Patent classifications
H04L41/065
Compound alarms
In accordance with the teachings of the present disclosure, a method of generating a computer alarm is disclosed. The method includes determining a new instance of a characteristic of an element of a computing network to be monitored, identifying a relationship of the element to other elements of the computing network, and automatically creating an alarm threshold for the new instance of the characteristic based upon the relationship of the element to the other elements of the computing network.
METHOD FOR MANAGING A PLURALITY OF EVENTS
Event management system and method. Events comprise physical and logical attributes. Tuples are created to identify a set of logical attributes. The tuples are arranged in hierarchized relations by creating binarized co-occurrence matrices, each co-occurrence matrix reflecting different time intervals and indicating occurrence of tuples in time windows of the time intervals. Tuple pairs are analyzed to determine a probabilistic score related to co-occurrence, and tuple families are created from tuple pairs based on the probabilistic score. From tuple families, events are used to extract tuple instances including physical attributes, which are arranged as tuple-instance families using the corresponding tuple families as reference.
SYSTEM AND METHOD OF FLOW SOURCE DISCOVERY
An example method comprises receiving flow packets from network traffic analyzing platforms and, for each particular flow packet: identifying the particular flow packet as belonging to one of at least two flow packet types based on a format; if the particular flow packet is sFlow, determining whether the particular flow packet is an sFlow sample, a counter record, or a third packet type; if the particular flow packet is the sFlow sample or counter record, identifying a flow source of the particular flow packet and at least one metric, and updating a flow source data structure, else ignoring the particular flow packet; and if the particular flow packet is a second flow packet type: if the particular flow packet is of a format that matches a template, identifying the flow source, and updating the flow source data structure to include the identified flow source and the at least one metric.
ALARM INFORMATION PROCESSING METHOD, RELATED DEVICE, AND SYSTEM
Embodiments of the present invention disclose an alarm information processing method, including: acquiring, by an EMS, a first alarm information set reported by a VNFM, where the first alarm information set is generated after the VNFM performs correlation analysis on at least one piece of NFVI alarm information and at least one piece of VIM alarm information; acquiring, by the EMS, a second alarm information set reported by a VNF, where the second alarm information set includes at least one piece of VNF alarm information; and performing, by the EMS, correlation analysis on the first alarm information set and the second alarm information set, and dispatching a configured work order for alarm information that has a correlation relationship. By using the present invention, a cross-layer association between alarm information can be implemented to reduce a quantity of work orders.
MONITORING AND DETECTING CAUSES OF FAILURES OF NETWORK PATHS
Generally described, systems and methods are provided for monitoring and detecting causes of failures of network paths. The system collects performance information from a plurality of nodes and links in a network, aggregates the collected performance information across paths in the network, processes the aggregated performance information for detecting failures on the paths, analyzes each of the detected failures to determine at least one root cause, and initiates a remedial workflow for the at least one root cause determined. In some aspects, processing the aggregated information may include performing a statistical regression analysis or otherwise solving a set of equations for the performance indications on each of a plurality of paths. In another aspect, the system may also include an interface which makes available for display one or more of the network topology, the collected and aggregated performance information, and indications of the detected failures in the topology.
System and method for processing alerts indicative of conditions of a computing infrastructure
Systems and methods for processing alerts indicative of conditions of nodes of a computing infrastructure are herein disclosed as comprising, in an implementation, generating a node hierarchy comprising nodes associated with a service model, wherein relationships between the nodes are based on impact rules, identifying alerts related to the node hierarchy, wherein the alerts are indicative of impairments affecting at least a portion of the node hierarchy, and performing impact calculation for nodes of the node hierarchy based on the identified alerts. In an implementation, the impact values may be calculated in parallel for nodes indicated for processing. In an implementation, the nodes associated with the service model represent infrastructure or applicative resources and comprise nodes included in the service model and nodes related to, but not included in, the service model.
Similarity based approach for clustering and accelerating multiple incidents investigation
Systems, methods, and apparatuses are provided for clustering incidents in a computing environment. An incident notification relating to an event (e.g., a potential cyberthreat or any other alert) in the computing environment is received and a set of features may be generated based on the incident notification. The set of features may be provided as an input to a machine-learning engine to identify a similar incident notification in the computing environment. The similar incident notification may include a resolved incident notification or an unresolved incident notification. An action to resolve the incident notification may be received, and the received action may thereby be executed. In some implementations, in addition to resolving the received incident notification, the action may be executed to resolve a similar unresolved incident notification identified by the machine-learning engine.
Power outage detection
Methods and systems to detect a power outage are provided herein. The system includes a Cable Modem Termination System (CMTS) to periodically poll a plurality of cable modems and determine, based on the poll, which of the cable modems are offline. The system correlates and aggregates locations of the cable modems that are offline to determine a geographic area where a percentage of the cable modems that are offline is higher than a predetermined threshold. A report is generated indicating a power outage in the geographic area when the percentage is above the predetermined threshold.
Systems and methods for prediction of anomalies
There is provided a method for adapting components of a network, comprising: providing graphs each indicative of a respective sequential snapshot of a dynamic graph obtained over a historical time interval, wherein nodes of the graphs denote entities, and edges of the graphs denote interactions between the entities over a network, computing community graphs according to the graphs, computing meta-community graphs according to the community graphs, analyzing dynamics of the community graphs to detect changes between two temporally adjacent community graphs, analyzing dynamics of the meta-community graphs to detect changes between two temporally adjacent meta-community graphs, identifying at least one entity corresponding to node(s) of the dynamic graph according to a predicted likelihood of performing an anomalous action during a future time interval, and generating instructions for adapting component(s) of the network for ensuring availability of network resources for interactions between entities during the future time interval.
Dynamic updates of incident status information
Described herein are systems, methods, and software to enhance the management of responses to incidents in an information technology (IT) environment. In one example, a management system identifies an incident in an IT environment, identifies an initial status for the incident for an analyst of the IT environment, and provides the initial status for display to the analyst. The management system further monitors state information for the incident in the IT environment, identifies a second status of the incident based on the monitored state, and provides the second status for display to the analyst.