RANKING THE IMPORTANCE OF ALERTS FOR PROBLEM DETERMINATION IN LARGE SYSTEMS

US 20090292954A1
Filed: 10/28/2008
Published: 11/26/2009
Est. Priority Date: 05/21/2008
Status: Active Grant

First Claim

Patent Images

1. A method for prioritizing alerts, comprising:

extracting invariants to determine a stable set of models for determining relationships among monitored system data;

computing equivalent thresholds for a plurality of rules using an invariant network developed by extracting the invariants;

for a given time window, receiving a set of alerts from a system being monitored;

comparing a measurement value of the alerts with a vector of equivalent thresholds; and

ranking the set of alerts.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for prioritizing alerts includes extracting invariants to determine a stable set of models for determining relationships among monitored system data. Equivalent thresholds for a plurality of rules are computed using an invariant network developed by extracting the invariants. For a given time window, a set of alerts are received from a system being monitored. A measurement value of the alerts is compared with a vector of equivalent thresholds, and the set of alerts is ranked.

Citations

21 Claims

1. A method for prioritizing alerts, comprising:
- extracting invariants to determine a stable set of models for determining relationships among monitored system data;
  
  computing equivalent thresholds for a plurality of rules using an invariant network developed by extracting the invariants;
  
  for a given time window, receiving a set of alerts from a system being monitored;
  
  comparing a measurement value of the alerts with a vector of equivalent thresholds; and
  
  ranking the set of alerts.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as recited in claim 1, wherein extracting invariants includes:
    - computing a fitness score for monitored data models in a given time window;
      
      filtering out the monitored data models below a fitness threshold; and
      
      over a plurality of time windows, considering remaining monitored data models as invariants.
  - 3. The method as recited in claim 1, wherein the invariant network includes nodes which represent measurements and further comprising propagating values between the nodes of the invariant network to estimate other measurements.
  - 4. The method as recited in claim 1, wherein propagating values includes mapping thresholds from other nodes to provide equivalent thresholds.
  - 5. The method as recited in claim 1, wherein comparing a measurement value of the alerts with a vector of equivalent thresholds includes comparing equivalent thresholds to determine an importance of an alert corresponding to the measurement value.
  - 6. The method as recited in claim 1, wherein the importance includes a probability of reporting a true positive.
  - 7. The method as recited in claim 1, wherein ranking includes handling the alerts in order of importance.
  - 8. The method as recited in claim 1, wherein comparing a measurement value of the alerts with a vector of equivalent thresholds includes determining a number of threshold violations (NTVs);
    - and sorting the NTVs to rank the set of alerts.
  - 9. A computer readable medium comprising a computer readable program, wherein the computer readable program when executed on a computer causes the computer to perform the steps of claim 1.

10. A method for prioritizing alerts, comprising:
- collecting historical monitoring data from one or more system components;
  
  extracting invariants to determine a stable set of models for determining relationships among the historical monitoring system data;
  
  collecting management rules from system components being monitored;
  
  computing equivalent thresholds for the management rules using an invariant network developed by extracting the invariants;
  
  for a given time window, receiving a set of alerts from the system components being monitored;
  
  comparing a measurement value of the alerts with a vector of equivalent thresholds to compute a number of threshold violations (NTVs); and
  
  sorting the NTVs to rank the set of alerts.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method as recited in claim 10, wherein extracting invariants includes:
    - computing a fitness score for monitored data models in a given time window;
      
      filtering out the monitored data models below a fitness threshold; and
      
      over a plurality of time windows, considering remaining monitored data models as invariants.
  - 12. The method as recited in claim 10, wherein the invariant network includes nodes which represent measurements and further comprising propagating values between the nodes of the invariant network to estimate other measurements.
  - 13. The method as recited in claim 12, wherein propagating values includes mapping thresholds from other nodes to provide equivalent thresholds.
  - 14. The method as recited in claim 10, wherein comparing a measurement value of the alerts with a vector of equivalent thresholds includes comparing equivalent thresholds to determine an importance of an alert corresponding to the measurement value.
  - 15. The method as recited in claim 10, wherein the importance includes a probability of reporting a true positive.
  - 16. The method as recited in claim 10, wherein sorting includes handling the alerts in order of importance.
  - 17. A computer readable medium comprising a computer readable program, wherein the computer readable program when executed on a computer causes the computer to perform the steps of claim 10.

18. A system for prioritizing alerts, comprising:
- a program storage media configured to store an invariants network constructed using measurements as nodes and an edges to represent invariant relationships among monitored system data, the invariant network being configured to compute equivalent thresholds for a plurality of rules;
  
  an alert generator configured to generate alerts, for a given time window for a system being monitored; and
  
  a peer review mechanism configured to compare a measurement value to a local threshold and to equivalent thresholds mapped from other rules to determine the importance of the alerts.
- View Dependent Claims (19, 20, 21)
- - 19. The system as recited in claim 18, wherein the invariant network includes nodes which represent measurements and values are propagated between the nodes of the invariant network to estimate other thresholds or measurements.
  - 20. The system as recited in claim 18, wherein the importance includes a probability of reporting a true positive.
  - 21. The system as recited in claim 18, wherein the measurement value of the alerts includes a vector of equivalent thresholds having a number of threshold violations (NTVs).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NEC Corporation
Original Assignee
NEC Laboratories America Inc (NEC Corporation)
Inventors
Jiang, Guofei, Chen, Haifeng, Yoshihira, Kenji

Granted Patent

US 8,098,585 B2
Time in Patent Office

Days
Field of Search
US Class Current

714/47.2
CPC Class Codes

G06F 11/0709   in a distributed system con...

G06F 11/0781   Error filtering or prioriti...

G06F 21/552   involving long-term monitor...

H04L 41/0681   Configuration of triggering...

H04L 41/16   using machine learning or a...

H04L 43/16   Threshold monitoring

RANKING THE IMPORTANCE OF ALERTS FOR PROBLEM DETERMINATION IN LARGE SYSTEMS

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

RANKING THE IMPORTANCE OF ALERTS FOR PROBLEM DETERMINATION IN LARGE SYSTEMS

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links