TRAIL LOG ANALYSIS SYSTEM, MEDIUM STORING TRAIL LOG ANALYSIS PROGRAM, AND TRAIL LOG ANALYSIS METHOD

US 20130117294A1
Filed: 12/19/2012
Published: 05/09/2013
Est. Priority Date: 06/30/2010
Status: Active Grant

First Claim

Patent Images

1. A trail log analysis system, comprising:

a processor to realize functions comprising;

an information development unit configured to define as comparison targets a subject, an object, and an action in a trail log of an information system, count an event occurrence number for each time zone corresponding to a event occurrence time recorded on a trail log to be analyzed which has last collected for each combination of the comparison targets, and generate an information development table;

an accumulation unit configured to generate an accumulative information development table by accumulating the information development table corresponding to a trail log recorded previously and up to a time point immediately before the last collected trail log to be analyzed; and

a comparison unit configured to compare the information development table with the accumulative information development table, and output a comparison result.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A trail log analysis system detects a fraudulent operation from a trail log of an information system, and confirms the correctness of a system action. An information development device generates an information development table from a trail log to be analyzed. The information development table defines a subject (who), an object (what), and an action (what is to be done) as comparison targets, and counts and record an event occurrence number corresponding to an event occurrence time recorded in a trail log for each combination of comparison targets. An accumulation device generates an accumulative information development table by accumulating the information development table corresponding to a trail log recorded previously and up to a time point immediately before the last collected trail log to be analyzed. A comparison device compares the information development table with the accumulative information development table, and outputs a comparison result.

Citations

19 Claims

1. A trail log analysis system, comprising:
- a processor to realize functions comprising;
  
  an information development unit configured to define as comparison targets a subject, an object, and an action in a trail log of an information system, count an event occurrence number for each time zone corresponding to a event occurrence time recorded on a trail log to be analyzed which has last collected for each combination of the comparison targets, and generate an information development table;
  
  an accumulation unit configured to generate an accumulative information development table by accumulating the information development table corresponding to a trail log recorded previously and up to a time point immediately before the last collected trail log to be analyzed; and
  
  a comparison unit configured to compare the information development table with the accumulative information development table, and output a comparison result.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system according to claim 1, further comprising an analysis definition information setting unit configured to set analysis definition information for regulation of a configuration and a comparison condition of the information development table.
  - 3. The system according to claim 2, wherein the information development unit counts the event occurrence number for each day according to the analysis definition information to generate the information development table.
  - 4. The system according to claim 2, wherein the information development unit counts the event occurrence number for each day of week according to the analysis definition information to generate the information development table.
  - 5. The system according to claim 2, wherein the information development unit counts the event occurrence number for each hour according to the analysis definition information to generate the information development table.
  - 6. The system according to claim 1, wherein the comparison unit detects an event corresponding to a combination A as a newly performed operation and outputs the comparison result when the combination A of the comparison targets included in the information development table does not exist in combinations of the comparison targets of the accumulative information development table.
  - 7. The system according to claim 1, wherein the comparison unit makes a comparison with an event occurrence number in each time zone of a combination of comparison targets corresponding in the information development table and outputs the comparison result when an event occurrence number corresponding to a combination of the comparison targets is defined as a specified frequency in the analysis definition information.
  - 8. The system according to claim 1, wherein the comparison unit obtains an occurrence rate using an event occurrence number in each time zone of a combination of comparison targets corresponding in the information development table and a corresponding accumulative event occurrence number, compares the occurrence rate with a specified rate, and outputs the comparison result when an event occurrence rate corresponding to a combination of the comparison targets is defined as a specified rate in the analysis definition information.
  - 9. The system according to claim 1, further comprisingan application information development unit configured to generate an information development table corresponding to an operation as an application information development table when an irregular operation which is not normally performed is entered in advance, whereinthe comparison unit compares the information development table with the accumulative information development table, and when there is an event detected as a newly performed operation, the comparison device further compares the application information development table with the information development table, and when it is determined that the operation has been entered in advance, the comparison unit determines that the event is not a fraudulent operation.
  - 10. The system according to claim 1, wherein when an event occurrence rate corresponding to a combination of the comparison targets is defined as a specified rate in the analysis definition information, and there is no combination of corresponding comparison targets in the information development table, the comparison unit outputs information that a normal operation is not being performed, and correctness of a system operation is not confirmed.
  - 11. The system according to claim 10, wherein the comparison unit adds a record obtained by counting and recording an event occurrence number for each time zone corresponding to a combination of comparison targets configuring the information development table to the accumulative information development table with attached information that the record corresponds to a last acquired trail log to be analyzed, and makes a comparison by reference to the accumulative information development table only.
  - 12. The system according to claim 1, wherein the accumulation unit does not accumulate a record obtained by counting and recording an event occurrence number for each time zone corresponding to a combination of comparison targets configuring the information development table when it is determined that the record does not refer to a normal operation.
  - 13. The system according to claim 1, further comprising an operation prohibit information reflection unit configured to use the comparison unit to report to and make an entry with an existing fraudulent operation guard function for prohibiting execution of a fraudulent operation about a combination of comparison targets which has been determined as a fraudulent operation, and prohibiting execution of a similar fraudulent operation in subsequent processes.

