[US Patent]
Network event capture and retention system
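IPC classification information
Country / Type: United States (US) Patent, Registered
International Patent Classification (IPC 7th edition): G06F-015/173, H04L-012/24
Application number: US-0727193 (2003-12-03)
Registration number: US-9401838 (2016-07-26)
Inventor / Address: Brady, Jr., Bernard E.; Johnson, Mark; Stevens, Matthew; Volk, Scott David
Applicant / Address: EMC Corporation
Agent / Address: BainwoodHuang
Citation information
Times cited: 0
Cited patents: 22
Abstract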
Methods and apparatus are provided to monitor and analyze activity occurring on a networked computer system. In some embodiments, a method is provided for capturing, in a data structure, at least a portion of a notification describing a network event provided by a node on a computer network, identifying a data element (e.g., an IP address of the node) within the notification, and updating an index and/or summary based on the data element. The data structure may be stored in a file system maintained on a site, and sites may exchange information related to the notification data stored on each. In some embodiments, a query which is issued to a site may be processed using data transferred from other sites, and/or may be split into one or more additional queries which may be transmitted for processing to other sites.
Representative claims
1. A method, comprising: collecting and storing a plurality of transmission events as network event data elements in a plurality of data structures, each transmission event being reported by one or more nodes of a network and stored in compressed form in at least one storage site; extracting said plurality of transmission events stored as network event data elements in said plurality of data structures; based on a set of predefined network event characteristics and the extracted plurality of transmission events, creating indices which identify data structures and locations of network event data elements within those data structures, wherein each index identifies a data structure and a respective location of a network event data element within that data structure; receiving a query that requests particular transmission event information; based on the query, accessing the indices to identify a location of at least one network event data element by apportioning said query into multiple partial queries that request the particular transmission event information and sending the multiple partial queries to different storage sites which store said plurality of data structures; and in response to the multiple partial queries, receiving query results from the different storage sites and combining the query results to form an analyzable aggregation of transmission event information; wherein the query results contain particular transmission events in the compressed form to maximize the amount of data conveyed in each disk cycle.

2. The method of claim 1, wherein said collecting, said extracting, and said creating is performed by a site of a plurality of sites comprised in said network.

3. The method of claim 1, wherein said network event data elements are stored at offsets within said data structures.

4. The method of claim 1, wherein said collecting comprises creating observation records generated from one or more characteristics of said plurality of the transmission events reported by said one or more nodes; storing said observation records in said data structures, such that at least one data structure comprises one or more observation records; and determining the presence of at least one of said one or more characteristics in said observation records.

5. The method of claim 4, wherein said one or more characteristics include: a period during which a transmission event has occurred, and an internet protocol address of a node that reported said transmission event.

6. The method of claim 4, wherein at least one data structure includes an index created using said observation records.

7. The method of claim 1, wherein at least one network event data element includes an index comprising one or more of: a type of or an importance level for one or more transmission events of said plurality of the transmission events, an internet protocol address of a node having reported said transmission events, and an internet protocol address of a node that is a destination of said transmission events.

8. The method of claim 1, wherein at least one index identifies a location of a network data element for a transmission event which is in an unabridged form.

9. The method of claim 1, wherein at least one data structure includes a summary of said transmission events.

10. The method of claim 1, wherein at least one of said plurality of the transmission events is a notification.

11. The method of claim 1, wherein one or more network event data elements comprise partial or complete data comprised in at least one transmission event.

12. The method of claim 1, further comprising: storing one or more data structures in a volatile memory, in a non-volatile memory or in a data storage.

13. The method of claim 1, further comprising: storing one or more data structures with corresponding characterization records as a non-hierarchical file system or as a hierarchical file system.

14. The method of claim 1, wherein one or more network event data elements comprise an aggregate summary of at least one data structure and one or more other data structures.

15. The method of claim 1, wherein said network is configured to provide network activity data in a computer system comprising a plurality of nodes interconnected for communicating via said network.

16. The method of claim 1, wherein all or selected transmission events of said plurality of the transmission events are notifications reported by all or selected nodes of one or more nodes of said network.

17. The method of claim 1, wherein said locations of the network event data elements are in one or more data structures.

18. The method of claim 1, further comprising: creating a digital signature of at least one data structure.

19. An apparatus comprising: a first controller processor, configured to collect and store a plurality of transmission events as network event data elements in a plurality of data structures, each transmission event being reported by one or more nodes of a network and stored in compressed form in at least one storage site; a second controller processor, configured to extract said plurality of transmission events stored as network event data elements in said plurality of data structures; and a third controller processor, configured to create indices which identify data structures and locations of network event data elements within those data structures based on a set of predefined network event characteristics and the extracted plurality of transmission events, wherein each index identifies a data structure and a respective location of a network event data element within that data structure; a fourth control processor, configured to: receive a query that requests particular transmission event information; based on the query, access the indices to identify a location of at least one network event data element by apportioning said query into multiple partial queries that request the particular transmission event information and sending the multiple partial queries to different storage sites which store said plurality of data structures; and in response to the multiple partial queries, receive query results from the different storage sites and combine the query results to form an analyzable aggregation of transmission event information; wherein the query results contain particular transmission events in the compressed form to maximize the amount of data conveyed in each disk cycle.

20. The apparatus of claim 19, wherein said first controller processor is configured to perform said collecting by creating observation records generated from one or more characteristics of said plurality of the transmission events, reported by said one or more nodes such that at least one data structure comprises one or more observation records; and determining the presence of one or more characteristics in said at least one data structure.

21. The apparatus of claim 20, further comprising: a memory, configured to store one or more data structures and to store, for said at least one data structure, said one or more observation records.

22. The apparatus of claim 20, wherein said one or more characteristics include: a period during which a transmission event has occurred, and an internet protocol address of a node that reported said transmission event.

23. The apparatus of claim 22, wherein said memory is a non-volatile memory or a data storage.

24. The apparatus of claim 22, wherein one or more data structures with corresponding characterization records are stored as a file system or as a hierarchical file system.

25. The apparatus of claim 20, wherein at least one data structure includes an index created using said observation records.

26. The apparatus of claim 19, further comprising: a memory, configured to store one or more data structures comprising one or more characterization records.

27. The apparatus of claim 19, wherein said locations of the network event data elements are in one or more data structures.

28. The apparatus of claim 19, wherein one or more network event data elements are stored within at least one data structure.

29. The apparatus of claim 19, wherein at least one network event data element includes an index comprising one or more of: a type of or an importance level for one or more transmission events of said plurality of the transmission events, an internet protocol address of a node having reported said transmission event, and an internet protocol address of a node that is a destination of said transmission event.

30. The apparatus of claim 19, wherein at least one characterization record is an index indicating said location of a network event data element for a transmission event in an unabridged form.

31. The apparatus of claim 19, wherein at least one data structure includes a summary of said plurality of the transmission events.

32. The apparatus of claim 19, wherein at least one of said plurality of the transmission events is a notification.

33. The apparatus of claim 19, wherein one or more network event data elements comprise partial or complete data comprised in at least one transmission event.

34. The apparatus of claim 19, wherein one or more network event data elements comprise an aggregate summary of at least one data structure and one or more other data structures.

35. The apparatus of claim 19, wherein all or selected transmission events of said plurality of the transmission events are notifications reported by all or selected nodes of one or more nodes of said network.

36. The apparatus of claim 19, wherein said locations of the network event data elements are in one or more data structures.

37. A non-transitory computer-usable medium comprising computer readable instructions stored thereon for execution by a processor to perform a method comprising: collecting and storing a plurality of transmission events as network event data elements in a plurality of data structures, each transmission event being reported by one or more nodes of a network and stored in compressed form in at least one storage site; extracting said plurality of transmission events stored as network event data elements in said plurality of data structures; based on a set of predefined network event characteristics and the extracted plurality of transmission events, creating indices which identify data structures and locations of network event data elements within those data structures, wherein each index identifies a data structure and a respective location of a network event data element within that data structure; receiving a query that requests particular transmission event information; based on the query, accessing the indices to identify a location of at least one network event data element by apportioning said query into multiple partial queries that request the particular transmission event information and sending the multiple partial queries to different storage sites which store said plurality of data structures; and in response to the multiple partial queries, receiving query results from the different storage sites and combining the query results to form an analyzable aggregation of transmission event information; wherein the query results contain particular transmission events in the compressed form to maximize the amount of data conveyed in each disk cycle.

38. The non-transitory computer-usable medium of claim 37, wherein one or more network event data elements are stored at offsets within at least one data structure.

39. The non-transitory computer-usable medium of claim 37, wherein said collecting comprises creating observation records generated from one or more characteristics of said plurality of the transmission events reported by said one or more nodes and storing said observation records in said data structures, such that at least one data structure comprises one or more observation records; and determining the presence of at least one of said one or more characteristics in said observation records.

40. The non-transitory computer-usable medium computer software product of claim 39, wherein said one or more characteristics include: a period during which a transmission event has occurred, and an internet protocol address of a node that reported said transmission event.

41. The non-transitory computer-usable medium of claim 39, wherein at least one data structure includes an index created using said observation records.

42. The non-transitory computer-usable medium of claim 37, wherein at least one network event data element includes an index comprising one or more of: a type of or an importance level for one or more transmission events of said plurality of the transmission events, an internet protocol address of a node having reported said transmission event, and an internet protocol address of a node that is a destination of said transmission event.

43. The non-transitory computer-usable medium of claim 37, wherein at least one index identifies a location of a network event data element for a transmission event which is in an unabridged form.

44. The non-transitory computer-usable medium of claim 37, wherein at least one data structure includes a summary of said plurality of the transmission events.

45. The non-transitory computer-usable medium of claim 37, wherein at least one of said plurality of the transmission events is a notification.

46. The non-transitory computer-usable medium of claim 37, wherein one or more network event data elements comprise partial or complete data comprised in at least one transmission event.

47. The non-transitory computer-usable medium of claim 37, wherein said method further comprises: storing one or more data structures in a memory, in a non-volatile memory or in a data storage.

48. The non-transitory computer-usable medium of claim 37, wherein said method further comprises: storing one or more data structures with corresponding characterization records as a file system or as a hierarchical file system.

49. The non-transitory computer-usable medium of claim 37, wherein one or more network event data elements comprise an aggregate summary of at least one data structure and one or more other data structures.

50. The non-transitory computer-usable medium of claim 37, wherein all or selected transmission events of said plurality of the transmission events are notifications reported by all or selected nodes of said one or more nodes of said network.

51. The non-transitory computer-usable medium of claim 37, wherein said locations of the network event data elements are in one or more data structures.

52. The non-transitory computer-usable medium of claim 37, wherein said method further comprises: creating a digital signature of at least one data structure.

Aggarwal, Vikas, Distributing queries and combining query responses in a fault and performance monitoring system using distributed data gathering and storage.
O'Toole, Jr., James W.; Bornstein, David M., Method and apparatus for transparent distributed network-attached storage with web cache communication protocol/anycast and file handle redundancy.
Alvin Barshefsky; Shao-Kuang Hu; Scott Douglas Olmstead; Kirk K. Pegues; William Calvin Sand; Rickey Joseph Spiece; Shun-Chi Wu JP; Chi Ying Yu, System and method for analyzing and displaying telecommunications switch report output.
Petry, Scott M.; Akamine, Shinya; Lund, Peter Kevin; Cox, Fred; Oswall, Michael John, Systems and methods for managing the transmission of electronic messages through active message date updating.