Patent Application
20200112475
The present disclosure relates to processing of alarm messages in computing systems, and in particular to the clustering of alarm messages.
Computer networks, particularly large, distributed computer networks, are managed by computer network management systems that receive and process alarm messages from various network elements. Alarm messages may be presented to computer administrators, who may determine what caused the alarm message and how to address it. In a large computer network, the volume of messages can become large to the point of being intractable, particularly if multiple issues arise in the computer network in a short period of time.
In such instances, it is helpful for the computer administrators to have the alarm messages organized in a manner such that related messages are grouped together so that they can be processed and addressed together, rather than as unrelated incidents. The process of grouping related alarm messages is referred to as “clustering.” Unfortunately, however, it may be difficult to determine which alarm messages are related, as many alarm messages have similar structure and content.
Some efforts have been undertaken to computationally cluster documents for various purposes, such as searching for related documents. Historically, grouping of documents has been performed by measuring relationships between the documents using schemes such as a term frequency-inverse document frequency (TF-IDF) weighting scheme. In a TF-IDF approach, both the frequency of appearance of individual words in a document and the frequency of appearance of the word in the overall corpus of documents is measured. The relative importance of a particular word in a document is determined based on its frequency of appearance in the document and its inverse frequency in the overall corpus. Thus, if a term appears frequently in a given document but infrequently overall, then the document in question is deemed to be more relevant to that term.
Using a TF-IDF approach, each document is represented as a vector of terms, and a similarity function that compares similarity of the document vectors is used to group documents into related clusters. Latent Semantic Analysis (LSA) is a technique that employs TF-IDF to analyze relationships between documents. Latent Semantic Analysis assumes that the cognitive similarity between any two words is reflected in the way they co-occur in small subsamples of the language. LSA is implemented by constructing a matrix with rows corresponding to the documents in the corpus, and the columns labeled by the attributes (words, phrases). The entries are the number of times the column attribute occurs in the row document. The entries are then processed by taking the logarithm of the entry and dividing it by the number of documents the attribute occurred in, or some other normalizing function. This results in a sparse but high-dimensional matrix A. Typical approaches to LSA then attempt to reduce the dimensionality of the matrix by projecting it into a subspace of lower dimension using singular value decomposition. Subsequently, the cosine between vectors is evaluated as an estimate of similarity between the terms. However, application of LSA on large datasets may be computationally challenging, and may not adequately capture semantic relationships between documents.
Some embodiments are directed to methods of processing alarm messages in a computer network administration system. Such methods may include receiving a substantially real time alarm message stream that includes multiple alarm messages. For each alarm message, operations may include performing a message preprocessing operation to remove low message content portions of the alarm message, determining message term relevance corresponding to message terms in the alarm message, converting the plurality message terms into a message vector. Operations may include generating multiple scenarios that represent respective message clusters based on varied similarity between given ones of message vectors.
Some embodiments include transmitting the scenarios that are based on the message clusters to a system operator via an external interface.
In some embodiments, performing the message preprocessing operation includes removing ascii characters from the alarm messages, removing special characters from the alarm messages, excluding stop words from the alarm messages by excluding words other than nouns and verbs from the terms in the alarm messages, and performing a natural language based tokenization on the alarm messages. The preprocessing operation may further include performing a stemming operation on the alarm messages to convert message terms that include variations of the same root term into a single stem term, and performing a lemmatization operation on the alarm messages to convert message terms that are synonyms with one another to a single term.
In some embodiments, determining message term relevance includes determining a frequency of use of ones of the message terms within each of the of alarm messages and determining a frequency of use of the message terms in all of the alarm messages. In some embodiments, the frequency of use is negatively correlated with the message term relevance.
In some embodiments, generating the scenarios includes generating the scenarios without receiving a similarity threshold.
Some embodiments provide that generating the scenarios include determining a similarity matrix using a distance function, wherein the similarity matrix corresponding to N messages comprises N rows and N columns. Some embodiments provide that each element in the similarity matrix is a similarity value corresponding to the message row and the message column of that element.
