JP2012069021A - Analysis program, analyzer and analysis method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To enhance analysis accuracy of operation status in a system.SOLUTION: Reception means 1b acquires communication information transmitted/received between terminal devices 3 and 4 and an information processor 2, and stores it in storage means 1a. If the acquired communication information is a suspension request 5d of processing, extraction means 1c extracts communication information indicating an execution request 5c of the processing to be suspended due to the suspension request 5d from the storage means 1a, generates suspension pair information 6 indicating a combination of the suspension request 5d and the execution request 5c, and stores it in the storage means 1a. Analysis means 1d analyzes execution status of processing in the information processor 2 by using pieces of suspension pair information 6, 6a, ... that are stored in the storage means 1a.

Description

  The present invention relates to an analysis program, an analysis apparatus, and an analysis method for analyzing data transmitted / received via a network.

  Conventionally, an information processing system (referred to as a multi-tier system) in which a plurality of computers share processing hierarchically has been used. As a multi-tier system, for example, a three-tier system having a Web server that provides an interface for using the system, an App (Application) server that executes processing on the system, and a DB (Database) server that manages data is known. . Each server executes a process in cooperation with a process execution request from a terminal device used by the user, and responds to the execution request. In this way, the reliability and responsiveness of the system can be improved by having each computer share the processing.

  Here, in the information processing system, operation management for stable operation is performed. For example, there is a method of acquiring a program operation / stop history in a target computer and detecting the occurrence of a failure in the computer.

  Also, in a multi-tier system, there is a method for monitoring the operation of a system by acquiring a combination of an execution request and a process response transmitted / received between servers and assembling a transaction to be executed across the hierarchies from the acquired combination. is there.

  By the way, in a computer system such as a multi-tier system, a process being executed in the system may be forcibly interrupted. For example, when the Web server receives a process interruption instruction from the terminal device or when the browser of the terminal device is closed.

JP 2006-202076 A JP 2006-011683 A JP 2007-304647 A

  However, the conventional method is based on the assumption that a combination of an execution request and a processing response is extracted between servers, and does not consider a case where the processing is forcibly interrupted. The fact that the processing that was forcibly interrupted is excluded from the monitoring target causes a deterioration in the analysis accuracy of the operating status of the system based on the monitoring.

  In one aspect, an object of the present invention is to provide an analysis program, an analysis apparatus, and an analysis method that can improve the analysis accuracy of the operating status of a system.

  In one scheme, the following analysis program is provided. A computer that executes the analysis program acquires communication information transmitted and received between the plurality of terminal devices and the information processing device, and stores the communication information in the storage unit. If the acquired communication information is a process interruption request, the communication information indicating the execution request of the process interrupted by the interruption request is extracted from the storage unit, and information indicating the combination of the interruption request and the execution request Is generated and stored in the storage means. Furthermore, the execution status of the processing by the information processing apparatus is analyzed using the interrupted pair information stored in the storage means.

In one proposal, an analysis device having the same function as a computer that executes the analysis program is provided.
In one proposal, an analysis method is provided that performs the same processing as a computer that executes the analysis program.

  The analysis accuracy of the system operation status is improved.

It is a figure which shows the analyzer which concerns on 1st Embodiment. It is a figure which shows the whole structure of the information processing system of 2nd Embodiment. It is a figure which shows the hardware constitutions of the analyzer of 2nd Embodiment. It is a figure which shows the function structure of the analyzer of 2nd Embodiment. It is a figure which shows the time difference of a message. It is a figure which shows the data structure example of a packet. It is a figure which shows the specific example of a restoration message. It is a figure which shows the example of a data structure of a message log management table. It is a figure which shows the example of a data structure of a normal pair table. It is a figure which shows the data structure example of a normal system time difference table. It is a figure which shows the example of a data structure of an interruption pair table. It is a figure which shows the example of a data structure of an interruption type | system | group time difference table. It is a flowchart which shows a pair extraction process. It is a flowchart which shows the analysis process of 2nd Embodiment. It is a figure which shows the specific example of the analysis process of 2nd Embodiment. It is a figure which shows the example of a data structure of the URL management table of 3rd Embodiment. It is a flowchart which shows the analysis process of 3rd Embodiment. It is a figure which shows the specific example of the analysis process of 3rd Embodiment. It is a figure which shows the example of a data structure of the interruption frequency table of 4th Embodiment. It is a flowchart which shows the analysis process of 4th Embodiment. It is a 1st figure which shows the specific example of the analysis process of 4th Embodiment. It is a 2nd figure which shows the specific example of the analysis process of 4th Embodiment. It is a 3rd figure which shows the specific example of the analysis process of 4th Embodiment.

Hereinafter, the present embodiment will be described in detail with reference to the drawings.
[First Embodiment]
FIG. 1 is a diagram illustrating an analysis apparatus according to the first embodiment. The analysis device 1 detects a failure of each information processing device in an information processing system in which a plurality of information processing devices are connected. It is assumed that the information processing system includes the information processing apparatus 2. The information processing device 2 is connected to the terminal devices 3 and 4 via a network.

The analysis apparatus 1 includes a storage unit 1a, a reception unit 1b, an extraction unit 1c, and an analysis unit 1d.
The storage unit 1a stores a communication history 5 that is a history of communication information (messages) transmitted and received between information processing apparatuses in the information processing system. The communication history 5 includes an execution request 5a and a processing response 5b transmitted / received between the information processing device 2 and the terminal device 3. Further, the communication history 5 includes an execution request 5 c and an interruption request 5 d transmitted and received between the information processing device 2 and the terminal device 4.

  The execution request 5 a is an execution request transmitted from the terminal device 3 to the information processing device 2. The process response 5b is a process response transmitted to the terminal device 3 after the information processing apparatus 2 executes the process according to the execution request 5a. The execution request 5 c is an execution request transmitted from the terminal device 4 to the information processing device 2. The interruption request 5 d is a processing interruption request transmitted from the terminal device 4 to the information processing apparatus 2.

Here, the communication history 5 includes identification information indicating a series of processes related to the message for each message and information indicating the date and time when each message is acquired.
Moreover, the memory | storage means 1a memorize | stores the interruption pair information 6, 6a, ... extracted by the extraction means 1c. Here, the interruption pair information is information indicating a combination of an execution request transmitted from the terminal device 3 to the information processing apparatus 2 and a corresponding interruption request.

  The receiving unit 1b receives the message and records the message content in the communication history 5 stored in the storage unit 1a. In addition, when the received message is an interruption request, the reception unit 1b notifies the extraction unit 1c to that effect.

  When the acquired communication information is a process interruption request, the extraction unit 1c extracts communication information indicating a process execution request interrupted by the interruption request from the storage unit 1a. For example, when there is a notification that the interruption request 5d has been received from the reception unit 1b, the extraction unit 1c refers to the communication history 5 stored in the storage unit 1a and obtains information on the execution request 5c that satisfies the following requirements. Extract.

(1) An execution request transmitted to the information processing apparatus 2 by the terminal device 4 that has transmitted the suspension request 5d before the suspension request 5d.
(2) A processing response is not transmitted from the information processing device 2 to the terminal device 4 in response to the execution request.

Then, the extracting unit 1c stores in the storage unit 1a interrupted pair information 6 that is a combination of the information of the execution request 5c and the information of the interrupt request 5d.
The analysis unit 1d analyzes the execution status of the processing by the information processing apparatus 2 using the interrupted pair information 6, 6a,... Stored in the storage unit 1a.

  According to the analysis device 1, communication information transmitted and received between the terminal devices 3 and 4 and the information processing device 2 is acquired and stored in the storage unit 1a. If the acquired communication information is the interruption request 5d, communication information indicating the execution request 5c of the process interrupted by the interruption request 5d is extracted from the storage unit 1a, and the combination of the interruption request 5d and the execution request 5c is obtained. The interrupted pair information 6 shown is generated and stored in the storage means 1a. Further, the execution status of the processing by the information processing apparatus 2 is analyzed using the interrupted pair information 6, 6a,... Stored in the storage unit 1a.

  Thus, the analysis apparatus 1 records the combination of the execution request 5c and the interruption request 5d as the interruption pair information 6 in the storage unit 1a. Therefore, the operation monitoring of the information processing system using the interrupted pair information 6, 6a,.

  For example, the analysis unit 1d also stores information (normal pair information 7, 7a,...) Indicating a combination of an execution request and a processing response from the communication history 5 in the storage unit 1a. , 6a,... Here, the normal pair information 7 is, for example, a combination of an execution request 5a and a processing response 5b. Such a combination can be acquired by the time inclusion relationship between each execution request and each process response made between the terminal apparatuses 3 and 4 and the information processing apparatus 2.

  The analysis means 1d can compare distributions of time differences obtained from messages included in each pair information by using the interrupted pair information 6, 6a,... And the normal pair information 7, 7a,. . For example, the time difference Ta between the execution request 5c and the interruption request 5d included in the interruption pair information 6 is acquired. Similarly, the time difference is acquired for the other suspended pair information, and the frequency distribution of the time difference of the suspended system is calculated. On the other hand, for the normal pair information 7, the time difference Tb between the execution request 5a and the processing response 5b is acquired. Similarly, the time difference is acquired for other normal pair information, and the frequency distribution of the time difference of the normal system is calculated. Then, for example, the time difference distribution of the interrupted system and the time difference distribution of the normal system are compared to monitor in which time difference range the time difference distribution of the interrupted system appears. Thereby, the abnormality which generate | occur | produced in the information processing apparatus 2 is detectable.

  Abnormality detection can be performed by such analysis because interruption requests are often transmitted from the terminal devices 3 and 4 when the response of the information processing device 2 is delayed. For example, a user who uses the terminal devices 3 and 4 can cause the terminal devices 3 and 4 to transmit an interruption request when the screen contents provided by the information processing device 2 cannot be viewed within a predetermined time.

