Method, apparatus and computer program for analysing events in a computer system

US 9,727,393 B2
Filed: 11/14/2014
Issued: 08/08/2017
Est. Priority Date: 05/16/2012
Status: Active Grant

First Claim

Patent Images

1. A method for analysing events in a computer system, the method comprising:

receiving an event;

splitting the event into a meta part and a content part, the meta part comprising non-content of the event including at least one of;

non-letter/number character, colon (;

), semicolon (;

), space ( ) comma (,), tab ( ), and a cryptographic hash;

comparing the meta part by matching the meta part with meta parts from previous events for determining that the meta part is new, and wherein when the meta part is determined new;

storing the meta part and the content part;

whereinwhen the meta part is determined not new, comparing the content part by matching with previous content parts with the same meta part for determining that the content part is new,comparing the content part with other content parts with the same meta part as said content part,determining existence of at least one parameter of said content part being different from a number of corresponding parameters of said other content parts, and when a difference is determined for the at least one parameter determine a parameter variation between content parts which are otherwise the same,labelling the at least one parameter of said content part as a dynamic parameter,determining that said content part is new when said content part has at least one new parameter different from said at least one dynamic parameter, andwhen the content part is determined new, storing the content part, thereby enabling analysing events in a computer system and presenting events as new.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, an apparatus and computer program for analyzing events in a computer system, the method comprises receiving an event, splitting the event into a meta part and a content part. The method further comprises comparing the meta part by matching the meta part with meta parts from previous events. The method further comprises determining that the meta part is new, and when the meta part is determined new storing the meta part and the content part. The method further comprises wherein when the meta part is determined not new, comparing the content part by matching with previous content parts with the same meta part. The method further comprises determining that the content part is new, and when the content part is determined new, storing the content part, thereby enabling analyzing events in a computer system and presenting events as new.

10 Citations

20 Claims

1. A method for analysing events in a computer system, the method comprising:
- receiving an event;
  
  splitting the event into a meta part and a content part, the meta part comprising non-content of the event including at least one of;
  
  non-letter/number character, colon (;
  
  ), semicolon (;
  
  ), space ( ) comma (,), tab ( ), and a cryptographic hash;
  
  comparing the meta part by matching the meta part with meta parts from previous events for determining that the meta part is new, and wherein when the meta part is determined new;
  
  storing the meta part and the content part;
  
  whereinwhen the meta part is determined not new, comparing the content part by matching with previous content parts with the same meta part for determining that the content part is new,comparing the content part with other content parts with the same meta part as said content part,determining existence of at least one parameter of said content part being different from a number of corresponding parameters of said other content parts, and when a difference is determined for the at least one parameter determine a parameter variation between content parts which are otherwise the same,labelling the at least one parameter of said content part as a dynamic parameter,determining that said content part is new when said content part has at least one new parameter different from said at least one dynamic parameter, andwhen the content part is determined new, storing the content part, thereby enabling analysing events in a computer system and presenting events as new.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, comprising:
    - determining that the parameter of said content part is labelled as dynamic if said parameter is within a predefined interval;
      
      orcomparing the parameter of said content part with stored parameters for determining that the parameter is within an interval defined by the stored parameters; and
      
      whereinwhen the parameter of said content part is either labelled as dynamic or within said interval defined by the stored parameters labelling said parameter as normal.
  - 3. The method according to claim 1, comprising:
    - analysing the content part and meta part of an event and determining similarities and/or differences to content parts and meta parts of previous events, and giving a time stamp label to the event including a frequency of occurrence of the event and a possible change in frequency of occurrence of the event;
      
      presenting on a Man Machine Interface the time stamp label of content parts and meta parts having differences to content parts and meta parts of previous events;
      
      presenting on a Man Machine Interface the time stamp label of content parts and meta parts having similarities to content parts and meta parts of previous events;
      
      comparing the time stamp of an event having the same content part and meta part as previous events for determining that the time stamp is within a time interval defined by the previous events; and
      