14. A non-transitory computer readable storage medium storing a trail log analysis program used to direct an information processing device to perform:
- an information developing to define as comparison targets a subject, an object, and an action in a trail log of an information system, to count an event occurrence number for each time zone corresponding to a event occurrence time recorded on a trail log to be analyzed which has last collected for each combination of the comparison targets, and to generate an information development table;
  
  an accumulating to generate an accumulative information development table by accumulating the information development table corresponding to a trail log recorded previously and up to a time point immediately before the last collected trail log to be analyzed; and
  
  a comparing to compare the information development table with the accumulative information development table, and to output a comparison result.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The medium according to claim 14, further directing the information processing device to perform an analysis definition information setting to set analysis definition information for regulation of a configuration and comparison information of the information development table.
  - 16. The medium according to claim 14,further directing the information processing device to perform an application information developing to generate an information development table corresponding to an operation as an application information development table when an irregular operation which is not normally performed is entered in advance,wherein the comparing compares the information development table with the accumulative information development table, and when there is an event detected as a newly performed operation, the comparing further compares the application information development table with the information development table, and when it is determined that the operation has been entered in advance, the comparing determines that the event is not a fraudulent operation.
  - 17. The medium according to claim 14, wherein the comparing adds a record obtained by counting and recording an event occurrence number for each time zone corresponding to a combination of comparison targets configuring the information development table to the accumulative information development table with attached information that the record corresponds to a last acquired trail log to be analyzed, and makes a comparison by reference to the accumulative information development table only.
  - 18. The medium according to claim 14, wherein the accumulating does not accumulate a record obtained by counting and recording an event occurrence number for each time zone corresponding to a combination of comparison targets configuring the information development table when it is determined that the record does not refer to a normal operation.

19. A trail log analysis method conducted by an information processing device, the method comprising:
- defining as comparison targets a subject, an object, and an action in a trail log of an information system, counting an event occurrence number for each time zone corresponding to a event occurrence time recorded on a trail log to be analyzed which has last collected for each combination of the comparison targets, and generating an information development table;
  
  generating an accumulative information development table by accumulating the information development table corresponding to a trail log recorded previously and up to a time point immediately before the last collected trail log to be analyzed; and
  
  comparing the information development table with the accumulative information development table, and outputting a comparison result.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fujitsu Limited
Original Assignee
Fujitsu Limited
Inventors
ARAO, Hidekazu

Granted Patent

US 9,262,473 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/758
CPC Class Codes

G06F 11/3476   Data logging G06F11/14, G06...

G06F 16/245   Query processing

G06F 21/552   involving long-term monitor...

H04L 63/1425   Traffic logging, e.g. anoma...

TRAIL LOG ANALYSIS SYSTEM, MEDIUM STORING TRAIL LOG ANALYSIS PROGRAM, AND TRAIL LOG ANALYSIS METHOD

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

TRAIL LOG ANALYSIS SYSTEM, MEDIUM STORING TRAIL LOG ANALYSIS PROGRAM, AND TRAIL LOG ANALYSIS METHOD

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links