In this example, the CAS is monitoring a public website providing an electronic channel for selling goods to a global customer base. Customers access the service through the Internet with Web browsers. All users are tracked individually by IP address.
Gathering requirements from observations
The following requirements for alerts were defined:
Detect problems when HTTP servers are not able to serve pages quickly enough.
Detect and inform about spiders/competition trying to harvest prices from our price pages.
Detect and inform about missing products.
These requirements were derived from the following observations and assumptions:
From time to time, due to the internal design of server processes, the Web servers have internal processing problems leading to slower execution of transactions and, over time, to application slow-down. Typically the servers respond to HTTP requests in around 150-200 ms, but when problems appear this increases to 500 ms, which is still not noticeable by users, and after 30-45 minutes, if no action is taken, response times reach 1 s, 5 s, and finally servers stop responding after 1 h. This does not concern any particular URL, is not related to the load, and is detectable on the server level.
The competition runs spider software on external computers with anonymous IP addresses. The software is trying to gather information about pricing by loading many different price pages (pages that contain the action=showprice parameter/string in the URL). Because the website is public and anonymous, there is no other way to prevent such situations than by automatically detecting IP addresses that load many price pages in short periods of time. Such addresses can then be banned.
Typical website users load no more than 25 pages in 5 minutes; anything above that is suspicious. If, in addition to that, most (>70%) pages are price pages, this indicates that we are dealing with a suspect address.
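The two thresholds above can be checked with a per-address sliding window. The following Python sketch is an added example, not part of the CAS product or its alert configuration; the URL paths, sample addresses and function names are assumptions, and only the action=showprice marker and the 25-page, 5-minute and 70% limits come from the text.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)      # observation period from the text
MAX_PAGES = 25                     # typical users load no more than this
PRICE_SHARE = 0.70                 # above this share of price pages: suspect
PRICE_MARKER = "action=showprice"  # identifies a price page URL

def find_suspect_ips(events):
    """events: (timestamp, ip, url) tuples sorted by timestamp.
    Returns {ip: (pages_in_window, price_share)} recorded the first time an
    address exceeds both thresholds inside one 5-minute sliding window."""
    windows = defaultdict(deque)       # ip -> (timestamp, is_price) in window
    price_pages = defaultdict(int)     # ip -> price pages currently in window
    suspects = {}
    for ts, ip, url in events:
        is_price = PRICE_MARKER in url
        win = windows[ip]
        win.append((ts, is_price))
        price_pages[ip] += is_price
        while ts - win[0][0] >= WINDOW:        # expire loads older than 5 min
            price_pages[ip] -= win.popleft()[1]
        share = price_pages[ip] / len(win)
        if ip not in suspects and len(win) > MAX_PAGES and share > PRICE_SHARE:
            suspects[ip] = (len(win), round(share, 2))
    return suspects

def sample_events():
    """Constructed page loads (documentation IP ranges), not real traffic."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events = []
    for i in range(40):   # harvester: 40 loads, 5 s apart, 90% price pages
        url = f"/shop?action=showprice&id={i}" if i % 10 else "/shop?action=home"
        events.append((t0 + timedelta(seconds=5 * i), "203.0.113.7", url))
    for i in range(30):   # busy customer: 30 loads in 4 min, 20% price pages
        url = f"/shop?action=showprice&id={i}" if i % 5 == 0 else f"/shop?page={i}"
        events.append((t0 + timedelta(seconds=8 * i), "198.51.100.20", url))
    for i in range(10):   # price-focused customer: only 10 loads, all price
        events.append((t0 + timedelta(seconds=20 * i), "192.0.2.5",
                       f"/shop?action=showprice&id={i}"))
    return sorted(events, key=lambda e: e[0])

if __name__ == "__main__":
    for ip, (pages, share) in find_suspect_ips(sample_events()).items():
        print(f"{ip}: {pages} pages in 5 min, {share:.0%} price pages")
```

Only the first address is reported: the busy customer exceeds the page count but not the price-page share, and the price-focused customer exceeds the share but not the page count, so neither is a candidate for banning.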
Sometimes, when there is a bad referral or a mistake in the page logic, the website user may ask to buy or quote a non-existent product. This causes the server to display the message "The requested product does not exist" and ask the user to start over again. To detect such errors, we will use metric alert reporting on Operation attributes(1).