Pattern discovery in a network system
First Claim
1. A method for discovering an event pattern in an event stream, the event stream comprising a plurality of events, the method comprising:
- using a processor to create a plurality of transactions based on a transaction parameter, wherein each transaction represents a subset of the plurality of events;
- generating a transaction tree based on the plurality of transactions, wherein the transaction tree includes one root node and a plurality of non-root nodes, and wherein each non-root node represents an event;
- traversing a branch of the transaction tree starting at the root node, wherein the branch extends from the root node through a first non-root node to a second non-root node;
- observing a drop in support from the first non-root node to the second non-root node, wherein a support of a non-root node represents a number of transactions that include the event represented by the non-root node; and
- determining that the event pattern includes the event represented by the first non-root node and does not include the event represented by the second non-root node.
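The steps of claim 1, worked through in Python as an added example; it is not code from the patent or its assignee. The sample events, the use of the source address as the transaction parameter, the frequency-based ordering of events inside a transaction, and the `min_support` and `drop_ratio` thresholds are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample events (source address, event name); not real data.
EVENTS = [
    ("10.0.0.1", "port_scan"), ("10.0.0.1", "login_fail"), ("10.0.0.1", "login_ok"),
    ("10.0.0.2", "port_scan"), ("10.0.0.2", "login_fail"), ("10.0.0.2", "login_ok"),
    ("10.0.0.3", "port_scan"), ("10.0.0.3", "login_fail"), ("10.0.0.3", "file_copy"),
    ("10.0.0.4", "port_scan"), ("10.0.0.4", "login_fail"),
    ("10.0.0.5", "dns_query"),
]

class Node:
    def __init__(self, event=None):
        self.event, self.support, self.children = event, 0, {}

def make_transactions(events, key=lambda e: e[0]):
    """Group events into transactions; `key` plays the transaction parameter."""
    groups = defaultdict(set)
    for ev in events:
        groups[key(ev)].add(ev[1])
    return list(groups.values())

def build_tree(transactions):
    """One path per transaction, most frequent event first (assumed ordering)."""
    freq = Counter(e for t in transactions for e in t)
    root = Node()
    for t in transactions:
        node = root
        for ev in sorted(t, key=lambda e: (-freq[e], e)):
            node = node.children.setdefault(ev, Node(ev))
            node.support += 1  # transactions whose path passes through this node
    return root

def discover(root, min_support=2, drop_ratio=0.75):
    """Follow each branch from the root and cut the pattern where support drops."""
    patterns = []
    def walk(node, prefix):
        kept = [c for c in node.children.values()
                if c.support >= min_support
                and (node.event is None or c.support >= drop_ratio * node.support)]
        for child in kept:
            walk(child, prefix + [child.event])
        if not kept and len(prefix) > 1:  # no child keeps the support: pattern ends
            patterns.append((tuple(prefix), node.support))
    walk(root, [])
    return patterns

if __name__ == "__main__":
    print(discover(build_tree(make_transactions(EVENTS))))
```

On the sample data the branch login_fail, port_scan holds a support of 4, then falls to 2 at login_ok, so the reported pattern stops at port_scan.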
Abstract
Patterns can be discovered in events collected by a network system. In one embodiment, the present invention includes collecting and storing events from a variety of monitor devices. In one embodiment, a subset of the stored events is provided to a manager as an event stream. In one embodiment, the present invention further includes the manager discovering one or more previously unknown event patterns in the event stream.
26 Claims
1. A method for discovering an event pattern in an event stream, the event stream comprising a plurality of events, the method comprising:
- using a processor to create a plurality of transactions based on a transaction parameter, wherein each transaction represents a subset of the plurality of events;
- generating a transaction tree based on the plurality of transactions, wherein the transaction tree includes one root node and a plurality of non-root nodes, and wherein each non-root node represents an event;
- traversing a branch of the transaction tree starting at the root node, wherein the branch extends from the root node through a first non-root node to a second non-root node;
- observing a drop in support from the first non-root node to the second non-root node, wherein a support of a non-root node represents a number of transactions that include the event represented by the non-root node; and
- determining that the event pattern includes the event represented by the first non-root node and does not include the event represented by the second non-root node.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. A method for generating a rule, comprising:
- displaying a pattern discovery tool configured to enable a user to select a subset of previously stored events;
- in response to the user selection; using a processor to create a plurality of transactions based on a transaction parameter, wherein each transaction represents a subset of the selected events;
- generating a transaction tree based on the plurality of transactions, wherein the transaction tree includes one root node and a plurality of non-root nodes, and wherein each non-root node represents an event;
- traversing a branch of the transaction tree starting at the root node, wherein the branch extends from the root node through a first non-root node to a second non-root node;
- observing a drop in support from the first non-root node to the second non-root node, wherein a support of a non-root node represents a number of transactions that include the event represented by the non-root node; and
- determining that the event pattern includes the event represented by the first non-root node and does not include the event represented by the second non-root node;
- displaying a rule generation tool configured to enable a user to perform an action; and
- in response to the user action, converting the event pattern into a correlation rule.

Dependent claims: 14
15. A system for discovering an event pattern in an event stream, the event stream comprising a plurality of events, the system comprising
- creating a plurality of transactions based on a transaction parameter, wherein each transaction represents a subset of the plurality of events;
- generating a transaction tree based on the plurality of transactions, wherein the transaction tree includes one root node and a plurality of non-root nodes, and wherein each non-root node represents an event;
- traversing a branch of the transaction tree starting at the root node, wherein the branch extends from the root node through a first non-root node to a second non-root node;
- observing a drop in support from the first non-root node to the second non-root node, wherein a support of a non-root node represents a number of transactions that include the event represented by the non-root node; and
- determining that the event pattern includes the event represented by the first non-root node and does not include the event represented by the second non-root node.

Dependent claims: 16, 17, 18, 19, 20, 21
22. A non-transitory machine-readable storage medium having stored thereon data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- creating a plurality of transactions based on a transaction parameter, wherein each transaction represents a subset of a plurality of events;
- generating a transaction tree based on the plurality of transactions, wherein the transaction tree includes one root node and a plurality of non-root nodes, and wherein each non-root node represents an event;
- traversing a branch of the transaction tree starting at the root node, wherein the branch extends from the root node through a first non-root node to a second non-root node;
- observing a drop in support from the first non-root node to the second non-root node, wherein a support of a non-root node represents a number of transactions that include the event represented by the non-root node; and
- determining that the event pattern includes the event represented by the first non-root node and does not include the event represented by the second non-root node.

Dependent claims: 23, 24, 25, 26
Specification