Apparatus and Method for Graphically Displaying Transaction Logs

US 20170004188A1
Filed: 06/30/2015
Published: 01/05/2017
Est. Priority Date: 06/30/2015
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented method comprising:

obtaining, by a processing circuit, a log file comprising a plurality of log entries from a memory circuit, wherein each log entry is identified by a corresponding line number;

generating, by the processing circuit, a list that maps the line number of each log entry to a corresponding pattern of log entries, wherein each corresponding pattern of log entries is identified by a pattern number and represents a task performed by the computing device;

computing, by the processing circuit, a pattern value for each pattern in the list;

detecting, by the processing circuit, an anomalous pattern in the list; and

outputting, by the processing circuit, an interactive graph to a display device, wherein the interactive graph plots the pattern value for a pattern in the list to the line number of a representative log entry in that pattern, and visually indicates the anomalous pattern to the user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing device obtains and analyzes the log entries of a log file, and generates an interactive graph that visually represents the results of the analysis to output to a display device. More particularly, the device groups each log entry in the log file into a corresponding pattern, and then generates the graph to plot the line numbers of the log entries to their corresponding patterns. The plot is formed as a wave to make it easy for a user to identify patterns of commands and actions that are executed in the performance of a given task, as well as for determining whether an underlying system is exhibiting anomalous behavior.

14 Citations

View as Search Results

19 Claims

1. A computer-implemented method comprising:
- obtaining, by a processing circuit, a log file comprising a plurality of log entries from a memory circuit, wherein each log entry is identified by a corresponding line number;
  
  generating, by the processing circuit, a list that maps the line number of each log entry to a corresponding pattern of log entries, wherein each corresponding pattern of log entries is identified by a pattern number and represents a task performed by the computing device;
  
  computing, by the processing circuit, a pattern value for each pattern in the list;
  
  detecting, by the processing circuit, an anomalous pattern in the list; and
  
  outputting, by the processing circuit, an interactive graph to a display device, wherein the interactive graph plots the pattern value for a pattern in the list to the line number of a representative log entry in that pattern, and visually indicates the anomalous pattern to the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the log entries of each pattern in the list are related to the task represented by the pattern.
  - 3. The method of claim 1 wherein generating, by the processing circuit, a list that maps the line number of each log entry to a corresponding pattern of log entries comprises:
    - computing a dice coefficient for first and second log entries read from the log file;
      
      assigning the first and second log entries to a first pattern in the list if the dice coefficient exceeds a predetermined threshold value.
  - 4. The method of claim 1 wherein computing, by the processing circuit, a pattern value for each pattern in the list comprises:
    - for each pattern in the list;
      
      scaling the pattern number of the pattern by a predetermined scaling factor; and
      
      computing a ratio of the scaled pattern number to a total number of patterns in the list as the pattern value.
  - 5. The method of claim 4 further comprising, for each pattern in the list, associating the representative log entry of the pattern to the pattern value computed for the pattern.
  - 6. The method of claim 1 wherein detecting, by the processing circuit, an anomalous pattern in the list comprises determining whether a selected pattern in the list diverges from a baseline pattern based on a distribution of the log entries in the selected pattern and a distribution of the log entries in the baseline pattern.
  - 7. The method of claim 1 wherein detecting, by the processing circuit, an anomalous pattern in the list comprises:
    - computing a baseline probability value for a baseline pattern based on a ratio of the number of log entries in the baseline pattern to a total number of log entries in the log file;
      
      defining a time window comprising a plurality of selected patterns;
      
      for each selected pattern in the time window, computing a probability value based on a ratio of the number of log entries in the selected pattern to a total number of log entries in the log file; and
      
      computing a divergence value indicating an amount of divergence between the number of log entries in each of the selected patterns in the time window and the number of log entries in the baseline pattern.
  - 8. The method of claim 7 wherein computing a divergence value comprises:
    - scaling a ratio of the baseline probability value to the probability values of each of the selected patterns;
      
      summing the scaled ratio for each of the selected patterns; and
      
      determining that the selected patterns comprise an anomalous pattern if the divergence value for the selected patterns exceeds a predetermined divergence value threshold.
  - 9. The method of claim 1 further comprising:
    - receiving, at the interactive graph, user input selecting the line number of a selected log entry; and
      
      annotating the interactive graph with text extracted from the log entries in the pattern associated with the selected log entry.

