  • DocumentCode
    1940164
  • Title
    Using parallel distributed reasoning for monitoring computing networks
  • Author
    Musman, S.
  • Author_Institution
    MITRE Corp., McLean, VA, USA
  • fYear
    2010
  • fDate
    Oct. 31 2010-Nov. 3 2010
  • Firstpage
    417
  • Lastpage
    422
  • Abstract
    We describe a distributed reasoning system called Otto-Mate that is used to detect, reason about, and respond to incidents on a computing network. Events for monitoring computing networks occur at different system levels. Some information might relate to data, some might be operating-system specific, some application or service related, some could be network related, and from each there will be compound events that describe incident effects and information about the situation context. All together there can be thousands of events per second. Today's approaches to monitoring networks are typically centralized, sending events over the network to a single engine for analysis. Centralized monitoring ultimately cannot scale to address the volume of events that one would ideally like to be able to monitor, so today's techniques often make severe compromises about the events they ingest. Centralized monitoring also creates a single point of failure and generates significant network load. To overcome these deficiencies we have developed a more distributed approach: our reasoner agents can (in theory) be installed on every monitored resource, and the reasoner language (used for programming the reasoners) enables knowledge in a reasoner's working memory to be synchronized across multiple reasoners, enabling them to implement parallel distributed reasoning algorithms that can detect event patterns irrespective of whether the events are local or remote. Distributing the reasoning makes the system extremely resilient. Additionally, since the knowledge shared between the reasoning agents represents summary information, and because many on-line event correlation algorithms suppress reporting once an incident has been reported, the network load needed to support distributed monitoring can actually be reduced. To demonstrate our approach we describe its application to the monitoring of a computing network that has been instrumented to protect it against 0-day email virus attacks.
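    The following is an added toy model of the architecture the abstract describes; it is not Otto-Mate code and does not use the paper's reasoner language. It assumes one reasoner agent per host, a hypothetical local rule ("mail attachment delivered, then a process spawned from it") whose result is shared with peers as a summary fact, and a cross-host rule (the same attachment hash flagged on three or more hosts) that any reasoner can fire from its synchronized working memory whether the supporting facts came from local or remote events. Host names, attachment hashes and the event stream are constructed for the illustration. It also compares the number of messages a centralized engine would need (every raw event) with the number of summary facts the distributed agents exchange, including the effect of suppressing re-publication once an incident is reported.

```python
"""Toy model of parallel distributed event correlation.

Constructed illustration, NOT Otto-Mate code or its reasoner language.
Each host runs a Reasoner with its own working memory; reasoners share
only summary facts over a Bus, every reasoner can fire the same
cross-host rule on local or received facts, and a reasoner that has
already reported an incident suppresses further publication about it.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    level: str   # 'data' | 'os' | 'app' | 'net' (assumed level names)
    kind: str    # e.g. 'mail_attachment', 'proc_spawn'
    key: str     # correlation key, here an attachment hash (hypothetical)
    t: float


class Bus:
    """Delivers summary facts between reasoners and counts messages sent."""

    def __init__(self):
        self.reasoners = []
        self.messages = 0

    def register(self, reasoner):
        self.reasoners.append(reasoner)

    def publish(self, sender, fact):
        for r in self.reasoners:
            if r is not sender:
                self.messages += 1
                r.receive(fact)


class Reasoner:
    """One agent per host: a local rule plus a synchronized cross-host rule."""

    def __init__(self, host, bus, threshold=3, window=60.0):
        self.host, self.bus = host, bus
        self.threshold, self.window = threshold, window
        self.local = []                      # raw events never leave this host
        self.wm = defaultdict(set)           # key -> hosts holding a suspicious fact
        self.reported = set()                # incidents already reported (suppression)
        self.incidents = []
        bus.register(self)

    def observe(self, ev):
        """Local rule: attachment delivered, then a process spawned from it."""
        self.local.append(ev)
        if ev.kind != "proc_spawn":
            return
        seen = any(e.kind == "mail_attachment" and e.key == ev.key
                   and 0 <= ev.t - e.t <= self.window for e in self.local)
        if not seen or ev.key in self.reported:
            return                           # no pattern, or already reported: suppress
        fact = ("suspicious_attachment", ev.key, self.host)
        self._assert(fact)
        self.bus.publish(self, fact)         # share the summary, not the raw events

    def receive(self, fact):
        self._assert(fact)                   # remote facts enter working memory as-is

    def _assert(self, fact):
        """Cross-host rule: the same key flagged on >= threshold distinct hosts."""
        _, key, host = fact
        self.wm[key].add(host)
        if key not in self.reported and len(self.wm[key]) >= self.threshold:
            self.reported.add(key)
            self.incidents.append((key, frozenset(self.wm[key])))


def run_scenario():
    """Replay a constructed event stream and compare network load."""
    hosts = ["ws1", "ws2", "ws3", "ws4", "ws5"]
    events = []
    for i, h in enumerate(hosts, 1):        # malicious attachment H1 reaches every host
        events.append(Event(h, "app", "mail_attachment", "H1", float(i)))
    for i, h in enumerate(hosts[:4], 10):   # four hosts spawn a process from it
        events.append(Event(h, "os", "proc_spawn", "H1", float(i)))
    for i, h in enumerate(["ws1", "ws3", "ws5"], 6):  # benign attachment H2
        events.append(Event(h, "app", "mail_attachment", "H2", float(i)))
    for i in range(8):                       # unrelated network noise
        events.append(Event(hosts[i % 5], "net", "flow", f"f{i}", 20.0 + i))
    events.sort(key=lambda e: e.t)

    bus = Bus()
    reasoners = {h: Reasoner(h, bus) for h in hosts}
    for ev in events:
        reasoners[ev.host].observe(ev)

    return {
        "centralized_messages": len(events),   # every raw event shipped to one engine
        "distributed_messages": bus.messages,  # only summary facts exchanged
        "incidents": {h: r.incidents for h, r in reasoners.items()},
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_scenario())
```

    In this run the fourth host's sighting is suppressed because the incident was already reported, so the agents exchange 12 summary messages while a central engine would have to receive all 20 raw events, and every reasoner independently reaches the same incident from a mix of local and remote facts.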
  • Keywords
    computer network security; computer viruses; electronic mail; inference mechanisms; parallel processing; Otto-Mate; computing networks; email virus attacks; operating system; parallel distributed reasoning algorithms; parallel distributed reasoning system; reasoner language; reasoning agents; Cognition; Correlation; Electronic mail; Monitoring; Sensors; Servers; Viruses (medical); autonomic response; distributed reasoning; event correlation; intelligent agents; network and security monitoring; parallel programs;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    MILITARY COMMUNICATIONS CONFERENCE, 2010 - MILCOM 2010
  • Conference_Location
    San Jose, CA
  • ISSN
    2155-7578
  • Print_ISBN
    978-1-4244-8178-1
  • Type
    conf
  • DOI
    10.1109/MILCOM.2010.5680347
  • Filename
    5680347