User state tracking and anomaly detection in software-as-a-service environments

US 10,200,387 B2
Filed: 11/30/2015
Issued: 02/05/2019
Est. Priority Date: 11/30/2015
Status: Active Grant

First Claim

Patent Images

1. A method for improving a log management system in a Software-As-A-Service (SaaS) environment having a plurality of cloud applications, the log management system normally configured to consolidate log source event data to detect anomalies, comprising:

obtaining, from each of a set of cloud applications, user state data with respect to one or more resources as users interact with the cloud application, wherein given cloud applications in the set have operating dependencies on one another based at least in part on a user state;

for a given cloud application in the set, mapping the user state data to a reduced set of states, the reduced set of states including at least a first state indicating an acceptable functioning state with respect to a user and resource at the given cloud application, and a second state indicating a malfunctioning state with respect to the user and resource at the given cloud application;

monitoring requests between or among the set of cloud applications;

building a dependency graph based on dependency relationships between respective ones of the cloud applications, the dependency graph being a directed graph of nodes and edges, wherein a node in the directed graph represents a cloud application user and resource, and an edge in the directed graph represents a dependency link between resources, the dependency relationships discovered by monitoring the requests; and

outputting the reduced set of states together with dependency information derived from the dependency graph to improve performance of the log management system to facilitate a logging operation and detect anomalies.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A user state tracking and anomaly detector for multi-tenant SaaS applications operates in association with a log management solution, such as a SIEM. A given SaaS application has many user STATES, and the applications often have dependencies on one another that arise, for example, when a particular application makes a request (typically on behalf of a user) to take some action with respect to another application. The detector includes a mapper that maps the large number of user STATES to a reduced number of mapped states (e.g., “red” and “green”), and a dependency module that generates user-resource dependency graphs. Using a dependency graph, a SaaS modeler in the detector checks whether a particular dependency-based request associated with a SaaS application is valid. State and dependency information generated by the mapper and dependency module are reported back to the log management solution to facilitate improved logging and anomaly detection.

64 Citations

View as Search Results

18 Claims

1. A method for improving a log management system in a Software-As-A-Service (SaaS) environment having a plurality of cloud applications, the log management system normally configured to consolidate log source event data to detect anomalies, comprising:
- obtaining, from each of a set of cloud applications, user state data with respect to one or more resources as users interact with the cloud application, wherein given cloud applications in the set have operating dependencies on one another based at least in part on a user state;
  
  for a given cloud application in the set, mapping the user state data to a reduced set of states, the reduced set of states including at least a first state indicating an acceptable functioning state with respect to a user and resource at the given cloud application, and a second state indicating a malfunctioning state with respect to the user and resource at the given cloud application;
  
  monitoring requests between or among the set of cloud applications;
  
  building a dependency graph based on dependency relationships between respective ones of the cloud applications, the dependency graph being a directed graph of nodes and edges, wherein a node in the directed graph represents a cloud application user and resource, and an edge in the directed graph represents a dependency link between resources, the dependency relationships discovered by monitoring the requests; and
  
  outputting the reduced set of states together with dependency information derived from the dependency graph to improve performance of the log management system to facilitate a logging operation and detect anomalies.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as described in claim 1 wherein user state data is collected for a single tenant enterprise in the SaaS environment.
  - 3. The method as described in claim 1 further including assessing whether a dependency request is valid according to the dependency graph by executing a graph path traversal algorithm that identifies a subset of nodes reached from a dependency request starting point and determines whether a last node reached from the dependency request starting point is a given dependency.
  - 4. The method as described in claim 3 further including providing an indication that the dependency request has been determined to be valid.
  - 5. The method as described in claim 1 wherein the logging operation is provided by the log management system.
  - 6. The method as described in claim 1 wherein the user state data is obtained by receiving user state data provided by the given cloud application or by polling the given cloud application to provide such data.

