JP2017107330A - Assistance device, assistance method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a technique for assisting a verifier to easily grasp relationship among a plurality of elements on abnormal events.SOLUTION: An assistance device includes a sorting unit configured to sort events picked as abnormal events from a plurality of events among elements by elements relevant to the abnormal events; and a generation unit configured to generate a relationship graph to be displayed on a display screen on the basis of a sorting result, the relationship graph being designed such that abnormal events are presented with vertexes representing the elements and sides representing relationship among the elements, and that the elements are arranged by type on the display screen.SELECTED DRAWING: Figure 5

Description

  The present invention relates to a support device, a support method, and a program.

  A technique for monitoring a system to detect and display an abnormality is disclosed. For example, Patent Literature 1 describes that an event included in a cause candidate for a cause of a failure and other cause candidates including the event are grouped and a cause candidate is displayed for each group.

  Further, Patent Document 2 describes that a link indicating a dependency relationship between components of the target system is displayed on a display screen.

  Patent Document 3 describes a monitoring device that notifies a user of main event information to be notified to the user and sub-event information that satisfies a set extraction condition.

  Patent Document 4 describes an operation monitoring apparatus that displays nodes and abnormality identification information between nodes.

  Japanese Patent Application Laid-Open No. 2005-228561 describes a technique for extracting a dependency relationship between events and specifying a cause of a failure.

JP 2012-59063 A JP 2012-38028 A JP 2013-191070 A JP 2013-54402 A JP 2006-31109 A

  By monitoring the system, various types of abnormal events are detected. It is difficult for the system administrator to grasp the relevance of such an abnormal event from the log.

  In the technique described in Patent Document 1, related cause candidates for failures are grouped and displayed in order from the highest candidate response priority in group units. Therefore, in the technique of Patent Document 1, for example, even if a failure occurs in the same host, if the failure to be solved is different, the failure is divided into different groups. Therefore, with the technique of Patent Document 1, the administrator cannot grasp the relevance of the abnormal event that has occurred.

  In addition, there are various elements such as a process, a file, and an account as the execution source and execution destination of the abnormal event. However, in the technique described in Patent Document 2, only the dependency relationship between the components of the target system is shown, and elements such as a process, a file, and an account are not disclosed.

  Further, the techniques described in Patent Documents 3 to 5 do not disclose that the administrator grasps the relevance of the abnormal event related to the various elements.

  The present invention has been made in view of the above problems, and its purpose is to make it easy for a confirmer (for example, an administrator who manages a monitored system) to know the relationship of an abnormal event between a plurality of elements. It is to provide technology that supports this.

  The support device according to one aspect of the present invention includes a classification unit that classifies an event detected as an abnormal event among events between a plurality of elements for each element related to the abnormal event, and a classification result. Generating means for generating a relationship graph that represents the abnormal event with the element as a vertex and the relationship between the elements as an edge, the element is arranged for each type on the display screen, and displayed on the display screen; .

  The support method according to an aspect of the present invention classifies an event detected as an abnormal event among events between a plurality of elements for each element related to the abnormal event, and the element is based on a classification result. The abnormal event is expressed with the relationship between the elements as a vertex, and the element is arranged for each type on the display screen, and a relation graph displayed on the display screen is generated.

  Note that a computer program that realizes each of the above apparatuses or methods by a computer and a computer-readable non-transitory recording medium in which the computer program is stored are also included in the scope of the present invention.

  ADVANTAGE OF THE INVENTION According to this invention, it can assist that a confirmer grasps | ascertains easily the relationship of the abnormal event between several elements.

It is a functional block diagram which shows an example of a function structure of the assistance apparatus which concerns on the 1st Embodiment of this invention. It is a functional block diagram which shows an example of a function structure of the assistance apparatus which concerns on the 2nd Embodiment of this invention. It is a figure which shows an example of the abnormal event list | wrist which is a list | wrist of the abnormal event which the detection part of the assistance apparatus which concerns on the 2nd Embodiment of this invention detected. It is a figure which shows the result of the classification process which the classification | category part of the assistance apparatus which concerns on the 2nd Embodiment of this invention performs. In the 2nd Embodiment of this invention, it is a figure which shows an example of the relationship graph which a display apparatus displays. It is a figure which shows an example of the flow of a process of the assistance apparatus and display apparatus which concern on the 2nd Embodiment of this invention. It is a figure which shows an example of the relationship graph which a display apparatus displays in the modification 1 of the 2nd Embodiment of this invention. It is a figure which shows an example of the relationship graph which a display apparatus displays in the modification 2 of the 2nd Embodiment of this invention. It is a figure which shows an example of the relationship graph which a display apparatus displays in the modification 3 of the 2nd Embodiment of this invention. It is a figure which shows an example of the relationship graph which a display apparatus displays in the modification 4 of the 2nd Embodiment of this invention. It is a functional block diagram which shows an example of a function structure of the assistance apparatus which concerns on the 3rd Embodiment of this invention. It is a figure which shows an example of the relationship graph which a display apparatus displays in the 3rd Embodiment of this invention. It is a flowchart which shows an example of the flow of a process of the assistance apparatus and display apparatus which concern on the 3rd Embodiment of this invention. It is a functional block diagram which shows an example of a function structure of the assistance apparatus which concerns on the 4th Embodiment of this invention. It is a figure which shows an example of the screen displayed on the display screen of a display apparatus in the 4th Embodiment of this invention. It is a functional block diagram which shows an example of a function structure of the assistance apparatus which concerns on the 5th Embodiment of this invention. It is a figure which shows an example of the abnormal event list | wrist which is a list | wrist of the abnormal event which the detection part of the assistance apparatus which concerns on the 5th Embodiment of this invention detected. In the 5th Embodiment of this invention, it is a figure which shows an example of the relationship graph which a display apparatus displays. It is a functional block diagram which shows an example of a function structure of the assistance apparatus which concerns on the 6th Embodiment of this invention. It is a figure which shows an example of the screen displayed on the display screen of a display apparatus in the 6th Embodiment of this invention. It is a figure which shows the other example of the screen displayed on the display screen of a display apparatus in the 6th Embodiment of this invention. It is a figure which illustrates illustartively the hardware constitutions of the computer (information processing apparatus) which can implement | achieve each embodiment of this invention.

