Method for monitoring abnormal behavior in a computer system

US 7,136,918 B2
Filed: 06/13/2002
Issued: 11/14/2006
Est. Priority Date: 11/07/1997
Status: Expired due to Fees

First Claim

Patent Images

1. A computer monitoring system comprising:

a manager computer; and

a plurality of agent computers coupled to the manager computer over a network,wherein said manager computer, in response to an abnormal state occurring on one of said plurality of agents computers;

presumes a first cause of said abnormal state;

requests said plurality of agent computers to collect logs to prove said presumed first cause;

receives said collected log from each of said plurality of agent computers;

compares said collected logs with each other;

presumes a second cause which caused the first cause; and

requests said plurality of agent computers to collect logs to prove said presumed second cause; and

wherein each of said plurality of agent computers;

collects a log to prove said presumed first cause in response to a request from said manager computer;

sends said collected log to said manager computer, andcollects a log to prove said presumed second cause in response to a request from said manager computer.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to a method for monitoring a computer system in which one manager computer is connected to a plurality of agent computers over a network. The manager computer sends information on the types of log to be collected to the plurality of agent computers. In response, the plurality of agent computers collect the specified types of log. Then, the plurality of agent computers send the collected logs to the manager computer. Thus, the plurality of agent computers are able to collect the types of log specified by the manager computer.

31 Citations

View as Search Results

19 Claims

1. A computer monitoring system comprising:
- a manager computer; and
  
  a plurality of agent computers coupled to the manager computer over a network,wherein said manager computer, in response to an abnormal state occurring on one of said plurality of agents computers;
  
  presumes a first cause of said abnormal state;
  
  requests said plurality of agent computers to collect logs to prove said presumed first cause;
  
  receives said collected log from each of said plurality of agent computers;
  
  compares said collected logs with each other;
  
  presumes a second cause which caused the first cause; and
  
  requests said plurality of agent computers to collect logs to prove said presumed second cause; and
  
  wherein each of said plurality of agent computers;
  
  collects a log to prove said presumed first cause in response to a request from said manager computer;
  
  sends said collected log to said manager computer, andcollects a log to prove said presumed second cause in response to a request from said manager computer.
- View Dependent Claims (2)
- - 2. The computer monitoring system according to claim 1,wherein said manager computer displays an area of said computer system on the display, said area indicating a portion where the abnormal state is present, when presuming said first and second cause.

3. A computer monitoring system comprising:
- a manager computer; and
  
  (n+1) agent computers coupled to said manager computer over a network,wherein said manager computer;
  
  divides a collected log into n pieces of log information;
  
  generates appendage information which recovers said log based on pieces of log information less than n;
  
  distributes said n pieces of information and said appendage information to said (n+1) agent computers, respectively; and
  
  wherein each of said (n+1) agent computers encrypts and memorizes respective one of said distributed log information and said appendage information.

4. A computer monitoring system comprising:
- a manager computer; and
  
  a plurality of computers coupled to said manager computer over a network,wherein said manager computer monitors logs collected from said plurality of computers to be managed and detects suspicious behavior by comparing said logs or checking inconsistency of said logs,wherein said manager computer;
  
  displays icons of said computers to be managed on the monitor screen of said manager computer; and
  
  changes an alarm sound or a color on said monitor screen according to a degree of suspicion for said computers to be managed performing suspicious behavior or a range of a display section showing possibility of existence of said computers to be managed performing suspicious behavior.
- View Dependent Claims (5, 6, 7, 8, 9)
- - 5. The computer monitoring system according to claim 4,wherein said suspicious behavior comprises at least one of a person other than regular users utilizing a computer to be managed illegally, and a person impersonating another person, and a person operating a computer to be managed beyond his/her permitted limit of operation.
  - 6. The computer monitoring system according to claim 4, wherein each of said computers to be managed:
    - stores logs;
      
      reports to said manager computer an alarm or a log more significant than a management level; and
      
      changes said managed level in response to an instruction from said manager computer; and
      
      wherein said manager computer sets said management level in each of said computers to be managed.
  - 7. The computer monitoring system according to claim 6, wherein each of said computers to be managed reports to said manager computer an alarm or a log requested by said manager computer;
    - andwherein said manager computer;
      
      presumes causes resulting in contents from the contents of the reported alarm or log; and
      
      collects a more detailed log to prove the presumption; and
      
      narrows down said presumed causes.
  - 8. The computer monitoring system according to claim 4, wherein each of said computers to be managed:
    - adds a digital signature before storing or transferring a log;
      
      adds redundant data to the log; and
      
      recovers data of said log by using said redundant data when a part of said log is lost or altered.
  - 9. A computer monitoring system according to claim 4, wherein each of said computers to be managed divides a log into divided logs and have other computers among said plurality of computers store the divided logs;
    - andrecovers data of said log by using the stored divided logs when a part of the divided logs is lost or altered.

