US20220376968A1 - Triggering recovery actions based on corroborating anomalies - Google Patents

Abstract

The present application describes a detect, alert and recovery system for various cloud-based and/or network-based services. The detect, alert and recovery system receives network performance data associated with a particular namespace from various network information sources. The network performance data may be aggregated based on various scopes. The aggregated data is then analyzed to determine whether an anomaly exists. If an anomaly exists, the detect, alert and recovery system may cause the performance of various actions in order to address the anomaly.

Description

BACKGROUND
• Cloud computing offers various computing devices a number of different services. However, if a portion of a network associated with a particular cloud service is down or is congested, an end user's experience with the cloud service is negatively impacted.
SUMMARY
• The present application describes a detect, alert and recovery system for various cloud-based and/or network-based services. The detect, alert and recovery system receives network performance data associated with a particular namespace (e.g., www.microsoft.com, www.outlook.office365.com) from various network information sources. The network performance data may be aggregated based on various scopes (e.g., region or network). The aggregated data is analyzed to determine whether an anomaly exists. If an anomaly exists, the detect, alert and recovery system may cause performance of various actions in order to address or otherwise remedy the anomaly.
• Accordingly, the present application describes a method in which network performance information associated with a namespace is received from a plurality of network information sources. The network performance information associated with the namespace from each of the plurality of network information sources is aggregated into data sets of varying scope. Each of the data sets of varying scope is analyzed to detect an anomaly associated with the namespace. The anomaly may be analyzed in view of one or more rules in a hierarchy of rules. In an example, the hierarchy of rules is based, at least in part, on one or more of a scope associated with the anomaly and the namespace. An action to address the anomaly may then be performed. In an example, the action to be taken is specified by the one or more rules in the hierarchy of rules.
• The present application also describes a system that includes a processor and a memory coupled to the processor. The memory stores instructions that, when executed by the processor, perform operations. In an example, these operations include receiving network performance information associated with a namespace from a plurality of network information sources. The network performance information associated with the namespace is aggregated into data sets of varying scope. Each of the data sets of varying scope are analyzed to detect an anomaly associated with the namespace. Based on detecting an anomaly, an action to address the anomaly is performed. In an example, the action is specified by one or more rules of a rule hierarchy.
• Also described is a method that includes receiving a first set of network performance information associated with a namespace from a first plurality of network information sources. The first set of network performance information associated with the namespace from each of the first plurality of network information sources is aggregated into first data sets of varying scope. Each of the first data sets of varying scope are analyzed to determine a presence of an anomaly associated with the namespace. A second set of network performance information associated with the namespace is received from a second plurality of network information sources. The second set of network performance information associated with the namespace from each of the second plurality of network information sources is aggregated into second data sets of varying scope that correspond to the varying scopes of the first data sets. Each of the second data sets of varying scope are analyzed to determine the presence of the anomaly associated with the namespace. Based on the presence of the anomaly being determined using the first data sets and the second data sets, an action to address the anomaly is performed. In an example, the action is specified by the one or more rules in the hierarchy of rules.
• This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
BRIEF DESCRIPTION OF THE DRAWINGS
• Non-limiting and non-exhaustive examples are described with reference to the following figures.
• FIG. 1A illustrates an example system for detecting anomalies in a cloud-based and/or network-based service according to an example.
• FIG. 1B illustrates the example system ofFIG. 1A in which network information is provided to a detection alert and recovery system from one or more network telemetry information systems according to an example.
• FIG. 1C illustrates the system ofFIG. 1A in which the detection alert and recovery system provides instructions to various computing devices that access the system according to an example.
• FIG. 1D illustrates the various computing devices providing results information to the detection alert and recovery system according to an example.
• FIG. 2 illustrates a server registering with the detection alert and recovery system according to an example.
• FIG. 3A illustrates an example network connectivity path between a computing device and an endpoint associated with a namespace according to an example.
• FIG. 3B illustrates an alternate network connectivity path between the computing device and the endpoint associated with the namespace according to an example.
• FIG. 3C illustrates another alternate network connectivity path between the computing device and a different endpoint associated with the namespace according to an example.
• FIG. 4 illustrates a method for detecting an anomaly in a cloud-based and/or network-based environment according to an example.
• FIG. 5 is a block diagram of a computing device according to an example.
DETAILED DESCRIPTION
• In the following detailed description, references are made to the accompanying drawings that form a part hereof, and in which are shown by way of illustrations specific embodiments or examples. These aspects may be combined, other aspects may be utilized, and structural changes may be made without departing from the present disclosure. Examples may be practiced as methods, systems or devices. Accordingly, examples may take the form of a hardware implementation, an entirely software implementation, or an implementation combining software and hardware aspects. The following detailed description is therefore not to be taken in a limiting sense, and the scope of the present disclosure is defined by the appended claims and their equivalents.