  Moreover, the analysis apparatus 1 can acquire the interruption pair information 6, 6a,... For each information processing apparatus included in the information processing system. Then, by comparing the time difference between messages included in the interrupted pair information acquired for each information processing device, the occurrence frequency of the interrupted pair information, and the like, it is possible to detect an abnormality in each information processing device.

  As described above, the analysis apparatus 1 includes the processing interruption event in each information processing apparatus that has been conventionally overlooked as an operation monitoring target. Thereby, the analysis accuracy of the operation status of each information processing apparatus of the information processing system can be improved. As a result, more accurate abnormality detection is possible.

In the following embodiment, a case where the analysis apparatus 1 is applied to a Web three-tier system will be described as an example and more specifically described.
[Second Embodiment]
Hereinafter, a second embodiment will be described in detail with reference to the drawings.

  FIG. 2 is a diagram illustrating an overall configuration of an information processing system according to the second embodiment. The information processing system includes a load distribution device 10, a switch device 10a, terminal devices 21, 22, 23, an analysis device 100, Web servers 200, 300, 400, AP servers 500, 600, and a DB server 700. The load distribution device 10, the analysis device 100, the Web servers 200, 300, and 400, the AP servers 500 and 600, and the DB server 700 are connected to each other via the switch device 10a. The load balancer 10 is connected to the terminal devices 21, 22 and 23 via the network 20.

  The load distribution apparatus 10 provides the terminal devices 21, 22, and 23 with URLs (Uniform Resource Locators) of services provided by the Web servers 200, 300, and 400. The load balancer 10 associates this URL with the Web server 200, 300, 400. The load distribution apparatus 10 distributes access to this URL so that each load of the Web servers 200, 300, and 400 is distributed. As a method of load distribution, for example, a method according to round robin, the minimum number of held sessions, the minimum processing time, and the like can be applied.

  The switch device 10a relays communication among the load distribution device 10, the analysis device 100, the Web servers 200, 300, and 400, the AP servers 500 and 600, and the DB server 700.

The network 20 is an intranet or Internet communication network.
The terminal devices 21, 22, and 23 can access the Web servers 200, 300, and 400 via the network 20 and the load distribution device 10. A user of the terminal device 21, 22, 23 can operate a GUI (Graphical User Interface) provided by the Web server 200, 300, 400 from a browser on the terminal device 21, 22, 23. Thereby, the user can use the service provided by the information processing system.

  Here, it is assumed that message transmission / reception between the terminal devices 21, 22, 23 and the Web servers 200, 300, 400 is performed by HTTP (HyperText Transfer Protocol). However, other protocols may be used. In the following, an execution request message transmitted from the terminal device 21, 22, 23 to the Web server 200, 300, 400 is simply referred to as a request. In addition, a processing response message that the Web server 200, 300, 400 transmits to the terminal device 21, 22, 23 in response to the request is simply referred to as a response.

  The analysis device 100 detects an abnormality in the Web servers 200, 300, and 400. The analysis apparatus 100 acquires information for that purpose from the load distribution apparatus 10. Specifically, the switch device 10a has a port mirroring function, and transmits a packet transmitted / received between the load distribution device 10 and the Web servers 200, 300, and 400 to the analysis device 100 as well. The analysis device 100 receives and stores the packet transmitted from the switch device 10a. The information indicated by the packet includes a request that the terminal devices 21, 22, and 23 transmit to the Web servers 200, 300, and 400 and a response that the Web server 200, 300, and 400 transmits to the terminal devices 21, 22, and 23. The information indicated by the packet includes an RST (Reset) packet transmitted from the terminal devices 21, 22, and 23 to the Web servers 200, 300, and 400.

  Here, the RST packet is a packet that the terminal devices 21, 22, and 23 transmit to disconnect the session with the Web server 200, 300, 400. Specifically, the RST packet is a packet in which an RST flag of a TCP (Transmission Control Protocol) header is set to ON. By sending out the RST packet, the session between the terminal devices 21, 22, 23 and the Web servers 200, 300, 400 is disconnected, and the transaction established through the session is forcibly interrupted.

  The analysis apparatus 100 uses, for abnormality detection, the RST packet transmitted from the terminal apparatuses 21, 22, and 23 to the Web servers 200, 300, and 400 as one of the messages. Specifically, abnormality detection is performed based on the time from the request to the transmission of the RST packet.

  Abnormality detection can be performed in this way because the terminal devices 21, 22, and 23 often transmit RST packets when the responses of the Web servers 200, 300, and 400 are delayed.

  For example, when the display of the system response screen is delayed on the browsers of the terminal devices 21, 22, and 23, the user operates a predetermined button (for example, cancel or reload) provided on the browser, and the browser Often send an RST packet. Alternatively, there are cases where the user terminates the browser due to a delay in the display of the browser, and an RST packet is transmitted. Therefore, by analyzing the time from the request to the RST packet, it is possible to obtain an index related to the processing delay of each Web server.

In the following description, the function of the analysis apparatus 100 that analyzes an RST packet and detects an abnormality will be described in more detail.
Here, in the following description, each Web server indicates the Web server 200, 300, 400. In addition, the term “terminal devices” refers to the terminal devices 21, 22, and 23.

  FIG. 3 is a diagram illustrating a hardware configuration of the analysis apparatus according to the second embodiment. The analysis device 100 includes a CPU (Central Processing Unit) 101, a ROM (Read Only Memory) 102, a RAM (Random Access Memory) 103, an HDD (Hard Disk Drive) 104, a graphic processing device 105, an input interface 106, and a recording medium reading device. 107 and a communication interface 108.

The CPU 101 controls the entire analysis apparatus 100.
The ROM 102 stores a BIOS (Basic Input / Output System) program on the analysis apparatus 100.

  The RAM 103 temporarily stores at least part of an OS (Operating System) program and application programs to be executed by the CPU 101. The RAM 103 stores various data necessary for processing by the CPU 101.

  The HDD 104 stores an OS program and an application program. The HDD 104 stores various data necessary for processing by the CPU 101. Instead of the HDD 104 (or in combination with the HDD 104), another type of storage device such as an SSD (Solid State Drive) may be used.

The graphic processing device 105 is connected to the monitor 11. The graphic processing device 105 displays an image on the screen of the monitor 11 in accordance with a command from the CPU 101.
The input interface 106 is connected to the keyboard 12 and the mouse 13. The input interface 106 transmits a signal sent from the keyboard 12 or the mouse 13 to the CPU 101.

  The recording medium reading device 107 is a reading device that reads data stored in the recording medium 14. For example, the function that the analysis apparatus 100 should have can be realized by causing a computer to execute a program describing the processing content of the function. Such a program can be recorded on a computer-readable recording medium 14 and distributed. Further, the program may be stored in a program distribution server (not shown) connected to the switch device 10a. In this case, the analysis apparatus 100 can download the program from the program distribution server.

  As the recording medium 14, for example, a magnetic recording device, an optical disk, a magneto-optical recording medium, or a semiconductor memory can be used. Magnetic recording devices include HDDs, flexible disks (FD), magnetic tapes, and the like. Optical disks include CD (Compact Disc), CD-R (Recordable) / RW (ReWritable), DVD (Digital Versatile Disc), DVD-R / RW / RAM, and the like. Magneto-optical recording media include MO (Magneto-Optical disk). Semiconductor memory includes flash memory such as USB (Universal Serial Bus) memory.

  The communication interface 108 is connected to the switch device 10a by a TP (Twisted Pair) cable, an optical cable, or the like. The communication interface 108 performs data communication with other information processing apparatuses via the switch device 10a. Further, the communication interface 108 receives, from the switch device 10a, a packet transmitted / received between each terminal device and each Web server.

Each terminal device, Web server 200, 300, 400, AP server 500, 600, and DB server 700 can also be realized by the same hardware configuration as the analysis device 100.
FIG. 4 is a diagram illustrating a functional configuration of the analysis apparatus according to the second embodiment. The analysis apparatus 100 includes a packet storage unit 110, a message log storage unit 120, a normal pair information storage unit 130, an interrupted pair information storage unit 140, a control information storage unit 150, a packet reception unit 160, a message restoration unit 170, and a pair extraction unit 180. And an analysis unit 190 and a notification unit 195. These functions are realized by the CPU 101 executing a predetermined program. Note that at least a part or all of these functions may be realized by dedicated hardware.

The packet storage unit 110 stores the packet information received by the packet reception unit 160.
The message log storage unit 120 stores the message log generated by the message restoration unit 170. Here, the message log is generated based on the packet information and represents a communication history between each terminal device and each Web server.

  The normal pair information storage unit 130 stores information on the normal pair generated by the pair extraction unit 180. Here, the normal pair is a set of messages corresponding to processing that is considered to have been normally completed in each Web server among the messages included in the message log stored in the message log storage unit 120. The normal pair includes a request transmitted by each terminal device and a response transmitted by each Web server in response to the request. One normal pair corresponds to one normal end process.

  The interrupted pair information storage unit 140 stores information related to the interrupted pair generated by the pair extraction unit 180. Here, the interruption pair is a set of messages corresponding to processing that is considered to be interrupted halfway due to session disconnection in each Web server among the messages included in the message log stored in the message log storage unit 120. The interrupt pair includes a request transmitted by each terminal device and an RST packet transmitted by each terminal device. One interruption pair corresponds to one interruption process.

The control information storage unit 150 stores control information used by the analysis unit 190 for analysis processing.
The packet receiving unit 160 receives a packet transmitted / received via the load balancer 10 from the load balancer 10. The packet receiving unit 160 stores the received packet in the packet storage unit 110 as packet information. The packet receiver 160 continues to acquire packets while the information processing system is operating, for example.

