Method and apparatus for correlating events in a network

US 7,631,222 B2
Filed: 08/23/2004
Issued: 12/08/2009
Est. Priority Date: 08/23/2004
Status: Active Grant

First Claim

Patent Images

1. A method for correlating events occurring in a network, wherein the network is represented as a graph of interconnected nodes with interconnections between nodes representing dependencies between the entities represented by the nodes, the method comprising the computer-implemented steps of:

creating a first data structure that is associated with a first entity, wherein the first data structure comprises;

a first set of data that comprises a list of events that originated in association with the first entity, wherein the list of events comprises a first event that originated in association with the first entity, anda second set of data that comprises a list of records, wherein the list of records comprises a record which incorporates by reference a different, second event that originated in association with a different, second entity that has a dependency relationship with the first entity;

wherein the second event is obtained by the first entity through incorporation by reference, without the second entity initiating propagation of the second event to the first entity; and

determining, based at least in part on the first data structure, a likelihood that the second event caused the first event or was caused by the first event;

wherein the method is performed by a computing device comprising one or more processors.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A uniquely configured data structure is used to store event information for each network entity, where logical and physical dependency relationships among entities are captured in the data structure. For each entity, the data structure is configured to store (a) a “genuine event set”, which includes a list of events that originated in association with the entity; and (b) a “derived event set”, which includes a list of records in which each record is associated with an event that originated in association with an entity that has a dependency relationship (e.g., layering or topological) with the entity. The derived event set may simply comprise references to the genuine event sets for entities that have a dependency relationship with the entity.

Citations

60 Claims

1. A method for correlating events occurring in a network, wherein the network is represented as a graph of interconnected nodes with interconnections between nodes representing dependencies between the entities represented by the nodes, the method comprising the computer-implemented steps of:
- creating a first data structure that is associated with a first entity, wherein the first data structure comprises;
  
  a first set of data that comprises a list of events that originated in association with the first entity, wherein the list of events comprises a first event that originated in association with the first entity, anda second set of data that comprises a list of records, wherein the list of records comprises a record which incorporates by reference a different, second event that originated in association with a different, second entity that has a dependency relationship with the first entity;
  
  wherein the second event is obtained by the first entity through incorporation by reference, without the second entity initiating propagation of the second event to the first entity; and
  
  determining, based at least in part on the first data structure, a likelihood that the second event caused the first event or was caused by the first event;
  
  wherein the method is performed by a computing device comprising one or more processors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the first data structure comprises:
    - for the record listed in the second set of data, information that indicates how many nodes away, from a first node that represents the first entity, is a second node that represents the second entity from which the second event incorporated by reference in that record originated.
  - 3. The method of claim 2, wherein the step of determining comprises:
    - determining, based at least in part on the first data structure, the likelihood that the second event caused the first event.
  - 4. The method of claim 2, wherein the step of determining comprises:
    - determining, based at least in part on the first data structure, the likelihood that the second event was caused by the first event.
  - 5. The method of claim 2,wherein a data structure configured like the first data structure is associated with each entity in the network, andwherein, for each data structure, the list of records in the second set of data comprises a reference to the first set of data associated with each of one or more entity that has a dependency relationship with the entity associated with the data structure.
  - 6. The method of claim 5, further comprising the computer-implemented step of:
    - in response to an event originating from the first entity,determining that the event occurred at the first entity; and
      
      adding, only to the list in the first set of data in the first data structure, a record of the event that originated in association with the first entity.
  - 7. The method of claim 5, further comprising the computer-implemented step of:
    - identifying, based at least in part on the data structures, a set of one or more events in the network that may have caused the first event.
  - 8. The method of claim 7, further comprising the computer-implemented step of:
    - providing the set of one or more events to an inference engine that performs fault analysis of the network.
  - 9. The method of claim 5, further comprising the computer-implemented step of:
    - identifying, based at least in part on the data structures, a set of one or more events in the network that may have been caused by the first event.
  - 10. The method of claim 9, further comprising the computer-implemented step of:
    - providing the set of one or more events to an inference engine that performs fault analysis of the network.
  - 11. The method of claim 2,wherein the second set of data comprises a list of records in which each record incorporates by reference an event that originated in association with an entity that is one node away from the node that represents the first entity;
    - andwherein n additional sets of data in the first data structure each comprise a list of records in which each record incorporates by reference an event that originated in association with an entity (a) that has a dependency relationship with the node that represents the first entity and (b) that is n+1 nodes away from the node that represents the first entity.
  - 12. The method of claim 11,wherein the second and the n sets of data are configured as an array of data;
    - andwherein the position of each set of data in the array is the information that indicates how many nodes away, from the node that represents the first entity, are the entities from which the associated events originated.
  - 13. The method of claim 1, wherein the events occurring in the network are associated with faults occurring in the network.
  - 14. The method of claim 1, wherein the network is a packet-switched network.

