0
3.9kviews
List & describe various event correlation techniques
1 Answer
1
99views

• Several correlation techniques are used to isolate and localize fault in networks.

• All are based on (1) Detecting and filtering of events (2) Correlating observed events to isolate and localize the fault either topologically or functionally (3) Identifying the cause of the problem. In all three cases, different reasoning methods distinguish one technique from another.

• Six approaches to correlation techniques:

(1) Rule-based reasoning (4) Codebook (2) Model-based reasoning (5) State transition graph model (3) Case-based reasoning (6) Finite state machine model

(1) Rule-Based Reasoning :

• Rule-based reasoning (RBR) is the earliest form of correlation technique. It is also known by many other names, including rule-based expert system, expert system, production system, and blackboard system.

• It has a working memory, an inference engine and a knowledge base. The three levels representing the three components are the data level, control level, and knowledge level, respectively.

• The knowledge base contains expert knowledge as to

(1) definition of a problem in the network and

(2) action that needs to be taken if a particular condition occurs.

• The knowledge base information is rule-based in the form of if-then or condition-action, containing rules that indicate which operations are to be performed when.

• The working memory contains(as working memory elements) the topological and state information of the network being monitored.

• The working memory recognizes when the network goes into a faulty state.

• The inference engine, in cooperation with the knowledge base, compares the current state with the left side of the rule-base and finds the closest match to output the right side of the rule. The knowledge base then executes an action on the working memory element.

• In Figure1, the rule-based paradigm is interactive among the three components and is iterative. Several strategies are available for the rule-based paradigm.

figure1

• A specific strategy is implemented in the inference engine. When a specific rule has been chosen, an action is performed on the working memory element, which can then initiate another event. This process continues until the correct state is achieved in the working memory.

• Rules are established in the knowledge base from the expertise of people in the field. The rule is an exact match and the action is very specific.

• If the antecedent and action in the rule do not match, the paradigm breaks and it is called brittle. However, it can be fixed by adding more rules, but doing so increases the database size and degrades performance, called a knowledge acquisition bottleneck.

• As the number of working memory elements grows, memory requirements grow exponentially. In addition, the action is specific, which can cause unwanted behavior.

• For example, we can define the alarm condition for packet loss as follows:

If packet loss < 10% alarm green

If packet loss => 10% < 15% alarm yellow

If packet loss => 15% alarm red

• The left side conditions are the working memory elements, which if detected would execute the appropriate rule defined in the rule-base

• This action could cause the alarm condition to flip back and forth in boundary cases. An application of fuzzy logic is used to remedy this problem, but it is difficult to implement.

• An RBR-Based Correlation Example :

• Figure2 is used here to illustrate an implementation of RBR. It shows a four-layer network.

• Backbone router A is linked to router B. Hub C is connected to router B and has four servers, D1-D4, in its LAN.

• Without a correlation engine, failure in the interface of router A will generate an alarm. This fault then propagates to router B, hub C, and finally to servers D1 -D4, Time delay is involved in alarm generation.

figure2

• In general, propagation of faults and the time delay associated with them need to be fully recognized in fault management.

• Four correlation rules are specified in Figure3.

• Rule 0 has no associated condition with, but rules 1-3 are conditional. To allow for propagation time, a correlation window of 20 seconds is set.

Figure 3

Please log in to add an answer.