SYSTEMS AND METHODS FOR DETECTING NETWORK CONDITIONS BASED ON CORRELATION BETWEEN TREND LINES

US 20110078301A1
Filed: 09/30/2009
Published: 03/31/2011
Est. Priority Date: 09/30/2009
Status: Active Grant

First Claim

Patent Images

1. A method of monitoring a network, comprising:

capturing a set of network operation data from a managed network;

identifying a set of trend line data for at least two conditions of the managed network represented in the set of network operation data;

generating a comparison of the trend line data for the at least two conditions to determine a correlation between the at least two conditions; and

identifying a set of potential events in the set of trend line data based on the determined correlation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments relate systems and methods for detecting network conditions based on a correlation between trend lines. In embodiments, a network management server can monitor the status and operation of network machines, such as servers or targets, as well as network transmission hardware (e.g. routers). Streams of network operation data from those sources can be captured and stored. The management server or other logic can examine the network operation data to identify trend lines for network conditions, such as application faults, attempted intrusions, or other events or conditions. Trend line data can be treated to generate second or other higher-order derivatives, such as third-order derivatives or others. A time correlation between two or more trend lines and/or their higher order derivatives, for instance, the occurrence of a peak value in the same time window, can be used to identify an event, state or condition.

93 Citations

View as Search Results

23 Claims

1. A method of monitoring a network, comprising:
- capturing a set of network operation data from a managed network;
  
  identifying a set of trend line data for at least two conditions of the managed network represented in the set of network operation data;
  
  generating a comparison of the trend line data for the at least two conditions to determine a correlation between the at least two conditions; and
  
  identifying a set of potential events in the set of trend line data based on the determined correlation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 19, 21, 22)
- - 2. The method of claim 1, wherein the set of trend line data for each of the at least two conditions comprises a time series of a frequency of detected occurrences of the at least one condition.
  - 3. The method of claim 2, wherein the generating a comparison comprises generating a comparison of the trend line data for the at least two conditions within an event window.
  - 4. The method of claim 3, wherein the generating a comparison comprises—
    - generating a derivative of at least second order for each of the at least two conditions, andcomparing the derivative of at least second order for each of the at least two conditions in the event window.
  - 5. The method of claim 4, further comprising generating a notification of a potential event based on the correlation between the at least two conditions equaling or exceeding a predetermined threshold.
  - 6. The method of claim 1, wherein identifying a set of potential events further comprises identifying at least one event termination based on the correlation between the at least two conditions.
  - 7. The method of claim 1, wherein the identifying a set of potential events comprises analyzing the set of network operation data in at least substantially real-time.
  - 8. The method of claim 1, further comprising storing the set of network operation data to a log.
  - 9. The method of claim 8, wherein the identifying a set of potential events comprises—
    - retrieving the set of network operation data from the log, andanalyzing the set of network operation data in less than substantially real-time.
  - 10. The method of claim 1, wherein the set of network operation data comprises at least one of machine configuration data, intrusion detection data, machine fault data, network fault data, user security data, network traffic data, and network port data.
  - 11. The method of claim 1, wherein the set of network operation data comprises at least one of—
    - data captured from a set of target machines in the network related to a state of the set of target machines, anddata captured from network transmission hardware related to network traffic.
  - 19. The system of claim 8, wherein the identifying a set of potential events comprises—
    - retrieving the set of network operation data from a log, andanalyzing the set of network operation data in less than substantially real-time.
  - 21. The system of claim 1, wherein the set of network operation data comprises at least one of machine configuration data, intrusion detection data, machine fault data, network fault data, user security data, network traffic data, and network port data.
  - 22. The system of claim 1, wherein the set of network operation data comprises at least one of—
    - data captured from a set of target machines in the network related to a state of the set of target machines, anddata captured from network transmission hardware related to network traffic.

12. A network management system, comprising:
- an interface to a managed network; and
  
  a management server, communicating with the managed network via interface, the management server being configured to—
  
  capture a set of network operation data from a managed network,identify a set of trend line data for at least two conditions of the managed network represented in the set of network operation data,generate a comparison of the trend line data for the at least two conditions to determine a correlation between the at least two conditions, andidentify a set of potential events in the set of trend line data based on the determined correlation.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The system of claim 12, wherein the set of trend line data for each of the at least two conditions comprises a time series of a frequency of detected occurrences of the at least one condition.
  - 14. The system of claim 13, wherein the generating a comparison comprises generating a comparison of the trend line data for the at least two conditions within an event window.
  - 15. The system of claim 14, wherein the generating a comparison comprises—
    - generating a derivative of at least second order for each of the at least two conditions, andcomparing the derivative of at least second order for each of the at least two conditions in the event window.
  - 16. The system of claim 15, wherein the management server is further configured to generate a notification of a potential event based on the correlation between the at least two conditions equaling or exceeding a predetermined threshold.
  - 17. The system of claim 12, wherein identifying a set of potential events further comprises identifying at least one event termination based on the correlation between the at least two conditions.
  - 18. The system of claim 12, wherein the identifying a set of potential events comprises analyzing the set of network operation data in at least substantially real-time.

23. A computer readable storage medium, the computer readable storage medium storing a set of identified potential events generated via a method of:
- capturing a set of network operation data from a managed network;
  
  identifying a set of trend line data for at least two conditions of the managed network represented in the set of network operation data;
  
  generating a comparison of the trend line data for the at least two conditions to determine a correlation between the at least two conditions; and
  
  identifying a set of potential events in the set of trend line data based on the determined correlation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
VIDAL, Seth Kelby, LIKINS, Adrian Karstan, DEHAAN, Michael Paul

Granted Patent

US 9,967,169 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 41/16   using machine learning or a...

H04L 43/16   Threshold monitoring

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

SYSTEMS AND METHODS FOR DETECTING NETWORK CONDITIONS BASED ON CORRELATION BETWEEN TREND LINES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

93 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

SYSTEMS AND METHODS FOR DETECTING NETWORK CONDITIONS BASED ON CORRELATION BETWEEN TREND LINES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

93 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others