      when the time stamp is within said time interval defined by the previous events labelling the event as normal.
  - 4. The method according to claim 3, comprising:
    - storing the event for a predefined time interval, when the event is not labelled as normal; and
      
      changing the time interval defined by previous events to a time interval comprising the stored event, when the number of stored events not labelled as normal has reached a predefined number.
  - 5. The method according to claim 4, comprising:
    - comparing the time stamp of an event not labelled as normal with a predefined time interval for determining that the event is within said predefined time interval;
      
      storing said event in connection with the predefined time interval; and
      
      presenting on a Man Machine Interface at least one event having the first time stamp occurring in time on said predefined time interval;
      
      orcomparing the time stamp of an event not labelled as normal with a time interval defined by stored events not labelled as normal for determining that the time stamp of the event is within said time interval;
      
      storing said event in connection with said time interval defined by stored events; and
      
      presenting on a Man Machine Interface at least one event having the first time stamp occurring approximately in time on said time interval defined by stored events.
  - 6. The method according to claim 1, comprising:
    - incrementing a counter when a meta part or content part is determined already stored.
  - 7. The method according to claim 1, comprising:
    - performing pre-processing of the event to a consistent encoding, comprising at least one of the steps;
      
      encoding normalisationnormalising the timenormalising the sourcedefining the structure of the meta partdefining the content partlookup in a learning databaseOptionally defining a differenceOptionally defining a dynamic parameter, andupdating a statistical profile.
  - 8. The method according to claim 1, comprising:
    - presenting on a Man Machine Interface at least one of said meta part, said content part, and said event, thereby enabling identification of an event deviating from previous events.
  - 9. The method according to claim 1, wherein:
    - received events are analysed independent of;
      
      format, structure, source or volume.
  - 10. The method according to claim 1, comprising:
    - operating in real time thereby detecting and updating incidents as approximately simultaneous.

11. An apparatus for analysing events in a computer system, comprising a processor and a memory, said memory containing instructions executable by said processor, whereby:
- the apparatus is arranged to receive an event;
  
  the apparatus is arranged to split the event into a meta part and a content part, the meta part comprising non-content of the event including at least one of;
  
  non-letter/number character, colon (;
  
  ), semicolon (;
  
  ), space H, comma (,), tab ( ), and a cryptographic hash;
  
  the apparatus is arranged to compare the meta part by matching the meta part with meta parts from previous events to determine that the meta part is new, and wherein when the meta part is determined new;
  
  the apparatus is arranged to store the meta part and the content part;
  
  wherein when the meta part is determined not new, the apparatus is arranged to compare the content part by matching with previous content parts with the same meta part to determine that the content part is new,the apparatus being arranged to compare the content part with other content parts with the same meta part as said content part;
  
  the apparatus being arranged to determine existence of at least one parameter of said content part being different from a number of corresponding parameters of said other content parts, and when a difference is determined for the at least one parameter determine a parameter variation between content parts which are otherwise the same;
  
  the apparatus being arranged to label the at least one parameter of said content part as a dynamic parameter;
  
  the apparatus is arranged to determine that said content part is new when said content part has at least one new parameter different from said at least one dynamic parameter; and
  
  wherein when the content part is determined new;
  
  the apparatus is arranged to store the content part, thereby enabling to analyse events in a computer system and to present events as new.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The apparatus according to claim 11, wherein:
    - the apparatus is arranged to determine that the parameter of said content part is labelled as dynamic if said parameter is within a predefined interval;
      
      orthe apparatus is arranged to compare the parameter of said content part with stored parameters to determine that the parameter is within an interval defined by the stored parameters; and
      
      whereinwhen the parameter of said content part is either labelled as dynamic or within said interval defined by the stored parameters, the apparatus is arranged to label said parameter as normal.
  - 13. The apparatus according to claim 11, wherein:
    - the apparatus is arranged to analyse the content part and meta part of an event and determine similarities and/or differences to content parts and meta parts of previous events, and give a time stamp label to the event including a frequency of occurrence of the event and a possible change in frequency of occurrence of the event;
      
