Network Monitor with a Brain

Computerworld - There's a lot not to like about conventional computer performance monitoring tools, say the product developers at NetScout Systems Inc.: They're much too slow, they flag problems without diagnosing them, and they give so many false alerts they are often ignored.

NetScout, a Computerworld Horizon Award winner, says the answer lies in its Progressive Analytics offering, a statistical tool that learns normal network behavior over time and spots and diagnoses anomalies long before conventional tools are aware of them. It will be introduced commercially by the end of the year, the company says.

Progressive Analytics is the brainchild of Ron Hiller, now director of engineering analytics at NetScout in Westford, Mass. Hiller worked on network anomaly detection years ago at Bell Laboratories and, he says, "it became obvious that the standard approaches really don't work."

So Hiller found some venture capital, launched Quantiva Inc. in 2000 and began applying the lessons learned from telephone network problems. In April, NetScout bought Quantiva and began incorporating Hiller's work into its nGenius family of performance management products.

Hiller says traditional products are based on simple rules, such as sounding an alarm if percentage utilization of a resource or response time rises to some predetermined level. Users are encouraged to set the thresholds high to avoid false alerts, and they often don't get an alert soon enough to diagnose and respond before a service outage occurs.

But Hiller says Progressive Analytics detects anomalies by analyzing network traffic in real time and comparing it to normal patterns of behavior. It then automatically diagnoses the cause of the problem, rather than leaving that to manual efforts.

He says conventional tools are often not trusted because of false alarms.

"The network operations guy will come in in the morning and delete all the ones from the night before," he says. "If the phone never rings, he still has his job." Progressive Analytics reduces the number of false alerts by a factor of 100, he says.

Hiller says NetScout tested the technique on the network traffic of a major financial services Web site. "It found anomalies caused by a mainframe in the back office that the company's network operations center had not detected with their conventional tools," he says.

"I don't see this as something routine in the marketplace yet, and I think that it could provide some tremendous advantages for NetScout over time," says Dennis Drogseth, an analyst at Enterprise Management Associates in Boulder, Colo. "Quantiva brings them ... toward a higher-level value proposition that includes application as well as network performance at a more strategic level. This can enable them to reach up the food chain in IT toward more executive buyers."