Management apparatus and management method

US 10,430,582 B2
Filed: 07/15/2016
Issued: 10/01/2019
Est. Priority Date: 08/17/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable storage medium storing a computer program that causes a computer to perform a process comprising:

obtaining execution information about a first process generated or a first command executed by an information processing apparatus that performs a task in response to an execution instruction for executing the task, the execution information including an execution start time and an execution end time of the first process or the first command executed by the information processing apparatus;

accumulating the execution start time and the execution end time of the first process or the first command as record information;

creating a scheduled task list of the first process or the first command that the information processing apparatus is scheduled to execute during a predetermined time period, based on the execution information obtained about the first process or the first command, as well as based on a schedule of the execution instruction for the task;

receiving alert information including information about a second process being generated or a second command being executed by the information processing apparatus when a security incident indicating an unauthorized action is detected in the information processing apparatus;

calculating a scheduled execution time zone in which the first process or the first command is expected to be executed, based on the scheduled task list, the schedule, and the record information, and comparing detected date and time of the second process or the second command indicated by the alert information against the scheduled execution time zone;

determining whether or not the detected date and time of the second process or the second command is included in the scheduled execution time zone calculated based on the scheduled task list that has been created based on the execution information and the schedule; and

discarding the received alert information when the determining concludes that the detected date and time of the second process or the second command is included in the scheduled execution time zone.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An information processing apparatus sends a management apparatus execution information about processes that the information processing apparatus has executed while performing a task in response to an instruction from the management apparatus. The management apparatus stores the received execution information in a storage unit. A security detection program monitors the information processing apparatus, and when detecting an alert, sends alert information including information about a process or command being executed by the information processing apparatus, to the management apparatus. The management apparatus receives the alert information, and performs filtering of determining, on the basis of a schedule and the execution information, whether the alert information relates to a task that the management apparatus has instructed the information processing apparatus to perform.

Citations

6 Claims

1. A non-transitory computer-readable storage medium storing a computer program that causes a computer to perform a process comprising:
- obtaining execution information about a first process generated or a first command executed by an information processing apparatus that performs a task in response to an execution instruction for executing the task, the execution information including an execution start time and an execution end time of the first process or the first command executed by the information processing apparatus;
  
  accumulating the execution start time and the execution end time of the first process or the first command as record information;
  
  creating a scheduled task list of the first process or the first command that the information processing apparatus is scheduled to execute during a predetermined time period, based on the execution information obtained about the first process or the first command, as well as based on a schedule of the execution instruction for the task;
  
  receiving alert information including information about a second process being generated or a second command being executed by the information processing apparatus when a security incident indicating an unauthorized action is detected in the information processing apparatus;
  
  calculating a scheduled execution time zone in which the first process or the first command is expected to be executed, based on the scheduled task list, the schedule, and the record information, and comparing detected date and time of the second process or the second command indicated by the alert information against the scheduled execution time zone;
  
  determining whether or not the detected date and time of the second process or the second command is included in the scheduled execution time zone calculated based on the scheduled task list that has been created based on the execution information and the schedule; and
  
  discarding the received alert information when the determining concludes that the detected date and time of the second process or the second command is included in the scheduled execution time zone.
- View Dependent Claims (2, 3, 4)
- - 2. The non-transitory computer-readable recording medium according to claim 1, wherein:
    - the execution information includes process tree information about a process tree of the first process or the first command executed by the information processing apparatus in response to the execution instruction;
      
      the process further includes comparing malware information indicating a process tree of the second process or the second command with the process tree information of the first process or the first command registered in the scheduled task list to determine whether or not the second process has been generated in response to the execution instruction, the malware information being included in the alert information; and
      
      the process further includes comparing the malware information with the process tree information of the first process or the first command registered in the scheduled task list to determine whether or not the second command has been executed in response to the execution instruction.
  - 3. The non-transitory computer-readable recording medium according to claim 1, wherein:
    - the execution information includes a hash value of a first module activated by the first process or the first command executed by the information processing apparatus in response to the execution instruction; and
      