      the apparatus is arranged to present on a Man Machine Interface the time stamp label of content parts and meta parts having differences to content parts and meta parts of previous events;
      
      the apparatus is arranged to present on a Man Machine Interface the time stamp label of content parts and meta parts having similarities to content parts and meta parts of previous events;
      
      the apparatus is arranged to compare the time stamp of an event having the same content part and meta part as previous events to determine that the time stamp is within a time interval defined by the previous events; and
      
      when the time stamp is within said time interval defined by the previous events, the apparatus is arranged to label the event as normal.
  - 14. The apparatus according to claim 13, wherein:
    - the apparatus is arranged to store the event for a predefined time interval, when the event is not labelled as normal; and
      
      the apparatus is arranged to change the time interval defined by previous events to a time interval comprising the stored event, when the number of stored events not labelled as normal has reached a predefined number.
  - 15. The apparatus according to claim 14, wherein:
    - the apparatus is arranged to compare the time stamp of an event not labelled as normal with a predefined time interval to determine that the event is within said predefined time interval;
      
      the apparatus is arranged to store said event in connection with the predefined time interval; and
      
      the apparatus is arranged to present on a Man Machine Interface at least one event having the first time stamp occurring in time on said predefined time interval;
      
      orthe apparatus is arranged to compare the time stamp of an event not labelled as normal with a time interval defined by stored events not labelled as normal, the apparatus is arranged to determine that the time stamp of the event is within said time interval;
      
      the apparatus is arranged to store said event in connection with said time interval defined by stored events; and
      
      the apparatus is arranged to present on a Man Machine Interface at least one event having the first time stamp occurring approximately in time on said time interval defined by stored events.
  - 16. The apparatus according to claim 11, wherein:
    - the apparatus is arranged to increment a counter when a meta part or content part is determined already stored.
  - 17. The apparatus according to claim 11, wherein:
    - the apparatus is arranged to perform pre-processing of the event to a consistent encoding, comprising at least one of the steps wherein;
      
      the apparatus is arranged to encode normalisationthe apparatus is arranged to normalise the timethe apparatus is arranged to normalise the sourcethe apparatus is arranged to define the structure of the meta partthe apparatus is arranged to define the content partthe apparatus is arranged to lookup in a learning databasethe apparatus is arranged to optionally define a differencethe apparatus is arranged to optionally define a dynamic parameter, andthe apparatus is arranged to update a statistical profile.
  - 18. The apparatus according to claim 11, wherein:
    - the apparatus is arranged to present on a Man Machine Interface at least one of said meta part, said content part, and said event, thereby enabling identification of an event deviating from previous events.
  - 19. The apparatus according to claim 11, wherein:
    - the apparatus is arranged to analyse received events independent of;
      
      format, structure, source or volume.
  - 20. The apparatus according to claim 11, wherein:
    - the apparatus is arranged to operate in real time thereby detecting and updating incidents as approximately simultaneous.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Unomaly AB (LogicMonitor, Inc.)
Original Assignee
Unomaly AB (LogicMonitor, Inc.)
Inventors
Weiderman Sandahl, Gran, Gustafsson, Johan
Primary Examiner(s)
Ho, Andy
Assistant Examiner(s)
SEYE, ABDOU K

Application Number

US14/541,402
Publication Number

US 20150095921A1
Time in Patent Office

998 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 11/3072   where the reporting involve...

G06F 11/3476   Data logging G06F11/14, G06...

G06F 16/907   Retrieval characterised by ...

G06F 2201/805   Real-time

G06F 2201/835   Timestamp

G06F 9/542   Event management; Broadcast...

Method, apparatus and computer program for analysing events in a computer system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

10 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method, apparatus and computer program for analysing events in a computer system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links