Method and system for improved in-line management of an information technology network

US 8,032,620 B2
Filed: 06/24/2004
Issued: 10/04/2011
Est. Priority Date: 06/24/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method for managing a network of computer devices comprising the steps of:

a. receiving a plurality of status messages from the network, wherein a status message includes a key performance indicator, wherein the key performance indicator is a variable, numerical value that correlates to a parameter of the network state, wherein said numerical value is descriptive of the network state;

b. forming a current incident state when a status message indicates a problem with the network, wherein the current incident state contains a key management indicator that is a plurality of key performance indicators arranged according to a syntax;

c. accessing an incident report from a library of previous incident reports, wherein an incident report stores information associated with an incident of the network, and wherein the information includes a key management indicator and a network action associated with the incident of the network, wherein said incident report further comprises automatically observed human initiated network action associated with the incident;

d. calculating a similarity value based on a comparison of a key management indicator from the incident report from the library of previous incident reports to the key management indicator of the current incident state;

e. identifying a similar incident report when the similarity value satisfies a similarity threshold requirement;

f. selecting a network action from the similar incident report, wherein said network action is provided to an Automation Engine for automatic execution;

g. executing the selected network action;

h. compiling information of the current incident state and information of the selected network action into a current incident report;

i. storing the current incident report in the library of previous incident reports;

wherein step (d) calculating a similarity value and step (e) identifying a similar incident report comprise traversing a decision tree;

testing key performance indicators of the current incident state at decision nodes of the decision tree; and

identifying an incident report from the library of previous incident reports that satisfies a set degree of matching compared in execution of the decision tree, wherein said set degree of matching is variable;

wherein step (d) includes comparing the key performance indicators of two key management indicators with a Boolean operator.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and a method for leveraging human knowledge held by system administrators to support improved or optimal management of an information technology network. The present invention monitors and records the states and values key management indicators related to actions taken by a human system administrator in improving a perceived sub-optimal state of the information technology network. The present invention predicts the effect of command in situations later occurring, and optionally suggests actions to a system administrator. The method of the present invention optionally enables embodiments of the present invention to automatically select one or more preferred system commands and execute the selected command or commands.

Citations

20 Claims

1. A method for managing a network of computer devices comprising the steps of:
- a. receiving a plurality of status messages from the network, wherein a status message includes a key performance indicator, wherein the key performance indicator is a variable, numerical value that correlates to a parameter of the network state, wherein said numerical value is descriptive of the network state;
  
  b. forming a current incident state when a status message indicates a problem with the network, wherein the current incident state contains a key management indicator that is a plurality of key performance indicators arranged according to a syntax;
  
  c. accessing an incident report from a library of previous incident reports, wherein an incident report stores information associated with an incident of the network, and wherein the information includes a key management indicator and a network action associated with the incident of the network, wherein said incident report further comprises automatically observed human initiated network action associated with the incident;
  
  d. calculating a similarity value based on a comparison of a key management indicator from the incident report from the library of previous incident reports to the key management indicator of the current incident state;
  
  e. identifying a similar incident report when the similarity value satisfies a similarity threshold requirement;
  
  f. selecting a network action from the similar incident report, wherein said network action is provided to an Automation Engine for automatic execution;
  
  g. executing the selected network action;
  
  h. compiling information of the current incident state and information of the selected network action into a current incident report;
  
  i. storing the current incident report in the library of previous incident reports;
  
  wherein step (d) calculating a similarity value and step (e) identifying a similar incident report comprise traversing a decision tree;
  
  testing key performance indicators of the current incident state at decision nodes of the decision tree; and
  
  identifying an incident report from the library of previous incident reports that satisfies a set degree of matching compared in execution of the decision tree, wherein said set degree of matching is variable;
  