  The message restoration unit 170 restores a message included in the packet information based on the packet information stored in the packet storage unit 110. Then, the message restoration unit 170 generates a message log based on the restored message and stores it in the message log storage unit 120.

  The pair extraction unit 180 extracts a normal pair with reference to the message log stored in the message log storage unit 120, and stores information indicating the normal pair in the normal pair information storage unit 130. Further, the pair extraction unit 180 calculates the time difference between the messages included in the normal pair with reference to the information indicating the normal pair. The pair extraction unit 180 generates normal system time difference information in which each normal pair is associated with the time difference based on the time difference calculation result, and stores the normal system time difference information in the normal pair information storage unit 130.

  Also, the pair extraction unit 180 extracts a suspended pair by referring to the message log, and stores information indicating the suspended pair in the suspended pair information storage unit 140. Further, the pair extraction unit 180 calculates the time difference between the messages included in the suspended pair with reference to information indicating the suspended pair. The pair extraction unit 180 generates suspended system time difference information in which each suspended pair is associated with the time difference based on the time difference calculation result, and stores the suspended system time difference information in the suspended pair information storage unit 140.

  The analysis unit 190 calculates a normal system time difference distribution based on the normal system time difference information stored in the normal pair information storage unit 130. The analysis unit 190 calculates a suspended system time difference distribution based on the suspended system time difference information stored in the suspended pair information storage unit 140. The analysis unit 190 compares the normal system time difference distribution and the interrupt system time difference distribution to detect an abnormality in each Web server. The reference information used for the comparison is stored in the control information storage unit 150 in advance. The analysis unit 190 compares the normal system time difference distribution with the interrupted system time difference distribution based on the criteria stored in the control information storage unit 150, and can detect the presence or absence of abnormality depending on whether or not the criteria are met.

When the analysis unit 190 detects an abnormality, the analysis unit 190 outputs information indicating the corresponding Web server to the notification unit 195.
The notification unit 195 notifies that an abnormality has occurred for the Web server acquired from the analysis unit 190. The notification unit 195 notifies the abnormality by a method such as sending an e-mail to an administrator of the information processing system, recording the abnormality in an operation management log, or sounding an alarm lamp or a speaker.

  Next, the time difference between messages will be described. In the following description, a message transmitted / received between the terminal device 21 and the Web server 200 will be described, but the same applies to a message transmitted / received between another terminal device and another Web server.

  FIG. 5 is a diagram illustrating a time difference between messages. FIG. 5A illustrates the normal system time difference T1. FIG. 5B illustrates an interruption system time difference T2. FIG. 5C illustrates a case where neither the normal system nor the interrupted system is applicable.

  In FIG. 5A, a request message R11 and a response message R12 are shown. The request message R11 is a request that the terminal device 21 transmits to the Web server 200. The request message R11 is composed of a plurality of request packets. The response message R12 is a response in which the Web server 200 responds to the terminal device 21 with respect to the request message R11. The response message R12 is composed of a plurality of response packets.

  Here, the normal system time difference T1 is a time difference between the request message R11 and the response message R12. Specifically, it is the difference between the time when the last packet constituting the request message R11 is obtained and the time when the first packet constituting the response message R12 is obtained. When there is a response message R12 corresponding to the request message R11, the analysis apparatus 100 calculates a normal system time difference T1 for the normal pair based on the time difference between the two messages R11 and R12. The normal system time difference T1 can be associated with the execution time from the start to the completion of the process executed on the Web server 200 by the request message R11.

  FIG. 5B shows a request message R21 and an RST packet P1. The request message R21 corresponds to the request message R11. The RST packet P1 is a session disconnection packet that the terminal device 21 transmits to the Web server 200. When the terminal device 21 transmits the RST packet P1, the session between the terminal device 21 and the Web server 200 is forcibly disconnected. As a result, the transaction established in the Web server 200 via the session is interrupted.

  Here, the interruption time difference T2 is a time difference between the request message R21 and the RST packet P1. Specifically, the interruption system time difference T2 is a difference between the time when the last packet constituting the request message R21 is acquired and the time when the RST packet P1 is acquired. When the response message corresponding to the request message R21 does not exist and the RST packet P1 exists, the analysis apparatus 100 calculates the suspension system time difference T2 for the suspension pair based on the time difference between the messages R21 and P1. For the above-described reason, the suspension system time difference T2 can be associated with the execution time from the start to the suspension of the processing being executed in the Web server 200 by the request message R21.

  FIG. 5C shows a request message R31, a response message R32, and an RST packet P2. The request message R31 corresponds to the request message R11. The response message R32 is a part of a response that the Web server 200 responds to the terminal device 21 with respect to the request message R31. The RST packet P2 is a session disconnection packet that the terminal device 21 transmits to the Web server 200 during the transmission of the response message R32.

  Thus, the Web server 200 may receive the RST packet P2 from the terminal device 21 during transmission of the response message R32. In this case, since the analysis device 100 cannot acquire the response message R32, it is excluded from the analysis processing target. This is because the analysis device 100 cannot completely acquire a packet for assembling the response message R32 and cannot restore the message for the message. Therefore, in this case, message restoration is not performed for the response message R32 and the RST packet P2. By excluding incomplete information from the analysis target in this way, the possibility of erroneously detecting an abnormality can be reduced, and the accuracy of operation monitoring can be further improved.

Next, an example of a data structure used for processing of the analysis apparatus 100 will be described.
FIG. 6 is a diagram illustrating an example of a data structure of a packet. The packet storage file 111 is a file that stores packets collected by the packet receiving unit 160. Each time the packet receiving unit 160 receives a packet, information on the newly received packet is added to the packet storage file 111. The packet storage file 111 is, for example, a binary format file.

The packet storage file 111 has a reception date storage unit 111a and a packet data storage unit 111b.
The reception date and time storage unit 111a is an area for setting the date and time when a packet stored in the packet data storage unit 111b is received. The packet receiving unit 160 stores a time stamp (for example, information indicating year / month / day / hour / minute / second) when the packet is received in the reception date / time storage unit 111a.

The packet data storage unit 111b is an area for storing the main body of the packet received by the packet receiving unit 160.
The message restoration unit 170 restores messages transmitted / received by each Web server based on the packet storage file 111 stored in the packet storage unit 110.

  FIG. 7 is a diagram illustrating a specific example of the restoration message. The restoration message 121 is generated based on the packet storage file 111 stored in the packet storage unit 110 by the message restoration unit 170 and stored in the message log storage unit 120. The restoration message 121 is data for generating a message log management table to be described later. Note that in the restoration message 121, only contents that conform to the following explanation are described, and illustrations of other messages are omitted.

Each row of the restoration message 121 includes a time field 121a, an address field 121b, and a protocol field 121c.
The time field 121a is a field indicating the time (for example, year / month / day / hour / minute / second) when the packet corresponding to the message is received. In the time field 121a, for example, time is set in units of microseconds. Here, the time set in the time field 121 a can be obtained by referring to the area of the reception date storage unit 111 a of the packet storage file 111 stored in the packet storage unit 110. Specifically, when the message is a request, it is set as the reception date and time of the last packet among a plurality of packets indicating the message in the packet storage file 111. Further, when the message is a response, the reception date and time of the first packet among a plurality of packets indicating the message in the packet storage file 111 is set.

The address field 121b is a field that indicates the IP (Internet Protocol) address and port number of the transmission source and transmission destination computers of the message.
The protocol field 121c is a field that indicates a message request / response type, a protocol, and the like.

In the following, description will be given by showing the line number attached to the restoration message 121 for convenience.
For example, in line number 1, information “2010/05/21 13: 00: 00.000000” is set in the time field 121a. This indicates that the message of line number 1 was received at that time.

  For example, in line number 1, information “1.2.3.4:1234->10.0.1:80” is set in the address field 121b. This is based on the port number “1234” of the terminal device 21 (IP address is “1.2.3.4”) and the Web server 200 (IP address is “10.0.0.11”). This indicates that a message has been transmitted to the port number “80”. The symbol “address A-> address B” is transmitted from the device indicated by A to the device indicated by B, and the symbol “address A <-address B” is indicated by A from the device indicated by B. Indicates sending a message to the device.

  For example, in line number 1, information “TCP Connect” is set in the protocol field 121c. This indicates that the message is a message for establishing a TCP session.

  Here, line numbers 2 and 3 correspond to the case of FIG. That is, the message of line number 2 corresponds to the request message R11. The message of line number 3 corresponds to the response message R12.

  Line numbers 12 and 13 correspond to the case of FIG. That is, the message of line number 12 corresponds to the request message R21. The message of line number 13 corresponds to the RST packet P1. Here, the IP address “1.2.3.5” is the IP address of the terminal device 22.

  FIG. 8 shows an example of the data structure of the message log management table. The message log management table 122 is generated by the message restoration unit 170 and stored in the message log storage unit 120. The message log management table 122 includes items of item number, date / time, message ID (IDentifier), client, server, type, protocol, and message. Information arranged in the horizontal direction of each item is associated with each other to indicate information related to one message.

  In the item number, an identification number for identifying the record is set. At the time of day, the time when the message is received is set. In the message ID, identification information for identifying a series of processes related to the message is set.

  Here, some message IDs are described as “xxxx” and “xxxx-y”. Hereinafter, the part “xxxx” is referred to as a session identification unit. The session identification unit is identification information for identifying a session established by TCP. The part “y” is referred to as a transaction identification unit. The transaction identification unit is identification information for identifying a transaction established on each Web server via the session.

