Trail log analysis system, medium storing trail log analysis program, and trail log analysis method

US 9,262,473 B2
Filed: 12/19/2012
Issued: 02/16/2016
Est. Priority Date: 06/30/2010
Status: Active Grant

First Claim

Patent Images

1. A trail log analysis system comprising:

a processor that;

defines as comparison targets a subject, an object, and an action in a trail log of an information system, count an event occurrence number for each time zone corresponding to an event occurrence time recorded on a trail log to be analyzed which was last collected for each combination of the comparison targets, and generates a first information development table;

generates a second information development table by accumulating the event occurrence number of the first information development table corresponding to a trail log recorded previously and up to a time point immediately before the last collected trail log to be analyzed when the event occurrence number of the first information development table corresponds to a normal event, wherein the processor does not accumulate the event occurrence number of the first information development table in the second information development table when the event occurrence number of the first information development table corresponds to an abnormal event; and

compares the first information development table with the second information development table, and outputs a comparison result,wherein the processor detects an event corresponding to a combination A as a newly performed operation and outputs the comparison result when the combination A of the comparison targets included in the first information development table does not exist in combinations of the comparison targets of the second information development table.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A trail log analysis system detects a fraudulent operation from a trail log of an information system, and confirms the correctness of a system action. An information development device generates an information development table from a trail log to be analyzed. The information development table defines a subject (who), an object (what), and an action (what is to be done) as comparison targets, and counts and record an event occurrence number corresponding to an event occurrence time recorded in a trail log for each combination of comparison targets. An accumulation device generates an accumulative information development table by accumulating the information development table corresponding to a trail log recorded previously and up to a time point immediately before the last collected trail log to be analyzed. A comparison device compares the information development table with the accumulative information development table, and outputs a comparison result.

Citations

18 Claims

1. A trail log analysis system comprising:
- a processor that;
  
  defines as comparison targets a subject, an object, and an action in a trail log of an information system, count an event occurrence number for each time zone corresponding to an event occurrence time recorded on a trail log to be analyzed which was last collected for each combination of the comparison targets, and generates a first information development table;
  
  generates a second information development table by accumulating the event occurrence number of the first information development table corresponding to a trail log recorded previously and up to a time point immediately before the last collected trail log to be analyzed when the event occurrence number of the first information development table corresponds to a normal event, wherein the processor does not accumulate the event occurrence number of the first information development table in the second information development table when the event occurrence number of the first information development table corresponds to an abnormal event; and
  
  compares the first information development table with the second information development table, and outputs a comparison result,wherein the processor detects an event corresponding to a combination A as a newly performed operation and outputs the comparison result when the combination A of the comparison targets included in the first information development table does not exist in combinations of the comparison targets of the second information development table.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system according to claim 1, wherein the processor sets analysis definition information for regulation of a configuration and a comparison condition of the first information development table.
  - 3. The system according to claim 2, wherein the processor counts the event occurrence number for each day according to the analysis definition information to generate the first information development table.
  - 4. The system according to claim 2, wherein the processor counts the event occurrence number for each day of week according to the analysis definition information to generate the first information development table.
  - 5. The system according to claim 2, wherein the processor counts the event occurrence number for each hour according to the analysis definition information to generate the first information development table.
  - 6. The system according to claim 2, wherein the processor makes a comparison with an event occurrence number for each time zone of a combination of comparison targets corresponding in the first information development table and outputs the comparison result when an event occurrence number corresponding to a combination of the comparison targets is defined as a specified frequency in the analysis definition information.
  - 7. The system according to claim 2, wherein the processor obtains an occurrence rate using an event occurrence number for each time zone of a combination of comparison targets corresponding in the first information development table and a corresponding accumulative event occurrence number, compares the occurrence rate with a specified rate, and outputs the comparison result when an event occurrence rate corresponding to a combination of the comparison targets is defined as the specified rate in the analysis definition information.
  - 8. The system according to claim 1, whereinthe processor generates a third information development table corresponding to an operation when an irregular operation which is not normally performed is entered in advance,when there is an event detected as a newly performed operation in the comparison result, the processor further compares the third information development table with the first information development table, andwhen it is determined that the newly performed operation has been entered in advance, the processor determines that the event is not a fraudulent operation.
  - 9. The system according to claim 1, wherein when an event occurrence rate corresponding to a combination of the comparison targets is defined as a specified rate in the analysis definition information, and there is no combination of corresponding comparison targets in the information development table, the processor outputs information that a normal operation is not being performed, and correctness of a system operation is not confirmed.
  - 10. The system according to claim 9, wherein the processor adds a record obtained by counting and recording an event occurrence number for each time zone corresponding to a combination of comparison targets configuring the first information development table to the second information development table with attached information that the record corresponds to a last acquired trail log to be analyzed, and makes a comparison by reference to the second information development table only.
  - 11. The system according to claim 1, wherein the processor does not accumulate a record obtained by counting and recording the event occurrence number for each time zone in the first information development table in the second information development table when it is determined that the record does not refer to a normal operation.
  - 12. The system according to claim 1, wherein the processor reports to and makes an entry with an existing fraudulent operation guard function for prohibiting execution of a fraudulent operation about a combination of comparison targets which has been determined as a fraudulent operation, and prohibits execution of a similar fraudulent operation in subsequent processes.