In some embodiments, generating the scenarios includes generating a connected graph as an adjacency matrix representation of data in the similarity matrix. Some embodiments provide generating a minimum spanning tree based on the connected graph. In some embodiments, the minimum spanning tree includes an arrangement of the messages and the distances therebetween that includes a minimum total distance of the messages. Some embodiments provide generating a broken cluster tree having the minimum spanning tree arranged in an order from a first distance to a second distance that is greater than the first distance. In some embodiments, generating the scenarios includes removing clusters that do not include at least two nodes in the broken cluster tree. Some embodiments include determining similarity distances between starting and ending nodes of ones of the message clusters. Some embodiments include determining a rate of change of similarity at each of multiple similarity distance levels.
Some embodiments include receiving a new alarm message, determining a varied similarity between the new alarm message and given ones of the message vectors, grouping the new alarm message into an existing scenario, and displaying the new alarm message in association with the existing cluster of alarm messages.
Some embodiments herein are directed to a network management server that includes a processing circuit and a memory coupled to the processing circuit, the memory including machine-readable instructions that, when executed by the processing circuit cause the processing circuit to receive a substantially real time alarm message stream that includes multiple alarm messages. The processor further performs a message preprocessing operation to remove low message content portions of the alarm message, determines message term relevance corresponding to multiple message terms in the alarm message and converts the message terms into a message vector. Scenarios that represent respective ones of multiple message clusters are generated based on varied similarity between given ones of multiple message vectors. The scenarios that are based on the message clusters are transmitted to a system operator via an external interface.
In some embodiments, the preprocessing operation includes removing ascii characters from the alarm messages, removing special characters from the alarm messages, excluding stop words from the alarm messages by excluding words other than nouns and verbs from the terms in the alarm messages, performing a natural language based tokenization on the alarm messages, performing a stemming operation on the alarm messages to convert message terms that include variations of the same root term into a single stem term, and performing a lemmatization operation on the alarm messages to convert message terms that are synonyms with one another to a single term.
Some embodiments provide that determining message term relevance includes determining a frequency of use of ones of the message terms within each of the alarm messages and determining a frequency of use of ones of the message terms in all of the alarm messages. Some embodiments provide that frequency of use is negatively correlated with the message term relevance.
In some embodiments, generating the scenarios includes generating the scenarios without receiving a similarity threshold.
Some embodiments provide determining a similarity matrix using a distance function, wherein the similarity matrix corresponding to N messages comprises N rows and N columns, wherein each element in the similarity matrix comprises a similarity value corresponding to the message row and the message column of that element. In some embodiments, a connected graph may be generated as an adjacency matrix representation of data in the similarity matrix and a minimum spanning tree based on the connected graph is generated. In some embodiments, the minimum spanning tree includes an arrangement of the messages and the distances therebetween that include a minimum total distance of the plurality of messages. A broken cluster tree having the minimum spanning tree arranged in an order from a first distance to a second distance that is greater than the first distance may be generated. Clusters that do not include at least two nodes in the broken cluster tree may be removed. Similarity distances between starting and ending nodes of ones of the message clusters may be determined, and a rate of change of similarity at each of similarity distance levels is determined.
Other methods, devices, and computers according to embodiments of the present disclosure will be or become apparent to one with skill in the art upon review of the following drawings and detailed description. It is intended that all such methods, mobile devices, and computers be included within this description, be within the scope of the present inventive subject matter, and be protected by the accompanying claims.
Other features of embodiments will be more readily understood from the following detailed description of specific embodiments thereof when read in conjunction with the accompanying drawings, in which:
In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of embodiments of the present disclosure. However, it will be understood by those skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known methods, procedures, components and circuits have not been described in detail so as not to obscure the present invention. It is intended that all embodiments disclosed herein can be implemented separately or combined in any way and/or combination.
Some embodiments provide systems and/or methods include a streaming/on-line platform that will create scenarios from real-time messages. Such methods may reduce initial noise by deduplicating the messages. Custom natural language methods may be used to tokenize and reduce data noise corresponding to the messages. Significant data may be identified using text mining techniques. Different messages may be correlated and/or connected using grouping techniques that may address noise at varied similarity to identify scenarios.
