Some Cyclops users have been asking questions about the “Mark as False Alert” feature, so I would like to spend some time here trying to explain how this works. Cyclops triggers a variety of alerts based on conditions that each user inputs - “My Prefixes”, “My ASNs” and “My Neighbors”. These three lists is what Cyclops calls the user configuration. Ideally, Cyclops would discover and mirror the routing objects of each network automatically, so that the user configuration mirrors the network configuration. Unfortunately, Cyclops is still far from this point, and it still requires manual intervention to reduce both false positives and false negatives in alerting. That means that some alerts that users receive are false alerts, in the sense that the condition that triggered them is not aligned with  their current network configuration. The “Mark as False Alert” feature allow users to change the user configuration to reduce the false positives.

For example, if I have “New Prefix” alert condition ON  for AS52, I will receive alerts every time AS52 announces a prefix that is not present in “My Prefixes” list. If I click on “Mark as False Alert” for a “New Prefix” alert, i’m implicitly adding the prefix that triggered the alert to “My Prefixes” list, so that alerts on this prefix will stop. So basically, “Mark as False Alert” feature changes the user configuration to avoid future alerts from being triggered from the same condition, and thus reduce the number of false positives. We are still researching ways of how to deal with false negatives, more to come soon. –Ricardo

This entry was posted on Tuesday, September 8th, 2009 at 6:49 pm and is filed under 1. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.