Pattern Discovery in a Network System
Abstract
Patterns can be discovered in events collected by a network system. In one embodiment, the present invention includes collecting and storing events from a variety of monitor devices. In one embodiment, a subset of the stored events is provided to a manager as an event stream. In one embodiment, the present invention further includes the manager discovering one or more previously unknown event patterns in the event stream.
26 Claims
1. A method for discovering an event pattern in an event stream, the event stream comprising a plurality of events, the method comprising:
- creating a plurality of transactions based on a transaction parameter, wherein each transaction represents a subset of the plurality of events;
- generating a transaction tree based on the plurality of transactions, wherein the transaction tree includes one root node and a plurality of non-root nodes, and wherein each non-root node represents an event;
- traversing a branch of the transaction tree starting at the root node, wherein the branch extends from the root node through a first non-root node to a second non-root node;
- observing a drop in support from the first non-root node to the second non-root node, wherein a support of a non-root node represents a number of transactions that include the event represented by the non-root node; and
- determining that the event pattern includes the event represented by the first non-root node and does not include the event represented by the second non-root node.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12

13. A method for generating a rule, comprising:
- displaying a pattern discovery tool configured to enable a user to select a subset of previously stored events;
- in response to the user selection; creating a plurality of transactions based on a transaction parameter, wherein each transaction represents a subset of the selected events;
- generating a transaction tree based on the plurality of transactions, wherein the transaction tree includes one root node and a plurality of non-root nodes, and wherein each non-root node represents an event;
- traversing a branch of the transaction tree starting at the root node, wherein the branch extends from the root node through a first non-root node to a second non-root node;
- observing a drop in support from the first non-root node to the second non-root node, wherein a support of a non-root node represents a number of transactions that include the event represented by the non-root node; and
- determining that the event pattern includes the event represented by the first non-root node and does not include the event represented by the second non-root node;
- displaying a rule generation tool configured to enable a user to perform an action; and
- in response to the user action, converting the event pattern into a correlation rule.
Dependent claims: 14

15. A system for discovering an event pattern in an event stream, the event stream comprising a plurality of events, the system comprising a processor configured to execute a method, the method comprising:
- creating a plurality of transactions based on a transaction parameter, wherein each transaction represents a subset of the plurality of events;
- generating a transaction tree based on the plurality of transactions, wherein the transaction tree includes one root node and a plurality of non-root nodes, and wherein each non-root node represents an event;
- traversing a branch of the transaction tree starting at the root node, wherein the branch extends from the root node through a first non-root node to a second non-root node;
- observing a drop in support from the first non-root node to the second non-root node, wherein a support of a non-root node represents a number of transactions that include the event represented by the non-root node; and
- determining that the event pattern includes the event represented by the first non-root node and does not include the event represented by the second non-root node.
Dependent claims: 16, 17, 18, 19, 20, 21

22. A machine-readable storage medium having stored thereon data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- creating a plurality of transactions based on a transaction parameter, wherein each transaction represents a subset of a plurality of events;
- generating a transaction tree based on the plurality of transactions, wherein the transaction tree includes one root node and a plurality of non-root nodes, and wherein each non-root node represents an event;
- traversing a branch of the transaction tree starting at the root node, wherein the branch extends from the root node through a first non-root node to a second non-root node;
- observing a drop in support from the first non-root node to the second non-root node, wherein a support of a non-root node represents a number of transactions that include the event represented by the non-root node; and
- determining that the event pattern includes the event represented by the first non-root node and does not include the event represented by the second non-root node.
Dependent claims: 23, 24, 25, 26

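The steps shared by claims 1, 13, 15 and 22, worked through as an added example (not code from the patent or its assignee). It assumes the transaction parameter is the source address, that events inside a transaction are ordered by overall frequency, and that a "drop" means a child node keeps less than half of its parent's support; every name, threshold and sample event below is constructed.

```python
from collections import Counter, defaultdict

# Constructed sample stream of (source address, event name) pairs.
EVENTS = [
    ("10.0.0.1", "port_scan"), ("10.0.0.1", "login_failure"), ("10.0.0.1", "login_success"),
    ("10.0.0.2", "port_scan"), ("10.0.0.2", "login_failure"), ("10.0.0.2", "file_download"),
    ("10.0.0.3", "login_failure"), ("10.0.0.3", "port_scan"),
    ("10.0.0.4", "port_scan"), ("10.0.0.4", "login_failure"), ("10.0.0.4", "dns_query"),
    ("10.0.0.5", "dns_query"),
    ("10.0.0.6", "malware_alert"), ("10.0.0.6", "outbound_blocked"),
    ("10.0.0.7", "outbound_blocked"), ("10.0.0.7", "malware_alert"),
]

class Node:
    def __init__(self, event=None):
        self.event, self.support, self.children = event, 0, {}

def make_transactions(events):
    """One transaction per value of the transaction parameter (assumed: source address)."""
    groups = defaultdict(set)
    for source, name in events:
        groups[source].add(name)
    return list(groups.values())

def build_tree(transactions):
    """Prefix tree; a node's support counts the transactions that pass through it."""
    freq = Counter(name for t in transactions for name in t)
    root = Node()
    root.support = len(transactions)
    for t in transactions:
        node = root
        # Assumed ordering: most frequent event first, so common prefixes share nodes.
        for name in sorted(t, key=lambda n: (-freq[n], n)):
            node = node.children.setdefault(name, Node(name))
            node.support += 1
    return root

def discover(root, min_support=2, drop_ratio=0.5):
    """Return {pattern tuple: support}, cutting each branch where support drops."""
    patterns = {}
    def walk(node, prefix):
        extended = False
        for child in node.children.values():
            # Assumed drop test: child keeps less than drop_ratio of its parent's support.
            dropped = node.event is not None and child.support < drop_ratio * node.support
            if child.support >= min_support and not dropped:
                walk(child, prefix + (child.event,))
                extended = True
        if prefix and not extended:
            patterns[prefix] = node.support  # first node is in the pattern, second is out
    walk(root, ())
    return patterns

PATTERNS = discover(build_tree(make_transactions(EVENTS)))
```

Events in a pattern appear in tree order (frequency), not time order; the one-off `login_success`, `file_download` and `dns_query` nodes fall on the low side of the support drop and are excluded.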
Specification