Network aware distributed business transaction anomaly detection

US 9,531,614 B1
Filed: 10/30/2015
Issued: 12/27/2016
Est. Priority Date: 10/30/2015
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring a distributed business transaction over a plurality of machines and at least one network, comprising:

monitoring, by a plurality of application agents, one or more applications that process requests and perform functions that make up the distributed business transaction to generate application data;

monitoring, by a plurality of network agents, network sockets that are used to process communications between the plurality of machines as part of the distributed business transaction to generate network flow data;

detecting, by one of the application agents, an application anomaly with the one or more monitored applications;

based on the detecting of the application anomaly, querying the plurality of network agents to determine whether one of the network agents has detected a network flow anomaly associated with the monitored network sockets, wherein the querying the plurality of network agents include providing to the network agents, parameters that specify which of the monitored network sockets to analyze to identify the network flow anomaly;

associating the detected network flow anomaly with the distributed business transaction;

correlating the detected application anomaly and the detected network flow anomaly to identify the application anomaly as being affected by the network flow anomaly; and

providing a snapshot displaying the correlated application anomaly and network flow anomaly associated with the distributed business transaction to indicate a relationship between the application anomaly and the network flow anomaly in the distributed business transaction.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system monitors applications and network flows used during the business transaction to determine distributed business transaction anomalies caused at least in part by network performance issues. A network flow associated with a business transaction is monitored by a network agent. The network agent may capture packets, analyze the packets and other network data to determine one or more baselines, and dynamically compare subsequent network flow performance to those baselines to determine an anomaly. When an anomaly in a network flow is detected, this information may be provided to a user along with other data regarding a business transaction that is utilizing the network flow. Concurrently with the network agent monitoring, application agents may monitor one or more applications performing the business transaction. The present system reports performance data for a business transaction in terms of application performance and network performance, all in the context of a distributed business transaction.

37 Citations

View as Search Results

23 Claims

1. A method for monitoring a distributed business transaction over a plurality of machines and at least one network, comprising:
- monitoring, by a plurality of application agents, one or more applications that process requests and perform functions that make up the distributed business transaction to generate application data;
  
  monitoring, by a plurality of network agents, network sockets that are used to process communications between the plurality of machines as part of the distributed business transaction to generate network flow data;
  
  detecting, by one of the application agents, an application anomaly with the one or more monitored applications;
  
  based on the detecting of the application anomaly, querying the plurality of network agents to determine whether one of the network agents has detected a network flow anomaly associated with the monitored network sockets, wherein the querying the plurality of network agents include providing to the network agents, parameters that specify which of the monitored network sockets to analyze to identify the network flow anomaly;
  
  associating the detected network flow anomaly with the distributed business transaction;
  
  correlating the detected application anomaly and the detected network flow anomaly to identify the application anomaly as being affected by the network flow anomaly; and
  
  providing a snapshot displaying the correlated application anomaly and network flow anomaly associated with the distributed business transaction to indicate a relationship between the application anomaly and the network flow anomaly in the distributed business transaction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the application anomaly is detected based on an application performance baseline.
  - 3. The method of claim 1, wherein the network flow anomaly is detected based on a network flow baseline.
  - 4. The method of claim 1, wherein associating the detected network flow anomaly with the distributed business transaction includes adding business transaction context information to the detected network flow anomaly portion of the network flow data.
  - 5. The method of claim 1, wherein monitoring the one or more applications include collecting metrics associated with performance of the one or more applications on the plurality of machines that process the distributed business transaction.
  - 6. The method of claim 1, wherein monitoring the network flow includes capturing packets of a given network flow associated with the distributed business transaction.
  - 7. The method of claim 1, wherein monitoring the network flow includes collecting metrics associated with performance of a given network flow between the plurality of machines that process the distributed business transaction.
  - 8. The method of claim 1, wherein correlating the detected application anomaly and the detected network flow anomaly includes grouping the application data and the network flow data by matching the address locations in the application data and the network flow data.
  - 9. The method of claim 1, including providing a call graph that displays the correlated application anomaly and network flow anomaly associated with the distributed business transaction.

10. A non-transitory computer readable storage medium having embodied thereon a program, the program being executable by a processor to cause operations for monitoring a business transaction, including:
- monitoring, by a plurality of application agents, one or more applications that process requests and perform functions that make up the distributed business transaction to generate application data;
  
  monitoring, by a plurality of network agents, network sockets that are used to process communications between the plurality of machines as part of the distributed business transaction to generate network flow data;
  
  detecting, by one of the application agents, an application anomaly with the one or more monitored applications;
  
  based on the detecting of the application anomaly, querying the plurality of network agents to determine whether one of the network agents has detected a network flow anomaly associated with the monitored network sockets, wherein the querying the plurality of network agents include providing to the network agents, parameters that specify which of the monitored network sockets to analyze to identify the network flow anomaly;
  
  associating the detected network flow anomaly with the distributed business transaction;
  
