System for decomposing events from managed infrastructures using a topology proximity engine, graph topologies, and k-means clustering

US 9,529,890 B2
Filed: 04/28/2014
Issued: 12/27/2016
Est. Priority Date: 04/29/2013
Status: Active Grant

First Claim

Patent Images

1. An event clustering system, comprising:

an extraction engine in communication with a managed infrastructure, the extraction engine in operation receiving messages from the managed infrastructure and produces events that relate to the managed infrastructure and converts the events into words and subsets used to group the events into clusters that relate to failures or errors in the managed infrastructure, including managed infrastructure physical hardware, the managed infrastructure supporting the flow and processing of information;

a sigalizer engine that includes one or more of an Non-negative Matrix Factorization NMF engine, a k-means clustering engine and a topology proximity engine, the sigalizer engine determining one or more common steps from events and produces clusters relating to events, the sigalizer engine determining one or more common characteristics of events and producing clusters of events relating to the failure or errors in the managed infrastructure, where membership in a cluster indicates a common factor of the events that is a failure or an actionable problem in the physical hardware managed infrastructure directed to supporting the flow and processing of information;

the topology proximity engine using a source address for each event and a graph topology of the managed infrastructure which represents node to node connectivity of the topology proximity engine and to assign a graph coordinate to the event with an optional subset of attributes being extracted for each event and turned into a vector, the topology engine inputs a list of devices and a list a connections between components or nodes in the managed infrastructure;

the k-means clustering engine using the graph coordinates and optionally a subset of attributes assigned to each event to generate cluster to bring together events whose characteristics are similar;

the NMF engine factoring the matrix M into A and B, where A is inspected and substantially significant clusters are extracted, and B is used to assign a start and end time to each cluster, wherein an output of clusters is produced; and

wherein in response to production of the clusters one or more physical changes in a managed infrastructure hardware is made.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An event clustering system includes an extraction engine in communication with an infrastructure. The extraction engine receives data from the infrastructure and produces events. An alert engine receives the events and creates alerts mapped into a matrix, M. A sigalizer engine includes one or more of an NMF engine, a k-means clustering engine and a topology proximity engine. The sigalizer engine determines one or more common steps from events and produces clusters relating to the alerts and or events.

36 Citations

View as Search Results

48 Claims

1. An event clustering system, comprising:
- an extraction engine in communication with a managed infrastructure, the extraction engine in operation receiving messages from the managed infrastructure and produces events that relate to the managed infrastructure and converts the events into words and subsets used to group the events into clusters that relate to failures or errors in the managed infrastructure, including managed infrastructure physical hardware, the managed infrastructure supporting the flow and processing of information;
  
  a sigalizer engine that includes one or more of an Non-negative Matrix Factorization NMF engine, a k-means clustering engine and a topology proximity engine, the sigalizer engine determining one or more common steps from events and produces clusters relating to events, the sigalizer engine determining one or more common characteristics of events and producing clusters of events relating to the failure or errors in the managed infrastructure, where membership in a cluster indicates a common factor of the events that is a failure or an actionable problem in the physical hardware managed infrastructure directed to supporting the flow and processing of information;
  
  the topology proximity engine using a source address for each event and a graph topology of the managed infrastructure which represents node to node connectivity of the topology proximity engine and to assign a graph coordinate to the event with an optional subset of attributes being extracted for each event and turned into a vector, the topology engine inputs a list of devices and a list a connections between components or nodes in the managed infrastructure;
  
  the k-means clustering engine using the graph coordinates and optionally a subset of attributes assigned to each event to generate cluster to bring together events whose characteristics are similar;
  
  the NMF engine factoring the matrix M into A and B, where A is inspected and substantially significant clusters are extracted, and B is used to assign a start and end time to each cluster, wherein an output of clusters is produced; and
  