• Cloud-based and/or network-based services receive and process a number of requests from various computing devices. Often, these requests originate from various parts of the world and are received at a specific namespace (e.g., www.microsoft.com). The namespace may be resolved at different endpoints depending on where the request originated. For example, a computing device that is located in Seattle, may access the endpoint www.seattle.microsoft.com when a request for the namespace www.microsoft.com is provided by a browser of the computing device. Likewise, a computing device located in Atlanta may access the endpoint www.atlanta.microsoft.com when it seeks to access the namespace www.microsoft.com.
• When a computing device (e.g., mobile phone, desktop computing device, laptop computing device, gaming machine, smart watch) accesses a particular namespace, an IP address associated with the namespace is determined and the computing device may subsequently connect to that IP address. However, given that various endpoints may be associated with and/or otherwise enable a computing device to access a namespace, it is currently difficult to identify connectivity issues with a particular namespace. For example, it may be difficult to determine whether a namespace connectivity issue is worldwide or regional or whether the namespace connectivity issues originates with an interne service provider.
• Accordingly, the present application describes a detect, alert and recovery system for various cloud-based and/or network-based services. The detect, alert and recovery system receives network performance data associated with a particular namespace from various network information sources. The network information sources may be computing devices that access the namespace and/or network telemetry information systems.
• When the network performance data is collected (e.g., by various computing devices, by network telemetry information systems and/or by the detect, alert and recovery system), the network performance data may be aggregated into various data sets. In an example, the data sets may be divided or organized based on a scope. In an example, the scope may be based on geographic information associated with the computing device that is seeking to access the namespace, geographic information associated with an endpoint associated with the namespace, and/or network information (e.g., network topology, network service provider information).
• The aggregated data is analyzed to determine the presence of an anomaly. In an example, the aggregated data may be compared against previously collected network performance data having the same or a similar scope. In an example, if a difference in performance metrics between the network performance data and the previously collected network performance data is over a threshold, it may be determined that an anomaly exists. As such, the detect, alert and recovery system may initiate various actions in order to address or otherwise remedy the anomaly. The number and/or type of actions that are initiated may vary depending on various factors. These factors include, but are not limited to, the severity of the anomaly, whether the anomaly is corroborated across different data sets and/or between different network telemetry information systems, hierarchical rules, a time at which the anomaly occurs, an amount of time the anomaly has been occurring, and a namespace.
• Accordingly, the technical benefits described herein include, but are not limited to, better detection of network-based and/or cloud-based outages when compared with current solutions and an ability to escalate outage alerts and/or to more quickly and efficiently initiate automated recovery actions. Additionally, the systems and methods described herein reduce mean-time-to-detection and mean-time-to-recovery for network and cloud services as the system collects and monitors network data and performs anomaly detection in real-time, near real-time, or at periodic intervals. The system of the present disclosure also enables more accurate detection of anomalies due to anomaly corroboration between various network telemetry information systems.
• FIG. 1A illustrates anexample system100 for detecting anomalies of various scopes in a cloud-based and/or network-based service according to an example. When an anomaly is detected or is otherwise identified, thesystem100 may invoke alerts and/or recovery actions to enable various computing devices to access a namespace (e.g., an identity namespace) associated with the cloud-based and/or network-based service.
• For example, if data from one network telemetry information system or computing device (e.g., first computing device105) indicates the presence of an anomaly (e.g., the network-based and/or cloud-based service is unreachable, slow, not responsive), certain alerts and/or actions may be invoked by a detection alert andrecovery system125. However, if data from only one network telemetry information system or computing device indicates the presence of anomaly, the detection alert andrecovery system125 may determine that no action is to be taken.
• In an effort to increase the reliability of and confidence in the detection alert andrecovery system125, the detection alert andrecovery system125 may utilizes a corroboration technique in which data sets from various network telemetry information systems and/or computing devices may be combined and/or analyzed to determine the presence of an anomaly. This information may also be used to determine a severity of an anomaly and how to address or rectify the anomaly. For example, if data sets from two (or more) network telemetry information systems and/or computing devices indicate the presence of an anomaly, certain alerts and/or actions (or additional alerts and/or actions) may be invoked in order to address the anomaly.
• As shown inFIG. 1A, thesystem100 may include afirst computing device105 and/or asecond computing device120. Each computing device may submit arequest185 to access a particular namespace (e.g., www.microsoft.com) hosted by or otherwise associated with aserver180. Therequest185 may be transmitted to theserver180 via anetwork115. Although thefirst computing device105 and thesecond computing device120 are shown accessing thesame network115 and thesame server180, each computing device may access adifferent network115 and/or adifferent server180. Additionally, each of thefirst computing device105 and thesecond computing device120 may provide the same request, similar requests or different requests.
