Log analysis system, method and apparatus

US 20060259968A1
Filed: 11/14/2005
Published: 11/16/2006
Est. Priority Date: 05/12/2005
Status: Active Grant

First Claim

Patent Images

1. A log analysis system for analyzing a state of incidents occurred in a network and comprising a security unit connected to the network, a collection unit connected to the security unit and an analysis unit connected to the collection unit;

the security unit including detection means for detecting illegal packets flowing in the network and first transmission means for transmitting event information concerning the packets to the collection unit when illegal packets are detected;

the collection unit including event database storage means for obtaining the event information from the security unit to be stored therein, first search means for receiving from the analysis unit an event obtainment request message for obtaining events occurred in a specified period and coincident with specified conditions to search the event database for the events having the specified conditions, and second transmission means for transmitting the searched events to the analysis unit;

the analysis unit including third transmission means for transmitting the event obtainment request message to the collection unit, analysis means for analyzing the event information obtained from the collection unit in response to the event obtainment request message, analysis database means for storing information of the analyzed result, event statistical information preparation means for preparing event statistical information on the basis of the obtained event information, frequency component information preparation means for subjecting the prepared event statistical information to frequency analysis processing to prepare frequency component information including frequency information and strength information, and decision means for making analysis on the basis of the frequency component to judge occurrence tendency of incidents.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An analysis unit which effectively detects incidents on the basis of events detected by a security unit such as an intrusion detection system (IDS) or a firewall (FW) installed in a network stores statistical information that is frequency-distributed information of event information obtained from the collection unit, frequency component information obtained by frequency-analyzing the statistical information and the result obtained by making analysis on the basis of the frequency component. The collection unit collects and normalizes event log information outputted by IDS or FW to be stored in an event database (DB). An alert notification unit includes an alert database (DB) for storing an alert instruction transmitted from the analysis unit and an alert notification destination and reports occurrence of incidents to a manager or the like in accordance with the instruction.

38 Citations

View as Search Results

11 Claims

1. A log analysis system for analyzing a state of incidents occurred in a network and comprising a security unit connected to the network, a collection unit connected to the security unit and an analysis unit connected to the collection unit;
- the security unit including detection means for detecting illegal packets flowing in the network and first transmission means for transmitting event information concerning the packets to the collection unit when illegal packets are detected;
  
  the collection unit including event database storage means for obtaining the event information from the security unit to be stored therein, first search means for receiving from the analysis unit an event obtainment request message for obtaining events occurred in a specified period and coincident with specified conditions to search the event database for the events having the specified conditions, and second transmission means for transmitting the searched events to the analysis unit;
  
  the analysis unit including third transmission means for transmitting the event obtainment request message to the collection unit, analysis means for analyzing the event information obtained from the collection unit in response to the event obtainment request message, analysis database means for storing information of the analyzed result, event statistical information preparation means for preparing event statistical information on the basis of the obtained event information, frequency component information preparation means for subjecting the prepared event statistical information to frequency analysis processing to prepare frequency component information including frequency information and strength information, and decision means for making analysis on the basis of the frequency component to judge occurrence tendency of incidents.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A log analysis system according to claim 1, further comprising an alert notification unit for notifying the result analyzed by the analysis unit to a relevant network manager or user.
  - 3. A log analysis system according to claim 1, wherein the analysis unit includes second search means for searching the analysis information for the event statistical information having similar frequency components and first display means for designating one of the event statistical information to thereby display a list of event statistical information having similar frequency components in a display unit in order.
  - 4. A log analysis system according to claim 1, wherein the analysis unit includes verification means for verifying similarity of all the event statistical information out of the analysis information and second display means for displaying a list of event statistical information pairs having high similarity in a display unit in order.
  - 5. A log analysis system according to claim 1, wherein the analysis unit includes third search means for searching the analysis information for the event statistical information based on strength of specified frequency and third display unit for designating one or plural frequencies to thereby display a list of event statistical information having the frequency in a display unit in order.
  - 6. A log analysis system according to claim 1, wherein the analysis unit includes fourth search means for searching the analysis information for the event statistical information having increased strength of the specified frequency and fourth display means for displaying a list of event statistical information in a display unit in order.

7. A log analysis method in a log analysis system for analyzing a state of incidents occurred in a network;
- the log analysis system comprising a security unit, a collection unit and an analysis unit;
  
  the log analysis method comprising;
  
  a step of, in the security unit, detecting illegal packets flowing in the network and transmitting event information to the collection unit when illegal packets are detected;
  
  a step of, in the collection unit, obtaining event information from the security unit to be stored in an event database and receiving an event obtainment request from the analysis unit to search the event database for event having specified conditions and transmit the searched event to the analysis unit; and
  
  a step of, in the analysis unit, transmitting a request for obtaining events occurred in a specified period and coincident with specified conditions to the collection unit and analyzing the event information obtained from the collection unit in response to the request to store information of the analyzed result in an analysis database, preparing event statistical information on the basis of the obtained event information, subjecting the prepared event statistical information to frequency analysis processing to prepare frequency component information including frequency information and strength information, making analysis based on the frequency component to judge occurrence tendency of incidents.
- View Dependent Claims (8, 9, 10)
- - 8. A log analysis method according to claim 7, wherein the log analysis system further comprises an alert notification unit, and the analysis unit produces alert information expressing the occurrence tendency of incidents as table and graph after the analysis unit judges the occurrence tendency of incidents on the basis of the frequency component information and transmits the alert information to the alert notification unit, the alert notification unit notifying the received alert information to a network manager or user.
  - 9. A log analysis method according to claim 7, wherein the analysis unit expresses similarity between the frequency component information produced from one piece of the event statistical information and that produced from other event statistical information as numerical correlation values and ranks the event statistical information in order on the basis of the obtained correlation values to be displayed.
  - 10. A log analysis method according to claim 7, wherein the analysis unit searches the frequency component information for that having increased strength of the specified frequency and ranks the event statistic information relative to the frequency component in order on the basis of the strength to be displayed.

11. A log analysis apparatus for analyzing a state of incidents occurred in a network, comprising:
- means for transmitting a request for obtaining events occurred in a specified period and coincident with specified conditions to a collection unit which obtains from a security unit event information which the security unit obtains by detecting illegal packets flowing in the network and stores the event information in an event database;
  
  means for analyzing the event information obtained from the collection unit in response to the request;
  
  an analysis database for storing information of the analyzed result;
  
  means for preparing event statistical information on the basis of the obtained event information;
  
  means for subjecting the prepared event statistical information to frequency analysis processing to prepare frequency component information including frequency information and strength information; and
  
  means for making analysis based on the frequency component to judge occurrence tendency of incidents.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Sakamoto, Kenichi, Nakakoji, Hirofumi, Terada, Masato

Granted Patent

US 7,752,663 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/145 the attack involving the pr...

Log analysis system, method and apparatus

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

38 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Log analysis system, method and apparatus

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links