Correlating status information generated in a computer network

US 9,794,144 B1
Filed: 07/25/2014
Issued: 10/17/2017
Est. Priority Date: 02/15/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, by a computing system and for each particular application program in a group of application programs that are executing on computers in a group of computers, application status information that identifies a status of the particular application program at each of various times;

using the application status information for each particular application program in the group of application programs to generate, by the computing system, multiple network signatures for multiple respective times,wherein each particular network signature of the multiple network signatures identifies, for a respective one of the multiple times, multiple statuses including a status of each of the application programs in the group of application programs,wherein a first network signature of the multiple network signatures identifies statuses of the application programs in the group of application programs at a first time of the multiple times and a second network signature of the multiple network signatures identifies statuses of the application programs in the group of application programs at a second time of the multiple times,wherein each particular network signature of the multiple network signatures includes data that identifies, for a respective one of the multiple times, which application programs in the group of application programs were executing on which computers in the group of computers at the respective one of the multiple times, andwherein each particular network signature of the multiple network signatures includes data that identifies, for a respective one of the multiple times, which of the application programs in the group of application programs were in communication with identified other application programs at the respective one of the multiple times;

detecting, by the computing system and during a monitoring of the multiple network signatures, an anomaly in the generated multiple network signatures by identifying that at least one of the multiple network signatures does not conform to established normal behavior of the application programs in the group of application programs, as a result of an analysis of information in the at least one of the multiple network signatures, including;

(a) an identification of statuses of the application programs in the group of application programs at a specific time,(b) an identification of which application programs in the group of application programs were executing on which computers in the group of computers at the specific time, and(c) an identification of which of the application programs in the group of application programs were in communication with identified other application programs at the specific time; and

in order to avoid further anomalies, reconfiguring relationships between (i) which application programs in the group of application programs are to execute on which computers in the group of computers, or (ii) which application programs in the group of application programs are to communicate with identified other application programs.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, the subject matter described in this specification can be embodied in methods, systems, and program products for correlating status information generated in a computer network. A computing system receives, for each particular computer server or application program in a group of computer servers and application programs that are executing on the computer servers, information that identifies statuses of the particular computer server or application program at a plurality of times. The computing system generates, using the information received, network signatures that each represent statuses of the computer servers and application programs in the group for a particular time, the network signatures being for multiple times. The computer system stores the network signatures along with data that identifies relationships, for each of the multiple times, between (i) application programs and the computer servers on which they were executing, and (ii) application programs that were in communication with each other.

71 Citations

View as Search Results

14 Claims

1. A computer-implemented method, comprising:
- receiving, by a computing system and for each particular application program in a group of application programs that are executing on computers in a group of computers, application status information that identifies a status of the particular application program at each of various times;
  
  using the application status information for each particular application program in the group of application programs to generate, by the computing system, multiple network signatures for multiple respective times,wherein each particular network signature of the multiple network signatures identifies, for a respective one of the multiple times, multiple statuses including a status of each of the application programs in the group of application programs,wherein a first network signature of the multiple network signatures identifies statuses of the application programs in the group of application programs at a first time of the multiple times and a second network signature of the multiple network signatures identifies statuses of the application programs in the group of application programs at a second time of the multiple times,wherein each particular network signature of the multiple network signatures includes data that identifies, for a respective one of the multiple times, which application programs in the group of application programs were executing on which computers in the group of computers at the respective one of the multiple times, andwherein each particular network signature of the multiple network signatures includes data that identifies, for a respective one of the multiple times, which of the application programs in the group of application programs were in communication with identified other application programs at the respective one of the multiple times;
  
  detecting, by the computing system and during a monitoring of the multiple network signatures, an anomaly in the generated multiple network signatures by identifying that at least one of the multiple network signatures does not conform to established normal behavior of the application programs in the group of application programs, as a result of an analysis of information in the at least one of the multiple network signatures, including;
  
  (a) an identification of statuses of the application programs in the group of application programs at a specific time,(b) an identification of which application programs in the group of application programs were executing on which computers in the group of computers at the specific time, and(c) an identification of which of the application programs in the group of application programs were in communication with identified other application programs at the specific time; and
  
  in order to avoid further anomalies, reconfiguring relationships between (i) which application programs in the group of application programs are to execute on which computers in the group of computers, or (ii) which application programs in the group of application programs are to communicate with identified other application programs.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein:
    - generating the multiple network signatures for the multiple respective times uses (i) a single status from a first application program in the group of application programs, and (ii) a plurality of statuses from a second application program in the group of application programs;
      
      the single status is included in each of the multiple network signatures without the computing system having received an updated status from the first application program for each of the multiple network signatures; and
      
      the plurality of statuses are included among the multiple network signatures due to the computing system having received an updated status from the second application program for each of the multiple network signatures.
  - 3. The computer-implemented method of claim 1, wherein the anomaly is determined to represent an operational failure of a first application program from the group of application programs;
    - andfurther comprising preventing the first application program from affecting operation of a second application program by transferring requests by the second application program that were intended for receipt by the first application program to a third application program,wherein the first application program executes on a first computer, the second application program executes on a second computer and the third application program executes on a third computer.
  - 4. The computer-implemented method of claim 1, wherein the anomaly is determined to represent an operational failure of a first application program from the group of application programs;
    - andfurther comprising preventing the first application program from affecting operation of a third application program by transferring requests by the third application program that were intended for receipt by a second application program to a fourth application program,wherein the second application program is sending requests that are for receipt by the first application program,wherein the first application program executes on a first computer, the second application program executes on a second computer, the third application program executes on a third computer, and the fourth application program executes on a fourth computer.
  - 5. The computer-implemented method of claim 1, further comprising analyzing the multiple network signatures with a machine learning system to determine that a predicted anomaly in operation of a specific application program from the group of application programs is likely to occur in the future.
  - 6. The computer-implemented method of claim 5, further comprising, in order to avoid the predicted anomaly, reconfiguring relationships between both (i) which application programs in the group of application programs are executing on which computers in the group of computers, and (ii) which of the application programs in the group of application programs are in communication with each other.
  - 7. The computer-implemented method of claim 5, further comprising providing to the machine learning system, before determining that the predicted anomaly is likely to occur, to train the machine learning system:
    - (i) multiple previous anomalies in operation of application programs from the group of application programs, and(ii) network signatures for times that correspond to the multiple previous anomalies.

