Ranking network anomalies in an anomaly cluster

US 10,454,753 B2
Filed: 04/23/2017
Issued: 10/22/2019
Est. Priority Date: 07/28/2013
Status: Active Grant

First Claim

Patent Images

1. A system including one or more processors coupled to memory, the memory loaded with computer instructions to rank anomalies in an anomaly cluster, the instructions, when executed on the processors, implement actions comprising:

accessing performance data for a multiplicity of metrics across a multiplicity of resources on a network and automatically setting criteria based on the performance data over time that qualifies a subset of the performance data as anomalous instance data, wherein the anomalous instance data are grouped in a cluster of operation anomalies that are interrelated as cascading failures traced over active network communication paths among resources, wherein the communication paths propagate anomalous performances;

constructing a map that graphically depicts propagation of the anomalous performances along the active network communication paths as edges between nodes representing the resources; and

calculating impact rankings for the nodes, based at least on attributes of the resources exhibiting anomalous performances.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The technology disclosed relates to organizing network performance metrics into historical anomaly dependency data. In particular, it relates to calculating cascading failure relationships between correlated anomalies detected in a network. It also relates to illustrating to a network administrator causes of system failure by laying out the graph to show a progression over time of the cascading failures and identify root causes of the cascading failures. It also relates to ranking anomalies and anomaly clusters in the network based on attributes of the resources exhibiting anomalous performances and attributes of the anomalous performances. It further relates to depicting evolution of resource failures across a network by visually coding impacted resources and adjusting the visual coding over time and allowing replay over time to visualize propagation of anomalous performances among the impacted resource.

Citations

19 Claims

1. A system including one or more processors coupled to memory, the memory loaded with computer instructions to rank anomalies in an anomaly cluster, the instructions, when executed on the processors, implement actions comprising:
- accessing performance data for a multiplicity of metrics across a multiplicity of resources on a network and automatically setting criteria based on the performance data over time that qualifies a subset of the performance data as anomalous instance data, wherein the anomalous instance data are grouped in a cluster of operation anomalies that are interrelated as cascading failures traced over active network communication paths among resources, wherein the communication paths propagate anomalous performances;
  
  constructing a map that graphically depicts propagation of the anomalous performances along the active network communication paths as edges between nodes representing the resources; and
  
  calculating impact rankings for the nodes, based at least on attributes of the resources exhibiting anomalous performances.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein resource attributes include predetermined importance values assigned to the resources exhibiting anomalous performances.
  - 3. The system of claim 1, wherein resource attributes include visibility of the resources exhibiting anomalous performances.
  - 4. The system of claim 1, wherein resource attributes include conditions of service level agreements violated by anomalous performances of the resources.
  - 5. The system of claim 1, further implementing actions comprising ranking anomaly clusters by:
    - accessing performance data for a multiplicity of metrics across a multiplicity of resources on a network and automatically setting criteria based on the performance data over time that qualifies a subset of the performance data as anomalous instance data;
      
      grouping the anomalous instance data into an anomaly cluster including anomaly nodes that represent detected anomalies that compromise respective resources and probability weighted directed edges connecting correlated anomaly nodes, wherein the probability weighted directed edges express strength of a correlation between the correlated anomaly nodes that are connected by the edges;
      
      scoring importance of the anomaly cluster by calculating anomaly node importance values for anomaly nodes in the cluster, propagating the anomaly node importance values to terminal nodes in the anomaly cluster and aggregating the propagated anomaly values of the terminal nodes; and
      
      repeating the scoring for a plurality of anomaly clusters and reporting at least relative scoring of the anomaly clusters for further processing.

6. A system including one or more processors coupled to memory, the memory loaded with computer instructions to depict evolution of resource failures across a network, the instructions, when executed on the processors, implement actions comprising:
- constructing a resource connectivity graph with services indicated grouped within resource blocks, wherein the resource blocks are connected to represent an active communication network path among the resources;
  
  visually coding record instances in resource blocks and resource blocks to indicate impaired performance due to anomalies occurred at the services; and
  
  adjusting the visual coding over time and allowing replay over time to visualize propagation of anomalous performances among the resource blocks.

