Event Correlation in Integrated Management: Lessons Learned and Outlook

When event correlation was first used in integrated management, in the early 1980s, several techniques devised by the artificial intelligence and database communities were applied to network element management for analyzing alarms sent by expensive, self-monitoring telephone switches. Today, it is used for detecting faults in wireless networks, for monitoring the performance of commodity, often non-self-aware devices in enterprise networks, for detecting intrusions in firewalls, for ascribing breaches in service level agreements to specific problems in the underlying IT infrastructure, etc. In other words, the problem to be solved has changed completely. Can today’s event correlators still meet customers’ expectations? If not, how should they evolve to meet them? In this paper, we try to capture the main lessons learned by the integrated management community in event correlation in the past 25 years, and to identify important challenges that we are faced with. By doing this, we hope to streamline and encourage research in this field, which needs better models, algorithms and systems to deal with ever more complex and integrated networks, systems and services.