending network data on their own behest, and at least one second type of device sending network status data upon the request of said network monitoring device;
  
  said network monitoring device including a buffer of network status data, being divided into a plurality of clock ticks, each clock tick representing status data from a discernable past time;
  
  when said network monitoring device maintains status data from said network at least temporarily in said buffer, at a location associated with said discernable past time; and
  
  when said discernable past time exceeds a selected threshold, said network monitoring device reduces an effect of said status data from a particular discernable past time associated with said selected threshold.

2. Apparatus includinga network monitoring device, the network monitoring device responsive to network status data from one or more reporting devices coupled to a distributed network monitoring environment, the distributed network monitoring environment having a plurality of endpoints coupled thereto, the endpoints disposed to access resources available using the distributed network monitoring environment;
- the network monitoring device including an alert storm detection element, an alert storm including an unusually large number of alerts all relating to the same resource at an endpoint, wherein the resource includes one or more of;
  
  processor time, memory utilization, storage utilization, network bandwidth utilization, application delivery utilization;
  
  the network monitoring device including an alert storm analysis element;
  
  the network monitoring device including an alert storm amelioration element.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 3. Apparatus as in claim 2,wherein the resource includes processor time, and the alert storm is responsive to a hypervisor at a device using sufficient processor time that virtual machines at that device are starved for resources.
  - 4. Apparatus as in claim 2,wherein the resource includes processor time, and the alert storm is responsive to resource contention between a hypervisor at a device and virtual machines hosted at that device.
  - 5. Apparatus as in claim 2,wherein the resource includes memory utilization, and the alert storm is responsive to a hypervisor at a device using sufficient memory that virtual machines at that device are starved for resources.
  - 6. Apparatus as in claim 2,wherein the resource includes memory utilization, and the alert storm is responsive to resource contention between a hypervisor at a device and virtual machines hosted at that device.
  - 7. Apparatus as in claim 2,wherein the resource includes storage utilization, and the alert storm is responsive to one or more of:
    - a data storage element at a device exhibits large latency, and virtual machines attempting to use that data storage element show a large number of disk operations per second;
      
      the data storage element at the device itself exhibits a large number of disk operations per second.
  - 8. Apparatus as in claim 2,wherein the resource includes storage utilization, and the alert storm is responsive to resource contention between a particular virtual machine and each other element attempting to use the data storage element.
  - 9. Apparatus as in claim 2,wherein the resource includes network bandwidth utilization, and the alert storm is responsive to a network interface that is exhibiting large utilization, and there are one or more paths between a computing device and a portion of the communications network that is exhibiting large latency.
  - 10. Apparatus as in claim 2,wherein the resource includes network bandwidth utilization, and the alert storm is responsive to resource contention between a particular computing device attempting to use the communication network and each other device attempting to use the communication network.
  - 11. Apparatus as in claim 2,wherein the resource includes application delivery utilization, and the alert storm is responsive to one or more of:
    - multiple application users are each using a particular remote application and exhibiting large application-specific traffic round-trip latency, exhibiting large jitter, or exhibiting large processing latency;
      
      the particular remote application is showing a larger number of sessions than rated, or is itself exhibiting large traffic round-trip latency, large jitter, or large processing delay.
  - 12. Apparatus as in claim 2,wherein the alert storm analysis element is responsive to one or more of:
    - unusual performance activity with respect to email, uploading, downloading, file-sharing, one or more application servers, one or more application clients;
      
      degradation of one or more of;
      
      a particular virtual machine, a particular application user, a particular desktop user.
  - 13. Apparatus as in claim 2,wherein the alert storm analysis element is responsive to one or more of:
    - identification of a particular set of endpoints responsible for the alert storm;
      
      identification of saturation of the distributed network monitoring environment.
  - 14. Apparatus as in claim 13,wherein when the identified particular set of endpoints includes all endpoints in the distributed network monitoring environment, the alert storm analysis element takes no action to restrain any of those endpoints.
  - 15. Apparatus as in claim 13,wherein when the identified particular set of endpoints includes all endpoints in the distributed network monitoring environment, the alert storm analysis element restrains all of those endpoints in like manner.
  - 16. Apparatus as in claim 13,wherein when the identified particular set of endpoints includes all endpoints in the distributed network monitoring environment, the alert storm analysis element selects a subset of endpoints to restrain.
  - 17. Apparatus as in claim 13,wherein when the identified particular set of endpoints is fewer than all endpoints in the distributed network monitoring environment, the alert storm analysis element restrains the identified particular set of endpoints.
  - 18. Apparatus as in claim 13,whereinthe alert storm analysis element is disposed to identify a second particular set of endpoints as suffering from a cause of the alert storm;
    - when the second particular set of endpoints includes all endpoints in the distributed network monitoring environment, the alert storm analysis element determines that the distributed network monitoring environment is underprovisioned.
  - 19. Apparatus as in claim 13,wherein when the alert storm analysis element identifies saturation of the distributed network monitoring environment, the alert storm analysis element sends a message to an operator of the distributed network monitoring environment.
  - 20. Apparatus as in claim 2, whereinthe network monitoring device is coupleable to one or more management rules defining a behavior of the distributed network monitoring environment, and including one or more instructions directing the network monitoring device to learn from behavior of the distributed network monitoring environment;
    - said network monitoring device coupled to at least one of;
      
      a remedial element coupled to said distributed network monitoring environment, said remedial element accepting instructions from said network monitoring device;
      
      an alerting element coupled to one or more users of said distributed network monitoring environment, said users being selected from;
      
      users of resources coupleable to said distributed network monitoring environment or managers or operators of said distributed network monitoring environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Virtual Instruments Worldwide, Inc.
Original Assignee
Virtual Instruments Corp.
Inventors
Jagannathan, Rangaswamy, Lee, Rosanna, Sanders, Darek, Lui, Jing, Kakatkar, Kishor
Primary Examiner(s)
Zand, Davoud A

Application Number

US15/079,039
Time in Patent Office

1,203 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/042   comprising distributed mana...

H04L 41/064   involving time analysis

H04L 41/065   involving logical or physic...

H04L 41/0681   Configuration of triggering...

H04L 41/0686   Additional information in t...

H04L 41/16   using machine learning or a...

H04L 43/16   Threshold monitoring

Storm detection, analysis, remediation, and other network behavior

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Storm detection, analysis, remediation, and other network behavior

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links