<First Embodiment>
A first embodiment of the present invention will be described in detail with reference to the drawings. FIG. 1 is a functional block diagram showing an example of a functional configuration of the support apparatus 10 according to the first embodiment of the present invention. Note that the support device 10 shown in FIG. 1 shows a configuration unique to the present invention, and it goes without saying that the support device 10 shown in FIG. 1 may have a configuration not shown in FIG. Yes.

  As illustrated in FIG. 1, the support device 10 according to the present embodiment includes a classification unit 11 and a generation unit 12.

  The classification unit 11 receives abnormal event information indicating an abnormal event. The abnormal event indicated by the received abnormal event information is an event having a high possibility of abnormality detected from a log that is a result of monitoring the monitored system. The log includes information indicating an event between elements for each host included in the monitoring target system. This log is stored in a storage unit (not shown).

  The classification unit 11 classifies the received abnormal event for each element related to the abnormal event. Then, the classification unit 11 supplies the classification result to the generation unit 12.

  The generation unit 12 receives the classification result from the classification unit 11. The generation unit 12 generates a relation graph representing the abnormal event based on the received classification result. This relationship graph is a graph in which elements are vertices and relationships between elements are edges. The relation graph generated by the generation unit 12 is displayed on the display screen of the display device. The generation unit 12 generates a relation graph in which elements are arranged for each type on the display screen.

  Thereby, for example, in the relation graph displayed on the display screen of a display device (not shown), the elements are arranged for each type, and represent abnormal events classified for each element.

  Therefore, a confirmer (for example, an administrator of the monitoring target system, hereinafter also referred to as an administrator) confirming this display screen can confirm the relationship between abnormal events on the display screen. Thereby, this confirmer can confirm the relationship between the some abnormal event relevant to this element for every element. Further, the confirmer can compare the abnormal event related to the element with the abnormal event related to another element.

  As described above, the support device 10 according to the present embodiment can support the confirmer to grasp the relevance of the abnormal event between a plurality of elements. Thereby, the support device 10 can support the confirmer to easily grasp the common part (element) of the abnormal event. Therefore, the support device 10 can assist the confirmer to discover the cause and process of the abnormality.

<Second Embodiment>
Next, a second embodiment based on the above-described first embodiment will be described. First, the configuration of the support device 100 according to the present embodiment will be described. FIG. 2 is a diagram illustrating an example of a functional configuration of the support apparatus 100 according to the present embodiment. As illustrated in FIG. 2, the support device 100 according to the present embodiment includes a classification unit 110, a generation unit 120, a storage unit 130, and a detection unit 140.

  The classification unit 110 and the generation unit 120 correspond to the classification unit 11 and the generation unit 12 in the above-described first embodiment, respectively. That is, in FIG. 2, the part enclosed by the broken line frame corresponds to the support device 10 in the first embodiment described above.

  In addition, as illustrated in FIG. 2, the support device 100 is connected to the display device 200. In the present embodiment, the support device 100 is described as an example of a configuration separate from the display device 200. However, the support device 100 has a configuration in which the display device 200 is provided as a display unit. Also good.

  The storage unit 130 stores a result (log) of monitoring a monitoring target system (not shown). In FIG. 2, the case where the storage unit 130 is built in the support device 100 will be described as an example. However, the storage unit 130 may be realized by a storage device separate from the support device 100. .

  This monitored system includes a plurality of devices (hosts) connected via a network. The log includes a result (information indicating an event) of detecting an event between a plurality of elements that has occurred on the monitoring target system for each host. In the case of an event for a certain host, the element may be any of process, file, and external host.

  An event between elements is, for example, that the process has accessed the file when one of the elements is a process and the other is a file. Further, the event between elements is, for example, that one of the elements is a process and the other is an external host, the process is connected to the external host. The event between elements is not limited to this.

  In the present embodiment, description will be made assuming that one event is an event between two elements, but one event may be an event that occurs between a plurality of elements.

  The detection unit 140 detects an event having a high possibility of abnormality from the log stored in the storage unit 130. An example of this abnormal event is shown in FIG. FIG. 3 is a diagram illustrating an example of a list of abnormal events (abnormal event list) detected by the detection unit 140. Note that the abnormal event list shown in FIG. 3 includes abnormal events for a certain host detected from the log.

  As shown in FIG. 3, the abnormal event list includes a plurality of abnormal events. The abnormal event list includes the contents of the abnormal event and the time when the abnormal event occurred. Further, as shown in FIG. 3, the abnormal event list may include an identifier (event ID (Identifier)) for identifying each abnormal event. The information included in the abnormal event list is not limited to this, and may include, for example, the degree of abnormality of the abnormal event. The degree of abnormality represents a high possibility that an abnormal event detected as having a high possibility of abnormality is abnormal. In the present embodiment, the degree of abnormality is represented by a numerical value, and it is assumed that the higher the numerical value, the higher the possibility of abnormality.

  The contents of the abnormal event will be described. For example, the content of the abnormal event with the event ID “ID01” shown in the first line of FIG. 3 is “‘ Process1 ’opened‘ File1 ’. This indicates that one of the elements is a process whose process name is “Process1” and the other is a file whose file name is “File1”. This abnormal event indicates that “Process1” has opened “File1”. Further, for example, the content of the abnormal event with the event ID “ID09” shown in the ninth line of FIG. 3 is “‘ Process1 ’connect with‘ ExHost1 ’. This indicates that one of the elements is a process whose process name is “Process1” and the other is an external host whose external host name is “ExHost1”. This abnormal event indicates that “Process1” is connected to “ExHost1”.