• Thefirst computing device105 may be associated with a first geographic area and thesecond computing device120 may be associated with the first geographic area or a second geographic area. For example, thefirst computing device105 and thesecond computing device120 may be located in Washington State. In another example, thefirst computing device105 may be located in Washington State while thesecond computing device120 is located in Colorado.
• Thefirst computing device105 and thesecond computing device120 may be associated with the same network service providers. In another example, thefirst computing device105 and thesecond computing device120 may be associated with different network service providers. Although two different computing devices are shown and described, thesystem100 may include any number of computing devices that provide requests to access various servers in thesystem100.
• As therequest185 is transmitted from thefirst computing device105 and/or thesecond computing device120 to theserver180,network performance information110 may be collected. Each of thefirst computing device105 and thesecond computing device120 may provide differentnetwork performance information110 to theserver180. For example,network performance information110 from thefirst computing device105 may indicate that thefirst computing device105 is not experiencing any issues whilenetwork performance information110 from thesecond computing device120 may indicate that thesecond computing device120 is experiencing connectivity issues.
• In an example, thenetwork performance information110 may be associated with a particular namespace (e.g., www.microsoft.com), endpoint and/or server. Thenetwork performance information110 may be provided to the detection alert andrecovery system125 in real-time or substantially real-time. In another example, thenetwork performance information110 may be collected by the detection alert andrecovery system125 periodically.
• Thenetwork performance information110 may be requested by the detection alert andrecovery system125. In another example, thenetwork performance information110 may be automatically provided to the detection alert andrecovery system125 by thefirst computing device105 and/or thesecond computing device120. For example, as thefirst computing device105 submits therequest185 to theserver180 via thenetwork115, thefirst computing device105 may also provide thenetwork performance information110 to the detection alert andrecovery system125 via thenetwork115.
• In another example, one or more network telemetry information systems may provide thenetwork performance information110 to the detection alert andrecovery system125. In another example,network performance information110 may be provided to the detection alert andrecovery system125 in response to thefirst computing device105 executing various connection tests to one or more endpoints and/or namespaces. For example, the detection alert andrecovery system125 may request that thefirst computing device105 connect to various namespaces. When the request is received, thefirst computing device105 will attempt to connect to the various namespaces and will subsequently providenetwork performance information110 for each of the namespaces to the detection alert andrecovery system125 such as previously described.
• Thenetwork performance information110 may include information regarding if and/or how thefirst computing device105 connected to the endpoint, the namespace and/or theserver180. In another example, thenetwork performance information110 may include information regarding a location of the endpoint, theserver180 and/or information regarding whatserver180 thefirst computing device105 connected to when accessing the namespace. For example, thenetwork performance information110 may include information as to whether thefirst computing device105 connected to aserver180 in Seattle, Denver, Hong Kong, etc. Thenetwork performance information110 may also include information regarding a round-trip time, latency, and other network-based performance information, network topology information, network service provider information and the like.
• In an example, thenetwork performance information110 may be provided to the detection alert andrecovery system125 via a web interface executing on thefirst computing device105. Thenetwork performance information110 may be automatically provided to or otherwise received by the detection alert andrecovery system125 in real-time, substantially real-time or at periodic intervals. In an example, thenetwork performance information110 is provided to the detection alert andrecovery system125 via one or more background processes and/or threads executing on or otherwise associated with the various computing devices in thesystem100 so as to not be visible to the end user and/or negatively affect a user's experience with the network-based and/or cloud-based services.
• In another example, thenetwork performance information110 may be collected or otherwise transmitted to the detection alert andrecovery system125 when the first computing device105 (and/or the second computing device120) connects to a particular website or namespace. For example, when thefirst computing device105 connects to a particular website, a browser associated with thefirst computing device105 may collectnetwork performance information110 regarding if and/or how thefirst computing device105 was able to connect to the particular website. Thenetwork performance information110 may then be provided to the detection alert andrecovery system125. In an example, this information is provided in real-time, substantially real time and/or periodically (e.g., every five minutes, every ten minutes, every fifteen minutes).
• In some examples, successful connections to a particular website are periodically included in thenetwork performance information110. In other examples, errors or other failures to connect to the particular website are always collected and included with thenetwork performance information110.
• Thenetwork performance information110 may be provided to the detection alert andrecovery system125 via other means such as, for example, external data and/or internal data. For example, a network monitoring system associated with a network service provider may providenetwork performance information110 to the detection alert andrecovery system125. In another example, a namespace monitoring system may providenetwork performance information110 to the detection alert andrecovery system125.
