Method and system for reducing false alarms in network fault management systems

US 6,966,015 B2
Filed: 03/22/2001
Issued: 11/15/2005
Est. Priority Date: 03/22/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method for improving diagnosis of a complex problem, wherein a plurality of indicators expected to relate to the problem are correlated over a window of time, the window of time comprising a plurality of time slices in each of which a state of each indicator is determined, the method comprising:

determining which indicator or indicators changed state during a fist time slice in the window and which indicator or indicators did not change state during the first time slice;

computing a time slice transition factor based upon a number of indicators whose state changed and a number of indicators whose state did not change during the first time slice; and

adjusting the correlation of the indicators over the window of time using the time slice transition factor.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are described for reducing the number of false alarms in fault correlation software used to detect and diagnose faults in computer networks and similar systems. The fault correlation software includes rules that monitor a number of indicators that, if occurring together over a window of time, are known to cause or reflect the occurrence of a fault. The method involves monitoring the transition of these indicators from one state to another over the time window and determining the extent of the correlation of the transitions of the indicators. The determination that indicators monitored by a rule do not correlate closely in their transitions is used to reduce the likelihood of the rule finding correlation of the indicators as a whole. This in turn reduces the number of false alarms which the rule-based system might otherwise have transmitted.

183 Citations

59 Claims

1. A method for improving diagnosis of a complex problem, wherein a plurality of indicators expected to relate to the problem are correlated over a window of time, the window of time comprising a plurality of time slices in each of which a state of each indicator is determined, the method comprising:
- determining which indicator or indicators changed state during a fist time slice in the window and which indicator or indicators did not change state during the first time slice;
  
  computing a time slice transition factor based upon a number of indicators whose state changed and a number of indicators whose state did not change during the first time slice; and
  
  adjusting the correlation of the indicators over the window of time using the time slice transition factor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein determining state changes in each of the indicators comprises determining the state changes of each indicator in each of a plurality of time slices in the window.
  - 3. The method of claim 2, wherein computing a time slice transition factor comprises computing a plurality of time slice transition factors, and wherein adjusting the correlation of the indicators comprises adjusting the correlation using the plurality of time slice transition factors.
  - 4. The method of claim 1, wherein determining state changes comprises comparing the state of each of the indicators in the first time slice with the state of the respective indicator in a second time slice preceding the first time slice.
  - 5. The method of claim 4, wherein the second time slice immediately precedes the first time slice.
  - 6. The method of claim 1, wherein indicators have a plurality of possible states including a low state and a high state, and wherein determining state changes in the indicators in the first time slice comprises determining which indicator or indicators changed state from low to high and which indicator or indicators changed state from high to low.
  - 7. The method of claim 6, wherein computing the time slice transition factor comprises computing the transition factor further based upon a number of indicators whose state changed from low to high and a number of indicators whose slate changed from high to low.
  - 8. The method of claim 7, wherein computing the time slice transition factor comprises identifying a maximum among the number of indicators whose state did not change, the number of indicators whose state changed from low to high, and the number of indicators whose state changed from high to low, and dividing the maximum by the number of indicators.
  - 9. The method of claim 1, wherein indicators arc correlated based on the states or the indicators in each time slice, and wherein adjusting the correlation comprises applying the time slice transition factor to the correlation for the first time slice.
  - 10. The method of claim 1, wherein the indicators are grouped into two or more groups of indicators, and wherein computing the time slice transition factor comprises computing a time slice transition factor for each group based upon the numbers of indicators in each group whose state changed or did not change during the time slice.
  - 11. The method of claim 1, wherein determining indicator state changes comprises adjusting the first time slice to account for potential delays in determining states of the indicators.
  - 12. The method of claim 11, wherein adjusting the first time slice to account for potential delays comprises:
    - determining which indicator, if any, changed state last in time during the first time slice;
      
      determining whether any other indicators changed state during a predefined period preceding the time of last indicator state change; and
      
      considering such other indicators whose state changed during the predefined period as having occurred during the first time slice.
  - 13. The method of claim 1, comprising storing a transition relevance factor in association with each indicator representing whether the indicator is relevant, and wherein determining state changes comprises determining the changes only for relevant indicators.

