Conference Paper

Composite events for network event correlation

Dept. of Comput. Sci., Texas Univ., Austin, TX
DOI: 10.1109/INM.1999.770687
Conference: Integrated Network Management, 1999. Distributed Management for the Networked Millennium. Proceedings of the Sixth IFIP/IEEE International Symposium on
Source: IEEE Xplore


With the increasing complexity of enterprise networks and the
Internet, event correlation is playing an increasingly important role in
network as well as integrated system management systems. Even though the
timing of events often reveals important diagnostic information about
event relationships and should therefore be represented in event
correlation rules or models, most extant approaches lack a formal
mechanism to define complex temporal relationships among correlated
events. In this paper, we discuss the formal use of composite events for
event correlation and present a composite event specification approach
that can precisely express complex timing constraints among correlated
event instances, for which efficient compilation and detection
algorithms have been developed in Mok et al. (1997). A Java
implementation of this approach, called Java Event Correlator (JECTOR),
is described, and some preliminary experimental results of using JECTOR
in an experimental network management environment are also discussed in
the paper.

Available from: Aloysius Mok, Aug 18, 2014
    • "According to their judge, the customized knowledge allows to accurately isolate a fault from the selected group of system entities. The correlation rules are organized as composite event definitions, as another work suggested by Jector et al. [64]. In this approach, unlike others, the distinction is made between primitive events, i.e., alarms and composite events."
    ABSTRACT: As telecommunication networks evolve rapidly in terms of scalability, complexity, and heterogeneity, the efficiency of fault localization procedures and the accuracy in the detection of anomalous behaviors are becoming important factors that largely influence the decision making process in large management companies. For this reason, telecommunication companies are doing a big effort investing in new technologies and projects aimed at finding efficient management solutions. One of the challenging issues for network and system management operators is that of dealing with the huge amount of alerts generated by the managed systems and networks. In order to discover anomalous behaviors and speed up fault localization processes, alert correlation is one of the most popular resources. Although many different alert correlation techniques have been investigated, it is still an active research field. In this paper, a survey of the state of the art in alert correlation techniques is presented. Unlike other authors, we consider that the correlation process is a common problem for different fields in the industry. Thus, we focus on showing the broad influence of this problem. Additionally, we suggest an alert correlation architecture capable of modeling current and prospective proposals. Finally, we also review some of the most important commercial products currently available.
    Computer Networks 04/2013; 57:1289-1317. DOI:10.1016/j.comnet.2012.10.022 · 1.26 Impact Factor
    • "Composite event [1] detection in WSNs is required in many applications such as health care [2], smart building [3] and intelligent transportation system [4]. For instance, in an intelligent transportation system, we may define traffic jam as an event when there are certain number of cars waiting on a road. "
    ABSTRACT: Although there are several works on providing event-based services in pervasive environment or WSN, most of them have not considered composite event detection in an energy-efficient fashion. Composite events consist of multiple primitive events with temporal and spatial relations and are much more difficult to manage. Because of the resource constraints in WSN, existing event detection algorithms may not be suitable for WSN when energy efficiency is considered. In this paper, we propose TED (Type-based composite Event Detection), a distributed composite event detection algorithm. The essential idea of TED is type-based event fusion, where some sensor nodes are selected as fusion points. Then lower-level events will be fused on these fusion points for detection of higher-level composite events. Each composite event type is assigned to certain fusion point for detection so that the composite events may be detected in-network instead of at the sink. Event fusion with minimum energy cost is an NP-complete problem. We propose a distributed randomized algorithm to solve the problem. We analyze the energy efficiency of TED to show both its effectiveness and efficiency. By carrying out both simulation and real world experiments on TED, we show that TED can reduce the energy cost by 10-20% in event-based WSN applications compared with naive event detection mechanism where the event relations are not considered.
    Distributed Computing in Sensor Systems, 7th IEEE International Conference and Workshops, DCOSS 2011, Barcelona, Spain, 27-29 June, 2011, Proceedings; 01/2011
    • "There has been a tremendous amount of work towards network fault detection, the most relevant of which we mention here. We discussed both commercial [22] [23] and research [5] [17] [21] fault management systems in section I. While most of these focus on data-plane events, recent efforts [20] have tried to incorporate control-plane information into the correlation process. "
    ABSTRACT: Fault management in networks is difficult. We argue that a major contributor to the difficulty of debugging network faults is the sheer volume of semantically anemic details exposed by protocols. Unlike past approaches that try to cope with the deluge of information exposed, in this paper we explore how to reduce and structure the management information exposed by data-plane protocols and devices to make them more amenable to fault management. To this effect, we delineate two conditions that the management interface of data-plane protocols should satisfy: it should provide a structured description of protocol reality and it should support what we call a "conservation of bytes" invariant. Based on this, we propose an architecture wherein data-plane protocols expose management information satisfying these conditions. This allows management applications to detect, localize and (possibly) resolve faults in a structured fashion. We discuss the detection of a representative set of real-world faults to illustrate our approach. We implemented these fault management features into three protocols and built a management application that uses the features to debug faults. Apart from serving as a proof of concept, this exercise indicates that our proposal does indeed simplify debugging of a large fraction of network faults.
    INFOCOM 2009, IEEE; 05/2009