15. A computer-readable volatile or non-volatile storage medium storing one or more sequences of instructions for correlating events occurring in a network, wherein the network is represented as a graph of interconnected nodes with interconnections between nodes representing logical dependencies between the entities represented by the nodes, which instructions, when executed by one or more processors, cause the one or more processors to perform:
- creating a first data structure that is associated with a first entity, wherein the first data structure comprises;
  
  a first set of data that comprises a list of events that originated in association with the first entity, wherein the list of events comprises a first event that originated in association with the first entity, anda second set of data that comprises a list of records, wherein the list of records comprises a record which incorporates by reference a different, second event that originated in association with a different, second entity that has a dependency relationship with the first entity;
  
  wherein the second event is obtained by the first entity through incorporation by reference, without the second entity initiating propagation of the second event to the first entity; and
  
  determining, based at least in part on the first data structure, a likelihood that the second event caused the first event or was caused by the first event.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 16. The computer-readable medium of claim 15, wherein the first data structure comprises:
    - for the record listed in the second set of data, information that indicates how many nodes away, from a first node that represents the first entity, is a second node that represents the second entity from which the second event incorporated by reference in that record originated.
  - 17. The computer-readable medium of claim 16, wherein the instructions cause the one or more processors to perform the step of determining by determining, based at least in part on the first data structure, the likelihood that the second event caused the first event.
  - 18. The computer-readable medium of claim 16, wherein the instructions cause the one or more processors to perform the step of determining by determining, based at least in part on the first data structure, the likelihood that the second event was caused by the first event.
  - 19. The computer-readable medium of claim 16,wherein a data structure configured like the first data structure is associated with each entity in the network, andwherein, for each data structure, the list of records in the second set of data comprises a reference to the first set of data associated with each of one or more entity that has a dependency relationship with the entity associated with the data structure.
  - 20. The computer-readable medium of claim 19, wherein the instructions cause the one or more processors to perform:
    - in response to an event originating from the first entity,determining that the event occurred at the first entity; and
      
      adding, only to the list in the first set of data in the first data structure, a record of the event that originated in association with the first entity.
  - 21. The computer-readable medium of claim 19, wherein the instructions cause the one or more processors to perform:
    - identifying, based at least in part on the data structures, a set of one or more events in the network that may have caused the first event.
  - 22. The computer-readable medium of claim 21, wherein the instructions cause the one or more processors to perform:
    - providing the set of one or more events to an inference engine that performs fault analysis of the network.
  - 23. The computer-readable medium of claim 19, wherein the instructions cause the one or more processors to perform:
    - identifying, based at least in part on the data structures, a set of one or more events in the network that may have been caused by the first event.
  - 24. The computer-readable medium of claim 23, wherein the instructions cause the one or more processors to perform:
    - providing the set of one or more events to an inference engine that performs fault analysis of the network.
  - 25. The computer-readable medium of claim 16,wherein the second set of data comprises a list of records in which each record incorporates by reference an event that originated in association with an entity that is one node away from the node that represents the first entity;
    - andwherein n additional sets of data in the first data structure each comprise a list of records in which each record incorporates by reference an event that originated in association with an entity (a) that has a dependency relationship with the node that represents the first entity and (b) that is n+1 nodes away from the node that represents the first entity.
  - 26. The computer-readable medium of claim 25,wherein the second and the n sets of data are configured as an array of data;
    - andwherein the position of each set of data in the array is the information that indicates how many nodes away, from the node that represents the first entity, are the entities from which the associated events originated.
  - 27. The computer-readable medium of claim 15, wherein the network is a packet-switched network.