  The IP address and port number of each terminal device are set in the client. The server is set with the IP address and port number of each Web server. In the type, information indicating either a request or a response is set. Information indicating a protocol such as TCP or HTTP is set in the protocol. In the message, the content of the message transmitted by the protocol is set.

  In the message log management table 122, for example, the item number is “1001”, the date and time is “2010/5/21 13: 00: 00.000000”, the message ID is “1234”, and the client is “1.2.3. 4: 1234 ”, the server is“ 10.0.0.11:80 ”, the type is“ − ”, the protocol is“ TCP ”, and the message is“ Connect ”.

  The record with the item number “1001” corresponds to the message with the row number “1” of the restoration message 121. The message restoration unit 170 adds the message ID “1234” to the message and registers it in the message log management table 122.

  In the message log management table 122, for example, the item number is “1002”, the date and time is “2010/5/21 13: 00: 00.000001”, the message ID is “1234-1”, and the client is “1. 2.3.4: 1234 ", server" 10.0.0.11:80 ", type" Request ", protocol" HTTP ", message" GET / index.html " .

  The record with the item number “1002” corresponds to the message with the row number “2” of the restoration message 121. The message restoration unit 170 adds the message ID “1234-1” to the message and registers it in the message log management table 122. Here, the session identification part “1234” of the message ID “1234-1” is the same as the record of the item number “1001”. This indicates that the HTTP message indicated by the item number “1002” is transmitted via the session established by the TCP packet indicated by the item number “1001”.

  Note that the same message ID (in this case, only the session identification unit is set) is set for the TCP “Connect” and “Close” in the same client-server pair. Further, in the same client / server pair, TCP “Connect” and “Reset” set the same message ID (in this case, only the session identification unit is provided).

  The record with the item number “1003” has the message ID “1234-1” and is the same as the message ID of the record with the item number “1002”. This indicates that the response indicated by the record of the item number “1003” is a response corresponding to the request indicated by the record of the item number “1002” and is a message related to the same transaction.

  As described above, the analysis apparatus 100 assigns the same message ID to each message transmitted and received in the order of request and response for the same set of clients and servers. Thereby, a combination of a request and a response made for processing on the Web server 200 can be clearly managed.

Note that a plurality of requests may be transmitted from the terminal device 21 to the Web server 200 as indicated by the records of the item numbers “1022” to “1025”.
The analysis apparatus 100 may give a message ID as follows assuming such a case. That is, after the analysis apparatus 100 assigns a message ID (“3235-1”) to the request received first, a different message ID (“3235-2”) is assigned to the next received request. In this example, the transaction identification unit is incremented. Further, the message ID (“3235-1”) given to the request received earlier is given to the response received first by the analysis apparatus 100, and the next message ID (“3235-2”) is given to the next received response. Is granted.

  In this way, even if a plurality of requests are transmitted from the terminal device 21 to the Web server 200, the combination of the request and the response to the request can be managed appropriately. Here, the combination of the request and the response can be managed in this way because the processing executed by the Web server 200 is generally performed in the order of the received request. That is, it is common that a response to a request transmitted first is responded first.

  Here, in the message log management table 122, the records with the item numbers “1001” to “1004” correspond to the messages with the row numbers “1” to “4” of the restoration message 121, respectively. The records with the item numbers “1011” to “1013” correspond to the messages with the row numbers “11” to “13” of the restoration message 121, respectively. The records with the item numbers “1021” to “1026” correspond to the messages with the row numbers “21” to “26” of the restoration message 121, respectively.

  FIG. 9 is a diagram illustrating a data structure example of a normal pair table. The normal pair table 131 is generated by the pair extraction unit 180 and stored in the normal pair information storage unit 130. The pair extraction unit 180 refers to the message ID, type, and protocol in the message log management table 122, and sets a pair that has the same message ID, protocol “HTTP”, type “Request”, and “Response” as a normal pair. Extract as Note that a protocol whose protocol is “TCP” is not included in a normal pair selection target. This is because the processing time of each Web server is analyzed in units of HTTP processing.

  The normal pair table 131 includes items of item number, request date / time, response date / time, message ID, client, server, protocol, request, and response. Information arranged in the horizontal direction of each item is associated with each other to indicate information regarding one normal pair.

  In the item number, an identification number for identifying the record is set. In the request date and time, the time when the message corresponding to the request in the normal pair is received is set. In the response date and time, the time when the message corresponding to the response in the normal pair is received is set. In the message ID, the message ID of the process corresponding to the record is set. The IP address and port number of each terminal device are set in the client. The server is set with the IP address and port number of each Web server. Information indicating the protocol is set in the protocol. Information indicating the content of the request is set in the request. Information indicating the content of the response is set in the response.

  In the normal pair table 131, for example, the item number is “1001”, the request date is “2010/5/21 13: 00: 00.000001”, and the response date is “2010/5/21 13: 00: 00.001001”. ”, Message ID“ 1234-1 ”, client“ 1.2.3.4:1234 ”, server“ 10.0.0.11:80 ”, protocol“ HTTP ”, request“ GET / The information “index.html” and the response “200” are set.

  The record of item number “1001” in the normal pair table 131 indicates a normal pair of request and response indicated by the records of item numbers “1002” and “1003” in the message log management table 122.

  Similarly, the record of item number “1021” in the normal pair table 131 indicates a normal pair of request and response indicated by the records of item numbers “1022” and “1023” in the message log management table 122. The record of item number “1022” in the normal pair table 131 indicates a normal pair of request and response indicated by the records of item numbers “1024” and “1025” in the message log management table 122.

  FIG. 10 is a diagram illustrating a data structure example of a normal system time difference table. The normal system time difference table 131 a is generated by the pair extraction unit 180 and stored in the normal pair information storage unit 130. The normal system time difference table 131a includes items of item number, request date and time, response date and time, message ID, client, server, protocol, and time difference. Information arranged in the horizontal direction of each item is associated with each other to indicate information regarding one normal pair.

  Here, the information set in the items of item number, request date / time, response date / time, message ID, client, server, and protocol are the same as those in the normal pair table 131, and thus description thereof is omitted.

In the time difference, a difference between the request date and time and the response date and time is set.
In the normal system time difference table 131a, for example, the item number is “1001”, the request date is “2010/5/21 13: 00: 00.000001”, and the response date is “2010/5/21 13:00:00. 00101 ”, message ID“ 1234-1 ”, client“ 1.2.3.4:1234 ”, server“ 10.0.0.11:80 ”, protocol“ HTTP ”, time difference“ 0 ” .001000 "(seconds) information is set. This indicates that the time difference between the request and the response is “0.001000” seconds for the normal pair corresponding to the record of the item number “1001”. This time difference can be calculated from the difference between the time set for the request date and time and the time set for the response date. This time difference can be associated with the processing time in the Web server 200 (or a series of processing times by the Web server 200, the AP servers 500 and 600, and the DB server 700).

  FIG. 11 is a diagram illustrating an example of the data structure of the interruption pair table. The suspended pair table 141 is generated by the pair extraction unit 180 and stored in the suspended pair information storage unit 140. When the RST packet is received, the pair extraction unit 180 refers to the message log management table 122 and detects a request having no response paired with the same session identification unit of the message ID as the RST packet. Then, the request and the RST packet are extracted as an interrupted pair.

  The interruption pair table 141 includes items of item number, request date / time, interruption date / time, message ID, client, server, protocol, request, and message. Information arranged in the horizontal direction of each item is associated with each other to indicate information regarding one interrupted pair.

  Here, the contents of the data set in the item number, request date / time, message ID, client, server, protocol, and request items are the same as those in the normal pair table 131, and thus description thereof is omitted.

The time when the RST packet is received is set as the suspension date and time. In the message, “Reset” indicating that the RST flag of the packet is on is set.
In the suspended pair table 141, for example, the item number is “1001”, the request date and time is “2010/5/21 13: 00: 01.000001”, and the response date and time is “2010/5/21 13: 00: 31.000001”. ”, Message ID“ 2234-1 ”, client“ 1.2.3.5:1234 ”, server“ 10.0.0.11:80 ”, protocol“ HTTP ”, request“ GET / Information indicating “index.html” and a message “Reset” is set.

  The record of the item number “1001” in the interruption pair table 141 indicates an interruption pair of the request and the RST packet indicated by the records of the item numbers “1012” and “1013” in the message log management table 122.

  FIG. 12 is a diagram illustrating an example of a data structure of the interruption system time difference table. The suspended system time difference table 141 a is generated by the pair extracting unit 180 and stored in the suspended pair information storage unit 140. The interruption system time difference table 141a is provided with items indicating item number, request date and time, interruption date and time, message ID, client, server, protocol, and time difference. Information arranged in the horizontal direction of each item is associated with each other to indicate information regarding one interrupted pair.

  Here, the contents of the data set in the items of item number, request date / time, interruption date / time, message ID, client, server, and protocol are the same as those in the interruption pair table 141, and thus description thereof is omitted.

As the time difference, a difference between the request date and time and the suspension date and time is set.
In the suspension system time difference table 141a, for example, the item number is “1001”, the request date is “2010/5/21 13: 00: 01.00001”, and the response date is “2010/5/21 13:00:31. “000001”, message ID “2234-1”, client “1.2.3.5:1234”, server “10.0.0.11:80”, protocol “HTTP”, time difference “30” Information of .000000 "(seconds) is set. This indicates that the time difference between the request and the RST packet is “30.000000” seconds for the interrupted pair corresponding to the record of the item number “1001”. This time difference can be calculated from the difference between the time set for the request date and time and the time set for the interruption date. This time difference can be associated with the processing time until interruption in the Web server 200 (or a series of processing times by the Web server 200, the AP servers 500 and 600, and the DB server 700).