8. A system comprising:
- one or more processors; and
  
  one or more computer-readable devices including instructions that, when executed by the one or more processors, cause performance of operations that comprise;
  
  receiving, by a computing system and for each particular application program in a group of application programs that are executing on computers in a group of computers, application status information that identifies a status of the particular application program at each of various times;
  
  using the application status information for each particular application program in the group of application programs to generate, by the computing system, multiple network signatures for multiple respective times,wherein each particular network signature of the multiple network signatures identifies, for a respective one of the multiple times, multiple statuses including a status of each of the application programs in the group of application programs,wherein a first network signature of the multiple network signatures identifies statuses of the application programs in the group of application programs at a first time of the multiple times and a second network signature of the multiple network signatures identifies statuses of the application programs in the group of application programs at a second time of the multiple times,wherein each particular network signature of the multiple network signatures includes data that identifies, at a corresponding one of the multiple times, which application programs in the group of application programs were executing on which computers in the group of computers at the corresponding one of the multiple times, andwherein each particular network signature of the multiple network signatures includes data that identifies, at a corresponding one of the multiple times, which of the application programs in the group of application programs were in communication with identified other application programs at the corresponding one of the multiple times;
  
  detecting, by the computing system and during a monitoring of the multiple network signatures, an anomaly in the generated multiple network signatures, by identifying that at least a specific one of the multiple network signatures does not conform to established normal behavior of the application programs in the group of application programs, as a result of an analysis of the at least one network signature that involves analysis of information in the at least one network signature, that includes;
  
  (a) the statuses of the application programs in the group of application programs at a specific time,(b) which application programs in the group of application programs were executing on which computers in the group of computers at the specific time, and(c) which of the application programs in the group of application programs were in communication with identified other application programs at the specific time; and
  
  in order to avoid further anomalies, reconfiguring relationships between (i) which application programs in the group of application programs are executing on which computers in the group of computers, or (ii) which of the application programs in the group of application programs are in communication with each other.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein:
    - generating the multiple network signatures for the multiple respective times uses (i) a single status from a first application program in the group of application programs, and (ii) a plurality of statuses from a second application program in the group of application programs;
      
      the single status is included in each of the multiple network signatures without the computing system having received an updated status from the first application program for each of the multiple network signatures; and
      
      the plurality of statuses are included among the multiple network signatures due to the computing system having received an updated status from the second application program for each of the multiple network signatures.
  - 10. The system of claim 8, wherein:
    - the anomaly is determined to represent an operational failure of a first application program from the group of application programs; and
      
      the operations further comprise preventing the first application program from affecting operation of a second application program by transferring requests by the second application program that were intended for receipt by the first application program to a third application program,wherein the first application program executes on a first computer, the second application program executes on a second computer, and the third application program executes on a third computer.
  - 11. The system of claim 8, wherein:
    - the anomaly is determined to represent an operational failure of a first application program from the group of application programs; and
      
      the operations further comprise preventing the first application program from affecting operation of a third application program by transferring requests by the third application program that were intended for receipt by a second application program to a fourth application program,wherein the second application program is sending requests that are for receipt by the first application program,wherein the first application program executes on a first computer, the second application program executes on a second computer, the third application program executes on a third computer, and the fourth application program executes on a fourth computer.
  - 12. The system of claim 8, wherein the operations further comprise analyzing the multiple network signatures with a machine learning system to determine that a predicted anomaly in operation of a specific application program from the group of application programs is likely to occur in the future.
  - 13. The system of claim 12, wherein the operations further comprise, in order to avoid the predicted anomaly, reconfiguring relationships between (i) which application programs in the group of application programs are executing on which computers in the group of computers, and (ii) which of the application programs in the group of application programs are in communication with each other.
  - 14. The system of claim 12, wherein the operations further comprise providing to the machine learning system, before determining that the predicted anomaly is likely to occur, to train the machine learning system:
    - (i) multiple previous anomalies in operation of application programs from the group of application programs, and(ii) network signatures for times that correspond to the multiple previous anomalies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Kulkarni, Rahul S., Sahasranaman, Vivek, Jain, Rohit, Shenoy, Vittaldas Sachin, Risbood, Pankaj, Sarda, Parag Kacharulal
Primary Examiner(s)
Nguyen, Hanh N
Assistant Examiner(s)
Perez, Jose L

Application Number

US14/340,780
Time in Patent Office

1,180 Days
Field of Search

709203, 709223-226, 718100, 718102, 718105
US Class Current
CPC Class Codes

H04L 41/065   involving logical or physic...

H04L 41/069   using logs of notifications...

H04L 43/08   Monitoring or testing based...

H04L 67/10   in which an application is ...

Correlating status information generated in a computer network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

71 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

Correlating status information generated in a computer network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

71 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others