• As shown inFIG. 1A, the detection alert andrecovery system125 may include various systems. Each system works together to detect an anomaly associated with a namespace. When an anomaly is detected, the detection alert andrecovery system125 provides alerts and/or actions (if needed) to address the anomaly. In an example, the various systems shown and described with respect to the detection alert andrecovery system125 may be separate systems. In another example, some (or all) of the systems may be combined. In yet another example, some of the functionality of the systems may be provided by one or more remote computing devices or systems.
• The detection alert andrecovery system125 may include a networkdata collection system145. In an example, the networkdata collection system145 collects and/or stores thenetwork performance information110. In one example, whennetwork performance information110 is received and/or stored, anaggregation system135 aggregates thenetwork performance information110.
• Theaggregation system135 may aggregatenetwork performance information110 into various data sets based, at least in part, on a determined or specified scope. For example, a scope may be a geographic area (e.g., based on an IP address associated with thefirst computing device105 and/or the second computing device120) from which thenetwork performance information110 is received. In another example, the scope may be associated with a particular network and/or network service provider. In yet another example, the scope may be boundary —geographic or otherwise—in which an anomaly is detected and/or in which an endpoint or server is located. Although specific examples are given, thesystem100 may support any number of different types of scopes.
• Additionally, various scopes may be added to the detection alert andrecovery system125 and removed from the detection alert andrecovery system125. In an example, a network technician may add or remove a scope. In another example, an endpoint, a namespace, and/or one or more rules provided by the endpoint or namespace may specify a scope as part of a namespace, endpoint or server registration process (such as described below with respect toFIG. 2).
• In an example, various scopes may be associated with a hierarchy. For example, a scope associated with one geographic area (e.g., Seattle) may be a child scope for another geographic area (e.g., Washington State).
• As briefly described above, theaggregation system135 may aggregatenetwork performance information110 from different computing devices into various data sets. For example, asnetwork performance information110 is received from the first computing device and thesecond computing device120, theaggregation system135 may aggregate the information into a first data set in order to get a better understanding of a status of the cloud-based and/or network-based service. In an example, the network performance information may be aggregated based on a determined scope or scopes.
• For example, theaggregation system135 may aggregatenetwork performance information110 based on a determined geographic location of thefirst computing device105 and thesecond computing device120. In another example, theaggregation system135 may aggregatenetwork performance information110 based on a network service provider associated with thefirst computing device105 and thesecond computing device120. In either example, the scope that is used to aggregate thenetwork performance information110 may be the same or similar between thefirst computing device105 and thesecond computing device120. In another example, the scope may be different. For example, thefirst computing device105 may be located in Seattle and have a first network service provider while thesecond computing device120 may be located in Denver and have a second network service provider.
• Theaggregation system135 may also aggregatenetwork performance information110 from different network telemetry information systems. For example and referring toFIG. 1B, thesystem100 may also include network telemetry information system(s)170. In an example, the network telemetry information system(s)170 may be separate from, but communicatively coupled to, the detection alert andrecovery system125. In another example, the network telemetry information system(s)170 may be part of or otherwise integrated with the detection alert andrecovery system125.
• The network telemetry information system(s)170 output or otherwise provide information and/or signals (e.g., network telemetry information) at a high volume and at a high frequency to various databases (e.g., the networkdata collection system145 or other databases associated with the network telemetry information system(s)170). For example and as discussed above, rich clients and/or web interfaces executing on thefirst computing device105 and/or thesecond computing device120 may upload raw telemetry signals to the detection alert andrecovery system125. This may occur on a regular basis via background threads.
• When the telemetry signals are received, the telemetry signals may be enriched with an IP address (or other information associated with or provided by a client computing device and/or network telemetry information system(s)170 associated with the signal). Ananomaly detection system130 of the detection alert andrecovery system125 may apply a machine learning algorithm to the telemetry signals and/or the various aggregated data sets to compute anomaly score.
• The anomaly score may be monitored. When the anomaly score reaches or exceeds a threshold, anaction system155, either alone or in combination with arules system150, may determine whether an action should be taken to remedy the anomaly. Although specific examples have been given, signals from various network telemetry information system(s)170 may be received, combined, and/or used to determine or otherwise detect the presence of an anomaly.
• Referring back toFIG. 1A, as network performance information is received110 and/or aggregated, thenetwork performance information110 may be compared against historical or otherwise previously receivednetwork performance information110. The historical network performance information may be stored in the networkdata collection system145. Theanomaly detection system130 may analyze or otherwise compare the receivednetwork performance information110 with the historical received network performance information in order to detect or otherwise determine an existence of an anomaly.
• In an example, theanomaly detection system130 applies various algorithms to detect an anomaly. In an example, some algorithms may be applied to one data set (e.g., a data set having a first scope) while other algorithms may be applied to a second data set (e.g., a data set having a second scope).