28. A system comprising:
- a processor;
  
  means for creating a first data structure that is associated with a first entity, wherein the first data structure comprises,a first set of data that comprises a list of events that originated in association with the first entity, wherein the list of events comprises a first event that originated in association with the first entity, anda second set of data that comprises a list of records, wherein the list of records comprises a record which incorporates by reference a different, second event that originated in association with a different, second entity that has a dependency relationship with the first entity;
  
  wherein the second event is obtained by the first entity through incorporation by reference, without the second entity initiating propagation of the second event to the first entity; and
  
  means for determining, based at least in part on the first data structure, a likelihood that the second event caused the first event or was caused by the first event.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 29. The system of claim 28, wherein the first data structure is configured to store,for the record listed in the second set of data, information that indicates how many nodes away, from a first node that represents the first entity, is a second node that represents the second entity from which the second event incorporated by reference in that record originated.
  - 30. The system of claim 29, wherein the means for determining comprise:
    - means for determining, based at least in part on the first data structure, the likelihood that the second event caused the first event.
  - 31. The system of claim 29, wherein the means for determining comprise:
    - means for determining, based at least in part on the first data structure, the likelihood that the second event was caused by the first event.
  - 32. The system of claim 29,wherein a data structure configured like the first data structure is associated with each entity in the network, andwherein, for each data structure, the list of records in the second set of data comprises a reference to the first set of data associated with each of one or more entity that has a dependency relationship with the entity associated with the data structure.
  - 33. The system of claim 32, further comprising:
    - means for determining that an event occurred at the first entity, in response to the event originating from the first entity; and
      
      means for adding, only to the list in the first set of data in the first data structure, a record of the event that originated in association with the first entity.
  - 34. The system of claim 32, further comprising:
    - means for identifying, based at least in part on the data structures, a set of one or more events in the network that may have caused the first event.
  - 35. The system of claim 34, further comprising:
    - means for providing the set of one or more events to an inference engine that performs fault analysis of the network.
  - 36. The system of claim 32, further comprising:
    - means for identifying, based at least in part on the data structures, a set of one or more events in the network that may have been caused by the first event.
  - 37. The system of claim 36, further comprising:
    - means for providing the set of one or more events to an inference engine that performs fault analysis of the network.
  - 38. The system of claim 29,wherein the second set of data comprises a list of records in which each record incorporates by reference an event that originated in association with an entity that is one node away from the node that represents the first entity;
    - andwherein n additional sets of data in the first data structure each comprise a list of records in which each record incorporates by reference an event that originated in association with an entity (a) that has a dependency relationship with the node that represents the first entity and (b) that is n+1 nodes away from the node that represents the first entity.
  - 39. The system of claim 38,wherein the second and the n sets of data are configured as an array of data;
    - andwherein the position of each set of data in the array is the information that indicates how many nodes away, from the node that represents the first entity, are the entities from which the associated events originated.
  - 40. The system of claim 28, wherein the network is a packet-switched network.

41. An apparatus for correlating events occurring in a network, wherein the network can be represented as a graph of interconnected nodes with interconnections between nodes representing logical dependencies between the entities represented by the nodes the apparatus comprising:
- a network interface that is coupled to the network for receiving one or more packet flows therefrom;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  creating a first data structure that is associated with a first entity, wherein the first data structure comprises,a first set of data that comprises a list of events that originated in association with the first entity, wherein the list of events comprises a first event that originated in association with the first entity, anda second set of data that comprises a list of records, wherein the list of records comprises a record which incorporates by reference a different, second event that originated in association with a different, second entity that has a dependency relationship with the first entity;
  
  wherein the second event is obtained by the first entity through incorporation by reference, without the second entity initiating propagation of the second event to the first entity; and
  
  determining, based at least in part on the first data structure, a likelihood that the second event caused the first event or was caused by the first event.
- View Dependent Claims (42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53)
- - 42. The apparatus of claim 41, wherein the first data structure is configured to store,for the record listed in the second set of data, information that indicates how many nodes away, from a first node that represents the first entity, is a second node that represents the second entity from which the second event incorporated by reference in that record originated.
  - 43. The apparatus of claim 42, wherein the instructions further cause the processor to perform the step of determining by:
    - determining, based at least in part on the first data structure, the likelihood that the second event caused the first event.
  - 44. The apparatus of claim 42, wherein the instructions further cause the processor to perform the step of determining by:
    - determining, based at least in part on the first data structure, the likelihood that the second event was caused by the first event.
  - 45. The apparatus of claim 42,wherein a data structure configured like the first data structure is associated with each entity in the network, andwherein, for each data structure, the list of records in the second set of data comprises a reference to the first set of data associated with each of one or more entity that has a dependency relationship with the entity associated with the data structure.
  - 46. The apparatus of claim 45, and wherein the instructions further cause the processor to perform the step of:
    - in response to an event originating from the first entity, determining that the event occurred at the first entity; and
      