Next, the processing procedure of the analysis apparatus 100 will be described.
FIG. 13 is a flowchart showing the pair extraction process. Hereinafter, each process is demonstrated along a step number.

  [Step S11] The packet receiver 160 receives a packet from the load balancer 10. The packet receiving unit 160 adds the reception date and time to the received packet, adds the received date and time to the packet storage file 111, and stores the packet in the packet storage unit 110.

  [Step S12] The message restoration unit 170 refers to the packet storage unit 110 to determine whether or not the RST flag of the newly received packet is on, that is, whether or not the packet is an RST packet. If it is an RST packet, the process proceeds to step S13. If it is not an RST packet, the process proceeds to step S16.

  [Step S13] The message restoration unit 170 refers to the message log management table 122 to determine whether there is a request that has not been paired with a request transmitted in the past by the terminal device that has transmitted the RST packet. judge. If it exists, the process proceeds to step S14. If not, the process proceeds to step S16.

  For example, it is assumed that an RST packet corresponding to the line number 13 of the restoration message 121 is received from the terminal device 21. In this case, there is a request with line number 12 as a request transmitted by the terminal device 21 before the RST packet and having no response. In this case, the message restoration unit 170 determines that there is a request having no paired response.

  Note that if the response to be paired is currently being assembled by accumulating packets, the existence of the request / response pair including the response is determined. For example, in consideration of the response message R32 being assembled as shown in FIG. 5C, if there is no request without a response to be paired, the process proceeds to step S16.

  [Step S14] The message restoration unit 170 generates a message indicating that the received packet is an RST packet, and registers the message in the message log management table 122 stored in the message log storage unit 120. For example, the record of item number “1013” in the message log management table 122 corresponds.

  [Step S15] The pair extraction unit 180 extracts the message indicating the RST packet and the request having no response detected in step S13 as a suspended pair, and stores the suspended pair stored in the suspended pair information storage unit 140. Register in the table 141. For example, the request with the item number “1012” and the RST packet with the item number “1013” in the message log management table 122 are extracted as an interrupted pair. This corresponds to the record of the item number “1001” in the interruption pair table 141. Then, the process proceeds to step S21.

[Step S16] The message restoration unit 170 attempts to assemble a message using a newly received packet and a received packet.
When the RST packet is received during the assembly of the response between each terminal device and each Web server and the assembly is interrupted, the message restoration unit 170 receives the response during the assembly and the received RST packet. Is discarded.

  [Step S17] The message restoration unit 170 determines whether the message has been restored by the received packet. If the message can be restored, the process proceeds to step S18. If the message has not been restored, the process is completed after waiting for reception of the next packet.

[Step S18] The message restoration unit 170 registers the newly restored message in the message log management table 122.
[Step S19] The pair extraction unit 180 refers to the message log management table 122 to determine whether or not the registered message is a response. If it is a response, the process proceeds to step S20. If it is not a response, the process is completed.

  [Step S20] The pair extraction unit 180 extracts a request having the same message ID as the response as a normal pair, and registers the request in the normal pair table 131 stored in the normal pair information storage unit 130. For example, the request with the item number “1002” and the response with the item number “1003” in the message log management table 122 are extracted as a normal pair. This corresponds to the record of item number “1001” in the normal pair table 131.

  [Step S21] The pair extraction unit 180 calculates a time difference for the newly extracted normal pair or interrupted pair. The pair extraction unit 180 registers the calculated time difference in the normal system time difference table 131a or the interrupted system time difference table 141a.

  In this way, the pair extraction unit 180 extracts a normal pair and an interrupted pair based on the message log management table 122. Further, for each message of the normal pair, a time difference T1 between the request and the response is calculated, and a normal system time difference table 131a is generated. Also, for each message in the suspended pair, a time difference T2 between the request and the RST packet is calculated, and an interrupted system time difference table 141a is generated.

  The analysis unit 190 can detect an abnormality of each Web server based on these pieces of information. Next, analysis processing for that purpose will be described. The following processing is started at a predetermined cycle. Or you may perform, for example, when the predetermined operation of a system administrator is received.

FIG. 14 is a flowchart illustrating analysis processing according to the second embodiment. Hereinafter, each process is demonstrated along a step number.
[Step S31] The analysis unit 190 acquires the normal system time difference table 131a stored in the normal pair information storage unit 130.

[Step S <b> 32] The analysis unit 190 acquires the interrupted system time difference table 141 a stored in the interrupted pair information storage unit 140.
[Step S33] The analysis unit 190 selects a Web server to be analyzed. For example, a Web server to which an RST packet is transmitted is set as an analysis target. In addition, for example, one of the Web servers associated with the received URL may be sequentially selected as an analysis target.

  [Step S34] The analysis unit 190 calculates a frequency distribution (normal system time difference distribution) of the time difference T1 for the selected Web server based on the normal system time difference table 131a. Further, the analysis unit 190 calculates a frequency distribution (interrupt system time difference distribution) of the time difference T2 for the selected Web server based on the interrupt system time difference table 141a. The analysis unit 190 can appropriately refer to the time difference information of the target Web server by the IP address set in the server item of the normal time difference table 131a and the interrupt time difference table 141a.

  [Step S <b> 35] The analysis unit 190 obtains a time difference value S <b> 1 from the time difference 0 to a predetermined percentile (X percentile) for the normal system time difference distribution. Here, X can be appropriately determined depending on the operation status of the system. For example, X = 90. The value of X is stored in advance in the control information storage unit 150, and the analysis unit 190 can refer to this.

[Step S36] The analysis unit 190 obtains the next determination value S2 for the interruption time difference distribution.
S2 = (Average value of interrupted time difference distribution) + Constant P
Here, the constant P can be appropriately determined according to the operation status of the system. For example, P = α × (standard deviation of interruption system time difference distribution). However, the coefficient α is a real number of −1 or more and 1 or less. The value of α is stored in advance in the control information storage unit 150, for example, and can be referred to by the analysis unit 190. Further, instead of the average value of the interruption time difference distribution, another reference value determined for the distribution may be used. For example, a median value or a mode value may be used.

  [Step S37] The analysis unit 190 determines whether or not S1 ≦ S2. If S1 ≦ S2, the process proceeds to step S38. If S1> S2, the process is completed. Here, S1 ≦ S2 indicates that the value of the time difference included in the interruption time difference distribution is the same as or larger than that of the normal time difference distribution. On the other hand, S1> S2 indicates that the value of the time difference included in the interruption time difference distribution is within an allowable range as compared with the normal time difference distribution.

  [Step S38] The analysis unit 190 notifies the notification unit 195 that an abnormality has occurred with respect to the Web server to be analyzed. The notification unit 195 notifies the abnormality of the Web server based on this notification. The notification unit 195 notifies the abnormality by a method such as sending an e-mail to an administrator of the information processing system, recording the abnormality in an operation management log, or sounding an alarm lamp or a speaker.

  [Step S39] The analysis unit 190 determines whether there is another Web server to be analyzed. If it exists, the process proceeds to step S33. If not, complete the process.

In this way, the analysis unit 190 can detect an abnormality of each Web server based on the normal system time difference distribution and the interrupt system time difference distribution. Next, a specific example of the analysis process will be described.
FIG. 15 is a diagram illustrating a specific example of analysis processing according to the second embodiment. A graph 810 illustrated in FIG. 15A illustrates the time difference distribution at the normal time. A graph 820 illustrated in FIG. 15B illustrates the time difference distribution at the time of abnormality. In the following description, it is assumed that X = 90 (percentile), P = α × (standard deviation of interrupted time difference distribution), and α = + 1 are stored in the control information storage unit 150 in advance.

  A graph 810 in FIG. 15A shows a normal system time difference distribution 811 and an interrupted system time difference distribution 812. In the normal system time difference distribution 811, it is assumed that the time difference S1 that is the 90th percentile is 9.4 seconds. In the interruption system time difference distribution 812, it is assumed that the S2 value is 4.8 seconds. Then, since S1> S2, the analysis unit 190 does not determine that this state is abnormal.

  The reason why this case is not determined to be abnormal is that the delay on the Web server side is often not reflected in the transmission of the RST packet. More specifically, there may be cases where the user selects the wrong link, selects the wrong data, or the like. That is, in such a case, the user can recognize his / her erroneous operation and often causes the browser to immediately transmit an RST packet to cancel the erroneous operation.

  A graph 820 in FIG. 15B shows a normal system time difference distribution 821 and an interrupted system time difference distribution 822. In the normal system time difference distribution 821, the time difference S1 that is the 90th percentile is assumed to be 9.4 seconds. In the interruption system time difference distribution 822, it is assumed that the S2 value is 9.8 seconds. Then, since S1 ≦ S2, the analysis unit 190 determines that this state is abnormal. Then, the notification unit 195 is notified of the abnormality.

As described above, the analysis apparatus 100 detects an abnormality of each Web server based on the packet received from the load distribution apparatus 10.
As described above, the analysis apparatus 100 includes the event of processing interruption in each Web server that has been conventionally overlooked as an operation monitoring target. Thereby, the accuracy of operation monitoring of each Web server can be improved. As a result, more accurate abnormality detection is possible.

  Further, when the Web server receives an RST packet while each Web server is transmitting a response, the analysis apparatus 100 excludes the response and the RST packet from the analysis target. In this way, the accuracy of operation monitoring can be further improved by excluding incomplete messages from the analysis target.

  Note that if an RST packet is received while each Web server is transmitting a response, it is unlikely that this is due to a processing delay of the Web server 200. For example, there is a possibility that the purpose is to stop processing due to an erroneous operation of the user, such as when the user selects an incorrect link on the browser or tries to open an incorrect file. For this reason, the analysis process may be performed by treating the case where an RST packet is received while each Web server is transmitting a response as a normal system.