14. In a system for analyzing faults in devices by correlating a plurality of indicators over a window of time and generating alarms based upon the correlation, the window of time comprising a plurality of time slices in each of which a state of each indicator is probed, a method for reducing false alarms comprising:
- determining which of the indicators changed state in similar fashion during a first time slice in the window or did not change state during the first time slice;
  
  computing a time slice transition factor that relates a number of the indicators whose state changed in similar fashion or did not change during the first time slice to a total number of the indicators; and
  
  adjusting the correlation of the indicators over the window of time using the time slice transition factor.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The system of claim 14, wherein determining state changes in each of the indicators comprises determining the state changes of each indicator in each of a plurality of time slices in the window.
  - 16. The system of claim 15, wherein computing a time slice transition factor comprises computing a plurality of time slice transition factors, and wherein adjusting the correlation of the indicators comprises adjusting the correlation using the plurality of time slice transition factors.
  - 17. The system of claim 14, wherein determining state changes comprises comparing the state of each of the indicators in the first time slice with the state of the respective indicator in a second time slice preceding the first time slice.
  - 18. The system of claim 17, wherein the second time slice immediately precedes the first time slice.
  - 19. The system of claim 14, wherein indicators have a plurality of possible states including a low state and a high state, and wherein determining state changes in the indicators in the first time slice comprises determining which indicator or indicators changed state from low to high and which indicator or indicators changed state from high to low.
  - 20. The system of claim 19, wherein computing the time slice transition factor comprises computing the transition factor further based upon a number of indicators whose state changed from low to high and a number of indicators whose state changed from high to low.
  - 21. The system of claim 20, wherein computing the time slice transition factor comprises identifying a maximum among the number of indicators whose state did not change, the number of indicators whose state changed from low to high, and the number of indicators whose state changed from high to low, and dividing the maximum by the number of indicators.
  - 22. The system of claim 14, wherein indicators are correlated based on the states of the indicators in each time slice, and wherein adjusting the correlation comprises applying the time slice transition factor to the correlation for the first time slice.
  - 23. The system of claim 14, wherein the indicators ate grouped into two or more groups of indicators, and wherein computing the time slice transition factor comprises computing a time slice transition factor for each group based upon the numbers of indicators in each group whose state changed or did not change during the time slice.
  - 24. The system of claim 14, wherein determining indicator state changes comprises adjusting the first time slice to account for potential delays in determining states of the indicators.
  - 25. The system of claim 24, wherein adjusting the first time slice to account for potential delays comprises:
    - determining which indicator, if any, changed state last in time during the first time slice;
      
      determining whether any other indicators changed state during a predefined period preceding the time of last indicator state change; and
      
      considering such other indicators whose state changed during the predefined period as having occurred during the first time slice.
  - 26. The system of claim 14, comprising storing a transition relevance factor in association with each indicator representing whether the indicator is relevant, and wherein determining state changes composes determining the changes only for relevant indicators.

27. A computer readable medium storing program code which, when executed, causes a computer to perform a method for reducing false alarms in a system for analyzing problems by correlating a plurality of indicators over a window of time and generating alarms based upon the correlation, the window of time comprising a plurality of time slices in each of which a slate of each indicator is probed, the method comprising:
- determining which of the indicators changed state in similar fashion during a first time slice in the window or did not change state during the first time slice;
  
  computing a time slice transition factor that relates a number of the indicators whose state changed in similar fashion or did not change during the first time slice to a total number of the indicators; and
  