• The anomaly may be detected based on lack of signal or a significant variance in a metric against an endpoint for a scope. In an example, the algorithms used to detect an anomaly may be based on machine learning. In another example, the algorithms may be based on aggregations and thresholds. Theanomaly detection system130 may also apply various algorithms based on the namespace associated with thenetwork performance information110. A timeframe associated with thenetwork performance information110 may also be considered when determining whether an anomaly exists.
• For example, the detection alert andrecovery system125 may determine that on a given day at a given time, and based onnetwork performance information110, that .001% of computing devices in a particular area (e.g., Seattle) cannot access a particular endpoint. However, asnetwork performance information110 is received and analyzed by theanomaly detection system130, it may be determined that at a given time-period, 3% of computing devices in that area cannot reach the endpoint. As such, theanomaly detection system130 may determine that an anomaly exists. Although a jump from .001% to 3 percent is specifically mentioned, any threshold may be used.
• In one example, when an anomaly is detected, the anomaly may be compared against other data sets of the same scope and/or data sets received from other sources. This comparison/corroboration may increase a confidence score that an anomaly does exist.
• The detection alert andrecovery system125 may initiate or invoke different actions based on the confidence score. For example, if data from a first network telemetry information system indicates the presence of anomaly, a first set of actions (or no actions) may be taken. However, if data from a second network telemetry information system also indicates the presence of the anomaly, the confidence score may increase. Accordingly, the first set of action, or a different set of actions may be performed to remedy or otherwise address the anomaly.
• When theanomaly detection system130 detects an anomaly, the anomaly may be compared or otherwise analyzed in light of one or more rules in arules system150. Each rule or set of rules in therule system150 may be specific to a particular endpoint and/or to a particular anomaly. For example, one endpoint or namespace may have a first rule or set of rules when an anomaly is detected. A second endpoint or namespace may have a second rule or set of rules when an anomaly is detected. In another example, the first endpoint may have a first rule or set of rules when a first type of anomaly is detected and a second rule or set of rules when a second type of anomaly is detected.
• In another example, a first rule or set of rules may be applied to the anomaly when information from a single data set (e.g., information from a network telemetry information system170) indicates the presence of an anomaly. A second rule or set of rules may be applied to the anomaly when information from a multiple data sets (e.g., information from multiple network telemetry information systems170) indicate the presence of an anomaly. In yet another example, different rules or sets of rules may be applied based on a determined severity, end-user impact and/or scope of the anomaly. In an example, some of the rules may be arranged in a hierarchy. Thus, some rules may take precedence over other rules.
• In an example, the following rule may be executed when an anomaly is detected by the anomaly detection system130: At country level______(scope), for______namespace, if an anomaly is detected by the first network telemetry information system (e.g., FootPrint signals or other network telemetry information) and a second network telemetry information system (e.g., Network Error Logging signals or other network telemetry information), take actions A, B, and C. In another example, the following rule may be executed when an anomaly is detected by the anomaly detection system130: For network service provider______(scope) and for______ namespace, if an anomaly is detected by a first network telemetry information system, take action A and B; if an anomaly is detected by a second network telemetry information system, take action A and C; if an anomaly is detected by a first network telemetry information system and a second telemetry information system, take actions A, B, C, and D. Although specific rules are mentioned, these are for example purposes only.
• If the detected anomaly satisfies one or more rules, theaction system155 determines an action to address the anomaly. In an example, the action may be a single action or a series of actions. The actions may occur simultaneously, substantially simultaneously or in sequence. Example actions include, but are not limited to, one or more of the following: generating and sending (or otherwise providing a notification to) a message to a network technician, triggering a network traffic shift, trigger additional data collection, and/or triggering a network health status enquiry.
• Once an action is determined, the detection alert andrecovery system125 provides theaction160 to the various computing devices that are affected by the anomaly. For example and as shown inFIG. 1C, the detection alert andrecovery system125 provides theaction160 tofirst computing device105 and thesecond computing device120. When theaction160 is received, each computing device may provideresults175 to the detection alert and recovery system such as shown inFIG. 1D. The results may be used by the detection alert and recovery system to determine whether the provided action addressed the anomaly. This information may be subsequently used to change and/or update rules and/or actions when various anomalies are detected.
• FIG. 2 illustrates asystem200 in which aserver210 registers with the detection alert andrecovery system125 ofFIG. 1A-FIG. 1D according to an example. In an example, thesystem200 may be similar to thesystem100 shown and described with respect toFIG. 1A-FIG. 1D. For example,server210 may be similar to theserver180 ofFIG. 1A.
• In an example, theserver210 may be associated with a namespace and/or an endpoint. As described above, each endpoint and/or namespace may specify its own unique set of rules and/or actions. However, in order to ensure the rules are analyzed in response to detection of an anomaly and the appropriate or desired action is taken to address the anomaly, theserver210 may register with the detection alert andrecovery system125. As such, theserver210 may provideregistration information220 to the detection alert andrecovery system125 via thenetwork115. Theregistration information220 may include types of actions to be taken when various anomalies are detected, a rule or set of rules to be followed when an anomaly is detected and so on.