10. A computing device comprising:
- a communications interface circuit configured to communicatively connect to a communications network; and
  
  a processing circuit operatively connected to the communications interface circuit and configured to;
  
  obtain a log file comprising a plurality of log entries, wherein each log entry is identified by a corresponding line number;
  
  generate a list that maps the line number of each log entry to a corresponding pattern of log entries, wherein each corresponding pattern of log entries is identified by a pattern number and represents a corresponding task performed by a computer;
  
  compute a pattern value for each pattern in the list;
  
  detect an anomalous pattern in the list; and
  
  output an interactive graph to a display device, wherein the interactive graph plots the pattern value for a pattern in the list to the line number of a representative log entry in that pattern, and visually indicates the anomalous pattern to the user.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computing device of claim 10 wherein the processing circuit is further configured to:
    - compute a dice coefficient for first and second log entries read from the log file;
      
      assign the first and second log entries to a first pattern in the list if the dice coefficient exceeds a predetermined threshold value.
  - 12. The computing device of claim 10 wherein, for each pattern in the list, the processing circuit is further configured to:
    - scale the pattern number of the pattern by a predetermined scaling factor; and
      
      compute a ratio of the scaled pattern number to a total number of patterns in the list as the pattern value.
  - 13. The computing device of claim 12 wherein, for each pattern in the list, the processing circuit is further configured to associate the representative log entry of the pattern to the pattern value computed for the pattern.
  - 14. The computing device of claim 10 wherein the processing circuit is further configured to detect whether a selected pattern diverges from a baseline pattern based on a distribution of the log entries in the selected pattern and a distribution of the log entries in the baseline pattern.
  - 15. The computing device of claim 14 wherein the baseline pattern represents a plurality of patterns.
  - 16. The computing device of claim 10 wherein the processing circuit is further configured to:
    - compute a baseline probability value for a baseline pattern based on a ratio of the number of log entries in the baseline pattern to a total number of log entries in the log file;
      
      define a time window comprising a plurality of selected patterns;
      
      for each selected pattern in the time window, compute a probability value based on a ratio of the number of log entries in the selected pattern to a total number of log entries in the log file; and
      
      compute a divergence value indicating an amount of divergence between the number of log entries in each of the selected patterns in the time window and the number of log entries in the baseline pattern.
  - 17. The computing device of claim 16 wherein computing a divergence value comprises:
    - scaling a ratio of the baseline probability value to the probability values of each of the selected patterns;
      
      summing the scaled ratio for each of the selected patterns; and
      
      determining that the selected patterns comprise an anomalous pattern if the divergence value for the selected patterns exceeds a predetermined divergence value threshold.
  - 18. The computing device of claim 10 wherein the processing circuit is further configured to:
    - receive user input selecting the line number of a selected log entry represented on the interactive graph; and
      
      annotate the interactive graph with text extracted from the log entries in the pattern associated with the selected log entry.

19. A computer-readable storage medium comprising computer program code stored thereon that, when executed by a processing circuit of a computing device, configures the processing circuit to:
- obtain a log file comprising a plurality of log entries, wherein each log entry is identified by a corresponding line number;
  
  generate a list that maps the line number of each log entry to a corresponding pattern of log entries, wherein each corresponding pattern of log entries is identified by a pattern number and represents a corresponding task performed by the computing device;
  
  compute a pattern value for each pattern in the list;
  
  detect an anomalous pattern in the list; and
  
  display an interactive graph on a display device for a user, wherein the interactive graph plots the pattern value for a pattern in the list to the line number of a representative log entry in that pattern, and visually indicates the anomalous pattern to the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Inventors
Gupta, Vishal

Application Number

US14/754,880
Publication Number

US 20170004188A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/21 Design, administration or m...

Apparatus and Method for Graphically Displaying Transaction Logs

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

14 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and Method for Graphically Displaying Transaction Logs

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links