  adjusting the correlation of the indicators over the window of time using the time slice transition factor.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 28. The computer readable medium of claim 27 wherein the method performed by the program comprises determining the state changes of each indicator in each of a plurality of time slices in the window.
  - 29. The computer readable medium of claim 28 wherein the method performed by the program comprises computing a plurality of time slice transition factors and adjusting the correlation using the plurality of time slice transition factors.
  - 30. The computer readable medium of claim 27, wherein indicators have a plurality of possible states including a low state and a high state, and wherein the method performed by the program comprises determining which indicator or indicators changed state from low to high and which indicator or indicators changed state from high to low.
  - 31. The computer readable medium of claim 30 wherein the method performed by the program comprises computing the transition factor further based upon a number of indicators whose state changed from low to high and a number of indicators whose state changed from high to low.
  - 32. The computer readable medium of claim 27 wherein the method performed by the program comprises computing the time slice transition factor by identifying a maximum among the number of indicators whose state did not change, the number of indicators whose state changed from low to high, and the number of indicators whose state changed from high to low, and dividing the maximum by the number of indicators.
  - 33. The computer readable medium of claim 27, wherein the indicators are grouped into two or more groups of indicators, and wherein the method performed by the program comprises computing a time slice transition factor for each group based upon the numbers of indicators in each group whose state changed or did not change during the time slice.
  - 34. The computer readable medium of claim 27, wherein a transition relevance factor is stored in association with each indicator representing whether the indicator is relevant, and wherein the method performed by the program comprises determining state changes only for relevant indicators.
  - 35. The computer readable medium of claim 27, wherein the method performed by the program to determine state changes comprises comparing the state of each of the indicators in the first time slice with the state of the respective indicator in a second time slice preceding the first time slice.
  - 36. The computer readable medium of claim 35, wherein the second time slice immediately precedes the first time slice.
  - 37. The computer readable medium of claim 27, wherein the method performed by the program comprises correlating indicators based on the states of the indicators in each time slice, and wherein the method performed by the program for adjusting the correlation comprises applying the time slice transition factor to the correlation for the first time slice.
  - 38. The computer readable medium of claim 27, wherein the method performed by the program for determining indicator state changes comprises adjusting the fast time slice to account for potential delays in determining states of the indicators.
  - 39. The computer readable medium of claim 38, wherein the method performed by the program for adjusting the first time slice to account for potential delays comprises:
    - determining which indicator, if any, changed state last in time during the first time slice;
      
      determining whether any ocher indicators changed state during a predefined period preceding the time of last indicator state change; and
      
      considering such other indicators whose state changed during the predefined period as having occurred during the first time slice.

40. A method for correlating a number of indicators in a rules-based correlation system, wherein a plurality of indicators each having multiple possible values and expected to relate to a problem are correlated over a window of time, the method comprising:
- dividing the window of time into a plurality of time slices;
  
  determining a value for each indicator during each of a plurality of the time slices;
  
  determining a transition state for each indicator during each of the plurality of time slices, the transition state representing whether and bow the indicator changed state during the time slice; and
  
  correlating the indicators over the window of time based upon the determined indicator values and transitions states.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48, 49)
- - 41. The method of claim 40, wherein determining state changes comprises comparing the state of each of the indicators in a first time slice in tie plurality of time slices with the state of the respective indicator in a second time slice in the plurality of time slices preceding the first time slice.
  - 42. The method of claim 41, wherein the second time slice immediately precedes the first time slice.
  - 43. The method of claim 40, wherein the transition state for each indicator is a plurality of possible states including a low state and a high state, and wherein determining the transition state for die indicators in a first time slice in the plurality of time slices comprises determining which indicator or indicators changed state from low to high and which indicator or indicators changed state from high to low.
  - 44. The method of claim 43, wherein determining the transition state is further based upon a number of indicators whose state changed from low to high and a number of indicators whose state changed from high to low.
  - 45. The method of claim 44, wherein determining the transition state comprises identifying a maximum among the number of indicators whose state did not change, the number of indicators whose state changed from low to high, and the number of indicators whose state changed from high to low, and dividing the maximum by the number of indicators.
  - 46. The method of claim 40, wherein the indicators are grouped into two or more groups of indicators, and wherein determining the transition state for each indicator comprises determining the transition state for each group based upon the numbers of indicators in each group whose state changed or did not change during each of the plurality of time slices.
  - 47. The method of claim 40, wherein determining a transition state for each indicator comprises adjusting a first time slice to account for potential delays in determining states of each indicator.
  - 48. The method of claim 47, wherein adjusting the first time slice to account for potential delays comprises:
    - determining which indicator, if any, changed state last in time during the first time slice;
      
      determining whether any other indicators changed state during a predefined period preceding the time of last indicator state change; and
      
      considering such other indicators whose state changed during the predefined period as having occurred during the first time slice.
  - 49. The method of claim 40, comprising storing a transition relevance factor in association with each indicator representing whether the indicator is relevant, and wherein determining a transition state for each indicator comprises determining transition state changes only for relevant indicators.