10. An apparatus for monitoring a computer system in which a manager computer and a plurality of agent computers are connected over a network, comprising:
- a software portion configured, in response to an abnormal state occurring on one of said plurality of agent computers, to presume on said manager computer a first cause of said abnormal state;
  
  a software portion configured to send a request from said manager computer to said plurality of agent computers, said request requesting to collect logs to prove said presumed first cause;
  
  a software portion configured to collect a log to prove said presumed first cause on each of said plurality of agent computers;
  
  a software portion configured to send said collected log from each of said plurality of agent computers to said manager computer;
  
  a software portion configured to compare on said manager computer said collected logs with each other to presume, as a result of comparison thereof, a second cause which caused the first cause; and
  
  a software portion configured to send a request from said manager computer to said plurality of agent computers, said request requesting to collect logs to prove said presumed second cause.
- View Dependent Claims (11)
- - 11. The apparatus of claim 10, whereinsaid manager computer displays an area of said computer system on a display, said area indicating a portion where the abnormal state is present when said manager computer supposes said first cause and said second cause.

12. An apparatus for monitoring a computer system in which a manager computer and (n+1) agent computers are connected over a network, comprising:
- a software portion configured to divide a log collected on said manager computer into n pieces of log information;
  
  on said manager computer, a software portion configured to generate appendage information that recovers said log based on pieces of log information less than n;
  
  a software portion configured to distribute said n pieces of information and said appendage information to said (n+1) agent computers, respectively; and
  
  on each of said (n+1) agent computers, a software portion configured to encrypt and to memorize respective one of said distributed log information and said appendage information.

13. An apparatus for monitoring a computer system in which a plurality of computers to be managed and a manager computer are connected to a network, comprising:
- a software portion configured to monitor, by said manager, logs collected from said plurality of computers to be managed; and
  
  a software portion configured to detect, by said manager computer, suspicious behavior by comparing said logs or checking inconsistency of said logs,wherein said manager computer comprises;
  
  a software portion configured to display icons of said computers to be managed on a monitor screen; and
  
  a software portion configured to chance an alarm sound or a color on said monitor screen according to a degree of suspicion for a computer performing suspicious behavior or a range of a display section showing possibility of existence of a computer performing suspicious behavior.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The apparatus of claim 13, whereinsaid suspicious behavior comprises at least one of a person other than regular users utilizing a computer to be managed illegally, and a person impersonating another person, and a person operating a computer to be managed beyond his/her permitted limit of operation.
  - 15. The apparatus of claim 13, wherein each of said computers to be managed, comprises:
    - a software portion configured to store logs;
      
      a software portion configured to report to said manager computer an alarm or a log more significant than a management level; and
      
      a software portion configured to change said management level in response to an instruction from said manager computer, said manager computer setting said management level in each of said computers to be managed.
  - 16. The apparatus of claim 15, whereineach of said computers to be managed reporting to said manager computer an alarm or a log requested by said manager computer, said manager computer:
    - a software portion configured to presume, from contents of the reported alarm or log, causes resulting in the contents;
      
      a software portion configured to collect a more detailed log to prove the presumption; and
      
      a software portion configured to narrow down said presumed causes.
  - 17. The apparatus of claim 13, further comprising:
    - a software portion configured to add a digital signature before storing or transferring a log;
      
      a software portion configured to add redundant data to the log; and
      
      a software portion configured to recovering data of said log by using said redundant data when a part of said log is lost or altered.
  - 18. The apparatus of claim 13, further comprising:
    - a software portion configured to divide a log into divided logs and to store the divided logs in computers to be managed; and
      
      a software portion configured to recover data of said log by using the stored divided logs when a part of the divided logs is lost or altered.
  - 19. The apparatus of claim 17, further comprising:
    - a software potion configured to divide a log into divided logs and to store the divided logs in computers to be managed; and
      
      a software portion configured to recover data of said log by using the stored divided logs when a part of the divided logs is lost or altered.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Hirata, Toshiaki, Urano, Akihiro, Fujino, Shuji, Sato, Toshio
Primary Examiner(s)
Wiley, David
Assistant Examiner(s)
Doan, Duyen

Application Number

US10/167,584
Publication Number

US 20020165959A1
Time in Patent Office

1,615 Days
Field of Search

709223-224, 709/202
US Class Current

709/223
CPC Class Codes

H04L 41/0681   Configuration of triggering...

H04L 41/16   using machine learning or a...

H04L 43/00   Arrangements for monitoring...

H04L 43/0817   by checking functioning

Method for monitoring abnormal behavior in a computer system

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

31 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Method for monitoring abnormal behavior in a computer system

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others