  wherein in response to production of the clusters one or more physical changes in a managed infrastructure hardware is made.
- View Dependent Claims (2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48)
- - 2. The system of claim 1, wherein the columns are slices in time and the rows are alerts.
  - 3. The system of claim 1, wherein the alerts are collected into time buckets.
  - 4. The system of claim 1, wherein the system interacts with the infrastructure of an organization.
  - 5. The system of claim 4, wherein the infrastructure includes, computers, network devices, appliances, mobile devices, text or numerical values from which those text or numerical values indicate a state of any hardware or software component of the infrastructure.
  - 6. The system of claim 5, wherein the infrastructure generates data that include attributes selected from at least one of, time, source a description of the event, textural or numerical values from which those text or numerical values indicate a state of any hardware or software component of the infrastructure.
  - 8. The system of claim 4, wherein the subsets of messages are grouped into clusters.
  - 9. The system of claim 1, further comprising:
    - a publication message bus.
  - 10. The system of claim 1, further comprising:
    - a data bus web server coupled to one or more user interfaces.
  - 11. The system of claim 9, wherein a plurality of link access modules are in communication with the data bus.
  - 12. The system of claim 11, further comprising:
    - a database.
  - 13. The system of claim 9, wherein the extraction engine and server extract text components from the events and converts them into word and subtext.
  - 14. The system of claim 13, wherein the extraction engine reformats data from the events to create reformatted data.
  - 15. The system of claim 14, wherein the reformatted data is received at the system bus.
  - 16. The system of claim 14, further comprising:
    - a database.
  - 17. The system of claim 14, wherein a dictionary is generated with the word and subtexts using Shannon Entropy, −
    - In(1/NGen) and normalizes the words and subtexts.
  - 18. The system of claim 17, wherein normalized words and subtexts are mapped from a common 0.0 to a non-common 1.0.
  - 19. The system of claim 18, further comprising:
    - an entropy database that in operation normalizes entropy for events.
  - 20. The system of claim 1, wherein normalized entropy for events is mapped to a common, 0.0 and a non-common, 1.0.
  - 21. The system of claim 1, wherein entropy is assigned to alerts.
  - 22. The system of claim 21, wherein alerts are run in parallel with the activities of the extraction engine.
  - 23. The system of claim 22, wherein the alerts are passed to a sigalizer engine.
  - 24. The system of claim 23, wherein the sigalizer engine generates clusters of alerts.
  - 25. The system of claim 24, wherein membership in a cluster indicates a common underlying failure or fault in the infrastructure.
  - 26. The system of claim 21, further comprising:
    - a deduplication engine that is used for event messages of data streams received from the client.
  - 27. The system of claim 26, further comprising:
    - a computer scripting language that alters the events or flow of events.
  - 28. The system of claim 27, wherein scripting languages are selected from at least one of, Java, C, C++, C#, Objective-C, PHP, VB, Python, Pearl, Ruby, and Javascript.
  - 29. The system of claim 25, wherein the deduplication engine eliminates duplicate copies of repeating data.
  - 30. The system of claim 26, wherein the deduplication engine reduces a number of bytes in network data transfers that need to be sent.
  - 31. The system of claim 30, further comprising:
    - a comparison and merger engine, wherein three sigalizer algorithms are used with the comparison or merger engine and clusters are published on the system bus for display in a system situation room.
  - 32. The system of claim 1, wherein the sigalizer engine determines sigalizer common steps to ascertain how many clusters to extract from events.
  - 33. The system of claim 32, wherein entropy and a severity of an event are used for clustering.
  - 34. The system of claim 33, wherein evaluated events are either discarded or passed to clusters where alerts are collected into time buckets and mapped to a matrix M.
  - 35. The system of claim 34, wherein a bucket width is a parameter.
  - 36. The system of claim 35, wherein the matrix, M, is created off alert/time with a fixed number of common alerts.
  - 37. The system of claim 36, wherein the matrix is dynamic.
  - 38. The system of claim 36, wherein alerts are collected into time buckets that are mapped in the matrix.
  - 39. The system of claim 36, wherein the matrix includes rows that are unique alerts.
  - 40. The system of claim 37, wherein the matrix includes columns that are time buckets, and a number of occurrences is plotted.
  - 41. The system of claim 38, further comprising:
    - an independent failure count detection engine that in operation is used for the production of common steps designated as “
      
      k”
      
      from events.
  - 42. The system of claim 1, wherein the topology proximity receives the coordinate'"'"'s mapping, and clusters are generated, V base nodes calculate a minimum hops to every other node which gives coordinate and the coordinates are mapped.
  - 43. The system of claim 1, wherein one or more of the NMF, K-means, and/or topology proximity algorithms are optionally repeated.
  - 44. The system of claim 1, wherein generated clusters are tested against a quality function supplied by the system which evaluates a cluster'"'"'s uniformity.
  - 45. The system of claim 44, wherein the system selects a best set against the uniformity test.
  - 46. The system of claim 45, further comprising:
    - examining clusters against a customer supplied configuration database for each source of an event.
  - 47. The system of claim 46, wherein the examining is performed to determine:
    - a type of device;
      
      impacted users; and
      
      relevant support experts.
  - 48. The system of claim 47, further comprising:
    - a situation room.

7. The system 1, wherein the extraction engine creates from events subsets of events that relate to failures or errors in the infrastructure.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dell Products LP (Dell Technologies Inc.)
Original Assignee
Moogsoft Inc. (Dell Technologies Inc.)
Inventors
Tee, Philip, Harper, Robert Duncan, Silvey, Charles Mike
Primary Examiner(s)
VINCENT, DAVID ROBERT

Application Number

US14/262,870
Publication Number

US 20140324866A1
Time in Patent Office

974 Days
Field of Search

706/12, 706/45, 706/62
US Class Current

1/1
CPC Class Codes

G06F 11/0709   in a distributed system con...

G06F 11/0751   Error or fault detection no...

G06F 11/0769   Readable error formats, e.g...

G06F 11/0772   Means for error signaling, ...

G06F 11/079   Root cause analysis, i.e. e...

G06F 16/285   Clustering or classification

G06F 16/358   Browsing; Visualisation the...

G06F 16/904   Browsing; Visualisation the...

G06F 3/0481   based on specific propertie...

G06Q 10/00   Administration; Management

H04L 41/0631   using root cause analysis; ...

H04L 41/065   involving logical or physic...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/12   Discovery or management of ...

H04L 41/22   comprising specially adapte...

H04L 51/216   Handling conversation histo...

H04L 51/224   providing notification on i...

System for decomposing events from managed infrastructures using a topology proximity engine, graph topologies, and k-means clustering

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

48 Claims

Specification

Solutions

Use Cases

Quick Links

System for decomposing events from managed infrastructures using a topology proximity engine, graph topologies, and k-means clustering

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

48 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links