• FIG. 3A illustrates an examplenetwork connectivity path300 between acomputing device310 and anendpoint350 associated with a namespace according to an example. As shown inFIG. 3A, the path between thecomputing device310 and theendpoint350 may consist of hops atpoint320,330 and340. However, a detection alert and recovery system may detect the presence of an anomaly caused, for example, by congestion or network failure betweenpoints320 and330 and points330 and340 (indicated by the X inFIG. 3B).
• In order to address this anomaly (and in response to one or more rules being satisfied), the detection alert and recovery system may instruct thecomputing device310 to use an alternate network connectivity path such as, for example, thenetwork connectivity path305 shown inFIG. 3B. As shown inFIG. 3B, thecomputing device310 may now connect to thesame endpoint350 usingpoints320,360 and340.
• In another example, the detection alert and recovery system may instruct the computing device to access a different endpoint associated with the namespace. The different endpoint may be in a different geographic region than the original endpoint. For example and as shown inFIG. 3C an alternatenetwork connectivity path315 between thecomputing device310 and adifferent endpoint370 associated with the namespace may include hops atpoints320,360 and340. Although network traffic rerouting is shown as an example action that may address a detected anomaly, alternative actions and/or additional actions may be taken.
• FIG. 4 illustrates amethod400 for detecting an anomaly in a cloud-based and/or network-based environment according to an example. Themethod400 may be executed by thesystem100 or the various systems described with respect toFIG. 1A-FIG. 1D.
• Method400 begins when network performance information is received. In an example the network performance information may be received by a detection alert and recovery system. In an example, the network performance information may be actively collected by the detection alert and recovery system. For example, the detection alert and recovery system may request that one or more client device connect to one or more namespaces and collect network performance information based on the attempted connections.
• In another example, one or more computing devices may provide network performance information to the detection alert and recovery system in response to various events. These events may include, but are not limited to, the computing device connecting to a particular endpoint and/or namespace, the computing device connecting to a particular cloud-based or network-based service, or an inability of the computing device to connect to a particular namespace and/or endpoint.
• In another example, network performance information may be provided to the detection alert and recovery system by one or more network telemetry information systems. In an example, each network telemetry information system may provide the same or similar network performance information data in the same or similar format. In another example, each network telemetry information system may provide different network performance information data in a different format. In such a case, an anomaly detection system may standardize the information as part of an anomaly detection process. In another example, the network telemetry information system may provide the network performance information in a format requested by an anomaly detection system associated with the detection alert and recovery system.
• In yet another example, network performance information may be provided to the detection alert and recovery system by individuals associated with various computing devices that access the system. For example, an individual may provide information that a particular segment of a network is down, that a cloud-based service is non-responsive or is congested, etc. In another example, network performance information may be provided to the detection alert and recovery system from a network service provider or other third party.
• The network performance data may include or otherwise be based on various scopes. These scopes may include region information (e.g., city, country, country, worldwide etc.) and/or network information. The network performance data may also include routing information between a computing device and an endpoint, performance metrics of a particular network or network segment, a geographical location of the endpoint, an amount of time it took to connect to the endpoint, a network topology, internet service providers, intermediate internet service providers, throughput and so on.
• Once the network performance information is received, the detection alert and recovery system may aggregate and/or analyze the network performance information to determine (430) whether an anomaly is detected. Although not required, data aggregation may occur over different data sets having the same scope or different scopes. Additionally, data sets from two different sources (e.g., computing devices, network telemetry information systems) may be aggregated and analyzed.
• In an example, an anomaly is detected by comparing the network performance information with historical network performance information. If the comparison indicates an anomaly (e.g., performance metrics associated with an endpoint have changed over a threshold amount), an anomaly may exist. In another example, the network performance information is provided to various anomaly detection algorithms that determine whether an anomaly exists. In yet another example, different data sets (of the same or similar scope, or data sets with different scopes) from different sources may be analyzed in view of each other. As such, different data sets may be used together in order to increase a confidence level that an anomaly exists.
• If an anomaly is not detected, flow returns tooperation410 and additional network performance information is collected and/or received. However, if an anomaly is detected, the anomaly is compared against one or more rules in a rules hierarchy to determine if one or more of the rules are satisfied (440). As discussed above, the rules in the rule hierarchy may be specific to an endpoint or a namespace. In addition, a rule or set of rules may be specific to a particular scope, a severity of an impact of the anomaly, an amount of time the anomaly has been occurring and so on.
