1) Field of the Invention
The present invention relates to an apparatus, a method, and a computer product for detecting a pattern of occurrence of events from event data that stores information on events that have occurred.
2) Description of the Related Art
Event analyzing systems have been known. These event analyzing systems analyze occurrences of various events, such as illegal transactions in an accounting system of a bank or illegal access to a web site on the Internet. These event analyzing systems also detect signs of failure in a network system so that measures can be taken to avoid an accident or a trouble in advance.
FIG. 16 is a schematic of an event analyzing system 2 that analyzes an occurrence pattern of an event, and FIG. 17 is a diagram of one example of an event log recording events that have occurred. The event analyzing system 2 acquires an event log from a customer system 1, detects an occurrence pattern of events that is noticeably observed when a failure occurs, and accumulates such patterns as know-how.
The term “event log”, shown in FIG. 17, means a log in which information or data on events, such as errors that have occurred in the customer system 1, has been written. Specifically, the event log records the occurrence time of an event, the kind of the event, and other additional pieces of information.
Referring to FIG. 1, the event analyzing system 2 analyzes an event log in the customer system 1, monitors by pattern matching whether a previously detected occurrence pattern of events is included in the event log, and diagnoses the occurrence situation of a failure. An administrator of the customer system 1 takes appropriate measures against a failure in the customer system 1 based on the diagnosis result of the event analyzing system 2.
Conventionally, there have been known methods for detecting an occurrence pattern of events. For example, R. Agrawal, R. Srikant, “Fast Algorithms for Mining Association Rules”, Proceedings of the 20th International Conference on Very Large Databases, Santiago, Chile, September 1994 discloses an algorithm, so-called “a-priori”, that detects an occurrence pattern of an event that occurs at a high frequency from an event log.
FIG. 18 is a schematic for explaining the a-priori algorithm. Characters “A” to “D” in FIG. 18 represent individual events, and AB, ABC, or ABCD represents a combination of two, three, or four events.
In the a-priori algorithm, candidates for an occurrence pattern of events are produced by combining individual events, and only occurrence patterns with a high occurrence frequency are detected, by removing patterns with a low occurrence frequency. Therefore, it is difficult to detect an occurrence pattern of events that has a low occurrence frequency but may cause a serious accident or trouble.
Japanese Patent Application Laid-Open No. H10-134086 discloses a countermeasure to this drawback of the a-priori algorithm. What is disclosed is a causal event pair detecting device that finds events which may form an event pattern and determines, using a statistical approach, whether two of the found events have causality, so that an occurrence pattern of an event pair that is considered to have a low occurrence frequency but a high relationship is detected.
S. Ma, J. Hellerstein, “Mining Mutually Dependent Patterns”, 2001 IEEE International Conference on Data Mining, San Jose, Calif., Nov. 29-Dec. 2, 2001 discloses a method for detecting a set of events that are thought to have a high relationship by calculating a conditional probability instead of detecting the occurrence pattern of events based upon an occurrence frequency.
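The following added example, which is not part of the original text or of the cited papers, contrasts the two criteria described above on pairs of events only: frequency-based pruning as in a-priori, and a simplified pairwise conditional-probability test. The event names, the windowed log, and both thresholds are constructed assumptions.

```python
from collections import Counter
from itertools import combinations

# Constructed sample: each set holds the event kinds seen in one time window.
WINDOWS = (
    [{"login", "page_view"}] * 40
    + [{"login", "page_view", "logout"}] * 30
    + [{"page_view"}] * 20
    + [{"login"}] * 6
    + [{"fan_fail", "temp_alarm", "login"}] * 3
    + [{"fan_fail", "temp_alarm"}] * 1
)

def count_itemsets(windows, size, allowed=None):
    """Count in how many windows each combination of `size` events occurs."""
    counts = Counter()
    for w in windows:
        items = sorted(w if allowed is None else w & allowed)
        counts.update(combinations(items, size))
    return counts

def frequent_pairs(windows, min_support):
    """A-priori style: pair candidates are built only from frequent single events."""
    n = len(windows)
    singles = count_itemsets(windows, 1)
    keep = {e for (e,), c in singles.items() if c / n >= min_support}
    pairs = count_itemsets(windows, 2, allowed=keep)
    return sorted(p for p, c in pairs.items() if c / n >= min_support)

def dependent_pairs(windows, min_cond_prob):
    """Simplified dependence test: keep (a, b) if P(a|b) and P(b|a) are both high."""
    singles = count_itemsets(windows, 1)
    pairs = count_itemsets(windows, 2)
    result = []
    for (a, b), c in pairs.items():
        if min(c / singles[(a,)], c / singles[(b,)]) >= min_cond_prob:
            result.append((a, b))
    return sorted(result)

if __name__ == "__main__":
    # fan_fail and temp_alarm occur in only 4 of 100 windows, so the
    # frequency criterion drops them before any pair is even formed.
    print("frequent :", frequent_pairs(WINDOWS, 0.10))
    # They always occur together, so the dependence criterion keeps them.
    print("dependent:", dependent_pairs(WINDOWS, 0.80))
```

Both outputs are still flat sets of events, which is the limitation the following paragraphs describe.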
However, the conventional techniques only detect, as an occurrence pattern from an event log, a collection of events occurring with a high frequency or a simple collection of events having a high relationship among them. In other words, with the conventional techniques it is difficult to strongly support the work of extracting further detailed information from the event log so that an administrator can avoid an accident or a trouble in advance.
Specifically, the information an administrator obtains from the conventional techniques is information on an event that has a high possibility of occurring in response to the occurrence of another event. There is thus a problem that it is difficult to provide detailed information on an occurrence pattern of events that would allow an administrator to handle an accident or a trouble more properly.