User state tracking and anomaly detection in software-as-a-service environments
First Claim
1. A method for improving a log management system in a Software-As-A-Service (SaaS) environment having a plurality of cloud applications, the log management system normally configured to consolidate log source event data to detect anomalies, comprising:
- obtaining, from each of a set of cloud applications, user state data with respect to one or more resources as users interact with the cloud application, wherein given cloud applications in the set have operating dependencies on one another based at least in part on a user state;
- for a given cloud application in the set, mapping the user state data to a reduced set of states, the reduced set of states including at least a first state indicating an acceptable functioning state with respect to a user and resource at the given cloud application, and a second state indicating a malfunctioning state with respect to the user and resource at the given cloud application;
- monitoring requests between or among the set of cloud applications;
- building a dependency graph based on dependency relationships between respective ones of the cloud applications, the dependency graph being a directed graph of nodes and edges, wherein a node in the directed graph represents a cloud application user and resource, and an edge in the directed graph represents a dependency link between resources, the dependency relationships discovered by monitoring the requests; and
- outputting the reduced set of states together with dependency information derived from the dependency graph to improve performance of the log management system to facilitate a logging operation and detect anomalies.
Abstract
A user state tracking and anomaly detector for multi-tenant SaaS applications operates in association with a log management solution, such as a SIEM. A given SaaS application has many user STATES, and the applications often have dependencies on one another that arise, for example, when a particular application makes a request (typically on behalf of a user) to take some action with respect to another application. The detector includes a mapper that maps the large number of user STATES to a reduced number of mapped states (e.g., “red” and “green”), and a dependency module that generates user-resource dependency graphs. Using a dependency graph, a SaaS modeler in the detector checks whether a particular dependency-based request associated with a SaaS application is valid. State and dependency information generated by the mapper and dependency module are reported back to the log management solution to facilitate improved logging and anomaly detection.
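The mapper, dependency module and modeler described in the abstract, sketched as an added example (not code from the patent or its assignee). The raw state names, node tuples and the validity policy (a request is valid only on a previously observed edge whose two endpoints are both green, with unknown states treated as red) are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed raw states; the page only says many raw states collapse to a
# reduced set such as "green" and "red". Unlisted states map to red.
GREEN_RAW = {"logged_in", "token_valid", "share_granted"}

def map_state(raw):
    """Mapper: reduce a raw user state to green (acceptable) or red (malfunctioning)."""
    return "green" if raw in GREEN_RAW else "red"

class Detector:
    def __init__(self):
        self.states = {}                # (app, user, resource) -> "green"/"red"
        self.deps = defaultdict(set)    # node -> nodes it has been seen calling

    def observe_state(self, node, raw):
        self.states[node] = map_state(raw)

    def learn(self, src, dst):
        """Dependency module: a monitored request src -> dst adds a directed edge."""
        self.deps[src].add(dst)

    def check(self, src, dst):
        """Modeler (assumed policy): valid only on a known edge between green nodes."""
        src_state = self.states.get(src, "red")   # unknown state fails closed
        dst_state = self.states.get(dst, "red")
        if dst not in self.deps.get(src, ()):
            verdict = "unknown_dependency"
        elif "red" in (src_state, dst_state):
            verdict = "red_endpoint"
        else:
            verdict = "valid"
        # Record handed to the log management system: reduced states plus the edge.
        return {"src": src, "dst": dst, "verdict": verdict,
                "src_state": src_state, "dst_state": dst_state}

def demo():
    crm = ("crm", "alice", "contacts")            # constructed nodes
    mail = ("mail", "alice", "mailbox")
    files = ("files", "alice", "payroll.xlsx")
    d = Detector()
    for node, raw in [(crm, "logged_in"), (mail, "token_valid"), (files, "token_valid")]:
        d.observe_state(node, raw)
    d.learn(crm, mail)                            # baseline: crm acts on mail for alice
    results = [d.check(crm, mail)["verdict"], d.check(crm, files)["verdict"]]
    d.observe_state(mail, "token_revoked")        # mail now malfunctioning for alice
    results.append(d.check(crm, mail)["verdict"])
    return results

if __name__ == "__main__":
    print(demo())
```
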
18 Claims
7. Apparatus, comprising:
- a processor;
- computer memory holding computer program instructions executed by the processor to improve a log management system in a Software-As-A-Service (SaaS) environment having a plurality of cloud applications, the log management system normally configured to consolidate log source event data to detect anomalies, the computer program instructions comprising program code configured to:
- obtain, from each of a set of cloud applications, user state data with respect to one or more resources as users interact with the cloud application, wherein given cloud applications in the set have operating dependencies on one another based at least in part on a user state;
- for a given cloud application in the set, map the user state data to a reduced set of states, the reduced set of states including at least a first state indicating an acceptable functioning state with respect to a user and resource at the given cloud application, and a second state indicating a malfunctioning state with respect to the user and resource at the given cloud application;
- monitor requests between or among the set of cloud applications;
- build a dependency graph based on dependency relationships between respective ones of the cloud applications, the dependency graph being a directed graph of nodes and edges, wherein a node in the directed graph represents a cloud application user and resource, and an edge in the directed graph represents a dependency link between resources, the dependency relationships discovered by monitoring the requests; and
- provide the reduced set of states together with dependency information derived from the dependency graph to improve performance of the log management system to facilitate a logging operation and detect anomalies.
13. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions executed by the data processing system to improve a log management system in a Software-As-A-Service (SaaS) environment having a plurality of cloud applications, the log management system normally configured to consolidate log source event data to detect anomalies, the computer program instructions comprising program code operative to:
- obtain, from each of a set of cloud applications, user state data with respect to one or more resources as users interact with the cloud application, wherein given cloud applications in the set have operating dependencies on one another based at least in part on a user state;
- for a given cloud application in the set, map the user state data to a reduced set of states, the reduced set of states including at least a first state indicating an acceptable functioning state with respect to a user and resource at the given cloud application, and a second state indicating a malfunctioning state with respect to the user and resource at the given cloud application;
- monitor requests between or among the set of cloud applications;
- build a dependency graph based on dependency relationships between respective ones of the cloud applications, the dependency graph being a directed graph of nodes and edges, wherein a node in the directed graph represents a cloud application user and resource, and an edge in the directed graph represents a dependency link between resources, the dependency relationships discovered by monitoring the requests; and
- provide the reduced set of states together with dependency information derived from the dependency graph to improve performance of the log management system to facilitate a logging operation and detect anomalies.
Specification