[Third Embodiment]
Hereinafter, the third embodiment will be described in detail with reference to the drawings. Differences from the second embodiment will be mainly described, and description of similar matters will be omitted.

  The third embodiment assumes a case where processing corresponding to the same URL is executed by any of a plurality of servers. For example, content corresponding to the same URL is stored in the Web servers 200, 300, and 400, and the load distribution apparatus 10 distributes the content acquisition request specifying the corresponding URL to one of the Web servers 200, 300, and 400. This is the case. In such a case, for a single URL, there are a plurality of servers that execute the processing of that URL. Therefore, in the third embodiment, an interruption system time difference distribution in URL units is obtained. Then, a function for detecting an abnormality is provided by comparing the interruption system time difference distribution with the interruption system time difference distribution for each real server associated with the URL.

  Here, the overall configuration of the information processing system according to the third embodiment and the hardware configuration of the analysis apparatus are the same as the overall configuration of the information processing system according to the second embodiment described with reference to FIGS. Since the hardware configuration is the same, the description thereof is omitted.

  The functional configuration of the analysis apparatus according to the third embodiment is the same as the functional configuration of the analysis apparatus 100 according to the second embodiment described with reference to FIG. For this reason, the analysis apparatus according to the third embodiment will be described using the same reference numerals as those used for the components of the analysis apparatus 100. However, the function of the analysis unit 190 is different. The processing function of the analysis unit 190 of the third embodiment will be described in detail with reference to FIG.

  FIG. 16 is a diagram illustrating an example of a data structure of the URL management table according to the third embodiment. The URL management table 151 is stored in advance in the control information storage unit 150. The URL management table 151 includes items indicating a service providing URL, a server name, and a server address. Information arranged in the horizontal direction of each item indicates information related to one server.

  In the service provision URL, a URL for accessing the service is set. In the server name, the name of each Web server is set. As the server address, the IP address of each Web server is set.

  In the URL management table 151, for example, information that the service providing URL is “(domain name) / service” is set. In the “domain name”, a domain name assigned to a service function such as content distribution provided by the plurality of Web servers 200, 300, and 400 is set. The information set in the URL management table 151 indicates a common URL and IP address for accessing a service provided by the Web server 200, 300, 400. In the following description, this URL is abbreviated as “URL-A”. Further, in the URL management table 151, for example, information that the server name is “Server A1” and the server address is “10.0.0.11:80” is set. This indicates the server name and server address of the Web server 200 associated with “URL-A”.

“Server A2” corresponds to the Web server 300. “Server A3” corresponds to the Web server 400.
Thus, for each service provided by the information processing system, the URL and the corresponding Web server are defined in the URL management table 151.

  Next, a processing procedure of the analysis apparatus 100 according to the third embodiment will be described. Here, the pair extraction process is the same as the pair extraction process of the second embodiment shown in FIG. The analysis apparatus 100 performs the following analysis process using the interrupted pair obtained by the pair extraction process.

FIG. 17 is a flowchart illustrating analysis processing according to the third embodiment. Hereinafter, each process is demonstrated along a step number.
[Step S41] The analysis unit 190 identifies a URL to be analyzed. For example, the analysis unit 190 receives a URL selection input by the system administrator, and specifies the URL to be analyzed.

  [Step S42] The analysis unit 190 refers to the URL management table 151 stored in the control information storage unit 150, and identifies each Web server corresponding to the URL and its IP address. For example, when “URL-A” is selected, the analysis unit 190 selects the IPs of the Web servers 200, 300, and 400 corresponding to “server A1”, “server A2”, and “server A3” from the URL management table 151. Identify the address.

  [Step S43] The analysis unit 190 refers to the interrupted system time difference table 141a stored in the interrupted pair information storage unit 140, and acquires the time difference of each Web server by the specified IP address. And the analysis part 190 calculates interruption system time difference distribution per URL.

[Step S44] The analysis unit 190 obtains an average value M of the interruption time difference distribution in URL units.
[Step S45] The analysis unit 190 selects one of the Web servers corresponding to the URL as a processing target.

  [Step S46] The analysis unit 190 calculates the interruption time difference distribution of the selected Web server constituting the URL. Then, the analysis unit 190 acquires each average value m and each standard deviation d of the interruption time difference distribution of the Web server. Instead of each average value m of the interrupted time difference distribution, other reference values determined for each distribution may be used. For example, a median value or a mode value may be used.

  [Step S47] The analysis unit 190 determines whether or not the determination value md satisfies md <M + Q. Here, Q is a constant and can take an integer value of 0 or more. For example, let Q be the standard deviation of the interruption time difference distribution in URL units. Q may be a value obtained by multiplying the standard deviation by a predetermined coefficient, for example. If md <M + Q, the analysis unit 190 proceeds with the process to step S49. If not md <M + Q, the analysis unit 190 proceeds with the process to step S48.

[Step S48] The analysis unit 190 notifies the notification unit 195 that an abnormality has been detected for the Web server selected in step S45. The notification unit 195 notifies the abnormality.
[Step S49] The analysis unit 190 determines whether or not abnormality detection processing has been performed for all of the Web servers. If all have been processed, the process is completed. If there is an unprocessed Web server, the process proceeds to step S45.

  In this way, the analysis apparatus 100 compares the interruption time difference distribution in URL units with the interruption time difference distribution in Web servers constituting the URL. Then, when the interruption time difference distribution of the Web server unit does not exist within an allowable range with respect to the interruption time difference distribution of the URL unit, it is determined that the Web server is abnormal. Next, a specific example of the analysis process will be described.

  FIG. 18 is a diagram illustrating a specific example of the analysis processing according to the third embodiment. FIG. 18A illustrates an interruption system time difference distribution 830 in units of “URL-A”. FIG. 18B illustrates an interruption system time difference distribution 831 of the Web server 200 (server A1). FIG. 18C illustrates an interruption system time difference distribution 832 of the Web server 300 (server A2). In FIG. 18, the interruption system time difference distribution of the Web server 400 is not shown.

  In FIG. 18A, the interruption system time difference distribution 830 is a frequency distribution obtained by integrating the time differences of the interruption pairs acquired by the Web servers 200, 300, and 400. The interruption system time difference distribution 830 shows an average value M and a predetermined width Q of the distribution.

  In FIG. 18B, the interruption system time difference distribution 831 has an average value of m1 and a standard deviation of d1. Further, m1 and d1 are assumed to satisfy the condition of m1−d1 <M + Q. In this case, the analysis unit 190 determines that the Web server 200 is operating normally.

  In FIG. 18C, the interruption system time difference distribution 832 has an average value of m2 and a standard deviation of d2. Further, m2 and d2 are assumed to satisfy m2−d2 ≧ M + Q. That is, the condition of md <M + Q is not satisfied. In this case, the analysis unit 190 determines that the interruption time difference distribution 832 exceeds the allowable time difference and an abnormality has occurred in the Web server 300. Then, the analysis unit 190 causes the notification unit 195 to notify the abnormality of the Web server 300.

As described above, the interruption pairs acquired by the respective Web servers are combined and analyzed in units of URLs, so that an abnormality of each Web server corresponding to the URL can be easily detected.
In addition to the analysis processing of the second embodiment, the analysis processing of the third embodiment can also be performed. For example, the analysis unit 190 collates the analysis result of the second embodiment with the analysis result of the third embodiment, and informs the notification unit 195 about the Web server that is abnormal in both analysis results. An alert output can be instructed. As a result, the accuracy of abnormality detection can be further improved as compared with the determination based on one of the analysis results.

[Fourth Embodiment]
Hereinafter, the fourth embodiment will be described in detail with reference to the drawings. Differences from the second and third embodiments will be mainly described, and description of similar matters will be omitted.

  In the fourth embodiment, the frequency distribution of the number of occurrences of interrupted pairs (interrupt times) is acquired for each URL. Also, the frequency distribution of the number of interruptions is acquired for each Web server constituting the URL. And the function which detects abnormality of each Web server by comparing both frequency distribution is provided.

  Here, the overall configuration of the information processing system according to the fourth embodiment and the hardware configuration of the analysis apparatus are the same as the overall configuration of the information processing system according to the second embodiment described with reference to FIGS. Since the hardware configuration is the same, the description thereof is omitted.

  The functional configuration of the analysis apparatus according to the fourth embodiment is the same as the functional configuration of the analysis apparatus 100 according to the second embodiment described with reference to FIG. For this reason, the analysis apparatus according to the fourth embodiment will be described using the same reference numerals as those used for the components of the analysis apparatus 100. However, the function of the analysis unit 190 is different. The processing functions of the analysis unit 190 according to the fourth embodiment will be described in detail with reference to FIG.

Furthermore, it is assumed that the URL management table 151 described with reference to FIG.
FIG. 19 is a diagram illustrating an example of a data structure of the interruption count table according to the fourth embodiment. The interruption count tables 142, 142 a and 142 b are generated by the analysis unit 190 and stored in the interruption pair information storage unit 140. The analysis unit 190 refers to the suspended pair table 141 stored in the suspended pair information storage unit 140 and generates the number of suspended times tables 142, 142a, 142b by counting the number of suspended pairs per unit time. Can do.

  The interruption count table 142 is a table indicating the interruption count of the Web server 200. The interruption count table 142 a is a table indicating the number of interruptions of the Web server 300. The interruption count table 142b is a table indicating the number of interruptions of the Web server 400.

Hereinafter, the interruption number table 142 will be described, but the interruption number tables 142a and 142b are the same as the interruption number table 142.
The interruption count table 142 is provided with items indicating the item number, time zone, server, and frequency. Information arranged in the horizontal direction of each item is associated with each other to indicate the number of interruptions per unit time of one Web server.