  The detection unit 140 may be configured to add the detected abnormal event to the abnormal event list when detecting the abnormal event. In FIG. 3, for convenience of explanation, an abnormal event list indicating an abnormal event for one host is shown, but the abnormal event list may include an abnormal event for each of a plurality of hosts.

  The detection unit 140 may supply the abnormal event list to the classification unit 110 or may store the abnormal event list in the storage unit 130 or the storage unit in the detection unit 140.

  The classification unit 110 receives the abnormal event list from the detection unit 140. Alternatively, the classification unit 110 may acquire the abnormal event list from the storage unit 130 or the storage unit of the detection unit 140.

  The classification unit 110 classifies abnormal events included in the abnormal event list for each element related to the abnormal event. Elements related to the abnormal event are, for example, “Process1” and “File1” in the case of the abnormal event whose event ID is “ID01” illustrated in FIG. 3.

  The classification process of the classification unit 110 will be described with reference to FIG. FIG. 4 is a diagram illustrating a result of the classification process performed by the classification unit 110 of the support apparatus 100 according to the present embodiment. Below, the abnormal event to classify | categorize is demonstrated using event ID.

  The classification unit 110 classifies the abnormal events having the event IDs “ID01” to “ID10” included in the abnormal event list illustrated in FIG. 3 for each element. As a result of classification for each element, as shown in FIG. 4, the abnormal events classified into the element “Process1” have event IDs “ID01”, “ID03”, “ID04”, “ID06”, and “ID09”. Become. The classification unit 110 classifies the abnormal event for each other element, and obtains a classification result as shown in FIG. At this time, the classification unit 110 identifies the type of the classified element for each element. Then, the classification unit 110 associates the identified element type with the element included in the classification result.

  As described above, the classification unit 110 classifies the abnormal event for each element for each host. Then, the classification unit 110 supplies the result of the classification process to the generation unit 120.

  Note that the number of abnormal events classified by the classification unit 110 is not particularly limited. The classification unit 110 may classify abnormal events in a predetermined period from the present time, or may classify abnormal events in a period specified by an administrator or the like.

  The generation unit 120 receives the result of the classification process from the classification unit 110. The generation unit 120 generates a relation graph representing the abnormal event based on the received classification result. The relation graph includes elements as vertices (also referred to as nodes) and lines connecting the elements as edges (also referred to as links, edges, or branches). The relation graph generated by the generation unit 120 is displayed on the display screen of the display device 200. The generation unit 120 generates a relation graph in which elements are arranged for each type using the types associated with the elements included in the classification result on the display screen.

  An example of a relationship graph generated by the generation unit 120 and displayed on the display screen is shown in FIG. FIG. 5 is a diagram illustrating an example of a relationship graph displayed by the display device 200 according to the present embodiment. In this embodiment, it is assumed that the element type is file, process, or external host.

  In the present embodiment, the generation unit 120 generates a relation graph in which elements are represented by circles and elements are connected by solid lines. Note that the shape of the element and the shape of the line connecting the elements are not limited to those shown in FIG. 5, but may be anything that can express the elements and the relationship between the elements. In addition, an element name is displayed in association with each element.

  As shown in FIG. 5, the generation unit 120 displays the element types in the order of files in the host, processes in the host, and external hosts from left to right (in the second direction). Elements are arranged from top to bottom (in the first direction) in a bar-shaped area (type area) representing various types. The elements arranged in this type area are the elements classified by the classification unit 110 shown in FIG. Therefore, for example, “Process1” and “Process2” are arranged in the type region (the bar-shaped region in the center of FIG. 5) whose type is “process”.

  The display order of elements in each type area is not particularly limited. For example, it may be in the order of element names or in the order of the number of related abnormal events.

  The generation unit 120 generates a relation graph as shown in FIG. 5 in which elements related to the same abnormal event are connected by a line based on the classified result. Based on the classification result shown in FIG. 4, the elements related to the abnormal event whose event ID is “ID01” are “Process1” and “File1”. Therefore, the generation unit 120 generates a relation graph between “Process1” and “File1” by connecting these elements with lines.

  Note that, as illustrated in FIG. 5, the generation unit 120 may display an element with many related elements larger than an element with few related elements. For example, since “Process1” is related to five other elements, and “File1” is related to one other element, the generation unit 120 makes “Process1” larger than “File1”. A relationship graph may be generated.

  In FIG. 4, there is one event between elements, but there may be a plurality of events between elements. For example, a plurality of abnormal events may occur between “Process1” and “File1”. In this case, when the classification unit 110 performs classification, the number of abnormal events is counted, and the generation unit 120 generates a relationship graph in which lines connecting elements are changed according to the number of abnormal events. Also good. For example, the generation unit 120 may generate a relationship graph in which lines connecting elements having a large number of abnormal events are displayed larger than other lines, or displayed in a color or manner different from those of other lines. A relationship graph may be generated. Thereby, the support apparatus 100 can assist an administrator or the like to easily grasp that the same abnormal event occurs more frequently than other abnormal events.

  The shape of the type area is not particularly limited. As shown in FIG. 5, when the type area is a bar-shaped area, the generation unit 120 can display the elements arranged for each type, so that an administrator or the like can easily grasp the relationship between the elements for each type. Can help.

  In FIG. 5, the relationship graph is described as an example of an undirected graph. However, the relationship graph may be a directed graph or a graph including an undirected edge and a directed edge. Good.

(Processing of support device 100 and display device 200)
Next, with reference to FIG. 6, the flow of processing of the support device 100 and the display device 200 according to the present embodiment will be described. FIG. 6 is a flowchart illustrating an example of a process flow of the support apparatus 100 according to the present embodiment.

  As shown in FIG. 6, the detection unit 140 detects an abnormal event (step S61). Then, the classification unit 110 classifies the abnormal event for each element related to the abnormal event (step S62).

