Method for monitoring abnormal behavior in a computer system

US 6,289,379 B1
Filed: 11/05/1998
Issued: 09/11/2001
Est. Priority Date: 11/07/1997
Status: Expired due to Term

First Claim

Patent Images

1. A method for monitoring a computer system in which a manager computer and a plurality of agent computers are connected over a network, comprising:

in response to an abnormal state occurring on one of said plurality of agent computers, presuming on said manager computer a first cause of said abnormal state;

sending a request from said manager computer to said plurality of agent computers, said request requesting to collect logs to prove said presumed first cause;

collecting a log to prove said presumed first cause on each of said plurality of agent computers;

sending said collected log from each of said plurality of agent computers to said manager computer;

comparing on said manager computer said collected logs with each other to presume, as a result of comparison thereof, a second cause which caused the first cause; and

sending a request from said manager computer to said plurality of agent computers, said request requesting to collect logs to prove said presumed second cause.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to a method for monitoring a computer system in which one manager computer is connected to a plurality of agent computers over a network. The manager computer sends information on the types of log to be collected to the plurality of agent computers. In response, the plurality of agent computers collect the specified types of log. Then, the plurality of agent computers send the collected logs to the manager computer. Thus, the plurality of agent computers are able to collect the types of log specified by the manager computer.

57 Citations

View as Search Results

11 Claims

1. A method for monitoring a computer system in which a manager computer and a plurality of agent computers are connected over a network, comprising:
- in response to an abnormal state occurring on one of said plurality of agent computers, presuming on said manager computer a first cause of said abnormal state;
  
  sending a request from said manager computer to said plurality of agent computers, said request requesting to collect logs to prove said presumed first cause;
  
  collecting a log to prove said presumed first cause on each of said plurality of agent computers;
  
  sending said collected log from each of said plurality of agent computers to said manager computer;
  
  comparing on said manager computer said collected logs with each other to presume, as a result of comparison thereof, a second cause which caused the first cause; and
  
  sending a request from said manager computer to said plurality of agent computers, said request requesting to collect logs to prove said presumed second cause.
- View Dependent Claims (2)
- - 2. The method for monitoring as claimed in claim 1, wherein at each of a step at which said manager computer supposes said first cause and a step at which said manager computer supposes said second cause, said manager computer displays an area of said computer system on a display, said area indicating a portion where the abnormal state is present.

3. A method for monitoring a computer system in which a manager computer and (n+1) agent computers are connected over a network, comprising:
- dividing a log collected on said manager computer into n pieces of log information;
  
  on said manager computer, generating appendage information which recovers said log based on pieces of log information less than n;
  
  distributing said n pieces of information and said appendage information to said (n+1) agent computers, respectively; and
  
  on each of said (n+1) agent computers, encrypting and memorizing respective one of said distributed log information and said appendage information.

4. A method for monitoring a computer system in which a plurality of computers to be managed and a manager computer are connected to a network, comprising:
- monitoring, by said manager computer, logs collected from said plurality of computers to be managed; and
  
  detecting, by said manager computer, suspicious behavior by comparing said logs or checking inconsistency of said logs.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11)
- - 5. The method according to claim 4, wherein said suspicious behavior comprises at least one of a person other than regular users utilizing a computer to be managed illegally, and a person impersonating another person, and a person operating a computer to be managed beyond his/her permitted limit of operation.
  - 6. The method according to claim 4, wherein each of said computers to be managed comprises:
7. The method according to claim 6, each of said computers to be managed reporting to said manager computer an alarm or a log requested by said manager computer, said manager computer:
- presuming, from contents of the reported alarm or log, causes resulting in the contents;
  
  collecting a more detailed log to prove the presumption; and
  
  narrowing down said presumed causes.
8. The method according to claim 4, wherein said manager computer comprises:
- displaying icons of said computers to be managed on a monitor screen; and
  
  changing an alarm sound or a color on said monitor screen according to a degree of suspicion for a computer performing suspicious behavior or a range of a display section showing possibility of existence of a computer performing suspicious behavior.
9. The method according to claim 4, further comprising:
- adding a digital signature before storing or transferring a log;
  
  adding redundant data to the log; and
  
  recovering data of said log by using said redundant data when a part of said log is lost or altered.
10. The method according to claim 4, further comprising:
- dividing a log into divided logs and storing the divided logs in computers to be managed; and
  
  recovering data of said log by using the stored divided logs when a part of the divided logs is lost or altered.
11. The method according to claim 9, further comprising:
- dividing a log into divided logs and storing the divided logs in computers to be managed; and
  
  recovering data of said log by using the stored divided logs when a part of the divided logs is lost or altered.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Sato, Toshio, Hirata, Toshiaki, Urano, Akihiro, Fujino, Shuji
Primary Examiner(s)
WILEY, DAVID ARMAND

Application Number

US09/186,076
Time in Patent Office

1,041 Days
Field of Search

709/202, 709/223-224, 709/704, 345/334, 714/25, 714/31
US Class Current

709/223
CPC Class Codes

H04L 41/0681   Configuration of triggering...

H04L 41/16   using machine learning or a...

H04L 43/00   Arrangements for monitoring...

H04L 43/0817   by checking functioning

Method for monitoring abnormal behavior in a computer system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

57 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Method for monitoring abnormal behavior in a computer system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links