7. Apparatus, comprising:
- a processor;
  
  computer memory holding computer program instructions executed by the processor to improve a log management system in a Software-As-A-Service (SaaS) environment having a plurality of cloud applications, the log management system normally configured to consolidate log source event data to detect anomalies, the computer program instructions comprising program code configured to;
  
  obtain, from each of a set of cloud applications, user state data with respect to one or more resources as users interact with the cloud application, wherein given cloud applications in the set have operating dependencies on one another based at least in part on a user state;
  
  for a given cloud application in the set, map the user state data to a reduced set of states, the reduced set of states including at least a first state indicating an acceptable functioning state with respect to a user and resource at the given cloud application, and a second state indicating a malfunctioning state with respect to the user and resource at the given cloud application;
  
  monitor requests between or among the set of cloud applications;
  
  build a dependency graph based on dependency relationships between respective ones of the cloud applications, the dependency graph being a directed graph of nodes and edges, wherein a node in the directed graph represents a cloud application user and resource, and an edge in the directed graph represents a dependency link between resources, the dependency relationships discovered by monitoring the requests; and
  
  provide the reduced set of states together with dependency information derived from the dependency graph to improve performance of the log management system to facilitate a logging operation and detect anomalies.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus as described in claim 7 wherein user state data is collected for a single tenant enterprise in the SaaS environment.
  - 9. The apparatus as described in claim 7 wherein the program code also assesses whether a dependency request is valid according to the dependency graph by executing a graph path traversal algorithm that identifies a subset of nodes reached from a dependency request starting point and determines whether a last node reached from the dependency request starting point is a given dependency.
  - 10. The apparatus as described in claim 9 wherein the program code provides an indication that the dependency request has been determined to be valid.
  - 11. The apparatus as described in claim 7 wherein the logging operation is provided by the log management system.
  - 12. The apparatus as described in claim 7 wherein the user state data is obtained by receiving user state data provided by the given cloud application or by polling the given cloud application to provide such data.

13. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions executed by the data processing system to improve a log management system in a Software-As-A-Service (SaaS) environment having a plurality of cloud applications, the log management system normally configured to consolidate log source event data to detect anomalies, the computer program instructions comprising program code operative to:
- obtain, from each of a set of cloud applications, user state data with respect to one or more resources as users interact with the cloud application, wherein given cloud applications in the set have operating dependencies on one another based at least in part on a user state;
  
  for a given cloud application in the set, map the user state data to a reduced set of states, the reduced set of states including at least a first state indicating an acceptable functioning state with respect to a user and resource at the given cloud application, and a second state indicating a malfunctioning state with respect to the user and resource at the given cloud application;
  
  monitor requests between or among the set of cloud applications;
  
  build a dependency graph based on dependency relationships between respective ones of the cloud applications, the dependency graph being a directed graph of nodes and edges, wherein a node in the directed graph represents a cloud application user and resource, and an edge in the directed graph represents a dependency link between resources, the dependency relationships discovered by monitoring the requests; and
  
  provide the reduced set of states together with dependency information derived from the dependency graph to improve performance of the log management system to facilitate a logging operation and detect anomalies.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer program product as described in claim 13 wherein user state data is collected for a single tenant enterprise in the SaaS environment.
  - 15. The computer program product as described in claim 13 wherein the program code also assesses whether a dependency request is valid according to the dependency graph by executing a graph path traversal algorithm that identifies a subset of nodes reached from a dependency request starting point and determines whether a last node reached from the dependency request starting point is a given dependency.
  - 16. The computer program product as described in claim 15 wherein the program code provides an indication that the dependency request has been determined to be valid.
  - 17. The computer program product as described in claim 13 wherein the logging operation is provided by the log management system.
  - 18. The computer program product as described in claim 13 wherein the user state data is obtained by receiving user state data provided by the given cloud application or by polling the given cloud application to provide such data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Muthukrishnan, Ravi Krishnan, Hoy, Jeffrey Robert, Iyer, Sreekanth Ramakrishna, Kapadia, Kaushal Kiran, Nagaratnam, Nataraj
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Gundry, Stephen T

Application Number

US14/954,676
Publication Number

US 20170155672A1
Time in Patent Office

1,163 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

H04L 67/125   involving control of end-de...

H04L 67/30   Profiles

H04L 67/535   Tracking the activity of th...

User state tracking and anomaly detection in software-as-a-service environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

64 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

User state tracking and anomaly detection in software-as-a-service environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links