      adding, only to the list in the first set of data in the first data structure, a record of the event that originated in association with the first entity.
  - 47. The apparatus of claim 45, and wherein the instructions further cause the processor to perform the step of:
    - identifying, based at least in part on the data structures, a set of one or more events in the network that may have caused the first event.
  - 48. The apparatus of claim 47, and wherein the instructions further cause the processor to perform the step of:
    - providing the set of one or more events to an inference engine that performs fault analysis of the network.
  - 49. The apparatus of claim 45, and wherein the instructions further cause the processor to perform the step of:
    - identifying, based at least in part on the data structures, a set of one or more events in the network that may have been caused by the first event.
  - 50. The apparatus of claim 49, and wherein the instructions further cause the processor to perform the step of:
    - providing the set of one or more events to an inference engine that performs fault analysis of the network.
  - 51. The apparatus of claim 42,wherein the second set of data comprises a list of records in which each record incorporates by reference an event that originated in association with an entity that is one node away from the node that represents the first entity;
    - andwherein n additional sets of data in the first data structure each comprise a list of records in which each record incorporates by reference an event that originated in association with an entity (a) that has a dependency relationship with the node that represents the first entity and (b) that is n+1 nodes away from the node that represents the first entity.
  - 52. The apparatus of claim 51,wherein the second and the n sets of data are configured as an array of data;
    - andwherein the position of each set of data in the array is the information that indicates how many nodes away, from the node that represents the first entity, are the entities from which the associated events originated.
  - 53. The apparatus of claim 41, wherein the network is a packet-switched network.

54. A method for correlating events that occurred in a communications network comprising a plurality of entities, wherein the method comprises the computer-implemented steps of:
- logically representing the network as a graph of interconnected nodes with interconnections between nodes representing logical or physical dependency relationships between the plurality of entities represented by the nodes;
  
  for each of the plurality of entities, creating, based on the graph, a data structure that comprisesa genuine event set that comprises a list of event records about fault-related events issued by the entity, anda derived event set that comprises a list of event records that are each associated with a fault-related event issued by an entity that has a dependency relationship with the entity,wherein each record in the list of records in the derived event set comprises a reference to the genuine event set for each entity that has a dependency relationship with the entity,for each record listed in the second set of data, information that indicates how many nodes away, from a node that represents the first entity, is a node that represents the entity from which the associated event originated,populating each data structure with data for the genuine event set, the derived event set, the references, and the information;
  
  wherein populating each data structure with the derived event set comprises obtaining at least one event in the derived event set from an event originating entity through incorporation by reference, without the event originating entity initiating propagation of the at least one event;
  
  for one or more of the plurality of entities, reading at least some of the data structures to generate one or more candidate sets of events, wherein each candidate set of events contains a plurality of events that are likely related; and
  
  providing the one or more candidate sets of events for performing fault analysis of the network;
  
  wherein the method is performed by a computing device comprising one or more processors.
- View Dependent Claims (55, 56)
- - 55. The method of claim 54, wherein, for a first entity of the plurality of entities, the plurality of events in a candidate event set likely caused one or more particular events to issue by the first entity.
  - 56. The method of claim 54, wherein, for a first entity of the plurality of entities, the plurality of events in a candidate event set were likely caused by one or more particular events issued by the first entity.

57. A computer-readable volatile or non-volatile storage medium storing one or more sequences of instructions for correlating events that occurred in a communications network comprising a plurality of entities, which instructions, when executed by one or more processors, cause the one or more processors to perform:
- logically representing the network as a graph of interconnected nodes with interconnections between nodes representing logical or physical dependency relationships between the plurality of entities represented by the nodes;
  
  for each of the plurality of entities, creating, based on the graph, a data structure that is configured to storea genuine event set that comprises a list of event records about fault-related events issued by the entity, anda derived event set that comprises a list of event records that are each associated with a fault-related event issued by an entity that has a dependency relationship with the entity,wherein each record in the list of records in the derived event set comprises a reference to the genuine event set for each entity that has a dependency relationship with the entity,for each record listed in the second set of data, information that indicates how many nodes away, from a node that represents the first entity, is a node that represents the entity from which the associated event originated,populating each data structure with data for the genuine event set, the derived event set, the references, and the information;
  
  wherein populating each data structure with the derived event set comprises obtaining at least one event in the derived event set from an event originating entity through incorporation by reference, without the event originating entity initiating propagation of the at least one event;
  
  for one or more of the plurality of entities, reading at least some of the data structures to generate one or more candidate sets of events, wherein each candidate set of events contains a plurality of events that are likely related; and
  
  providing the one or more candidate sets of events for performing fault analysis of the network.