7. A system including one or more processors coupled to memory, the memory loaded with computer instructions to organize network performance metrics into historical anomaly dependency data, the instructions, when executed on the processors, implement actions comprising:
- accessing performance data for a multiplicity of metrics across a multiplicity of resources on a network and automatically setting criteria based on the performance data over time that qualifies a subset of the performance data as anomalous instance data;
  
  constructing a map of active network communication paths that carry communications among first and second resources subject to anomalous performance and representing the active network communication paths as edges between nodes representing first and second resources, thereby forming connected node pairs;
  
  calculating cascading failure relationships from time-stamped anomalous instance data for the connected node pairs, wherein the cascading failure relationships are based at least in part on whether conditional probabilities of anomalous performance of the second resources given prior anomalous performance of the first resources exceed a predetermined threshold;
  
  wherein calculating the conditional probabilities makes use of a statistical measure of likelihood;
  
  conditional probability=p(anomalous second service|anomalous first service); and
  
  automatically representing the anomalous performance of the second resource as a cascading failure resulting from the anomalous performance of the first resource based on the calculated cascading failure relationships.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the time-stamped anomalous instance data identify at least start times of anomalous performances of the first and second resources that are within a predetermined time period, further including automatically representing anomalous performance of the second resource as a cascading failure resulting from the anomalous performance of the first resource.
  - 9. The system of claim 7, wherein the time-stamped anomalous instance data identify at least end times of anomalous performances of the first and second resources that are within a predetermined time period, further including automatically representing anomalous performance of the second resource as a cascading failure resulting from the anomalous performance of the first resource.
  - 10. The system of claim 7, further including calculating cascading failure relationships based at least in part on historical frequency of anomalous performance of the second resources given prior anomalous performance of the first resources.
  - 11. The system of claim 7, further implementing actions comprising illustrating to a network administrator causes of system failure by:
    - generating for display a cluster of operation anomalies that are interrelated as cascading failures in an anomaly impact graph, including;
      
      depicting anomalous instance data in the cluster as nodes in a plot;
      
      representing active network communication paths that carry communications among first and second resources subject to anomalous performances as edges between the nodes, thereby forming connected node pairs; and
      
      depicting at least part of the plot to show a progression over time of the cascading failures for the connected node pairs and to identify one or more root causes of the cascading failures.
  - 12. The system of claim 7, further implementing actions comprising illustrating to a network administrator causes of system failure by:
    - generating for display an anomaly impact graph interface that depicts a cluster of operation anomalies that are interrelated as cascading failures, including;
      
      nodes in a diagram that represent anomalous instance data for different resources in the cluster;
      
      edges between the nodes that represent active network communication path data for communications among first and second resources, wherein the edges and nodes form connected node pairs; and
      
      arrangement of the diagram that shows progression over time of cascading failure result links between anomalous performances of the first and second resources occurring within a predetermined time period.

13. A computer implemented method to rank anomalies in an anomaly cluster, including:
- accessing performance data for a multiplicity of metrics across a multiplicity of resources on a network and automatically setting criteria based on the performance data over time that qualifies a subset of the performance data as anomalous instance data, wherein the anomalous instance data are grouped in a cluster of operation anomalies that are interrelated as cascading failures traced over active network communication paths among resources, wherein the communication paths propagate anomalous performances;
  
  constructing a map that graphically depicts propagation of the anomalous performances along the active network communication paths as edges between nodes representing the resources; and
  
  calculating impact rankings for the nodes, based at least on attributes of the resources exhibiting anomalous performances.
- View Dependent Claims (14)
- - 14. The computer implemented method of claim 13, further including ranking anomaly clusters by:
    - accessing performance data for a multiplicity of metrics across a multiplicity of resources on a network and automatically setting criteria based on the performance data over time that qualifies a subset of the performance data as anomalous instance data;
      
      grouping the anomalous instance data into an anomaly cluster including anomaly nodes that represent detected anomalies that compromise respective resources and probability weighted directed edges connecting correlated anomaly nodes, wherein the probability weighted directed edges express strength of a correlation between the correlated anomaly nodes that are connected by the edges;
      
      scoring importance of the anomaly cluster by calculating anomaly node importance values for anomaly nodes in the cluster, propagating the anomaly node importance values to terminal nodes in the anomaly cluster and aggregating the propagated anomaly values of the terminal nodes; and
      
      repeating the scoring for a plurality of anomaly clusters and reporting at least relative scoring of the anomaly clusters for further processing.

