Path: utzoo!attcan!uunet!zaphod.mps.ohio-state.edu!sdd.hp.com!ucsd!ucbvax!EXXON-VALDEZ.FT.CS.CMU.EDU!cmaeda
From: cmaeda@EXXON-VALDEZ.FT.CS.CMU.EDU (Christopher Maeda)
Newsgroups: comp.protocols.tcp-ip
Subject: How can you tell when too many ethernet collisions are occuring?
Message-ID: <9010271814.AA17575@ucbvax.Berkeley.EDU>
Date: 27 Oct 90 16:04:32 GMT
References: <69374@lll-winken.LLNL.GOV>
Sender: daemon@ucbvax.BERKELEY.EDU
Reply-To: cmaeda@CS.CMU.EDU
Organization: The Internet
Lines: 18

Roy Maxion did a paper on this in the last Fault Tolerant Computing
Conference (FTCS-20).  Basically, he keeps a vector of expected values
for collisions (also load, packet counts, etc) for each monitoring
epoch (currently 1 minute).  Newly observed data is compared with the
expected values and alarms are triggered if the values are not
consistent with expectations.  Note that the meaning of "consistent
with expectations" is a topic of current research.  One heuristic is
if the number of collisions is 3 stds above the mean.  The models are
also updated to take new observations into account using a kind of
exponential regression

Chris

ps:

Maxion, Roy A., Anomaly Detection for Diagnosis.  In 20th
International Symposium on Fault-Tolerant Computing (FTCS20),
(1990) 20-27.