  And the production | generation part 120 produces | generates the relationship graph showing an abnormal event (step S63). As described above, this relationship graph is a relationship graph in which elements are arranged for each type. Thereafter, the display device 200 displays a relation graph on the display screen (step S64).

  Thus, the processes of the support device 100 and the display device 200 are finished.

(effect)
According to the support device 100 according to the present embodiment, the classification unit 110 classifies events detected as abnormal events among events between a plurality of elements for each element related to the abnormal event. Then, the generation unit 120 generates a relation graph representing the abnormal event based on the classification result and arranging elements for each type on the display screen.

  Therefore, the confirmer who confirms the display screen can confirm the relationship between the abnormal events on the display screen. Thereby, this confirmer can confirm the relationship between the some abnormal event relevant to this element for every element. Further, the confirmer can compare the abnormal event related to the element with the abnormal event related to another element.

  As described above, the support device 100 according to the present embodiment allows the confirmer to easily determine the relevance of the abnormal event between the plurality of elements, like the support device 10 according to the first embodiment described above. It can help to grasp. Therefore, the support device 100 can support the confirmer to discover the cause and process of the abnormality.

(Modification 1)
Next, Modification 1 of the support device 100 according to the second embodiment will be described. In the second embodiment described above, an example has been described in which the element type is one of a file, a process, and an external host. However, the element type may be an account. In the present modification, description will be made by taking as an example that the element type is any one of an account, a process, and an external host.

  FIG. 7 shows an example of a relationship graph generated by the generation unit 120 and displayed on the display screen in the present modification. FIG. 7 is a diagram illustrating an example of a relationship graph displayed by the display device 200 in the present modification.

  As illustrated in FIG. 7, the generation unit 120 displays the element types in the order of the account in the host, the process in the host, and the external host from left to right (in the second direction). The elements are arranged from the top to the bottom (in the first direction) in the type area representing each type.

  According to the relationship graph shown in FIG. 7, it can be seen that the account with the account name “User1” started the process with the process name “Process1”. Since the event shown in the relationship graph shown in FIG. 7 is an abnormal event, it is understood that starting “Process1” from “User1” is determined to be abnormal. As a result, the administrator or the like can easily grasp the processes started from a plurality of accounts and related to the abnormal event. In addition, an administrator or the like can easily find an abnormal event that is a process started from a plurality of accounts and that is related to an abnormal event and connected to an external host.

(Modification 2)
Next, a second modification of the support device 100 according to the second embodiment will be described. In the first modification described above, an example has been described in which the element type is one of an account, a process, and an external host. However, in this modification, the element type is any of an account, a process, and a file. This will be described as an example.

  FIG. 8 shows an example of a relationship graph generated by the generation unit 120 and displayed on the display screen in the present modification. FIG. 8 is a diagram illustrating an example of a relationship graph displayed on the display device 200 in the present modification.

  As shown in FIG. 8, the generation unit 120 displays the element types in order from left to right (in the second direction) in the order of accounts in the host, processes in the host, and files in the host. Yes. Note that the account and the file may be reversed. The elements are arranged from the top to the bottom (in the first direction) in the type area representing each type.

  According to the relationship graph shown in FIG. 8, it can be seen that the account with the account name “User1” started the process with the process name “Process1” as in FIG. 7. Then, it can be seen that “Process1” opened “File1”, “File2”, “File3”, and “File4”. As a result, the administrator or the like can easily grasp the processes started from a plurality of accounts and related to the abnormal event. Further, an administrator or the like can easily find an abnormal event that is a process started from a plurality of accounts and that is associated with an abnormal event, and that a file has been opened.

(Modification 3)
Next, Modification 3 of the support device 100 according to the second embodiment will be described. In this modification, a relation graph displayed by including two elements in one type area will be described.

  For example, when a certain account starts a certain process, the process often connects to an external host as shown in FIG. 7 or opens a file as shown in FIG. In this modification, it will be described that the types of elements included in the relationship graph generated by the generation unit 120 are arranged in the order of an account in the host, a process in the host, a file in the host, and an external host.

  FIG. 9 shows an example of a relationship graph generated by the generation unit 120 and displayed on the display screen in the present modification. FIG. 9 is a diagram illustrating an example of a relationship graph displayed on the display device 200 in the present modification.

  As illustrated in FIG. 9, the generation unit 120 arranges the element types in the order of the account in the host, the process in the host, the file in the host, and the external host from left to right (in the second direction). it's shown. The elements are arranged from the top to the bottom (in the first direction) in the type area representing each type.

  According to the relationship graph shown in FIG. 9, it can be seen that the account with the account name “User1” started the process with the process name “Process1” as in FIG. 7. Then, it is understood that “Process1” has opened “File1”, “File2”, “File3”, and “File4” and connected to “ExHost1”. As a result, the administrator or the like can easily grasp the processes started from a plurality of accounts and related to the abnormal event. Administrators can easily find abnormal events that are started from multiple accounts and related to abnormal events, such as processes connected to external hosts and files opened. can do.

  Note that the type area on the right side shown in FIG. 9 includes two types of elements such as an external host and a file. Therefore, the generation unit 120 may generate a relationship graph in which different types of elements are displayed in different modes as illustrated in FIG.

(Modification 4)
Next, Modification 4 of the support device 100 according to the second embodiment will be described. In the relationship graphs shown in FIGS. 5 and 7, the files, processes and accounts in the host and the external host are expressed in the same manner. In this modification, a relation graph displayed in a state where elements included in the host and elements external to the host (external host) can be distinguished will be described.

  FIG. 10 is a diagram illustrating an example of a relationship graph displayed by the display device 200 in the present modification. FIG. 10 is a modification of the relationship graph shown in FIG. For example, as illustrated in FIG. 10, the generation unit 120 of the support apparatus 100 encloses elements included in the host as a set and encloses other elements (external hosts) outside the frame. A graph may be generated. Further, the relationship graph generated by the generation unit 120 is not limited to this. For example, the generation unit 120 may generate a relationship graph in which the color and state of the type area are different between the type area including the elements inside the host and the type area of the external host.