      the process further includes obtaining a hash value of a second module activated by the second process or the second command identified based on malware information included in the alert information, and comparing the hash value of the second module with the hash value of the first module registered in the scheduled task list to determine whether or not the second process or the second command has been generated or executed in response to the execution instruction.
  - 4. The non-transitory computer-readable storage medium according to claim 1, wherein:
    - the execution information includes communication destination information of a communication process performed by the first process or the first command executed by the information processing apparatus in response to the execution instruction; and
      
      the process further includes comparing communication destination information of a communication process performed by the second process or the second command indicated by the alert information with the communication destination information of the communication process performed by the first process or the first command registered in the scheduled task list, to determine whether or not the second process or the second command has been generated or executed in response to the execution instruction.

5. A management apparatus comprising:
- a processor configured to perform a process including;
  
  obtaining execution information about a first process generated or a first command executed by an information processing apparatus that performs a task in response to an execution instruction for executing the task, the execution information including an execution start time and an execution end time of the first process or the first command executed by the information processing apparatus;
  
  accumulating the execution start time and the execution end time of the first process or the first command as record information;
  
  creating a scheduled task list of the first process or the first command that the information processing apparatus is scheduled to execute during a predetermined time period, based on the execution information obtained about the first process or the first command, as well as based on a schedule of the execution instruction for the task;
  
  receiving alert information including information about a second process being generated or a second command being executed by the information processing apparatus when a security incident indicating an unauthorized action is detected in the information processing apparatus;
  
  calculating a scheduled execution time zone in which the first process or the first command is expected to be executed, based on the scheduled task list, the schedule, and the record information, and comparing detected date and time of the second process or the second command indicated by the alert information against the scheduled execution time zone;
  
  determining whether or not the detected date and time of the second process or the second command is included in the scheduled execution time zone calculated based on the scheduled task list that has been created based on the execution information and the schedule; and
  
  discarding the received alert information when the determining concludes that the detected date and time of the second process or the second command is included in the scheduled execution time zone.

6. A management method comprising:
- obtaining, by a processor, execution information about a first process generated or a first command executed by an information processing apparatus that performs a task in response to an execution instruction for executing the task, the execution information including an execution start time and an execution end time of the first process or the first command executed by the information processing apparatus;
  
  accumulating, by the processor, the execution start time and the execution end time of the first process or the first command as record information;
  
  creating, by the processor, a scheduled task list of the first process or the first command that the information processing apparatus is scheduled to execute during a predetermined time period, based on the execution information obtained about the first process or the first command, as well as based on a schedule of the execution instruction for the task;
  
  receiving, by the processor, alert information including information about a second process being generated or a second command being executed by the information processing apparatus when a security incident indicating an unauthorized action is detected in the information processing apparatus;
  
  calculating, by the processor, a scheduled execution time zone in which the first process or the first command is expected to be executed, based on the scheduled task list, the schedule, and the record information, and comparing detected date and time of the second process or the second command indicated by the alert information against the scheduled execution time zone;
  
  determining, by the processor, whether or not the detected date and time of the second process or the second command is included in the scheduled execution time zone calculated based on the scheduled task list that has been created based on the execution information and the schedule; and
  
  discarding, by the processor, the received alert information when the determining concludes that the detected date and time of the second process or the second command is included in the scheduled execution time zone.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fujitsu Limited
Original Assignee
Fujitsu Limited
Inventors
Mori, Toshitsugu, Kitayama, Toru, Kawagata, Ryota, Takaishi, Akinobu, Kouge, Kiyoshi, Ebine, Naoto
Primary Examiner(s)
Patel, Ashokkumar B
Assistant Examiner(s)
Jones, William B

Application Number

US15/211,225
Publication Number

US 20170053117A1
Time in Patent Office

1,173 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/554 involving event detection a...

G06F 2221/031 Protect user input by softw...

Management apparatus and management method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

6 Claims

Specification

Solutions

Use Cases

Quick Links

Management apparatus and management method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

6 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links