50. A computer readable medium storing program code which, when executed, causes a computer to perform a method for correlating a number of indicators in a rules-based correlation system, wherein a plurality of indicators each having multiple possible values and expected to relate to a problem arc correlated over a window of limit, the method comprising:
- dividing the window of time into a plurality of time slices;
  
  determining a value for each indicator during each of a plurality of the time slices;
  
  determining a transition state for each indicator during each of the plurality of time slices, the transition state representing whether and how the indicator changed state during the time slice; and
  
  correlating the indicators over the window of time based upon the determined indicator values and transitions states.
- View Dependent Claims (51, 52, 53, 54, 55, 56, 57, 58, 59)
- - 51. The computer readable medium of claim 50, wherein determining state changes comprises comparing the state of each of the indicators in a first time slice in the plurality of time slices with the state of the respective indicator in a second time slice in the plurality of time slices preceding the first time slice.
  - 52. The computer readable medium of claim 51, wherein the second time slice immediately precedes the first time slice.
  - 53. The computer readable medium of claim 50, wherein the transition state for each indicator is a plurality of possible states including a low suite and a high state, and wherein determining the transition state for the indicators in a first time slice in the plurality of time slices comprises determining which indicator or indicators changed state from low to high and which indicator or indicators changed state from high to low.
  - 54. The computer readable medium of claim 53, wherein determining the transition state is further based upon a number of indicators whose state changed from low to high and a number of indicators whose state changed from high to low.
  - 55. The computer readable medium of claim 54, wherein determining the transition state comprises identifying a maximum among the number of indicators whose state did not change, the number of indicators whose state changed from low to high, and the number of indicators whose state changed from high to low, and dividing the maximum by the number of indicators.
  - 56. The computer readable medium of claim 50, wherein the indicators are grouped into two or more groups of indicators, and wherein determining the transition state for each indicator comprises determining the transition state for each group based upon the numbers of indicators in each group whose state changed or did not change during each of the plurality of time slices.
  - 57. The computer readable medium of claim 50, wherein determining a transition state for each indicator comprises adjusting a first time slice to account for potential delays in determining states of each indicator.
  - 58. The computer readable medium of claim 57, wherein adjusting the first time slice to account for potential delays comprises:
    - determining which indicator, if any, changed state last in time during the first time slice;
      
      determining whether any other indicators changed state during a predefined period preceding the time of last indicator state change; and
      
      considering such other indicators whose state changed during the predefined period as having occurred during the first time slice.
  - 59. The computer readable medium of claim 50, comprising storing a transition relevance factor in association with each indicator representing whether the indicator is relevant, and wherein determining a transition state for each indicator comprises determining transition state changes only for relevant indicators.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
Micromuse Incorporated (International Business Machines Corporation)
Inventors
Deuel, John, Wetstone, Evan R., Steinberg, Louis A., Belousov, Arkadiy
Primary Examiner(s)
Baderman, Scott
Assistant Examiner(s)
LOHN, JOSHUA A

Application Number

US09/815,557
Publication Number

US 20020170002A1
Time in Patent Office

1,699 Days
Field of Search

714/47, 714/26
US Class Current

714/47.2
CPC Class Codes

H04L 41/0609 based on severity or priority

H04L 41/064 involving time analysis

Method and system for reducing false alarms in network fault management systems

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

183 Citations

59 Claims

Specification

Use Cases

Quick Links

Others

Method and system for reducing false alarms in network fault management systems

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

183 Citations

59 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others