Complex systems such as information technology (IT) networks and environments are composed of numerous machines and processes that are connected in various ways to source and sink data for each other. It is inevitable that unusual behavior, such as fault conditions, performance anomalies, outages, network breaches/attacks, and so on, occurs during the operational life of such large-scale networks. Network devices are thus monitored at different levels by various tools, some of which produce vast amounts of logs that are hard to digest and analyze. Understanding the cause of unusual behavior in such complex systems is often a very challenging and resource-intensive process relying on trained system administrators and analysts. These analysts need to use their working experience and knowledge about the relationships between the different devices and network assets. Their tasks usually involve manually exploring logs or using other tools for different subsystems to try to locate the cause of any abnormality.
Graphical user interface (GUI) tools have been developed to help facilitate such manual analysis procedures. For example, GUI-based tools are currently used to help visualize and display single time-series information while also finding and presenting the anomalies of that time-series. However, these tools do not look at the system as a whole, nor do they fully utilize the relationships between the different system components. Moreover, some of the relationships are non-trivial and thus cannot be captured by standard tools that look only for correlation rather than causality.
What is needed, therefore, is a way to improve fault monitoring and analysis by providing a prioritized list of possible causes of an observed anomaly. What is further needed is an analysis tool that allows analysts to explore and verify the real cause of abnormal network or device behavior in real time or near real time.
The subject matter discussed in the background section should not be assumed to be prior art merely as a result of its mention in the background section. Similarly, a problem mentioned in the background section or associated with the subject matter of the background section should not be assumed to have been previously recognized in the prior art. The subject matter in the background section merely represents different approaches, which in and of themselves may also be inventions.