Event-based automated diagnosis of known problems

US 7,171,337 B2
Filed: 06/21/2005
Issued: 01/30/2007
Est. Priority Date: 06/21/2005
Status: Active Grant

First Claim

Patent Images

1. A method for determining a cause of a problem occurring during operation of a computer system, comprising:

logging events processed by the computer system preceding the problem;

creating a representation of at least a portion of the events logged;

comparing the representation with a plurality of archived representations, each of the archived representations signifying a plurality of events associated with a known cause of a known problem;

identifying the cause of the problem as the known cause associated with a similar archived representation found to be comparable to the representation for use for solving the identified problem; and

wherein the creating of the representation includes sequentially aligning the events with occurrence of corresponding events included in a base sequence of events.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System events preceding occurrence of a problem are likely to be similar to events preceding occurrence of the same problem at other times or on other systems. Thus, the cause of a problem may be identified by comparing a trace of events preceding occurrence of the problem with previously diagnosed traces. Traces of events preceding occurrences of a problem arising from a known cause are reduced to a series of descriptive elements. These elements are aligned to correlate differently timed but otherwise similar traces of events, converted into symbolic representations, and archived. A trace of events leading to an undiagnosed a problem similarly is converted to a symbolic representation. The representation of the undiagnosed trace is then compared to the archived representations to identify a similar archived representation. The cause of the similar archived representation is presented as a diagnosis of the problem.

Citations

15 Claims

1. A method for determining a cause of a problem occurring during operation of a computer system, comprising:
- logging events processed by the computer system preceding the problem;
  
  creating a representation of at least a portion of the events logged;
  
  comparing the representation with a plurality of archived representations, each of the archived representations signifying a plurality of events associated with a known cause of a known problem;
  
  identifying the cause of the problem as the known cause associated with a similar archived representation found to be comparable to the representation for use for solving the identified problem; and
  
  wherein the creating of the representation includes sequentially aligning the events with occurrence of corresponding events included in a base sequence of events.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the logging of events includes at least one of:
    - continually logging events processed by the computer system;
      
      continually logging events processed by the computer system, purging events logged longer than a predetermined duration before a most recently logged event;
      
      logging events upon direction of a user;
      
      orlogging events after occurrence of a catalogued problem while the user attempts to initiate another occurrence of the problem.
  - 3. The method of claim 1, wherein the creating of the representation includes removing from data describing the event information specific to a particular iteration of the event that does not describe substance of the event.
  - 4. The method of claim 1, wherein the method is implemented by using one or more processors to execute machine instructions stored in a computer readable media.
  - 5. The method of claim 1 wherein the creating of the representation includes generating a vector representing instances of correspondence and lack of correspondence of the aligned events with the base sequence.
  - 6. The method of claim 5, wherein identifying the cause of the encountered problem includes comparing the vector with a plurality of stored vectors, each of the stored vectors representing the plurality of stored representations.
  - 7. The method of claim 1, wherein the logging of events includes logging system calls.
  - 8. The method of claim 7, wherein the logging of events further includes logging at least one of:
    - process beginning events;
      
      process ending events;
      
      thread beginning events;
      
      orthread ending events.
  - 9. The method of claim 8, wherein the creating of the representation of the events logged includes ordering each of the system calls relative to one of a process and a thread invoking each of the system calls.

10. A method for developing an archive for diagnosing a cause of a problem, comprising:
- identifying a plurality of causes for at least one known problem;
  
  for each of the plurality of causes, creating a representation including;
  
  logging events processed by a computer system preceding at least one occurrence of the known problem attributable to a known cause;
  
  aligning the events with occurrence of corresponding events included in a base sequence of events;
  
  generating a vector representing instances of correspondence and lack of correspondence of the aligned events with the base sequence; and
  
  associating the vector with the known cause; and
  
  collecting the vectors in the archive such that the archive is searchable according to correspondence of an input vector with the vectors associated with the known cause for use for diagnosing a problem.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10, wherein the events include system calls sorted according to one of a thread or a process invoking each of the system calls.
  - 12. The method of claim 10, further comprising storing the archive on at least one of:
    - on a client computer system potentially using the archive for diagnosis of the problem occurring operation of the client computing system;
      
      oron another computer system accessible by at least one client computer system potentially using the archive for diagnosis of the problem occurring operation of the client computing system.
  - 13. The method of claim 10, wherein the logging of events preceding occurrences of the known problem includes at least one of:
    - deliberately interposing the known cause of the known problem and logging events while directing the computer system so that the problem will manifest;
      
      collecting the events preceding an unintended occurrence of the problem once the known cause is discerned;
      
      orcollecting the events preceding an unintended occurrence of the problem where the known cause is diagnosed by comparison with the representations previously collected in the archive.
  - 14. The method of claim 13, wherein the logging of events preceding interposition of the known cause includes at least one of:
    - deliberately interposing the known cause on a single computer system and repeatedly directing the computer system in a manner causing the problem to reoccur;
      
      ordeliberately interposing the known cause on a plurality of computer systems and directing the plurality of computer system so that the problem will manifest on each of the plurality of computer systems.

15. A computer-readable media comprising a tangible component of machine instructions that, when executed on one or more processors, perform the actions comprising:
- developing an archive for diagnosing a cause of a problem;
  
  identifying a plurality of causes for at least one known problem;
  
  for each of the plurality of causes, creating a representation including;
  
  logging events processed by a computer system preceding at least one occurrence of the known problem attributable to a known cause;
  
  aligning the events with occurrence of corresponding events included in a base sequence of events;
  
  generating a vector representing instances of correspondence and lack of correspondence of the aligned events with the base sequence; and
  
  associating the vector with the known cause; and
  
  collecting the vectors in the archive such that the archive is searchable according to correspondence of an input vector with the vectors associated with the known cause for use for diagnosing a problem.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Ma, Wei-Ying, Zhang, Zheng, Wang, Yi-Min, Wen, Ji-Rong, Yuan, Chun
Primary Examiner(s)
COSIMANO, EDWARD R

Application Number

US11/157,712
Publication Number

US 20060288261A1
Time in Patent Office

588 Days
Field of Search

738/659, 324/500, 340/500, 340/635, 340/3.1, 340/3.43, 382/100, 382/155, 382/159, 700/90, 700/108, 702/33, 702/34, 702/35, 702/127, 702/182, 702/183, 702/184, 702/185, 702/186, 702/187
US Class Current

702/185
CPC Class Codes

G06F 11/0715 in a system implementing mu...

G06F 11/079 Root cause analysis, i.e. e...

Event-based automated diagnosis of known problems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Event-based automated diagnosis of known problems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links