  In this way, by displaying the elements included inside the host and the elements outside the host in a distinguishable state, the administrator can, for example, detect abnormalities with high possibility of information leakage to the external host. Events can be easily found.

  As shown in FIGS. 5 and 7 to 10, the generation unit 120 sandwiches the element column of the process type on the display screen between elements of other types (external host, account, and file). Such a relationship graph is preferably generated. This is because the process performed by the account, the process of accessing the file, and the process performed on the external host are all performed by starting the process. Therefore, the generation unit 120 displays a series of behaviors in which one element starts a process and performs a certain abnormal event on the other element by displaying the process element in the center. The administrator can easily check.

<Third Embodiment>
Next, a third embodiment of the present invention will be described. FIG. 11 is a functional block diagram illustrating an example of a functional configuration of the support apparatus 101 according to the present embodiment. For convenience of explanation, blocks having the same functions as the blocks included in the drawings described in the above-described embodiments are denoted by the same reference numerals, and detailed description thereof is omitted.

  As illustrated in FIG. 11, the support apparatus 101 according to the present embodiment includes a classification unit 111, a generation unit 120, a storage unit 130, a detection unit 141, and a reception unit 150.

  In addition to the function of the detection unit 140 described above, the detection unit 141 according to the present embodiment has a function of causing the display device 200 to display an abnormal event list including the detected abnormal event.

  The input device 300 is realized by a mouse, a keyboard, or the like, for example. In this embodiment, the display device 200 and the input device 300 will be described as examples realized by a device separate from the support device 101. However, the display device 200 and the input device 300 are respectively a display unit and a display unit. The input unit may be built in the support apparatus 101. In this case, the display unit and the input unit may be realized as a touch panel, for example.

  The accepting unit 150 accepts an input from an administrator or the like via the input device 300. For example, when the administrator selects a certain abnormal event from the abnormal event list displayed on the display device 200 via the input device 300, the reception unit 150 receives the selection of the abnormal event. Then, the reception unit 150 supplies time information indicating the time of the selected abnormal event to the classification unit 111. Note that the reception unit 150 may supply information indicating the selected abnormal event to the detection unit 141. In this case, the detection unit 141 may specify the time of the abnormal event and supply the specified time information to the classification unit 111.

  The classification unit 111 receives time information from the reception unit 150 or the detection unit 141. The classification unit 111 classifies the abnormal event for each element, as in the above-described classification unit 110, based on the abnormal event after the time indicated by the received time information.

  For example, it is assumed that the abnormal event list shown in FIG. 3 is displayed on the display screen of the display device 200. When the administrator selects the event ID “ID04”, the reception unit 150 receives this selection. Since the time of the abnormal event with the event ID “ID04” is “2015-11-02 12:21:00”, the classification unit 111 classifies the abnormal events after this time. The abnormal events included in the abnormal event shown in FIG. 3 and the abnormal events after the above time are abnormal events having event IDs “ID04” to “ID10”. Therefore, the classification unit 111 classifies the abnormal events having event IDs “ID04” to “ID10” for each element.

  Then, the generation unit 120 generates a relation graph based on the classification result. An example of the relationship graph generated by the generation unit 120 is shown in FIG. FIG. 12 is a diagram illustrating an example of a relationship graph displayed by the display device 200 in the present embodiment.

  Compared with the relationship graph shown in FIG. 5, the relationship graph shown in FIG. 12 does not include abnormal events whose event IDs are “ID01”, “ID02”, and “ID03”.

(Processing of support device 101 and display device 200)
Next, with reference to FIG. 13, the flow of processing of the support apparatus 101 and the display apparatus 200 according to the present embodiment will be described. FIG. 13 is a flowchart illustrating an example of a processing flow of the support apparatus 101 according to the present embodiment.

  As shown in FIG. 13, the detection unit 140 detects an abnormal event (step S131). Thereafter, the receiving unit 150 receives an input from the administrator (step S132). Then, the classifying unit 111 classifies abnormal events after the time specified based on the input received by the receiving unit 150 for each element related to the abnormal event (step S133).

  And the production | generation part 120 produces | generates the relationship graph showing an abnormal event (step S134). As described above, this relationship graph is a relationship graph in which elements are arranged for each type. Thereafter, the display device 200 displays a relation graph on the display screen (step S135).

  Thus, the processes of the support device 101 and the display device 200 are finished.

(effect)
According to the support device 101 according to the present embodiment, it is possible to achieve the same effects as those of the first and second embodiments described above. Further, according to the support device 101 according to the present embodiment, the classification unit 111 selects an abnormal event that occurred after the time specified based on the abnormal event received by the receiving unit 150 as an element related to the abnormal event. Sort by each. And the production | generation part 120 produces | generates a relationship graph based on the abnormal event which the classification | category part 111 classified for every element.

  Thereby, for example, the administrator can easily grasp the abnormal event that has occurred after the abnormal event selected by the administrator.

  For example, when the administrator selects an abnormal event that a certain process has opened a file, the support apparatus 101 displays, on the display device 200, abnormal events that have occurred after the selected abnormal event for each element. can do. As a result, the administrator can easily grasp how the process related to the selected abnormal event has been performed thereafter. For example, the administrator can confirm that the process related to the selected abnormal event has communicated with the external host after the selected abnormal event. As a result, the administrator can easily confirm, for example, the possibility of file leakage.

  In the present embodiment, the case where the reception unit 150 selects an abnormal event from the abnormal event list has been described as an example. However, the reception unit 150 can detect an abnormal event from the relation graph displayed on the display device 200. May be selected. Even in this case, the classification unit 111 can classify the abnormal events after the time of the selected abnormal event for each element. Therefore, the relationship graph generated after that by the generation unit 120 represents an abnormal event that has occurred after the selected abnormal event.

