System and method for correlating fingerprints for automated intelligence

US 8,631,117 B2
Filed: 08/19/2008
Issued: 01/14/2014
Est. Priority Date: 08/19/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

capturing a first fingerprint of at least a portion of an information technology (IT) infrastructure associated with a certain event relating to the IT infrastructure;

capturing a second fingerprint of at least a portion of the IT infrastructure associated with an event relating to the IT infrastructure; and

determining whether a correlation exists between the first and second fingerprints such that the first and second fingerprints each provide an indication of at least a portion of the same event relating to the IT infrastructure, wherein each of the first and second fingerprints includes a set of rules for a set of time cuts, respectively, wherein each rule in the set of rules includes a probability that a symptom of the event occurs for a specific time cut, wherein the symptom includes a metric and a reason that the event is generated, wherein determining whether a correlation exists comprises determining the degree of match between rules of the first fingerprint against rules of the second fingerprint across the various time cuts.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for correlating fingerprints in an Information Technology (IT) infrastructure for automated intelligence, where a fingerprint provides an indication of the activity and operation of the IT infrastructure immediately preceding an event. It is determined whether a correlation exists between multiple fingerprints to determine whether such fingerprints separately indicate the occurrence of the event for the same reason. If a degree of match is found to exist between the rule sets of multiple fingerprints that exceeds a certain threshold, the fingerprints are determined to indicate the occurrence of the event for the same reason and the rule sets for those fingerprints can be merged together with the probabilities that such rules will indicate the occurrence of the event adjusted accordingly. In one or more embodiments, the fingerprint matching correlation procedures are implemented to account for time or phase shifts between the rule sets in two fingerprints.

Citations

14 Claims

1. A method comprising:
- capturing a first fingerprint of at least a portion of an information technology (IT) infrastructure associated with a certain event relating to the IT infrastructure;
  
  capturing a second fingerprint of at least a portion of the IT infrastructure associated with an event relating to the IT infrastructure; and
  
  determining whether a correlation exists between the first and second fingerprints such that the first and second fingerprints each provide an indication of at least a portion of the same event relating to the IT infrastructure, wherein each of the first and second fingerprints includes a set of rules for a set of time cuts, respectively, wherein each rule in the set of rules includes a probability that a symptom of the event occurs for a specific time cut, wherein the symptom includes a metric and a reason that the event is generated, wherein determining whether a correlation exists comprises determining the degree of match between rules of the first fingerprint against rules of the second fingerprint across the various time cuts.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising merging the first and second fingerprints together when it is determined that the first and second fingerprints correlate to each other.
  - 3. The method of claim 1, further comprising:
    - iteratively shifting a phase shift in time cuts between the sets of rules in the first and second fingerprints;
      
      determining a degree of match between the rules of the first fingerprint against rules of the second fingerprint across for each iteration of phase shift; and
      
      determining the phase shift for which a maximum degree of match exists between the sets of rules of the first and second fingerprints and determining a value of the associated maximum degree of match.
  - 4. The method of claim 3, further comprising:
    - determining whether the value for the maximum degree of match exceeds a certain threshold, andmerging the sets of rules for the first and second fingerprints together when the value for the maximum degree of match exceeds the certain threshold.
  - 5. The method of claim 4, further comprising adjusting the probabilities of the merged sets of rules, wherein the rules having a degree of match between the first and second thresholds have their probabilities increased while rules that do not have a degree of match between the first and second thresholds have their probabilities decreased.
  - 6. The method of claim 1, wherein the first and second fingerprints are captured prior to the occurring event.

