JP2017168030A - History analyzer, history analysis method, history analysis system, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To specify a derivative relation pertaining to data arranged in different devices on the basis of logs pertaining to these data.SOLUTION: A history analyzer of the present invention comprises: a log acquisition unit for acquiring an access log to a file provided in a file provision device and a process operation log that includes information pertaining to an operation executed by a process in a file manipulation device on a file arranged in the file provision device or the file manipulation device; and an analysis unit for specifying from the access log and the process operation log an operation process having manipulated a file to be manipulated that is provided in the file provision device, extracting from the process operation log a log that satisfies a specific condition among logs pertaining to a derivation source operation that could be executed on an original file of the file to be manipulated, in accordance with the type of operation executed on the file to be manipulated, and specifying a file recorded in the extracted log as an original file for the file to be manipulated.SELECTED DRAWING: Figure 22A

Description

  The present invention relates to a history analysis apparatus that can analyze a derivation relationship of a file.

  In recent years, as the storage capacity (storage size) of a file server increases, the amount of data handled by the file server has increased. In addition, there are increasing opportunities for a plurality of people to refer to and edit files registered in the file server.

  Since the file stored in the file server is accessed by a plurality of people, a modified file (sometimes referred to as a derivation destination file) is often created. For example, when a file on a file server is modified on the client side, it may be difficult to specify a derivation relationship between files only with information available on the file server. For this reason, a technique capable of confirming the derivation relationship between files is required. In relation to the above, the following patent documents are known.

  Patent Document 1 discloses a technique for extracting an access log corresponding to an operation log related to a certain file using a file operation log in a client terminal and an access log for a server device.

Patent Document 2 discloses a technique for determining the usage status of a specified file by using operation log information of a client terminal and file relationship information indicating file relationships.
Patent Document 3 discloses a technique for monitoring an operation related to a certain reference file and detecting a derivation destination file generated based on the reference file based on an operation event for the reference file.

  Patent Document 4 discloses a description for managing an operation history for a file using a database. The technique disclosed in Patent Document 4 searches operation information suitable for a file operation tracking request from a database, and displays the result in a listable manner.

JP 2014-153742 A JP 2009-176119 A JP 2009-015659 A JP 2008-052570 A

  When tracking data derived from data (files, etc.) placed on a server (data providing server) that can provide data such as file servers, etc., the data is tracked. It is conceivable to use the access log of the providing server. However, in the access log, there are cases where only information about the reading and writing of data is described. In this case, it is difficult to specify derivation destination data created by an operation related to data that is not completed in the data providing server (for example, editing or copying outside the server).

  As a specific example, a case is assumed in which the data editing location and the location location extend over both the data providing server and the client device. In this case, the access log on the data providing server or client device side includes information that directly associates the derivation source data (hereinafter sometimes referred to as “derivation source data” or “original data”) and the derivation destination data. May not remain, and it may be difficult to track derivation relationships between data.

  On the other hand, the techniques disclosed in Patent Document 1 to Patent Document 4 can directly specify a derivation source file and a derivation destination file derived from the operation log or operation event of the application. It is assumed that. However, as described above, in an actual system, it is not always possible to obtain a log that directly associates a derivation source file with a derivation destination file. For example, when an operation log as described above cannot be acquired from an application that operates a file, it is considered that it is difficult to appropriately track the derivation relationship between files with the techniques described in the above patent documents.

  The present invention has been made in view of the above circumstances. That is, one of the main objects of the present invention is to provide a history analysis device and the like that can specify a derivation relationship related to data based on logs related to data arranged in different devices.

  In order to achieve the above object, a history analysis apparatus according to an aspect of the present invention includes an access log including information on access from a file operation apparatus to a file provided in the file providing apparatus, and the file providing apparatus or the file From a log acquisition unit for acquiring a process operation log including information related to an operation executed by a process in the file operation device with respect to a file arranged in the operation device, from the access log and the process operation log, the An operation process that is the process that has operated the operation target file provided in the file providing apparatus is identified, and the original file of the operation target file is determined according to the type of operation performed on the operation target file. Of logs related to derivation operations that can be executed The specific conditions are met logs were extracted from the process operation log, extracted file recorded in the log relating to the derivation source operation, and a analysis section that identifies as the original file for the operation target file.

  The history analysis method according to one aspect of the present invention is arranged in an access log including information on access from a file operation device to a file provided in the file providing device, and the file providing device or the file operation device. A process operation log including information related to an operation executed by a process in the file operation device for the file, and an operation target file provided in the file providing device from the access log and the process operation log The operation process that is the above-described process that has been operated is identified, and the derivation source operation that is an operation that can be performed on the original file of the operation target file according to the type of operation performed on the operation target file Of the logs, the logs that satisfy a specific condition Extracted from Seth operation log, it extracted the derived operating the derivation source logged operation about to take is executable to identify the original file for the operation target file.

  A history analysis system according to an aspect of the present invention includes a file providing device capable of providing an operation target file and an access log including information related to access to the operation target file via a communication network, and the own device. A file operation device capable of executing an operation related to the operation target file and a file held in the own device by executing a process and providing a process operation log including information related to the operation via a communication network; The access log is acquired from the file providing device via the communication network, the process operation log is acquired from the file operation device, and the file is provided from the access log and the process operation log. Operation target provided in the device A source operation that can be executed on the original file of the operation target file according to the type of operation executed on the operation target file. An analysis unit that extracts a log satisfying a specific condition from the process operation log and identifies a file recorded in the extracted log regarding the derivation source operation as an original file for the operation target file; A history analyzer.