<Fourth embodiment>
Next, a fourth embodiment of the present invention will be described. FIG. 14 is a functional block diagram illustrating an example of a functional configuration of the support apparatus 101 according to the present embodiment. For convenience of explanation, blocks having the same functions as the blocks included in the drawings described in the above-described embodiments are denoted by the same reference numerals, and detailed description thereof is omitted.

  As illustrated in FIG. 14, the support device 102 according to the present embodiment includes a classification unit 110, a generation unit 121, a storage unit 130, a detection unit 140, and a reception unit 151. In the present embodiment, the administrator uses the input device 300 to superimpose a mouse pointer or the like on either a vertex or an edge included in the relationship graph displayed on the display device 200 (hereinafter referred to as a mouse). Will be described.

  In the present embodiment, the accepting unit 151 accepts position information indicating the position of a mouse pointer or the like on the display screen, for example. The reception unit 151 supplies the received position information to the generation unit 121.

  The generation unit 121 receives position information from the reception unit 151. The generation unit 121 identifies a vertex (element) or a side displayed at the position represented by the position information from the relationship graph displayed on the display device 200.

  When the administrator mouseovers the element, the generation unit 121 displays the mouseover element on the display screen in a state in which the element is emphasized more than other elements. At this time, the generation unit 121 displays the full path of the highlighted element on the display screen together with the element.

  In addition, when the administrator mouse-overs the side, the generation unit 121 displays the display on the display screen in a state where the elements at both ends of the side and the side are emphasized. At this time, the generation unit 121 displays the full path of the highlighted element on the display screen together with the element. An example of the screen displayed on the display device 200 at this time is shown in FIG.

  The administrator connects the mouse pointer to “File6” and “Process2” in the relationship graph shown in FIG. 12 (that is, the side indicating the relationship of the abnormal event between “File6” and “Process2”). Suppose that they are stacked on top. At this time, as illustrated in FIG. 15, the generation unit 121 emphasizes “File6”, “Process2”, and the side connecting them, and displays them on the display screen of the display device 200. At this time, the generation unit 121 displays “File 6” and “Process 2” in the host on the display screen with a full path.

  As a result, the administrator can easily confirm whether or not this element exists at a position different from the normal even if the name of the element listed as the abnormal event is a known name. For example, if the process named “Process2” is a process that already exists in the host, the generation unit 121 displays the full path so that the administrator can change the location where “Process2” normally exists. Whether it is a process or not can be confirmed. As a result, the support apparatus 102 can assist the administrator in grasping the details of the event listed as an abnormal event.

  The reception unit 151 may be formed integrally with the reception unit 150 described in the third embodiment, or may be different.

  In addition, when an element that the mouse is over is an element, the generation unit 121 emphasizes all of the relationship graphs (sides and elements connected to the element) that indicate an abnormal event related to the element that the mouse is over. It may be displayed on the display screen.

<Fifth embodiment>
Next, a fifth embodiment of the present invention will be described. In the present embodiment, a case where the abnormal event list includes the abnormal degree of the abnormal event will be described. FIG. 16 is a functional block diagram illustrating an example of a functional configuration of the support apparatus 103 according to the present embodiment. For convenience of explanation, blocks having the same functions as the blocks included in the drawings described in the above-described embodiments are denoted by the same reference numerals, and detailed description thereof is omitted.

  As illustrated in FIG. 16, the support device 103 according to the present embodiment includes a classification unit 110, a generation unit 122, a storage unit 130, and a detection unit 140. The support apparatus 103 according to the present embodiment may be configured to include the reception unit 150 or the reception unit 151 as in the third or fourth embodiment described above.

  An example of a list of abnormal events (abnormal event list) detected by the detection unit 140 in the present embodiment is shown in FIG. As shown in FIG. 17, the abnormal event list in the present embodiment includes the degree of abnormality of each abnormal event in addition to the abnormal event list shown in FIG. In the present embodiment, the degree of abnormality is represented by a numerical value from 0 to 1, as shown in FIG. 17, and it is assumed that the higher the numerical value, the higher the possibility of abnormality.

  For example, the classification unit 110 classifies abnormal events as shown in FIG. 17 for each element. As described above, since the abnormal event includes the abnormality level, the abnormal event included in the result of classification by the classification unit 110 also includes the abnormality level.

  The generation unit 122 receives the result of the classification process from the classification unit 110. The generation unit 122 generates a relationship graph based on the result of the classification process. At this time, the generation unit 122 arranges the elements according to the degree of abnormality. For example, the generation unit 122 identifies, for each element, the one having the highest degree of abnormality of the abnormal event related to the classified element. Then, the generation unit 122 arranges the elements in descending order of the specified abnormality degree.

  Referring to FIG. 17, it can be seen that the process having the highest degree of abnormality is “Process 1”, which is an element related to the abnormal event having the event ID “ID11”. Therefore, the generation unit 122 arranges the elements “Process1” and “Process2” whose types are processes in the order of “Process1” and “Process2”.

  Similarly, the generation unit 122 arranges the elements whose file type is “File1”, “File6”, “File5”, “File3”, “File2”, and “File4” in this order.

  Then, the generation unit 122 generates a relation graph in which the arranged elements are connected by a line based on the result of the classification process. An example of the relationship graph generated by the generation unit 122 in the present embodiment is shown in FIG. FIG. 18 is a diagram illustrating an example of a relationship graph displayed by the display device 200 in the present embodiment.

  As shown in FIG. 18, it can be seen that the elements arranged in the type area are arranged from top to bottom (in the first direction) in the order described above. The relationship graph shown in FIG. 18 represents the abnormal event shown in FIG.