  correlating the detected application anomaly and the detected network flow anomaly to identify the application anomaly as being affected by the network flow anomaly; and
  
  providing a snapshot displaying the correlated application anomaly and network flow anomaly associated with the distributed business transaction to indicate a relationship between the application anomaly and the network flow anomaly in the distributed business transaction.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The non-transitory computer readable storage medium of claim 10, wherein the program is executable by a processor to cause operations including detecting the application anomaly based on an application performance baseline.
  - 12. The non-transitory computer readable storage medium of claim 10, wherein the program is executable by a processor to cause operations including detecting the network flow anomaly based on a network flow baseline.
  - 13. The non-transitory computer readable storage medium of claim 10, wherein the program is executable by a processor to cause operations including associating the detected network flow anomaly with the distributed business transaction including adding business transaction context information to the detected network flow anomaly portion of the network flow data.
  - 14. The non-transitory computer readable storage medium of claim 10, wherein the program is executable by a processor to cause operations including correlating the detected application anomaly and the detected network flow anomaly including grouping the application data and the network flow data by matching the address locations in the application data and the network flow data.
  - 15. The non-transitory computer readable storage medium of claim 10, wherein the program is executable by a processor to cause operations including providing a call graph that displays the correlated application anomaly and network flow anomaly associated with the distributed business transaction.

16. A system for monitoring a business transaction performed by multiple computers, comprising:
- a server including a memory and a processor; and
  
  one or more modules stored in the memory and executable by the processor to perform operations including;
  
  monitoring, by a plurality of application agents, one or more applications that process requests and perform functions that make up the distributed business transaction to generate application data;
  
  monitoring, by a plurality of network agents, network sockets that are used to process communications between the plurality of machines as part of the distributed business transaction to generate network flow data;
  
  detecting, by one of the application agents, an application anomaly with the one or more monitored applications;
  
  based on the detecting of the application anomaly, querying the plurality of network agents to determine whether one of the network agents has detected a network flow anomaly associated with the monitored network sockets, wherein the querying the plurality of network agents include providing to the network agents, parameters that specify which of the monitored network sockets to analyze to identify the network flow anomaly;
  
  associating the detected network flow anomaly with the distributed business transaction;
  
  correlating the detected application anomaly and the detected network flow anomaly to identify the application anomaly as being affected by the network flow anomaly; and
  
  providing a snapshot displaying the correlated application anomaly and network flow anomaly associated with the distributed business transaction to indicate a relationship between the application anomaly and the network flow anomaly in the distributed business transaction.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The system of claim 16, wherein the one or more modules stored in the memory is executable by the processor to perform operations including detecting the application anomaly based on an application performance baseline.
  - 18. The system of claim 16, wherein the one or more modules stored in the memory is executable by the processor to perform operations including detecting the network flow anomaly based on a network flow baseline.
  - 19. The system of claim 16, wherein the one or more modules stored in the memory is executable by the processor to perform operations including associating the detected network flow anomaly with the distributed business transaction including adding business transaction context information to the detected network flow anomaly portion of the network flow data.
  - 20. The system of claim 16, wherein the business transaction context information includes a business transaction identifier, tier identification for tiers involved in a given network flow, node identification information for nodes involved in the given network flow, or an identification of a portion of the distributed business transaction being executed over the given network flow.
  - 21. The system of claim 16, wherein the one or more modules stored in the memory is executable by the processor to perform operations including monitoring the network flow including collecting metrics associated with performance of a given network flow between the plurality of machines that process the distributed business transaction.
  - 22. The system of claim 16, wherein the one or more modules stored in the memory is executable by the processor to perform operations including correlating the detected application anomaly and the detected network flow anomaly including grouping the application data and the network flow data by matching the address locations in the application data and the network flow data.
  - 23. The system of claim 16, wherein the one or more modules stored in the memory is executable by the processor to perform operations including providing a call graph that displays the correlated application anomaly and network flow anomaly associated with the distributed business transaction.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
AppDynamics, Inc. (Cisco Systems, Inc.)
Inventors
Nataraj, Harish, Chandel, Ajay, Kaligotla, Prakash, Kondapalli, Naveen
Primary Examiner(s)
Maung, Zarni

Application Number

US14/928,982
Time in Patent Office

424 Days
Field of Search

709/203, 709223-229, 709/250
US Class Current

1/1
CPC Class Codes

G06F 11/3612   by runtime analysis perform...

H04L 41/046   comprising network manageme...

H04L 41/0631   using root cause analysis; ...

H04L 41/22   comprising specially adapte...

H04L 43/04   Processing captured monitor...

H04L 43/062   related to network traffic

H04L 43/08   Monitoring or testing based...

H04L 43/087   Jitter

H04L 43/0876   Network utilisation, e.g. v...

H04L 43/0888   Throughput

H04L 63/1408   by monitoring network traff...

H04L 69/329   in the application layer [O...

Network aware distributed business transaction anomaly detection

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Network aware distributed business transaction anomaly detection

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links