15. A computer implemented method to rank anomalies in an anomaly cluster, including:
- accessing performance data for a multiplicity of metrics across a multiplicity of resources on a network and automatically setting criteria based on the performance data over time that qualifies a subset of the performance data as anomalous instance data, wherein the anomalous instance data are grouped in a cluster of operation anomalies that are interrelated as cascading failures traced over active network communication paths among resources, wherein the communication paths propagate anomalous performances;
  
  constructing a map that graphically depicts propagation of the anomalous performances along the active network communication paths as edges between nodes representing the resources; and
  
  calculating impact rankings for the nodes, based at least on attributes of the anomalous performances.

16. A computer implemented method to depict evolution of resource failures across a network, the method including:
- constructing a resource connectivity graph with services indicated grouped within resource blocks, wherein the resource blocks are connected to represent an active communication network path among the resources;
  
  visually coding record instances in resource blocks and resource blocks to indicate impaired performance due to anomalies occurred at the services; and
  
  adjusting the visual coding over time and allowing replay over time to visualize propagation of anomalous performances among the resource blocks.

17. A computer implemented method to organize network performance metrics into historical anomaly dependency data, the method including:
- accessing performance data for a multiplicity of metrics across a multiplicity of resources on a network and automatically setting criteria based on the performance data over time that qualifies a subset of the performance data as anomalous instance data;
  
  constructing a map of active network communication paths that carry communications among first and second resources subject to anomalous performance and representing the active network communication paths as edges between nodes representing first and second resources, thereby forming connected node pairs;
  
  calculating cascading failure relationships from time-stamped anomalous instance data for the connected node pairs, wherein the cascading failure relationships are based at least in part on whether conditional probabilities of anomalous performance of the second resources given prior anomalous performance of the first resources exceed a predetermined threshold;
  
  wherein calculating the conditional probabilities makes use of a statistical measure of likelihood;
  
  conditional probability=p(anomalous second service|anomalous first service); and
  
  automatically representing the anomalous performance of the second resource as a cascading failure resulting from the anomalous performance of the first resource based on the calculated cascading failure relationships.
- View Dependent Claims (18, 19)
- - 18. The computer implemented method of claim 17, further including illustrating to a network administrator causes of system failure by:
    - generating for display a cluster of operation anomalies that are interrelated as cascading failures in an anomaly impact graph, including;
      
      depicting anomalous instance data in the cluster as nodes in a plot;
      
      representing active network communication paths that carry communications among first and second resources subject to anomalous performances as edges between the nodes, thereby forming connected node pairs; and
      
      depicting at least part of the plot to show a progression over time of the cascading failures for the connected node pairs and to identify one or more root causes of the cascading failures.
  - 19. The computer implemented method of claim 17, further including illustrating to a network administrator causes of system failure by:
    - generating for display an anomaly impact graph interface that depicts a cluster of operation anomalies that are interrelated as cascading failures, including;
      
      nodes in a diagram that represent anomalous instance data for different resources in the cluster;
      
      edges between the nodes that represent active network communication path data for communications among first and second resources, wherein the edges and nodes form connected node pairs; and
      
      arrangement of the diagram that shows progression over time of cascading failure result links between anomalous performances of the first and second resources occurring within a predetermined time period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lightbend, Inc.
Original Assignee
Lightbend, Inc.
Inventors
Sasturkar, Amit, Ngai, Alan
Primary Examiner(s)
McCarthy, Christopher S

Application Number

US15/494,519
Publication Number

US 20170230229A1
Time in Patent Office

912 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/0709   in a distributed system con...

G06F 11/079   Root cause analysis, i.e. e...

G06F 11/3006   where the computing system ...

G06F 11/3409   for performance assessment

G06F 16/24578   using ranking

G06F 16/26   Visual data mining; Browsin...

G06F 16/285   Clustering or classification

H04L 41/0631   using root cause analysis; ...

H04L 41/064   involving time analysis

H04L 41/065   involving logical or physic...

H04L 41/145   involving simulating, desig...

H04L 41/22   comprising specially adapte...

H04L 43/04   Processing captured monitor...

Ranking network anomalies in an anomaly cluster

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Ranking network anomalies in an anomaly cluster

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links