  Note that the generation unit 122 may obtain the average degree of abnormality of abnormal events related to the elements for each element, and arrange the elements using the obtained average. In addition, the generation unit 122 may calculate the total degree of abnormality of abnormal events related to the elements for each element, and arrange the elements using the calculated total. Further, the generation unit 122 may display the size and mode of the element in a mode different from other elements according to the obtained total. For example, when the sum of the degree of abnormality obtained for a certain element is larger than the sum of the degree of abnormality of another element, the generation unit 122 may display this element in a more emphasized state than the other element. .

(effect)
According to the support device 103 according to the present embodiment, the same effects as those of the first and second embodiments described above can be obtained. Further, according to the support device 103 according to the present embodiment, the generation unit 122 generates a relation graph in which elements are arranged in the first direction for each type based on the degree of abnormality. By displaying the relationship graph generated in this way on the display device 200, the administrator can easily identify an abnormal event that is highly likely to be abnormal.

<Sixth Embodiment>
Next, a sixth embodiment of the present invention will be described. FIG. 19 is a functional block diagram illustrating an example of a functional configuration of the support apparatus 104 according to the present embodiment. For convenience of explanation, blocks having the same functions as the blocks included in the drawings described in the above-described embodiments are denoted by the same reference numerals, and detailed description thereof is omitted.

  As illustrated in FIG. 19, the support apparatus 104 according to the present embodiment includes a classification unit 110, a generation unit 120, a storage unit 130, a detection unit 140, a reception unit 152, and a display control unit 160.

  In the present embodiment, it is assumed that the detection unit 140 supplies the abnormal event list to the display control unit 160. In the present embodiment, it is assumed that the generation unit 120 supplies the generated relationship graph to the display control unit 160. At this time, it is assumed that the abnormal event included in the relation graph supplied from the generation unit 120 to the display control unit 160 is associated with the abnormal event included in the abnormal event list. For example, it is assumed that an event ID representing an abnormal event is associated with each edge included in the relationship graph.

  The accepting unit 152 accepts position information indicating the position of a mouse pointer or the like on the display screen. The receiving unit 152 supplies the received position information to the display control unit 160.

  The display control unit 160 generates a screen that causes the display device 200 to display the abnormal event list received from the detection unit 140 and the relationship graph received from the generation unit 120. Then, the display control unit 160 controls to display the generated screen (generation screen) on the display screen of the display device 200. Accordingly, the display device 200 displays the generation screen generated by the display control unit 160 on the display screen based on the control from the display control unit 160.

  Further, the display control unit 160 receives position information from the reception unit 152. The display control unit 160 specifies the position of the mouse pointer from the position information, and specifies the abnormal event displayed at the specified position. Then, the display control unit 160 causes the display device 200 to display the abnormal event in the relationship graph and / or the abnormal event in the abnormal event list related to the specified abnormal event in a manner different from other abnormal events.

  An example of a generation screen generated by the display control unit 160 and displayed on the display screen is shown in FIG. FIG. 20 is a diagram illustrating an example of a generation screen displayed on the display screen of the display device 200 in the present embodiment.

  As shown in FIG. 20, the generation screen includes a relationship graph and an abnormal event list. The abnormal event included in the relation graph displayed on the display screen is associated with the abnormal event included in the abnormal event list.

  FIG. 21 shows an example of the display screen when the administrator performs an operation of overlaying the mouse pointer or the like on the relation graph or abnormal event list displayed on the display screen shown in FIG.

  As shown in FIG. 21, it is assumed that the administrator mouses over an abnormal event whose event ID is “ID25” on the abnormal event list, for example. At this time, the display control unit 160 identifies the abnormal event from the position where the mouse is over, and displays the edges and elements on the relationship graph related to the identified abnormal event in a manner different from the other sides and elements. . Since the abnormal event with the event ID “ID25” is an abnormal event between “Process2” and “File5”, the display control unit 160 connects the elements of “Process2” and “File5” to these elements. For example, the lines are highlighted and displayed on the display screen.

  At this time, the display control unit 160 may highlight and display the abnormal event that has been moused over.

(effect)
According to the support device 104 according to the present embodiment, it is possible to achieve the same effects as those of the first and second embodiments described above. Further, according to the support device 104 according to the present embodiment, the display control unit 160 generates a screen including a list including abnormal events and a relation graph associated with the list, Display on the display screen. When the pointer displayed on the display screen is superimposed on one of the abnormal events displayed on the display screen, the display control unit 160 displays the abnormal event on which the pointer is superimposed. An abnormal event related to is displayed in a different manner from other abnormal events.

As a result, for example, from the abnormal event list, the administrator can simply move the mouse over an abnormal event that the administrator wants to confirm the relationship, and the administrator Other abnormal events can be confirmed on the graph. Therefore, the administrator can easily deal with abnormalities such as tracking abnormal events from the relationship graph and abnormal event list displayed on the display screen. For example, the logs stored in the storage unit 130 are generally arranged in time series. Therefore, abnormal events included in the abnormal event list are also arranged in time series. Therefore, the administrator can check abnormal events in the corresponding relationship graph by moving the mouse over the abnormal events arranged in time series in order, so that the temporal order of abnormal events can be easily grasped. can do. For example, the behavior is the same in the following elements (1) and (2), but the correspondence method changes depending on the time series.
(1) A process communicated with an external host after opening a file.
(2) A process opened a file after communicating with an external host.
According to the present embodiment, since the administrator can easily confirm this difference, the support apparatus 104 can assist the administrator in taking an optimum response to the abnormal event. The order of abnormal events in the abnormal event list is not limited to time series, and any order may be used.

(About hardware configuration)
In each embodiment of the present invention, each component of each device represents a functional unit block. Part or all of each component of each device is realized by an arbitrary combination of an information processing device 500 and a program as shown in FIG. 22, for example. The information processing apparatus 500 includes the following configuration as an example.