  In the item number, a number for identifying the record is set. In the time zone, a period in which the number of interruptions is counted is set. In the server, the IP address of the corresponding Web server is set. The number of interruptions is set to the number of interruptions per time slot.

  In the interruption count table 142, for example, the item number is “101”, the time zone is “2010/5/21 13: 00: 00.000000 to 13: 00: 59.99999999”, and the server is “10.0.0”. .11: 80 ”and information“ 10 ”(times) are set.

This indicates that the RST packet accompanied by the processing interruption is transmitted “10” times from each terminal device to the Web server 200 in the time period.
Next, a processing procedure of the analysis apparatus 100 according to the fourth embodiment will be described. Here, the pair extraction process is the same as the pair extraction process of the second embodiment shown in FIG.

  The analysis unit 190 refers to the interrupted pair table 141 obtained by the pair extraction process, generates the interrupt count tables 142, 142a, 142b, and stores them in the interrupted pair information storage unit 140 in advance.

FIG. 20 is a flowchart illustrating analysis processing according to the fourth embodiment. Hereinafter, each process is demonstrated along a step number.
[Step S51] The analysis unit 190 identifies a URL to be analyzed. For example, the analysis unit 190 receives a URL selection input by the system administrator, and specifies the URL to be analyzed.

  [Step S52] The analysis unit 190 refers to the URL management table 151 stored in the control information storage unit 150, and identifies each Web server corresponding to the URL to be analyzed and its IP address. For example, when “URL-A” is selected, the analysis unit 190 selects the IPs of the Web servers 200, 300, and 400 corresponding to “server A1”, “server A2”, and “server A3” from the URL management table 151. Identify the address.

  [Step S53] The analysis unit 190 refers to the interruption count tables 142, 142a, and 142b stored in the interruption pair information storage unit 140, and acquires the interruption count of each Web server. A period to be analyzed (for example, the past 1 hour, the past 1 day, etc.) is preset in the control information storage unit 150. The analysis unit 190 may acquire the number of interruptions obtained within the analysis target period. Then, the analysis unit 190 calculates the frequency distribution of the number of interruptions per unit time in URL units.

[Step S54] The analysis unit 190 acquires an average value M and a standard deviation D for the frequency distribution of the number of interruptions obtained for each URL.
[Step S55] The analysis unit 190 calculates the frequency distribution of the number of interruptions per unit time in each Web server. The frequency distribution of the number of interruptions in each Web server may be obtained for the same analysis target period as the frequency distribution of the number of interruptions in units of URLs, or may be shorter than that. For example, if the frequency distribution of the number of interruptions is acquired for each Web server for a period such as the past 1 minute to 5 minutes, the presence or absence of the latest abnormality of each Web server can be analyzed in real time.

  [Step S56] Based on the frequency distribution calculated in step S55 for each Web server, the analysis unit 190 determines whether there is a Web server with the number of interruptions equal to or greater than M + K (K is a constant). If it exists, the process proceeds to step S58. If not, the process proceeds to step S57. Here, K is defined in advance according to the operating status of the system. For example, K = 2 × D.

  [Step S57] Based on the frequency distribution calculated in step S55 for each Web server, the analysis unit 190 has half the number of Web servers whose Web server number of interruptions is equal to or greater than M + L (L is a constant L <K) corresponding to the URL. It is determined whether or not it exists. If more than half are present, the process proceeds to step S58. If more than half do not exist, the process is completed. Here, L is defined in advance according to the operating status of the system. For example, L = D.

  [Step S58] The analysis unit 190 notifies the notification unit 195 that an abnormality has occurred in the Web server that satisfies the conditions in step S56 or step S57. The notification unit 195 notifies that an abnormality has occurred in the notified Web server.

  In this way, the analysis device 100 compares the frequency distribution of the number of interruptions in URL units with the frequency distribution of the number of interruptions in Web server units corresponding to the URL. Then, it is determined that an abnormality has occurred in the Web server in which the interrupted pair has occurred exceeding the threshold obtained from the frequency distribution of the number of interruptions in URL units.

Next, a specific example of the analysis process will be described.
FIG. 21 is a first diagram illustrating a specific example of analysis processing according to the fourth embodiment. FIG. 21A illustrates the frequency distribution 840 of the number of interruptions in units of “URL-A”. FIG. 21B illustrates a frequency distribution 841 of the number of interruptions of the Web server 200 (server A1). In FIG. 21, the frequency distribution of the number of interruptions of the Web servers 300 and 400 is not shown.

Here, it is assumed that the threshold value K = M + 2 × standard deviation D and the threshold value L = M + standard deviation D.
In FIG. 21A, a frequency distribution 840 is a frequency distribution obtained by summing up the number of occurrences of interrupted pairs per unit time acquired by the Web servers 200, 300, and 400. The frequency distribution 840 shows the average value M and the standard deviation D. Further, threshold value K = M + 2 × D and threshold value L = M + D are shown.

  In FIG. 21B, it can be seen that in the frequency distribution 841, the number of interruptions greater than or equal to the threshold value K occurs. In this case, the analysis unit 190 determines that an abnormality has occurred in the Web server 200. Then, the analysis unit 190 causes the notification unit 195 to notify the abnormality of the Web server 200.

  FIG. 22 is a second diagram illustrating a specific example of analysis processing according to the fourth embodiment. FIG. 22A illustrates the frequency distribution 850 of the number of interruptions of “URL-A”. FIG. 22B illustrates a frequency distribution 851 of the number of interruptions of the Web server 200 (server A1). FIG. 22C illustrates a frequency distribution 852 of the number of interruptions of the Web server 300 (server A2). In FIG. 22, the frequency distribution of the number of interruptions of the Web server 400 is not shown.

Here, as in FIG. 21, the threshold value K = M + 2 × standard deviation D and the threshold value L = M + standard deviation D are set.
In FIG. 22A, the frequency distribution 850 is a frequency distribution obtained by summing up the number of occurrences of interrupted pairs per unit time acquired by the Web servers 200, 300, and 400. The frequency distribution 850 shows the average value M and the standard deviation D. Further, threshold value K = 2 × D and threshold value L = D are shown.

In FIG. 22B, it can be seen that the number of interruptions equal to or greater than the threshold value K does not occur in the frequency distribution 851. Further, it can be seen that the number of interruptions equal to or greater than the threshold value L has occurred.
In FIG. 22C, it can be seen that in the frequency distribution 852, the number of interruptions greater than or equal to the threshold value K has not occurred. Further, it can be seen that the number of interruptions equal to or greater than the threshold value L has occurred.

  In this case, the analysis unit 190 confirms that there are two of the three web servers that constitute “URL-A”, that is, half or more of all the web servers, that have generated the number of interruptions equal to or greater than the threshold L. Is detected. Then, the analysis unit 190 determines that an abnormality has occurred in the corresponding Web servers 200 and 300. Then, the analysis unit 190 causes the notification unit 195 to notify the abnormality of the Web servers 200 and 300.

Next, a specific example in which an abnormality is detected by acquiring the number of interruptions in the latest time zone of each Web server will be described.
FIG. 23 is a third diagram illustrating a specific example of analysis processing according to the fourth embodiment. A graph 860 in FIG. 23A indicates the number of interruptions that have occurred in the Web servers 200, 300, and 400 in the past one minute of “2010/5/21 13:00:00 to 13:00:59”. A graph 870 in FIG. 23B shows the number of interruptions that have occurred in the Web servers 200, 300, and 400 in the past one minute of “2010/5/21 14:00:00 to 14:00:59”.

  It is assumed that the frequency distribution of the number of interruptions is obtained for the past analysis target period in units of “URL-A”, and the average value M and the standard deviation D are acquired. Further, it is assumed that the threshold value K = M + 2D and the threshold value L = M + D.

  In FIG. 23A, in the example of the graph 860, the number of interruptions of the Web server 400 exceeds the threshold value K in the time period. For this reason, the analysis unit 190 determines that an abnormality has occurred in the Web server 400. Then, the analysis unit 190 causes the notification unit 195 to notify the abnormality of the Web server 400.

  23B, in the example of the graph 870, the number of interruptions of the Web servers 200, 300, and 400 does not exceed the threshold value K. On the other hand, the number of interruptions of the Web servers 200 and 300 exceeds the threshold value L in the time period. In this case, the analysis unit 190 confirms that there are two of the three servers that constitute “URL-A”, that is, the number of interruptions equal to or greater than the threshold L, that is, more than half of all the Web servers. Detect. Then, the analysis unit 190 determines that an abnormality has occurred in the corresponding Web servers 200 and 300. Then, the analysis unit 190 causes the notification unit 195 to notify the abnormality of the Web servers 200 and 300.

  As described above, for each Web server, the number of interruptions in the most recent time zone is acquired and compared with the threshold values K and L, whereby abnormality detection can be performed in real time for each Web server.

  In the graph 860, an abnormality is detected when the number of interruptions equal to or greater than the threshold value K occurs once, but the condition may be further improved to improve the accuracy of abnormality detection. For example, the Web server that continuously acquires the graph 860 for a predetermined period and continuously exceeds the threshold value K a plurality of times may be determined to be abnormal.

  Alternatively, the graph 860 may be acquired at a predetermined period, and a Web server that has exceeded the threshold number of times within a certain period may be determined to be abnormal. For example, when the number of interruptions exceeding the threshold value K occurs three times in 10 minutes, it may be determined as abnormal.