• If one or more rules are not satisfied, flow returns tooperation410 and additional network information is received. However, if a rule is satisfied, the detection alert and recovery system may cause the performance or initiation (450) of one or more recovery actions. The recovery actions are initiated to address the anomaly. The recovery actions may be an alert and/or a notification action (e.g., notification of a network technician), a network traffic shifting action (e.g., such as shown inFIG. 3A-FIG. 3C), a network heath analysis action, a data collection action or a combination thereof
• Once an action is invoked, the detection alert and recovery system may receive additional information (460) regarding whether the recovery action addressed the anomaly or whether additional actions are needed.
• FIG. 5 is a system diagram of acomputing device500 according to an example. Thecomputing device500, or various components and systems of thecomputing device500, may be integrated or associated with a detection alert and recovery system, a computing device, a server as well as the various systems described herein. As shown inFIG. 5, the physical components (e.g., hardware) of the computing device are illustrated and these physical components may be used to practice the various aspects of the present disclosure.
• Thecomputing device500 may include at least oneprocessing unit510 and asystem memory520. Thesystem memory520 may include, but is not limited to, volatile storage (e.g., random access memory), non-volatile storage (e.g., read-only memory), flash memory, or any combination of such memories. Thesystem memory520 may also include anoperating system530 that controls the operation of thecomputing device500 and one ormore program modules540. Theprogram modules540 may be responsible for detecting anomalies, executing rules and/oractions550 and so on. A number of different program modules and data files may be stored in thesystem memory520. While executing on theprocessing unit510, theprogram modules540 may perform the various processes described above.
• Thecomputing device500 may also have additional features or functionality. For example, thecomputing device500 may include additional data storage devices (e.g., removable and/or non-removable storage devices) such as, for example, magnetic disks, optical disks, or tape. These additional storage devices are labeled as aremovable storage560 and anon-removable storage570.
• Examples of the disclosure may also be practiced in an electrical circuit comprising discrete electronic elements, packaged or integrated electronic chips containing logic gates, a circuit utilizing a microprocessor, or on a single chip containing electronic elements or microprocessors. For example, examples of the disclosure may be practiced via a system-on-a-chip (SOC) where each or many of the components illustrated inFIG. 5 may be integrated onto a single integrated circuit. Such a SOC device may include one or more processing units, graphics units, communications units, system virtualization units and various application functionality all of which are integrated (or “burned”) onto the chip substrate as a single integrated circuit.
• When operating via a SOC, the functionality, described herein, may be operated via application-specific logic integrated with other components of thecomputing device500 on the single integrated circuit (chip). The disclosure may also be practiced using other technologies capable of performing logical operations such as, for example, AND, OR, and NOT, including but not limited to mechanical, optical, fluidic, and quantum technologies.
• Thecomputing device500 may include one ormore communication systems580 that enable thecomputing device500 to communicate withother computing devices595 such as, for example, routing engines, gateways, signings systems and the like. Examples ofcommunication systems580 include, but are not limited to, wireless communications, wired communications, cellular communications, radio frequency (RF) transmitter, receiver, and/or transceiver circuitry, a Controller Area Network (CAN) bus, a universal serial bus (USB), parallel, serial ports, etc.
• Thecomputing device500 may also have one or more input devices and/or one or more output devices shown as input/output devices590. These input/output devices590 may include a keyboard, a sound or voice input device, haptic devices, a touch, force and/or swipe input device, a display, speakers, etc. The aforementioned devices are examples and others may be used.
• The term computer-readable media as used herein may include computer storage media. Computer storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, or program modules.
• Thesystem memory520, theremovable storage560, and thenon-removable storage570 are all computer storage media examples (e.g., memory storage). Computer storage media may include RAM, ROM, electrically erasable read-only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other article of manufacture which can be used to store information and which can be accessed by thecomputing device500. Any such computer storage media may be part of thecomputing device500. Computer storage media does not include a carrier wave or other propagated or modulated data signal.
• Communication media may be embodied by computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and includes any information delivery media. The term “modulated data signal” may describe a signal that has one or more characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media may include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency (RF), infrared, and other wireless media.
• The description and illustration of one or more aspects provided in this application are not intended to limit or restrict the scope of the disclosure as claimed in any way. The aspects, examples, and details provided in this application are considered sufficient to convey possession and enable others to make and use the best mode of claimed disclosure. The claimed disclosure should not be construed as being limited to any aspect, example, or detail provided in this application. Regardless of whether shown and described in combination or separately, the various features (both structural and methodological) are intended to be selectively rearranged, included or omitted to produce an embodiment with a particular set of features. Having been provided with the description and illustration of the present application, one skilled in the art may envision variations, modifications, and alternate aspects falling within the spirit of the broader aspects of the general inventive concept embodied in this application that do not depart from the broader scope of the claimed disclosure.