One or more of the nodes 130 may host one or more agents 120, which are software applications configured to perform functions in the nodes. In the distributed computing environment illustrated in
In the distributed computing network illustrated in
As noted above, one problem faced by a network management function 112 is that a very large number of alarm messages can be generated in a distributed communication network, and it can be very difficult for a network operator to process all of the alarm messages. Accordingly, in such instances, it is helpful for the computer administrators to have the alarm messages organized in a manner that related messages are grouped together so that they can be processed and addressed together, rather than as unrelated incidents, in a process known as clustering. Some embodiments described herein process alarm messages using a real time adaptive scenario identification using grouping at varied similarity thresholds to extract syntactic relationships between alarm messages that can be used to cluster the alarm messages in a meaningful way. Such clustered alarm messages may then be processed by a network management function in a more efficient manner.
Reference is now made to
In some embodiments, the preprocessing operation includes removing ascii and special characters from the alarm messages, excluding stop words from the alarm messages by excluding words other than nouns and verbs from the terms in the alarm messages, performing a natural language based tokenization on the alarm messages, performing a stemming operation on the alarm messages to convert message terms that include variations of the same root term into a single stem term, and performing a lemmatization operation on the alarm messages to convert message terms that are synonyms with one another to a single term.
The system 300 may include a message relevance measurer 304 that is configured to determine message term relevance corresponding to multiple message terms in the alarm message. Determining message term relevance may include determining a frequency of use of ones of the message terms within each of the alarm messages and determining a frequency of use of the message terms in all of the alarm messages. Some embodiments provide that the frequency of use is negatively correlated with the message term relevance.
The system 300 may include a vector space converter 306 that is configured to convert the message terms into a message vector and a varied similarity custom grouping engine 308 that is configured to generate multiple scenarios that represent respective message clusters based on varied similarity between ones of the message vectors, and transmit the scenarios that are based on the message clusters to a system operator via an external interface 310. The scenarios may be generated without receiving a similarity threshold value or input.
The varied similarity custom grouping engine 308 generates the multiple scenarios by determining a similarity matrix using a distance function. The similarity matrix corresponding to N messages includes N rows and N columns. Each element in the similarity matrix includes a similarity value corresponding to the message row and the message column of that element. A connected graph is generated as an adjacency matrix representation of data in the similarity matrix and a minimum spanning tree is generated based on the connected graph. The minimum spanning tree includes an arrangement of the messages and the distances therebetween that include a minimum total distance of the plurality of messages. A broken cluster tree having the minimum spanning tree arranged in an order from a first distance to a second distance that is greater than the first distance is generated and clusters that do not include at least two nodes in the broken cluster tree are removed. Similarity distances between starting and ending nodes of ones of the message clusters are determined, and a rate of change of similarity at each similarity distance level is determined.
Reference is now made to
Reference is made to
In some embodiments, a natural language based tokenization on the alarm message may be performed (block 508). Tokenization may include a process of demarcating and possibly classifying sections of a string of input characters. The process may be a sub-task of parsing the alarm messages. Operations may include performing a performing a stemming operation on the alarm messages (block 510). The tokenization may operate to convert message terms that include variations of the same root term into a single stem term. A lemmatization operation may be performed on the alarm messages (block 512). In some embodiments, the lemmatization may convert message terms that are synonyms with one another to a single term.
Briefly referring back to
In some embodiments, historical relevancy data may be received and/or retrieved, for example, from a data repository (block 608). The historical relevancy data may boost or suppress the relevancy of different terms. An inverse document frequency corresponding to the terms is performed (block 610) and a custom term frequency-inverse document frequency (TF-IDF) may be measured (block 612). The TF-IDF may be used as a numerical statistic that indicates how important a term is to the alarm messages.
Referring back to
Operations may further include generating multiple scenarios that represent different message clusters based on varied similarity between ones of the message vectors (block 410). In contrast with conventional similarity based techniques, embodiments herein may generate the scenarios that represent message clusters based on varied similarity between message vectors without receiving or predetermining a similarity threshold. Reference is now made to
Referring to block 704, a connected graph may be generated as an adjacency matrix representation of the data in the similarity matrix. Using the connected graph, a minimum spanning tree may be generated (block 706). For example, brief reference is now made to
Referring back to
Referring back to
Referring back to
R
ci=log(Dst/De)/log(Cst/Ce) [1]
where Dst is the similarity distance of the starting node, De is the similarity distance of the ending node, Cst is the similarity distance of a child starting node and Ce is the similarity distance of a child ending node. In circumstances in which the parent's rate of change is less than the rate of change of the sum of the children, the child clusters may be discarded and the parent's rate of change will be used. Otherwise, the childrens' rate of change may be adopted and the analysis may propagate upward until the root of the broken cluster tree is reached. The cluster labels corresponding to the resulting clusters may be returned as scenarios that include multiple alarm messages.