13. A non-transitory computer readable storage medium storing a trail log analysis program used to direct an information processing device to perform:
- an information developing to define as comparison targets a subject, an object, and an action in a trail log of an information system, to count an event occurrence number for each time zone corresponding to an event occurrence time recorded on a trail log to be analyzed which has last collected for each combination of the comparison targets, and to generate a first information development table;
  
  an accumulating to generate a second information development table by accumulating the event occurrence number of the first information development table corresponding to a trail log recorded previously and up to a time point immediately before the last collected trail log to be analyzed when the event occurrence number of the first information development table corresponds to a normal event, wherein the accumulating does not accumulate the event occurrence number of the first information development table in the second information development table when the event occurrence number of the first information development table corresponds to an abnormal event; and
  
  a comparing to compare the first information development table with the second information development table, and to output a comparison result,wherein the comparing detects an event corresponding to a combination A as a newly performed operation and outputs the comparison result when the combination A of the comparison targets included in the first information development table does not exist in combinations of the comparison targets of the second information development table.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The medium according to claim 13, further directing the information processing device to perform an analysis definition information setting to set analysis definition information for regulation of a configuration and comparison information of the first information development table.
  - 15. The medium according to claim 13, further directing the information processing device to perform an application information developing to generate a third information development table corresponding to an operation when an irregular operation which is not normally performed is entered in advance,wherein when there is an event detected as a newly performed operation in the comparison result, the comparing further compares the third information development table with the information development table, and when it is determined that the newly performed operation has been entered in advance, the comparing determines that the event is not a fraudulent operation.
  - 16. The medium according to claim 13, wherein the comparing adds a record obtained by counting and recording an event occurrence number for each time zone corresponding to a combination of comparison targets configuring the first information development table to the accumulative second information development table with attached information that the record corresponds to a last acquired trail log to be analyzed, and makes a comparison by reference to the second information development table only.
  - 17. The medium according to claim 13, wherein the accumulating does not accumulate a record obtained by counting and recording an event occurrence number for each time zone in the first information development table in the second information development table when it is determined that the record does not refer to a normal operation.

18. A trail log analysis method conducted by an information processing device, the method comprising:
- defining as comparison targets a subject, an object, and an action in a trail log of an information system, counting an event occurrence number for each time zone corresponding to an event occurrence time recorded on a trail log to be analyzed which has last collected for each combination of the comparison targets, and generating a first information development table;
  
  generating a second information development table by accumulating the even occurrence number of the first information development table corresponding to a trail log recorded previously and up to a time point immediately before the last collected trail log to be analyzed when the event occurrence number of the first information development table corresponds to a normal event, wherein the generating does not accumulate the event occurrence number of the first information development table in the second information development table when the event occurrence number of the first information development table corresponds to an abnormal event; and
  
  comparing the first information development table with the second information development table, and outputting a comparison result,wherein the comparing detects an event corresponding to a combination A as a newly performed operation and the outputting outputs the comparison result when the combination A of the comparison targets included in the first information development table does not exist in combinations of the comparison targets of the second information development table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fujitsu Limited
Original Assignee
Fujitsu Limited
Inventors
Arao, Hidekazu
Primary Examiner(s)
CHEEMA, AZAM M

Application Number

US13/720,063
Publication Number

US 20130117294A1
Time in Patent Office

1,154 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/3476   Data logging G06F11/14, G06...

G06F 16/245   Query processing

G06F 21/552   involving long-term monitor...

H04L 63/1425   Traffic logging, e.g. anoma...

Trail log analysis system, medium storing trail log analysis program, and trail log analysis method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Trail log analysis system, medium storing trail log analysis program, and trail log analysis method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links