Claims (20)

1. A method, comprising:

receiving network performance information associated with a namespace from a plurality of network information sources, wherein the namespace can be resolved at a plurality of endpoints, including at least a first endpoint and a second endpoint;

aggregating the network performance information associated with the namespace from each of the plurality of network information sources into data sets of varying scope, wherein the plurality of network information sources includes at least a computing device that accesses the namespace, and the network performance information includes at least a round-trip time or a latency between the computing device and an endpoint of the namespace ;

analyzing each of the data sets of varying scope to detect an anomaly associated with the namespace;

analyzing the anomaly with respect to one or more rules in a hierarchy of rules, the hierarchy of rules being based, at least in part, on a geographic scope associated with (1) the anomaly and (2) at least one of the plurality of endpoints; and

causing performance of an action among a plurality of actions to address the anomaly, the action being specified by the one or more rules in the hierarchy of rules, and the plurality of actions including at least an action of causing network traffic from a client computing device to the first endpoint to be rerouted to the second endpoint.

2. The method ofclaim 1, further comprising associating the anomaly with a score.

3. The method ofclaim 2, wherein analyzing the anomaly with respect to one or more rules in the hierarchy of rules occurs when the score associated with the anomaly is above a threshold.

4. The method ofclaim 1, further comprising:

receiving additional network performance information associated with the namespace from a second plurality of network information sources;

aggregating the additional network performance information associated with the namespace from each of the second plurality of network information sources into additional data sets of varying scope; and

analyzing the additional data sets of varying scope to verify a presence of the anomaly.

5. The method ofclaim 4, wherein analyzing the anomaly with respect to one or more rules in the hierarchy of rules occurs when analysis of the data sets and analysis of the additional data sets verify the presence of the anomaly.

6. The method ofclaim 4, wherein the data sets of varying scope are provided by a first network telemetry information system and the additional data sets of varying scope are provided by a second network telemetry information system.

7. The method ofclaim 1, wherein the hierarchy of rules is specific to the namespace.

8. The method ofclaim 1, wherein the hierarchy of rules is specific to the anomaly.

9. The method ofclaim 1, wherein the action is associated with a determined severity of the anomaly.

10. The method ofclaim 1, wherein the network performance information includes network topology information.

11. The method ofclaim 1, wherein the scope is associated with a geographic region.

12. The method ofclaim 1, wherein the scope is associated with a network.

13. A system, comprising:

a processor; and

a memory coupled to the processor and storing instructions that, when executed by the processor, perform operations, comprising:

receiving network performance information associated with a namespace from a plurality of network information sources, wherein the namespace can be resolved at a plurality of endpoints, including at least a first endpoint and a second endpoint;

aggregating the network performance information associated with the namespace into data sets of varying scope, wherein the plurality of network information sources includes at least a computing device that accesses the namespace, and the network performance information includes at least a round-trip time or a latency between the computing device and an endpoint of the namespace;

analyzing each of the data sets of varying scope to detect an anomaly associated with the namespace;

analyzing the anomaly based, at least in part, on a geographic scope associated with (1) the anomaly, and (2) at least one of the plurality of endpoints; and

based on detecting the anomaly, causing performance of an action among a plurality of actions to address the anomaly, the action being specified by one or more rules of a rule hierarchy, and the plurality of actions including at least an action of causing network traffic from a client computing device to the first endpoint to be rerouted to the second endpoint.

14. The system ofclaim 13, wherein one of the plurality of network information sources is a computing device.

15. The system ofclaim 13, further comprising instructions for analyzing the anomaly with respect to one or more rules in the rule hierarchy.

16. The system ofclaim 15, wherein the rule hierarchy is based, at least in part, on one or more of a scope associated with the anomaly and the namespace.

17. The system ofclaim 13, further comprising instructions for:

receiving additional network performance information associated with the namespace from a second plurality of network information sources;

aggregating the additional network performance information associated with the namespace from each of the second plurality of network information sources into additional data sets of varying scope; and

analyzing the additional data sets of varying scope to verify a presence of the anomaly.

18. The system ofclaim 17, wherein the data sets of varying scope are provided by a first network telemetry information system and the additional data sets of varying scope are provided by a second network telemetry information system.

19. The system ofclaim 13, wherein the scope is associated with at least one a geographic region or a network.

20. A method, comprising:

receiving a first set of network performance information associated with a namespace from a first plurality of network information sources;

aggregating the first set of network performance information associated with the namespace from each of the first plurality of network information sources into first data sets of varying scope, wherein the first plurality of network information sources includes at least a first computing device that accesses the namespace, and the first set of network performance information includes at least a round-trip time or a latency between the first computing device and a first endpoint of the namespace;

analyzing each of the first data sets of varying scope to determine a presence of an anomaly associated with the namespace;

receiving a second set of network performance information associated with the namespace from a second plurality of network information sources;

aggregating the second set of network performance information associated with the namespace from each of the second plurality of network information sources into second data sets of varying scope that correspond to the varying scopes of the first data sets, wherein the second plurality of network information sources includes at least a second computing device that accesses the namespace, and the second set of network performance information includes at least a round-trip time or a latency between the second computing device and a second endpoint of the namespace;

analyzing each of the second data sets of varying scope to determine the presence of the anomaly associated with the namespace, wherein the namespace can be resolved at a plurality of endpoints, including at least the first endpoint and the second endpoint;

analyzing the anomaly with respect to one or more rules in a hierarchy of rules, the hierarchy of rules being based, at least in part, on a geographic scope associated with (1) the anomaly, and (2) at least one of the plurality of endpoints; and

based on the presence of the anomaly being determined using the first data sets and the second data sets, causing performance of an action among a plurality of actions to address the anomaly, the action being specified by the one or more rules in the hierarchy of rules, and the plurality of actions including at least an action of causing network traffic from a client computing device to the first endpoint to be rerouted to the second endpoint.

Images