  wherein step (d) includes comparing the key performance indicators of two key management indicators with a Boolean operator.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, wherein the numerical value of the key performance indicator is a Boolean value.
  - 3. The method of claim 2, wherein the status messages further includes error reports from a computer device of the network.
  - 4. The method of claim 3, wherein step (d) includes comparing a plurality of key performance indicators from the plurality of status messages to a trigger signature.
  - 5. The method of claim 1, wherein step (g) automatically executing a network action.
  - 6. The method of claim 5, further comprising the steps of:
    - j. presenting information of the current incident state and information of the common network action to a system administrator;
      
      k. receiving edits to the current incident report from the system administrator; and
      
      wherein step (i) stores the edited incident report in the library of previous incident reports.
  - 7. The method of claim 6, wherein steps (j) and (k) are performed prior to step (i).
  - 8. The method of claim 6, wherein step (k) includes an action selected from the list:
    - adding information to the current incident report, modifying information of the current incident report, and removing information from the current incident report.
  - 9. The method of claim 8, wherein an incident report additionally stores information related to performance data of the incident;
    - and the method further comprises;
      
      calculating a measure of the degree of similarity of the current incident report compared to the key performance indicators of the similar incident reports; and
      
      comparing performance data of the current incident report to performance data of an incident report from the library of previous incident reports.
  - 10. The method of claim 6, wherein the common network action is selected from the list:
    - modifying a computer device, requesting more information from the network, and executing syslog information.
  - 11. The method of claim 5, wherein step (d) is performed for at least a subset of the previous reports.
  - 12. The method of claim 11, wherein step (e) includes identifying a plurality of similar incident reports.
  - 13. The method of claim 12, wherein the selected network action further satisfies a second threshold that is based on the frequency of occurrence in a plurality of similar incident reports.
  - 14. The method of claim 12, wherein an incident report additionally stores information related to a plurality of command citations;
    - and wherein the steps (f), (g), and (h) further include performing command analysis that includes the steps;
      
      calculating the frequency of commands from the command citations;
      
      selecting a command that satisfies a command frequency threshold;
      
      executing the selected command when the identified command is allowed to be automatically executed;
      
      recording network results of the executed command; and
      
      compiling information related to the selected command in the current incident report.
  - 15. The method of claim 14, wherein the compiled information related to the selected command includes the selected command, the executed command, and the network results of the executed command.
  - 16. The method of claim 15, wherein the network results of the executed command is stored as a new key management indicator, wherein the key management indicator includes a plurality of key performance indicators from after the executed commands.
  - 17. The method of claim 12, wherein an incident report additionally stores information related to a syslog list;
    - and wherein the steps (f), (g), and (h) further include performing a syslog analysis that includes the steps;
      
      a. processing the syslog list of the similar incident report with a regular expression analyzer;
      
      b. tagging syslog information where the output of the regular expression analyzer and a current syslog database share substantial similarity;
      
      c. executing tagged syslog information;
      
      d. recording results of the executed syslog information; and
      
      e. compiling information related to the syslog information in the current incident report.
  - 18. The method of claim 12, wherein an incident report stores information related to an alarm record, a syslog list, a plurality of command citations, and performance data.
  - 19. The method of claim 12, wherein a plurality of network actions is selected, executed, and compiled, and wherein the plurality of network actions is composed of different types of network actions.
  - 20. The method of claim 19, wherein the analysis of two different types of network actions from the plurality of network actions are performed substantially simultaneously.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Insitesource Corporation
Original Assignee
Bluehawk Networks, Inc.
Inventors
Scott, Marlin, Britton, Ron, Hand, Roger, Meyer, Stephen
Primary Examiner(s)
Bayard, Djenane
Assistant Examiner(s)
DONABED, NINOS J

Application Number

US10/876,360
Publication Number

US 20060015597A1
Time in Patent Office

2,658 Days
Field of Search

709/223, 709/224, 709/225, 709/226
US Class Current

709/223
CPC Class Codes

H04L 41/0631 using root cause analysis; ...

Method and system for improved in-line management of an information technology network

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for improved in-line management of an information technology network

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links