Method, computer program element and system for processing alarms triggered by a monitoring system

US 20030101260A1
Filed: 10/31/2002
Published: 05/29/2003
Est. Priority Date: 11/29/2001
Status: Abandoned Application

First Claim

Patent Images

1. A method for processing alarms that have been triggered by a monitoring system, in a subsequent system of a type employing a model representing normal alarm behavior of the monitoring system, the method comprising the steps of:

a) counting a number of alarms that have been triggered, and a number of alarms that have been filtered by the model, within at least one time-interval;

b) calculating a ratio between the number of alarms that have been filtered, and the number of alarms that have been triggered; and

c) updating the model in response to the ratio reaching a threshold value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system is proposed that allow to process alarms, that have been triggered by a monitoring system, by means of a model representing the normal alarm behavior of the monitoring system. The number of alarms, that have been triggered, and the number of alarms, that have been filtered by means of the model, are counted. Then the ratio between the number of alarms, that have been filtered, and the number of alarms, that have been triggered, is calculated; and the update of the model is started whenever the ratio has reached a first or a second threshold value. Thus in order to efficiently achieve an optimal over-all performance, an update of the model is always performed, whenever a decline in the model'"'"'s performance is detected. In a preferred embodiment, alarms that have been triggered, are grouped depending on source address information contained therein. Groups of alarms, that display diverse behavior, are flagged and forwarded for closer investigation in order to identify suspicious source systems.

61 Citations

View as Search Results

11 Claims

1. A method for processing alarms that have been triggered by a monitoring system, in a subsequent system of a type employing a model representing normal alarm behavior of the monitoring system, the method comprising the steps of:
- a) counting a number of alarms that have been triggered, and a number of alarms that have been filtered by the model, within at least one time-interval;
  
  b) calculating a ratio between the number of alarms that have been filtered, and the number of alarms that have been triggered; and
  
  c) updating the model in response to the ratio reaching a threshold value.
- View Dependent Claims (2, 3, 4, 10)
- - 2. The method according to claim 1, wherein a first threshold value is used to indicate an absolute lower bound for the ratio and a second threshold value is used to limit the maximum decline that the ratio may experience within a given time-interval without initiating an update of the model.
  - 3. The method according to claim 2, further comprising the step of comparing the ratio with the first and the second threshold value.
  - 4. The method according to claim 1, wherein multiple of said threshold values and different time-intervals are used which are one of statically set and dynamically calculated.
  - 10. A computer program element comprising computer program code which, when loaded in a processor of a data processing system, configures the processor to perform a method as claimed in claim 1.

5. A method for processing alarms, that have been triggered by a monitoring system, the method comprising the steps of:
- a) grouping alarms, that have been triggered, according to source address information, b) detecting groups of alarms that display diverse behavior and c) forwarding detected groups of alarms for further processing.
- View Dependent Claims (6, 7, 8, 9, 11)
- - 6. The method according to claim 5, wherein said detecting step further comprises a step of grouping alarms that contain different values for critical alarm attributes.
  - 7. The method according to claim 6, further comprising the step of assigning at least one threshold value that is one of statically set and dynamically calculated, to each said critical alarm attribute.
  - 8. The method according to claim 7, wherein said grouping step further comprises the step of grouping alarms with pairwise different values for a critical alarm attribute such that a number of alarms exceeds an assigned threshold value.
  - 9. The method according to claim 5, wherein said detecting step further comprises the step of investigating said groups in order to identify a root cause.
  - 11. A computer program element comprising computer program code which, when loaded in a processor of a data processing system, configures the processor to perform a method as claimed in claim 5.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Julisch, Klaus, Dacier, Marc

Application Number

US10/286,708
Publication Number

US 20030101260A1
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 41/0622   based on time

H04L 43/00   Arrangements for monitoring...

H04L 43/16   Threshold monitoring

H04L 63/1408   by monitoring network traff...

Method, computer program element and system for processing alarms triggered by a monitoring system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

61 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Method, computer program element and system for processing alarms triggered by a monitoring system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links