Method, computer program element and a system for processing alarms triggered by a monitoring system

Assignee

• International Business Machines Corporation · US

Inventors

• Marc Dacier · Mouans-Sartoux, FR
• Klaus Julisch · Bonstetten, CH

Key dates

Classification

• Technology area (CPC H)Electricity
• CPC primaryH04L43/00
• WIPO fieldDigital communication
• WIPO sectorElectrical engineering

Abstract

A method and system is designed for processing alarms, that have been triggered by a monitoring system such as an intrusion detection system, a firewall, or a network management system, comprising the steps of entering the triggered alarms into an alarm log, evaluating similarity between alarms, grouping similar alarms into alarm clusters, summarizing alarm clusters by means of generalized alarms, counting the covered alarms for each generalized alarm and forwarding generalized alarms for further processing if the number of alarms covered satisfies a predetermined criterion. In the event of high rates of alarm messages, possibly containing many false alarms, a system administrator will therefore not be confronted with a flood of messages with little significance. Instead, only generalized alarms, more meaningful and smaller in number, are presented. The method can further comprise copying the alarm log to a cluster log and for each generalized alarm in the cluster log counting the number of covered alarms that are identical to the generalized alarm or more specific than the generalized alarm, and, if the number of covered alarms exceeds a predetermined minimum number, then terminat…