58. A system that correlates events that occurred in a communications network comprising a plurality of entities, the system comprising:
- a processor;
  
  means for logically representing the network as a graph of interconnected nodes with interconnections between nodes representing logical or physical dependency relationships between the plurality of entities represented by the nodes;
  
  means for creating for each of the plurality of entities, based on the graph, a data structure that is configured to storea genuine event set that comprises a list of event records about fault-related events issued by the entity, anda derived event set that comprises a list of event records that are each associated with a fault-related event issued by an entity that has a dependency relationship with the entity,wherein each record in the list of records in the derived event set comprises a reference to the genuine event set for each entity that has a dependency relationship with the entity,for each record listed in the second set of data, information that indicates how many nodes away, from a node that represents the first entity, is a node that represents the entity from which the associated event originated,means for populating each data structure with data for the genuine event set, the derived event set, the references, and the information;
  
  wherein means for populating each data structure with the derived event set comprises means for obtaining at least one event in the derived event set from an event originating entity through incorporation by reference, without the event originating entity initiating propagation of the at least one event;
  
  means for reading, for one or more of the plurality of entities, at least some of the data structures to generate one or more candidate sets of events, wherein each candidate set of events contains a plurality of events that are likely related; and
  
  means for providing the one or more candidate sets of events for performing fault analysis of the network.

59. An apparatus for correlating events occurring in a network, the apparatus comprising:
- a network interface that is coupled to the network for receiving one or more packet flows therefrom;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  logically representing the network as a graph of interconnected nodes with interconnections between nodes representing logical or physical dependency relationships between the plurality of entities represented by the nodes;
  
  for each of the plurality of entities, creating, based on the graph, a data structure that is configured to storea genuine event set that comprises a list of event records about fault-related events issued by the entity, anda derived event set that comprises a list of event records that are each associated with a fault-related event issued by an entity that has a dependency relationship with the entity,wherein each record in the list of records in the derived event set comprises a reference to the genuine event set for each entity that has a dependency relationship with the entity,for each record listed in the second set of data, information that indicates how many nodes away, from a node that represents the first entity, is a node that represents the entity from which the associated event originated,populating each data structure with data for the genuine event set, the derived event set, the references, and the information;
  
  wherein populating each data structure with the derived event set comprises obtaining at least one event in the derived event set from an event originating entity through incorporation by reference, without the event originating entity initiating propagation of the at least one event;
  
  for one or more of the plurality of entities, reading at least some of the data structures to generate one or more candidate sets of events, wherein each candidate set of events contains a plurality of events that are likely related; and
  
  providing the one or more candidate sets of events for performing fault analysis of the network.

60. A computer-readable volatile or non-volatile storage medium on which is stored a data structure configured for determining, based on the data structure, the likelihood that an event in a network that is represented as a graph of interconnected nodes with interconnections between nodes representing dependencies between the entities represented by the nodes, other than a first event reported in association with a first entity, caused the first event or was caused by the first event, wherein the data structure is configured to store:
- a first set of data that comprises a list of events that originated in association with a first entity,a second set of data that comprises a list of records in which each record incorporates by reference an event that originated in association with an entity that has a dependency relationship with the first entity;
  
  wherein a record in the list of records incorporates by reference an event that originated in association with a second entity that has a dependency relationship with the first entity and wherein the first entity obtains the record from the second entity through incorporation by reference, without the second entity initiating propagation of the event to the first entity; and
  
  for each record listed in the second set of data, information that indicates how many nodes away, from a node that represents the first entity, is a node that represents the entity from which the event originated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Clemm, L. Alexander, Dini, Petre, Hasan, Masum Z.
Primary Examiner(s)
Baderman; Scott T
Assistant Examiner(s)
Leibovich; Yair

Application Number

US10/924,702
Publication Number

US 20060041659A1
Time in Patent Office

1,933 Days
Field of Search

714/47, 714/26
US Class Current

714/26
CPC Class Codes

H04L 41/0631 using root cause analysis; ...

Method and apparatus for correlating events in a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

60 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for correlating events in a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

60 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links