Management apparatus and management method
First Claim
1. A non-transitory computer-readable storage medium storing a computer program that causes a computer to perform a process comprising:
obtaining execution information about a first process generated or a first command executed by an information processing apparatus that performs a task in response to an execution instruction for executing the task, the execution information including an execution start time and an execution end time of the first process or the first command executed by the information processing apparatus;
accumulating the execution start time and the execution end time of the first process or the first command as record information;
creating a scheduled task list of the first process or the first command that the information processing apparatus is scheduled to execute during a predetermined time period, based on the execution information obtained about the first process or the first command, as well as based on a schedule of the execution instruction for the task;
receiving alert information including information about a second process being generated or a second command being executed by the information processing apparatus when a security incident indicating an unauthorized action is detected in the information processing apparatus;
calculating a scheduled execution time zone in which the first process or the first command is expected to be executed, based on the scheduled task list, the schedule, and the record information, and comparing detected date and time of the second process or the second command indicated by the alert information against the scheduled execution time zone;
determining whether or not the detected date and time of the second process or the second command is included in the scheduled execution time zone calculated based on the scheduled task list that has been created based on the execution information and the schedule; and
discarding the received alert information when the determining concludes that the detected date and time of the second process or the second command is included in the scheduled execution time zone.
Abstract
An information processing apparatus sends a management apparatus execution information about processes that the information processing apparatus has executed while performing a task in response to an instruction from the management apparatus. The management apparatus stores the received execution information in a storage unit. A security detection program monitors the information processing apparatus, and when detecting an alert, sends alert information including information about a process or command being executed by the information processing apparatus, to the management apparatus. The management apparatus receives the alert information, and performs filtering of determining, on the basis of a schedule and the execution information, whether the alert information relates to a task that the management apparatus has instructed the information processing apparatus to perform.
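A minimal sketch of the filtering the abstract describes, added here as an illustration and not taken from the patent or any product. The record layout, the `margin` tolerance, the additional match on command name and all sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Run:  # record information for one past execution (layout is an assumption)
    task: str
    command: str
    instructed: datetime  # when the execution instruction was issued
    start: datetime
    end: datetime

def scheduled_windows(schedule, records, period, margin=timedelta(seconds=30)):
    """Build (command, window_start, window_end) for every task scheduled in `period`."""
    offsets = {}  # (task, command) -> (earliest start offset, latest end offset)
    for r in records:
        lo, hi = r.start - r.instructed, r.end - r.instructed
        key = (r.task, r.command)
        if key in offsets:
            lo, hi = min(lo, offsets[key][0]), max(hi, offsets[key][1])
        offsets[key] = (lo, hi)
    windows = []
    for task, when in schedule:
        if period[0] <= when < period[1]:
            windows += [(cmd, when + lo - margin, when + hi + margin)
                        for (t, cmd), (lo, hi) in offsets.items() if t == task]
    return windows

def filter_alert(command, detected, windows):
    """Discard only when the alerted command is scheduled and detected inside its window."""
    hit = any(cmd == command and lo <= detected <= hi for cmd, lo, hi in windows)
    return "discard" if hit else "escalate"

# Constructed sample data: two past runs of a hypothetical "nightly-backup" task.
RECORDS = [
    Run("nightly-backup", "tar", datetime(2024, 1, 1, 2, 0),
        datetime(2024, 1, 1, 2, 1), datetime(2024, 1, 1, 2, 20)),
    Run("nightly-backup", "tar", datetime(2024, 1, 2, 2, 0),
        datetime(2024, 1, 2, 2, 2), datetime(2024, 1, 2, 2, 25)),
]
SCHEDULE = [("nightly-backup", datetime(2024, 1, 3, 2, 0))]
WINDOWS = scheduled_windows(SCHEDULE, RECORDS,
                            (datetime(2024, 1, 3), datetime(2024, 1, 4)))

if __name__ == "__main__":
    for cmd, ts in [("tar", datetime(2024, 1, 3, 2, 10)),   # inside window
                    ("tar", datetime(2024, 1, 3, 14, 0)),   # scheduled command, wrong time
                    ("nc", datetime(2024, 1, 3, 2, 10))]:   # unscheduled command
        print(cmd, ts.isoformat(), filter_alert(cmd, ts, WINDOWS))
```

Requiring the command name to match as well as the time keeps an unrelated process that runs during a scheduled window from being suppressed along with the expected one.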
6 Claims
5. A management apparatus comprising:
a processor configured to perform a process including:
obtaining execution information about a first process generated or a first command executed by an information processing apparatus that performs a task in response to an execution instruction for executing the task, the execution information including an execution start time and an execution end time of the first process or the first command executed by the information processing apparatus;
accumulating the execution start time and the execution end time of the first process or the first command as record information;
creating a scheduled task list of the first process or the first command that the information processing apparatus is scheduled to execute during a predetermined time period, based on the execution information obtained about the first process or the first command, as well as based on a schedule of the execution instruction for the task;
receiving alert information including information about a second process being generated or a second command being executed by the information processing apparatus when a security incident indicating an unauthorized action is detected in the information processing apparatus;
calculating a scheduled execution time zone in which the first process or the first command is expected to be executed, based on the scheduled task list, the schedule, and the record information, and comparing detected date and time of the second process or the second command indicated by the alert information against the scheduled execution time zone;
determining whether or not the detected date and time of the second process or the second command is included in the scheduled execution time zone calculated based on the scheduled task list that has been created based on the execution information and the schedule; and
discarding the received alert information when the determining concludes that the detected date and time of the second process or the second command is included in the scheduled execution time zone.
6. A management method comprising:
obtaining, by a processor, execution information about a first process generated or a first command executed by an information processing apparatus that performs a task in response to an execution instruction for executing the task, the execution information including an execution start time and an execution end time of the first process or the first command executed by the information processing apparatus;
accumulating, by the processor, the execution start time and the execution end time of the first process or the first command as record information;
creating, by the processor, a scheduled task list of the first process or the first command that the information processing apparatus is scheduled to execute during a predetermined time period, based on the execution information obtained about the first process or the first command, as well as based on a schedule of the execution instruction for the task;
receiving, by the processor, alert information including information about a second process being generated or a second command being executed by the information processing apparatus when a security incident indicating an unauthorized action is detected in the information processing apparatus;
calculating, by the processor, a scheduled execution time zone in which the first process or the first command is expected to be executed, based on the scheduled task list, the schedule, and the record information, and comparing detected date and time of the second process or the second command indicated by the alert information against the scheduled execution time zone;
determining, by the processor, whether or not the detected date and time of the second process or the second command is included in the scheduled execution time zone calculated based on the scheduled task list that has been created based on the execution information and the schedule; and
discarding, by the processor, the received alert information when the determining concludes that the detected date and time of the second process or the second command is included in the scheduled execution time zone.
Specification