System, method and computer program product for reading, correlating, processing, categorizing and aggregating events of any type
6931444
Abstract
A system, method and computer program product are provided for handling network accounting information. Initially, records indicative of network events are received from an input source. Next, action events are selected based on the input source. Such selected action events are then executed on the records for reading, correlating, processing, categorizing, and/or aggregating network accounting information associated with the records.
Claims
1. A method for handling network accounting information, comprising:
(a) receiving records indicative of network events from an input source;
(b) storing data associated with the records in a table, wherein the table includes a plurality of rows each containing a plurality of columns each including data of a different type, the data of each of the rows expiring after a predetermined time period;
(c) selecting action events based on the input source; and
(d) executing the selected action events on the records;
(e) wherein at least one of the action events is executed to delete the data of each of the rows upon expiring;
(f) wherein multiple action events are executed in parallel;
(g) wherein the action events operate on the network accounting information and are selected from the group consisting of usage metering, reading, tracking, correlating, and aggregating;
(h) wherein the execution of the selected action events includes: discarding records stored during the execution of previous action events, parsing configuration data associated with the selected action events, and utilizing the parsed configuration data to repeat at least one of operations (a)-(d);
(i) wherein a configuration event defines a plurality of action events by specifying code capable of executing each action event.
2. The method as recited in claim 1, wherein the network accounting information includes a session source, destination, user name, duration, time, date, type of server, and volume of data transferred.
3. The method as recited in claim 1, wherein an initialization event is executed for preparing for the receipt of the records.
4. The method as recited in claim 3, wherein the initialization event includes reading the configuration data, creating tables, and creating input sources.
5. The method as recited in claim 4, wherein creating the input sources utilizes the configuration data.
6. A method for handling network accounting information of any type, comprising:
(a) reading configuration data which defines a table by specifying at least one field identifier and a timeout type and period, the configuration data further defining a plurality of input sources by specifying at least one parameter for each input source, the configuration data further defining a plurality of action events by specifying code capable of executing each action event;
(b) creating the table defined by the field identifier of the configuration data;
(c) initializing the input sources;
(d) receiving records indicative of network events from the initialized input sources;
(e) storing the records in the table;
(f) selecting action events based on the input source associated with the received records;
(g) executing the selected action events on the records utilizing event handlers; and
(h) deleting the records upon expiring in accordance with the timeout type and period of the configuration data;
(i) wherein at least one of the action events is executed to determine whether the data of each of the rows is deleted upon expiring;
(j) wherein multiple action events are executed in parallel;
(k) wherein the action events operate on the network accounting information and are selected from the group consisting of usage metering, reading, tracking, correlating, and aggregating;
(l) wherein the execution of the selected action events includes: discarding records stored during the execution of previous action events, parsing configuration data associated with the selected action events, and utilizing the parsed configuration data to repeat at least one of operations (a)-(h);
(m) wherein a configuration event defines a plurality of action events by specifying code capable of executing each action event.
7. The method as recited in claim 6, wherein the configuration data is written in an XML format.
8. The method as recited in claim 6, wherein the configuration data includes an XML header, a tables section, an input section, and an events section.
9. The method as recited in claim 8, wherein the tables section includes a name attribute, a poolsize attribute, and a flushhandlers attribute.
10. The method as recited in claim 8, wherein the input section includes a name attribute, a type attribute, and a handlers attribute.
11. The method as recited in claim 10, wherein the handlers attribute contains a list of events that are triggered when each record arrives at the input source.
12. The method as recited in claim 8, wherein the events section includes a name attribute.
13. The method as recited in claim 6, wherein the configuration data includes a fields section.
14. The method as recited in claim 13, wherein the fields section includes a name attribute, a type attribute, a key attribute, an overflow attribute, and a comment attribute.
15. The method as recited in claim 6, wherein the configuration data includes a timeouts section.
16. The method as recited in claim 15, wherein the timeouts section includes a type attribute and a period attribute.
17. The method as recited in claim 6, wherein the configuration data includes a params section.
18. The method as recited in claim 17, wherein the params section includes a name attribute and a value attribute.
19. A data structure embodied on a computer readable medium for handling network accounting information of any type, comprising:
(a) a configuration data object which defines a table by specifying at least one field identifier and a timeout type and period, the configuration data object further defining a plurality of input sources by specifying at least one parameter for each input source, the configuration data object further defining a plurality of action events by specifying code capable of executing each action event;
(b) wherein the configuration data object is adapted for being used to create the table defined by the field identifier of the configuration data object, initialize the input sources, and load event handlers with the code included with the configuration data object;
(c) wherein multiple action events are capable of being executed in parallel;
(d) wherein the action events are capable of operating on the network accounting information and are selected from the group consisting of usage metering, reading, tracking, correlating, and aggregating;
(e) wherein the execution of the selected action events includes: discarding records stored during the execution of previous action events and parsing configuration data associated with the selected action events;
(f) wherein a configuration event defines a plurality of action events by specifying code capable of executing each action event.
Description
FIELD OF THE INVENTION
The present invention relates to network accounting, and more particularly to collecting and processing network accounting information.
BACKGROUND OF THE INVENTION
As Internet Service Providers (ISPs) continue to differentiate themselves by providing additional services, enterprise information technology managers face similar problems in accounting for the escalating Internet operating costs. Therefore, ISPs and enterprise information technology managers want to account for session logging, bandwidth usage, directory data and application session information from a variety of sources.
Due to the diversity of IP data sources (e.g. routers, hubs, etc.), the need for effective tracking far exceeds the problems addressed by telephone companies. Telephone companies track information such as circuit usage so it can be correlated with account information. For example, businesses may use leased lines, consumers may have "Friends and Family" plans, cellular users have different roaming charges according to the location of the user, etc. Typically, the phone company captures all of the data and uses batch processing to aggregate the information into specific user accounts. For example, all the long distance calls made during a billing period are typically correlated with the Friends and Family list for each phone account at the end of a billing period for that account. This requires a significant amount of computing power. However, this type of problem is significantly simpler than attempting to track and bill for every transaction in an IP network. Therefore, what is desired is a system that allows for accounting and billing of transactions on IP based networks.
The problem is even more difficult in an IP network because many information sources can exist at many different levels of the OSI network model, throughout heterogeneous networks. Potential sources of information include packets generated by routers, firewall authentication logging, email data, ISP session logging, and application layer use information.
One proposed solution is described in PCT application WO9927556A2 entitled "NETWORK ACCOUNTING AND BILLING SYSTEM AND METHOD" and published Jun. 3, 1999. Such system includes gatherer devices that gather detailed information from various information source devices and convert the information into standardized information. The gatherer devices can correlate the gathered information with account information for network transaction accounting. Manager devices manage the gatherer devices and store the gathered standardized information. The manager devices eliminate duplicate network information that may exist in the standardized information. The manager devices also consolidate the information. Importantly, the information stored by the manager devices represents the consolidated, account correlated, network transaction information that can be used for billing or network accounting. The system thereby provides a distributed network accounting and billing system.
While the foregoing system is effective, it lacks efficiency since it may treat information from different data input sources in a similar manner. This often results in a reduction in overall system speed and performance. There is therefore a need for a technique of dealing with information from different data input sources in a more tailored, dynamic and efficient manner in order to effect improvements in system speed and performance.
DISCLOSURE OF THE INVENTION
A system, method and computer program product are provided for handling network accounting information. Initially, records indicative of network events are received from an input source. Next, action events are selected based on the input source. Such selected action events are then executed on the records for reading, correlating, processing, categorizing, and/or aggregating network accounting information associated with the records.
The present invention thus acts as an efficient, fast correlator and aggregator. It is meant to handle a very high flow of input records by performing the entire correlation and aggregation stages inside one module, using a specialized language and compiler process.
In one embodiment of the present invention, the action events may include computer code for executing a process involving the records. Further, the computer code may be compiled prior to the execution thereof. In order to accelerate processing, multiple action events may be executed in parallel.
In another embodiment of the present invention, data associated with the records may be stored in a table. Such table may include a plurality of rows each containing a plurality of columns each including data of a different type. Optionally, the data of each of the rows may expire after a predetermined time period. Upon the expiration of the data, an action event may be executed to determine whether the data of each of the rows is deleted.
In one specific embodiment of the present invention, a method is provided for handling network accounting information of any type, including: reading configuration data which defines a table by specifying at least one field identifier and a timeout type and period, the configuration data further defining a plurality of input sources by specifying at least one parameter for each input source, the configuration data further defining a plurality of action events by specifying code capable of executing each action event; creating the table defined by the field identifier of the configuration data; initializing the input sources; loading event handlers with the code included with the configuration data; receiving records indicative of network events from the initialized input sources; storing the records in the table; selecting action events based on the input source associated with the received records; executing the selected action events on the records utilizing the event handlers; and deleting the records upon expiring in accordance with the timeout type and period of the configuration data; wherein at least one of the action events is executed to determine whether the data of each of the rows is deleted upon expiring. The execution of the selected action events includes: discarding records stored during the execution of previous action events, parsing the configuration data associated with the selected action events, and utilizing the parsed configuration data to repeat the initialization operations.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 illustrates a method for handling network accounting information;
FIG. 2 illustrates a flowchart setting forth additional information regarding the initialization operation of FIG. 1;
FIG. 3 shows a flowchart setting forth additional information regarding the execution of the selected action events set forth in FIG. 1;
FIG. 3A illustrates an exemplary environment in which the present invention may be implemented;
FIG. 4 illustrates a complete list of supported operators in accordance with one embodiment of the present invention;
FIG. 5 shows a table that summarizes the allowed comparison operators for each data type; and
FIG. 6 is a table that summarizes the allowed bitwise operators for each data type.
DESCRIPTION OF THE PREFERRED EMBODIMENTS
FIG. 1 illustrates a method 100 for handling network accounting information. Examples of such network accounting information may include, but are not limited to a session's source, destination, user name, duration, time, date, type of server, volume of data transferred, etc. It should be noted that the network accounting information may be handled for any reason including, but not limited to usage metering, reading, tracking, correlating, aggregating, or any other process associated with the network accounting information.
Initially, in operation 101, an initialization procedure is executed for preparing the present invention for the receipt of records. Additional information regarding the initialization operation 101 will be set forth in greater detail during reference to FIG. 2. Thereafter, in decision 102, the receipt of records is monitored.
Upon incoming records being detected, such records are received from an input source. Note operation 103. Next, in operation 104, action events are selected based on the input source. As an option, the action events may include computer code for executing a process using the records. Further, the computer code may be compiled prior to the execution thereof.
In operation 106, such selected action events are then executed on the records for usage metering, reading, tracking, correlating, aggregating, or any other process associated with the network accounting information. In order to accelerate processing, multiple action events may be executed in parallel. Additional information regarding the execution of action events will be set forth in greater detail during reference to FIG. 3.
It should be understood that the initialization procedure and configuration data structure permit the creation of the tables in which the records are stored, initialization of the input sources from which the records are received, and defining of action events. The initialization procedure and configuration data structure thus enable the present invention to specifically tailor the computer code of the action events as a function of a particular "type" of the input source. As such, the present invention effectively accommodates a variety of received records. Resulting is a correlator and aggregator system that is efficient and fast.
FIG. 2 illustrates a flowchart setting forth additional information regarding the initialization operation 101 of FIG. 1. As shown, initialization begins by reading configuration data, as indicated in operation 202. Additional information regarding the initialization procedure 101 and configuration data structure will be set forth hereinafter during reference to the section entitled "Configuration File."
Next, in operation 204, proper tables are created and/or initialized in memory utilizing the configuration data. As will soon become apparent, data associated with the records may be stored in such tables. Such tables may include a plurality of rows each containing a plurality of columns each including data of a different type. Optionally, the data of each of the rows may expire after a predetermined time period. Upon the expiration of the data, an action event may be executed to determine whether the data of each of the rows is deleted.
In operation 206, the input sources may be created and/or initialized utilizing the configuration data for receiving the records therefrom. Subsequently, event handlers may be loaded utilizing the configuration data for dealing with records when received. Note operation 208.
FIG. 3 illustrates a flowchart setting forth additional information regarding the execution of the selected action events in operation 106 of FIG. 1. As shown, any current results, i.e. aggregations, of previous processing are discarded, or flushed. Note operation 302. Next, configuration data associated with the selected action event(s) is parsed, as set forth in operation 304.
Based on the parsing in operation 304, the minimal set of entities that have changed are re-initialized. See operation 306. As will soon become apparent, such entities may refer to a table, input source, and/or an action event (as defined by the configuration data). Further, the re-initialization process of operation 306 may be similar to operation 101 of FIG. 1 which is described in detail during reference to FIG. 2.
FIG. 3A illustrates an exemplary environment in which the present invention may be implemented. It should be noted that the present invention may be implemented in any desired system environment, and the system of FIG. 3A is presented for illustrative purposes. As shown, a number of information source modules (ISMs) are provided including an ISM 310, an ISM 320, an ISM 330, an ISM 340, and an ISM 350.
The system further includes a number of network devices, such as a proxy server 301, a domain name server (DNS) 302, a firewall 303, an LDAP 306, a CISCO Netflow 304, and a radius server 305. The system also includes a number of gatherers 361 including a gatherer 362, a gatherer 363, a gatherer 364, a gatherer 365, and a gatherer 366. The system of FIG. 3A also includes a central event manager (CEM) 370 and a central database 375. The system also includes a user interface server 385 and a number of terminals or clients 380. Such system components are coupled, as shown in FIG. 3A.
In use, the various ISMs 310 may gather records by way of the gatherers 361 in a manner that is well known to those of ordinary skill. Upon gathering such records, the CEM 370 may process the information in accordance with FIGS. 1-3. For further information on possible workings of the various components of FIG. 3A, reference may be made to PCT application WO9927556A2 entitled "NETWORK ACCOUNTING AND BILLING SYSTEM AND METHOD" published Jun. 3, 1999, which is incorporated herein by reference in its entirety.
In one embodiment, the foregoing exemplary system may employ an operating system such as the Microsoft Windows NT or Windows/95 Operating System (OS), the IBM OS/2 operating system, the MAC OS, or UNIX operating system. It will be appreciated that a preferred embodiment may also be implemented on platforms and operating systems other than those mentioned. One preferred embodiment may be written using JAVA, C, and/or C++ language, or other programming languages, along with an object oriented programming methodology. Object oriented programming (OOP) has become increasingly used to develop complex applications.
Additional information will now be set forth regarding a specific exemplary implementation, i.e. configuration, of the present invention. In one embodiment, the present invention defines a plurality of entities. Table 1 sets forth such entities.
TABLE 1

| Entity | Description |
| --- | --- |
| Table | A Table is an entity used by the present invention to store and aggregate data. A Table can be thought of as a collection of rows, each containing a set of predefined columns, each column of a different type. Rows always expire after a predefined period of time, at which point an event function is called in order to possibly delete them and output their content. |
| Input Source | An input source is a data source, which the present invention listens to. An input source provides a flow of input records, which may be dealt with in the present invention. The arrival of input records usually triggers a set of events defined in the present invention. |
| Event | An event is defined as user code, which is invoked upon a certain condition. For example, events are invoked when the system receives an input record to process or when a table row expires. |

Since one of the capabilities of the present invention is to handle very fast flows of input records, various steps may be taken in order to improve performance. For example, the present invention may make use of different threads to process the events. This allows for different input records to be processed in parallel fashion when run on an SMP (Symmetrical Multi Processing) Machine.
The present invention may take the configuration data passed to it, and compile it using a C++ compiler and a set of classes into an object, which performs the requested operations and uses that object dynamically, re-creating the C++ code and recompiling it whenever a configuration change occurs. In this way, the code created to handle the aggregation requested by the user is compiled specifically per that configuration/aggregation. This has the capability of really speeding things up.
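The Table, Input Source and Event entities described above, with event selection per input source and row expiry, as an added Python example (not code from the patent, which describes compiled C++). The dict-based configuration, the `idle` and `absolute` timeout types, and all handler, field and record names are assumptions, and the sample records are constructed.

```python
# Constructed configuration: dict layout, timeout type names and handler names
# are assumptions for illustration, not the patent's XML schema.
CONFIG = {
    "tables": {
        "sessions": {"key": "ip", "timeout": ("idle", 300), "flushhandlers": []},
        "usage": {"key": "user", "timeout": ("absolute", 60),
                  "flushhandlers": ["emit_usage"]},
    },
    "inputs": {"radius": {"handlers": ["bind_session"]},
               "netflow": {"handlers": ["add_bytes"]}},
}

class Table:
    """Rows keyed on one field; every row carries its own expiry deadline."""
    def __init__(self, key, timeout):
        self.key, (self.kind, self.period) = key, timeout
        self.rows = {}  # key value -> {"data": dict, "deadline": number}

    def upsert(self, key_value, now, update):
        row = self.rows.get(key_value)
        if row is None:
            row = self.rows[key_value] = {"data": {self.key: key_value},
                                          "deadline": now + self.period}
        elif self.kind == "idle":  # idle rows stay alive while touched
            row["deadline"] = now + self.period
        update(row["data"])

    def expired(self, now):
        return [k for k, r in self.rows.items() if r["deadline"] <= now]

class Engine:
    def __init__(self, config, events):
        tables = config["tables"]
        self.tables = {n: Table(t["key"], t["timeout"]) for n, t in tables.items()}
        self.flush = {n: [events[h] for h in t["flushhandlers"]]
                      for n, t in tables.items()}
        # Action events are bound to each input source once, at initialization.
        self.handlers = {n: [events[h] for h in i["handlers"]]
                         for n, i in config["inputs"].items()}
        self.output = []

    def receive(self, source, record, now):
        for handler in self.handlers[source]:  # selection by input source
            handler(self, record, now)

    def tick(self, now):
        for name, table in self.tables.items():
            for key in table.expired(now):
                # A flush handler returning False keeps the expired row.
                if all(h(self, table.rows[key]["data"]) for h in self.flush[name]):
                    del table.rows[key]

def bind_session(engine, rec, now):  # correlate: IP address -> user name
    engine.tables["sessions"].upsert(rec["ip"], now,
                                     lambda d: d.update(user=rec["user"]))

def add_bytes(engine, rec, now):  # aggregate: bytes per user
    session = engine.tables["sessions"].rows.get(rec["src"])
    user = session["data"]["user"] if session else "unknown"
    engine.tables["usage"].upsert(
        user, now, lambda d: d.update(bytes=d.get("bytes", 0) + rec["bytes"]))

def emit_usage(engine, row):  # flush event: output the row, allow deletion
    engine.output.append(dict(row))
    return True

EVENTS = {f.__name__: f for f in (bind_session, add_bytes, emit_usage)}

def run_sample():
    engine = Engine(CONFIG, EVENTS)
    engine.receive("radius", {"ip": "10.0.0.5", "user": "alice"}, now=0)
    engine.receive("netflow", {"src": "10.0.0.5", "bytes": 1200}, now=10)
    engine.receive("netflow", {"src": "10.0.0.5", "bytes": 800}, now=20)
    engine.receive("netflow", {"src": "10.0.0.9", "bytes": 50}, now=30)
    engine.tick(now=59)             # before any deadline
    early = list(engine.output)
    engine.tick(now=90)             # both usage rows are past 60 s
    return early, engine.output
```

Flow records with no matching session are aggregated under `unknown` rather than dropped, so unattributed traffic still shows up in the flushed output.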
Configuration File
The present invention is set up using configuration data, which may be written in the XML format. The XML configuration data is composed of a XML header, a TABLES section, an INPUT section, and an EVENTS section. Example 1 illustrates exemplary configuration data.
EXAMPLE 1
- Inventors: Schweitzer, Limor
- Assignee: Amdocs (Israel) Ltd. (Ra'anana, IL)
- Published: Aug-16-2005
- Current US Classes: 705/34 709/223 709/224 709/230 709/241 709/242 709/243
- Application #: 865909
- International Classes: G06F 015/17.3
- Field of Search: 709/223 709/224 709/230 709/241 709/242 709/243 707/1 707/10 707/101 705/34 703/27 713/201 700/90 370/389 370/394 379/114.04
- Examiner: Harvey; Jack B.
- Agent: Zilka-Kotab, PC
- US Patent References: 5101402 5151899 5500855 5509123 5615351 5778350 5781729 5796942 5856972 5878420 5893077 5958010 5964841 6016340 6032147 6119109 6175867 6208977 6243667 6260072 6308148