7. A non-transitory machine-readable medium having program instructions stored thereon executable by a processing unit of a special-purpose network monitoring server for performing the steps of:
- capturing a first fingerprint of at least a portion of an information technology (IT) infrastructure associated with a certain event relating to the IT infrastructure;
  
  capturing a second fingerprint of at least a portion of the IT infrastructure associated with an event relating to the IT infrastructure; and
  
  determining whether a correlation exists between the first and second fingerprints such that the first and second fingerprints each provide an indication of at least a portion of the same event relating to the IT infrastructure, wherein each of the first and second fingerprints includes a set of rules for a set of time cuts, respectively, wherein each rule in the set of rules includes a probability that a symptom of the event occurs for a specific time cut, wherein the symptom includes a metric and a reason that the event is generated, wherein determining whether a correlation exists comprises determining the degree of match between rules of the first fingerprint against rules of the second fingerprint across the various time cuts.
- View Dependent Claims (8, 9, 10)
- - 8. The non-transitory machine-readable medium of claim 7, further comprising program instructions stored thereon for:
    - iteratively shifting a phase shift in time cuts between the sets of rules in the first and second fingerprints;
      
      determining a degree of match between the rules of the first fingerprint against rules of the second fingerprint across for each iteration of phase shift; and
      
      determining the phase shift for which a maximum degree of match exists between the sets of rules of the first and second fingerprints and determining a value of the associated maximum degree of match.
  - 9. The non-transitory machine-readable medium of claim 8, further comprising program instructions stored thereon for:
    - determining whether the value for the maximum degree of match exceeds a certain threshold, andmerging the sets of rules for the first and second fingerprints together when the value for the maximum degree of match exceeds the certain threshold.
  - 10. The non-transitory machine-readable medium of claim 9, further comprising program instructions stored thereon for adjusting the probabilities of the merged sets of rules, wherein the rules having a degree of match between the first and second thresholds have their probabilities increased while rules that do not have a degree of match between the first and second thresholds have their probabilities decreased.

11. A system comprising:
- a fingerprint capturing module for capturing a first fingerprint of at least a portion of an information technology (IT) infrastructure associated with a certain event relating to the IT infrastructure,the fingerprint capturing module further capturing a second fingerprint of at least a portion of the IT infrastructure associated with an event relating to the IT infrastructure; and
  
  a fingerprint correlation module for determining whether a correlation exists between the first and second fingerprints such that the first and second fingerprints each provide an indication of at least a portion of the same event relating to the IT infrastructure, wherein each of the first and second fingerprints includes a set of rules for a set of time cuts, respectively, wherein each rule in the set of rules includes a probability that a symptom of the event occurs for a specific time cut, wherein the symptom includes a metric and a reason that the event is generated, wherein the fingerprint correlation module is further configured to determine the degree of match between rules of the first fingerprint against rules of the second fingerprint across the various time cuts.
- View Dependent Claims (12, 13, 14)
- - 12. The system of claim 11, wherein the fingerprint correlation module further:
    - iteratively shifts a phase shift in time cuts between the sets of rules in the first and second fingerprints;
      
      determines a degree of match between the rules of the first fingerprint against rules of the second fingerprint across for each iteration of phase shift; and
      
      determines the phase shift for which a maximum degree of match exists between the sets of rules of the first and second fingerprints and determines a value for the associated maximum degree of match.
  - 13. The system of claim 12, wherein the fingerprint correlation module further:
    - determines whether the value for the maximum degree of match exceeds a certain threshold, andmerges the sets of rules for the first and second fingerprints together when the value for the maximum degree of match exceeds the certain threshold.
  - 14. The system of claim 13, wherein the fingerprint correlation module further adjusts the probabilities of the merged sets of rules, wherein the rules having a degree of match between the first and second thresholds have their probabilities increased while rules that do not have a degree of match between the first and second thresholds have their probabilities decreased.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Marvasti, Mazda A.
Primary Examiner(s)
BATES, KEVIN T

Application Number

US12/194,197
Publication Number

US 20100046809A1
Time in Patent Office

1,974 Days
Field of Search

709/224, 714/26, 714/39
US Class Current

709/224
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/12   Applying verification of th...

H04L 63/123   received data contents, e.g...

H04L 63/14   for detecting or protecting...

System and method for correlating fingerprints for automated intelligence

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for correlating fingerprints for automated intelligence

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links