As described above, the interruption pairs acquired by the respective Web servers are combined and analyzed in units of URLs, so that an abnormality of each Web server corresponding to the URL can be easily detected.
In addition to the analysis processing of the second and third embodiments, the analysis processing of the fourth embodiment can also be performed. For example, the analysis unit 190 collates the analysis result of the second embodiment, the analysis result of the third embodiment, and the analysis result of the fourth embodiment, and determines that all the analysis results are abnormal. The alert unit 195 can be instructed to output an alert for the web server that has been sent. As a result, the accuracy of abnormality detection can be further improved as compared with any one of the analysis results.

  Note that by performing operation monitoring using the analysis apparatus 100 described in the second to fourth embodiments, it is not necessary to incorporate a function for detecting an abnormality individually in each Web server. Therefore, the introduction cost of the monitoring function can be reduced. Further, it is not necessary to execute detection processing on each Web server. Therefore, the influence on the original processing of each Web server can be reduced. For this reason, there is an advantage that the integrated management of the entire information processing system can be efficiently performed as compared with the case where abnormality detection is performed by individual servers as in the prior art.

Regarding the above embodiment, the following additional notes are disclosed.
(Supplementary Note 1) Acquire communication information transmitted and received between a plurality of terminal devices and an information processing device, store the communication information in a storage unit,
When the acquired communication information is a process interruption request, communication information indicating an execution request for the process interrupted by the interruption request is extracted from the storage unit, and information indicating a combination of the interruption request and the execution request Generate some interrupted pair information and store it in the storage means,
Analyzing the execution status of the processing by the information processing apparatus using the interrupted pair information stored in the storage means;
An analysis program characterized by causing a computer to execute processing.

(Additional remark 2) It is the execution request which the terminal device which transmitted the said interruption request | requirement transmitted to the said information processing apparatus before the said interruption request with reference to the communication history memorize | stored in the said memory | storage means, Comprising: The interrupt pair information is generated by extracting an execution request in which a processing response has not been transmitted from the information processing apparatus to the terminal apparatus that has transmitted the interrupt request in response to the request.
The analysis program according to appendix 1, which causes a computer to execute processing.

(Additional remark 3) When the acquired communication information is a process response, the communication information which shows the execution request of the process corresponding to the said process response is extracted from the said memory | storage means, and the information which shows the combination of the said process response and the said execution request Normal pair information is generated and stored in the storage means,
Using the interrupted pair information stored in the storage unit and the normal pair information stored in the storage unit, an abnormality in processing by the information processing apparatus is detected.
The analysis program according to any one of appendix 1 or 2, which causes a computer to execute processing.

(Supplementary Note 4) A predetermined time difference threshold value is calculated based on a first time difference distribution indicating a time difference distribution between an execution request and a processing response included in each of the plurality of normal pair information stored in the storage unit,
A predetermined determination value is calculated based on a second time difference distribution indicating a time difference distribution between the execution request and the interruption request included in each of the plurality of interruption pair information stored in the storage unit;
Detecting the information processing apparatus as abnormal when the determination value is equal to or greater than the time difference threshold;
The analysis program according to appendix 3, which causes a computer to execute processing.

(Supplementary Note 5) The analysis program according to Supplementary Note 4, wherein the determination value is a value calculated based on a predetermined reference value of the second time difference distribution.
(Additional remark 6) The said interruption pair information is matched with each of several said information processing apparatus which provides a predetermined | prescribed service, and is stored in the said memory | storage means,
A third time difference distribution indicating a time difference distribution between the execution request and the interruption request included in each of the interruption pair information regarding the plurality of information processing apparatuses, and information on an analysis target that is any one of the plurality of information processing apparatuses Detecting an abnormality in the information processing apparatus to be analyzed by comparing the execution request included in each of the interrupt pair information related to the processing device and a fourth time difference distribution indicating the distribution of the time difference between the interrupt requests;
The analysis program according to any one of appendix 1 or 2, which causes a computer to execute processing.

(Supplementary note 7) Based on the third time difference distribution, a predetermined time difference threshold is calculated,
Based on the fourth time difference distribution, a predetermined determination value is calculated,
When the determination value is equal to or greater than the time difference threshold, the information processing apparatus to be analyzed is detected as abnormal.
The analysis program according to appendix 6, characterized by causing a computer to execute processing.

(Supplementary note 8) The analysis program according to supplementary note 7, wherein the determination value is a value calculated based on a predetermined reference value of the fourth time difference distribution.
(Additional remark 9) The said interruption pair information is matched with each of several said information processing apparatus which provides a predetermined | prescribed service, and is stored in the said memory | storage means,
Calculating a frequency distribution indicating an acquisition frequency per unit time of interrupted pair information related to a plurality of the information processing devices, calculating a predetermined interrupt frequency threshold based on the frequency distribution,
Detecting an abnormality of each of the plurality of information processing devices based on the number of acquisitions of the interrupted pair information for each of the plurality of information processing devices in a predetermined period and the threshold for the number of interruptions.
The analysis program according to any one of appendix 1 or 2, which causes a computer to execute processing.

(Additional remark 10) The receiving means which acquires the communication information transmitted / received between several terminal devices and information processing apparatus, and stores it in a memory | storage means,
When the acquired communication information is a process interruption request, communication information indicating an execution request for the process interrupted by the interruption request is extracted from the storage unit, and information indicating a combination of the interruption request and the execution request Extraction means for generating certain interrupted pair information and storing it in the storage means;
Analyzing means for analyzing the execution status of the processing by the information processing apparatus using the interrupted pair information stored in the storage means;
The analysis apparatus characterized by having.

(Appendix 11) The analysis device is
Acquire communication information transmitted and received between the plurality of terminal devices and the information processing device, and store in the storage means,
When the acquired communication information is a process interruption request, communication information indicating an execution request for the process interrupted by the interruption request is extracted from the storage unit, and information indicating a combination of the interruption request and the execution request Generate some interrupted pair information and store it in the storage means,
Analyzing the execution status of the processing by the information processing apparatus using the interrupted pair information stored in the storage means;
An analysis method characterized by that.

DESCRIPTION OF SYMBOLS 1 Analysis apparatus 1a Memory | storage means 1b Reception means 1c Extraction means 1d Analysis means 2 Information processing apparatus 3, 4 Terminal device 5 Communication history 5a, 5c Execution request 5b Processing response 5d Interruption request 6, 6a Interruption pair information 7, 7a Normal pair information Ta, Tb time difference

Claims (7)

Acquire communication information transmitted and received between the plurality of terminal devices and the information processing device, and store in the storage means,
When the acquired communication information is a process interruption request, communication information indicating an execution request for the process interrupted by the interruption request is extracted from the storage unit, and information indicating a combination of the interruption request and the execution request Generate some interrupted pair information and store it in the storage means,
Analyzing the execution status of the processing by the information processing apparatus using the interrupted pair information stored in the storage means;
An analysis program characterized by causing a computer to execute processing. When the acquired communication information is a process response, communication information indicating an execution request for the process corresponding to the process response is extracted from the storage unit, and a normal pair that is information indicating a combination of the process response and the execution request Information is generated and stored in the storage means;
Using the interrupted pair information stored in the storage unit and the normal pair information stored in the storage unit, an abnormality in processing by the information processing apparatus is detected.
The analysis program according to claim 1, which causes the computer to execute processing. A predetermined time difference threshold is calculated based on a first time difference distribution indicating a time difference distribution between an execution request and a processing response included in each of the plurality of normal pair information stored in the storage unit;
A predetermined determination value is calculated based on a second time difference distribution indicating a time difference distribution between the execution request and the interruption request included in each of the plurality of interruption pair information stored in the storage unit;
Detecting the information processing apparatus as abnormal when the determination value is equal to or greater than the time difference threshold;
The analysis program according to claim 2, which causes the computer to execute processing. The suspended pair information is stored in the storage means in association with each of the plurality of information processing devices that provide a predetermined service,
A third time difference distribution indicating a time difference distribution between the execution request and the interruption request included in each of the interruption pair information regarding the plurality of information processing apparatuses, and information on an analysis target that is any one of the plurality of information processing apparatuses Detecting an abnormality in the information processing apparatus to be analyzed by comparing the execution request included in each of the interrupt pair information related to the processing device and a fourth time difference distribution indicating the distribution of the time difference between the interrupt requests;
The analysis program according to claim 1, which causes the computer to execute processing. The suspended pair information is stored in the storage means in association with each of the plurality of information processing devices that provide a predetermined service,
Calculating a frequency distribution indicating an acquisition frequency per unit time of interrupted pair information related to a plurality of the information processing devices, calculating a predetermined interrupt frequency threshold based on the frequency distribution,
Detecting an abnormality of each of the plurality of information processing devices based on the number of acquisitions of the interrupted pair information for each of the plurality of information processing devices in a predetermined period and the threshold for the number of interruptions.
The analysis program according to claim 1, which causes the computer to execute processing. Receiving means for acquiring communication information transmitted and received between the plurality of terminal devices and the information processing apparatus and storing it in the storage means;
When the acquired communication information is a process interruption request, communication information indicating an execution request for the process interrupted by the interruption request is extracted from the storage unit, and information indicating a combination of the interruption request and the execution request Extraction means for generating certain interrupted pair information and storing it in the storage means;
Analyzing means for analyzing the execution status of the processing by the information processing apparatus using the interrupted pair information stored in the storage means;
The analysis apparatus characterized by having. Analysis device
Acquire communication information transmitted and received between the plurality of terminal devices and the information processing device, and store in the storage means,
When the acquired communication information is a process interruption request, communication information indicating an execution request for the process interrupted by the interruption request is extracted from the storage unit, and information indicating a combination of the interruption request and the execution request Generate some interrupted pair information and store it in the storage means,
Analyzing the execution status of the processing by the information processing apparatus using the interrupted pair information stored in the storage means;
An analysis method characterized by that.

Images