CPU (Central Processing Unit) 501
ROM (Read Only Memory) 502
-RAM (Random Access Memory) 503
A program 504 loaded into the RAM 503
A storage device 505 for storing the program 504
A drive device 507 for reading / writing the recording medium 506
Communication interface 508 connected to the communication network 509
An input / output interface 510 for inputting / outputting data
-Bus 511 connecting each component
Each component of each device in each embodiment is realized by the CPU 501 acquiring and executing a program 504 that realizes these functions. The program 504 that realizes the function of each component of each device is stored in advance in the storage device 505 or the RAM 503, for example, and is read by the CPU 501 as necessary. Note that the program 504 may be supplied to the CPU 501 via the communication network 509 or may be stored in the recording medium 506 in advance, and the drive device 507 may read the program and supply it to the CPU 501.

  There are various modifications to the method of realizing each device. For example, each device may be realized by an arbitrary combination of the information processing device 500 and a program that are separately provided for each component. A plurality of constituent elements included in each device may be realized by an arbitrary combination of one information processing device 500 and a program.

  In addition, some or all of the components of each device are realized by other general-purpose or dedicated circuits, processors, or combinations thereof. These may be configured by a single chip or may be configured by a plurality of chips connected via a bus.

  Part or all of each component of each device may be realized by a combination of the above-described circuit and the like and a program.

  When some or all of the constituent elements of each device are realized by a plurality of information processing devices and circuits, the plurality of information processing devices and circuits may be centrally arranged or distributedly arranged. Also good. For example, the information processing apparatus, the circuit, and the like may be realized as a form in which each is connected via a communication network, such as a client and server system and a cloud computing system.

  Each of the above-described embodiments is a preferred embodiment of the present invention, and the scope of the present invention is not limited only to the above-described embodiments, and those skilled in the art do not depart from the gist of the present invention. However, it is possible to construct a form in which various modifications are made by correcting or substituting the above-described embodiments.

DESCRIPTION OF SYMBOLS 10 Support apparatus 11 Classification part 12 Generation part 100 Support apparatus 101 Support apparatus 102 Support apparatus 103 Support apparatus 104 Support apparatus 110 Classification part 111 Classification part 120 Generation part 121 Generation part 122 Generation part 130 Storage part 140 Detection part 141 Detection part 150 Reception Unit 151 receiving unit 152 receiving unit 160 display control unit 200 display device 300 input device

Claims (16)

Classifying means for classifying an event detected as an abnormal event among events between a plurality of elements for each element related to the abnormal event;
Based on the result of the classification, the abnormal event is represented by using the element as a vertex and the relationship between the elements as an edge, the element is arranged for each type on the display screen, and the relation graph is displayed on the display screen Generating means for generating the support device. The event is an event that occurs on a system including a plurality of hosts,
The classification means classifies the abnormal event for each element for each host,
The generating unit arranges the elements in a first direction for each type, and generates the relation graph in which the type is arranged in a second direction different from the first direction for each host. Item 4. The support device according to Item 1. The abnormal event is associated with a value indicating the degree of abnormality,
The support device according to claim 2, wherein the generation unit generates the relation graph in which the elements are arranged in the first direction for each type based on the degree of abnormality.   4. The support apparatus according to claim 2, wherein the type of the relation graph is arranged in the order of a file in the host, a process in the host, and an external host different from the host in the second direction. 5.   4. The relationship graph according to claim 2, wherein the type is arranged in the order of an account in the host, a process in the host, a file in the host, or an external host different from the host in the second direction. The support device described.   4. The relationship graph according to claim 2, wherein the type is arranged in the order of an account in the host, a process in the host, a file in the host, and an external host different from the host in the second direction. The support device described.   The generation unit generates the relation graph in which elements inside the host and elements representing external hosts different from the host are displayed in a distinguishable manner on the display screen. The support device according to any one of 2 to 6. Further comprising accepting means for accepting selection of the abnormal event;
The support according to any one of claims 1 to 7, wherein the classifying unit classifies abnormal events that have occurred after a time specified based on the received abnormal event for each element related to the abnormal event. apparatus.   When the pointer displayed on the display screen is superimposed on the vertex or the side on the display screen, the generation unit is configured to select the element indicating the vertex connected to the vertex or the side. The support apparatus according to claim 1, wherein a location in the host is displayed on the display screen with a full path. A display control means for generating a screen including the list including the abnormal event and the relationship graph associated with the list, and causing the generated screen to be displayed on the display screen;
When the pointer displayed on the display screen is superimposed on any one of the abnormal events displayed on the display screen, the display control means The support apparatus according to any one of claims 1 to 9, wherein an abnormal event related to an abnormal event is displayed in a manner different from other abnormal events.   The support device according to claim 1, further comprising detection means for detecting the abnormal event.   The support apparatus according to claim 1, further comprising display means including the display screen. Of events between multiple elements, classify the events detected as abnormal events for each element related to the abnormal event,
Based on the result of the classification, the abnormal event is represented by using the element as a vertex and the relationship between the elements as an edge, the element is arranged for each type on the display screen, and the relation graph is displayed on the display screen A support method to generate. The event is an event that occurs on a system including a plurality of hosts,
When classifying the abnormal event for each element, for each host, classify the abnormal event,
When generating the relationship graph, the elements are arranged in a first direction for each type, and the relationship graph is generated for each host in which the type is arranged in a second direction different from the first direction. The support method according to claim 13. A process of classifying an event detected as an abnormal event among events between a plurality of elements for each element related to the abnormal event;
Based on the result of the classification, the abnormal event is represented by using the element as a vertex and the relationship between the elements as an edge, the element is arranged for each type on the display screen, and the relation graph is displayed on the display screen A program for causing a computer to execute a process for generating The event is an event that occurs on a system including a plurality of hosts,
The process of classifying is a process of classifying the abnormal event for each element for each host,
The generating process arranges the elements in a first direction for each type, and generates the relationship graph arranged in a second direction different from the first direction for each host. The program according to claim 15.

Images