Referring back to
Reference is now made to
Messages corresponding to Example 1 were able to be clustered at the 0.2 similarity threshold and the varied similarity threshold but not at the 0.8 similarity threshold. Similarly, messages corresponding to Example 2 were able to be clustered at the 0.8 similarity threshold and the varied similarity threshold but not at the 0.2 similarity threshold. Messages corresponding to Example 2 were able to be clustered at the varied similarity threshold but not at the 0.2 or the 0.8 fixed similarity thresholds. Thus, in each example, the varied similarity threshold approach consistently performed relative to the combined performance of the fixed similarity threshold approaches.
The processor 800 may include one or more data processing circuits, such as a general purpose and/or special purpose processor (e.g., microprocessor and/or digital signal processor) that may be collocated or distributed across one or more networks. The processor 800 is configured to execute computer program code in the memory 810, described below as a non-transitory computer readable medium, to perform at least some of the operations described herein. The computer 800 may further include a user input interface 820 (e.g., touch screen, keyboard, keypad, etc.) and a display device 822.
The memory 810 includes computer readable code that configures the network management server 50 to implement the data collection component 106, the alarm message processor 102, the alert queue 105 and the network management function 112. In particular, the memory 810 includes alarm message analysis code 812 that configures the network management server 50 to analyze and cluster alarm messages according to the methods described above and alarm message presentation code 814 that configures the network management server to present alarm messages for processing based on the clustering of alarm messages as described above.
In the above-description of various embodiments of the present disclosure, aspects of the present disclosure may be illustrated and described herein in any of a number of patentable classes or contexts including any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof. Accordingly, aspects of the present disclosure may be implemented in entirely hardware, entirely software (including firmware, resident software, micro-code, etc.) or combining software and hardware implementation that may all generally be referred to herein as a “circuit,” “module,” “component,” or “system.” Furthermore, aspects of the present disclosure may take the form of a computer program product comprising one or more computer readable media having computer readable program code embodied thereon.
Any combination of one or more computer readable media may be used. The computer readable media may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an appropriate optical fiber with a repeater, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable signal medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Scala, Smalltalk, Eiffel, JADE, Emerald, C++, C#, VB.NET, Python or the like, conventional procedural programming languages, such as the “C” programming language, Visual Basic, Fortran 2003, Perl, COBOL 2002, PHP, ABAP, dynamic programming languages such as Python, Ruby and Groovy, or other programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider) or in a cloud computing environment or offered as a service such as a Software as a Service (SaaS).
Aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable instruction execution apparatus, create a mechanism for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer readable medium that when executed can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions when stored in the computer readable medium produce an article of manufacture including instructions which when executed, cause a computer to implement the function/act specified in the flowchart and/or block diagram block or blocks. The computer program instructions may also be loaded onto a computer, other programmable instruction execution apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatuses or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
It is to be understood that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of this specification and the relevant art and will not be interpreted in an idealized or overly formal sense expressly so defined herein.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various aspects of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The terminology used herein is for the purpose of describing particular aspects only and is not intended to be limiting of the disclosure. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. As used herein, the term “and/or” includes any and all combinations of one or more of the associated listed items. Like reference numbers signify like elements throughout the description of the figures. The corresponding structures, materials, acts, and equivalents of any means or step plus function elements in the claims below are intended to include any disclosed structure, material, or act for performing the function in combination with other claimed elements as specifically claimed. The description of the present disclosure has been presented for purposes of illustration and description, but is not intended to be exhaustive or limited to the disclosure in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the disclosure. The aspects of the disclosure herein were chosen and described in order to best explain the principles of the disclosure and the practical application, and to enable others of ordinary skill in the art to understand the disclosure with various modifications as are suited to the particular use contemplated.