  The object is also achieved by a history analysis apparatus having the above-described configuration, a computer program that implements the history analysis method by a computer, a computer-readable recording medium that stores the computer program, and the like.

  According to the present invention, it is possible to specify a derivation relationship related to data based on logs related to data arranged in different apparatuses.

FIG. 1 is a block diagram illustrating a functional configuration of a system including a history analysis apparatus according to the first embodiment of the present disclosure. FIG. 2 is an explanatory diagram showing a specific example of the server access log. FIG. 3 is an explanatory diagram showing a specific example of a file access log. FIG. 4 is an explanatory diagram showing a specific example of the disk operation log. FIG. 5 is an explanatory diagram showing a specific example of the network operation log. FIG. 6A is an explanatory diagram of a specific example of process state information. FIG. 6B is an explanatory diagram illustrating another specific example of process state information. FIG. 7A is an explanatory diagram illustrating a specific example of network state information. FIG. 7B is an explanatory diagram illustrating another specific example of the network state information. FIG. 8 is an explanatory diagram showing a specific example of the operation history information. FIG. 9 is an explanatory diagram of a specific example of application information. FIG. 10 is a flowchart illustrating a processing procedure for extracting information related to an application that has operated a file. FIG. 11 is a flowchart illustrating a processing procedure for identifying an operation history by an application. FIG. 12 is a flowchart illustrating a processing procedure for specifying an operation history (editing, new creation) and an original file by an application. FIG. 13 is a flowchart illustrating a processing procedure for specifying an operation history (copy, move) and an original file by an application. FIG. 14 is a flowchart illustrating an operation history (download) by an application and a processing procedure for specifying an original file. FIG. 15 is a block diagram illustrating a functional configuration of a system including the history analysis apparatus according to the second modification example of the first embodiment of the present disclosure. FIG. 16 is a flowchart illustrating another processing procedure for extracting information related to an application that has operated a file. FIG. 17 is a block diagram illustrating a functional configuration of a system including a history analysis apparatus according to the third modification example of the first embodiment of the present disclosure. FIG. 18 is an explanatory diagram of a specific example of the Read operation log. FIG. 19 is an explanatory diagram of a specific example of a write operation log. FIG. 20 is an explanatory diagram of a specific example of a file list. FIG. 21A is a flowchart (part 1) illustrating the process of specifying the derivation relationship between files using the similarity. FIG. 21B is a flowchart (part 2) illustrating the process of specifying the derivation relationship between files using the similarity. It is a block diagram which illustrates the functional composition of the history analysis device concerning a 2nd embodiment of this indication. It is a block diagram which illustrates other functional composition of the history analysis device concerning a 2nd embodiment of this indication. FIG. 23 is a diagram illustrating a configuration of a hardware device capable of realizing the components of the history analysis device according to each embodiment of the present disclosure.

  Prior to describing the embodiment of the present invention, technical considerations and the like regarding the present invention will be described in more detail.

  In recent years, companies often place various data such as documents (for example, files) on a data providing server (for example, a file server) for the purpose of information sharing or the like. Hereinafter, for convenience of explanation, it is assumed that such data is provided by a “file”. Note that the present disclosure is not limited to this, and the data may be provided in an appropriate format other than a file.

  For example, a derivation destination file may be generated based on the original data (original file), for example, when the user or the like edits and updates the file and then saves the file with a different name. When tracking original data from a derivation destination file arranged in a file server, it may be difficult to track the original data if an operation that is not completed is executed in the file server.

  When sharing a file on a file server, for example, the file placed on the file server is not directly edited, but the file is temporarily transferred to the user's client device (for example, a computer) and then edited. It is possible to relocate to the file server. Thus, for example, a case is assumed where operations such as file editing and storage are performed over both the file server and the client device. In this case, by comparing the access log information on the file server side and the client device side, a part of operations (for example, copying) executed on these files can be confirmed. However, as described above, information that does not remain in the access log (for example, file editing or network download) may be difficult to track.

  Depending on the application that operates the file, it may be difficult to obtain an operation log related to the application. Further, it may not be easy to modify an application that can operate a file so as to provide a detailed operation log, or to replace the application itself with another application.

  In view of the above, the technology according to the present disclosure is a log that can be acquired from each device in a situation where the derivation source file and the derivation destination file can be arranged and operated on different devices (for example, a file server and a client terminal). Etc. are used to estimate the derivation relationship between these files. For example, it is conceivable to estimate a derivation source file for a derivation destination file by tracking a history of file operations performed in the past on a derivation destination file. Further, for example, it is conceivable to estimate a derivation destination file for the derivation source file by tracking a history of file operations performed on the derivation source file from a certain derivation source file.

  Hereinafter, the technique according to the present disclosure described using each embodiment focuses on the fact that file operations are classified into copy (move), deletion, new creation, change (same file update, alias storage), and the like. The technology according to the present disclosure uses, for example, information about applications, file access logs, storage device or network input / output information, information about process execution status, and the like acquired from each client device that uses a file server. The file operation by the application is estimated. Further, the technology according to the present disclosure can create a file change history by using the access log of the file server, the access log of the client terminal, and the estimated file operation. The technology according to the present disclosure makes it possible to specify an original file (derivation source file) related to a certain derivation destination file and trace the operation history related to the file by recursively repeating such an operation, for example. Also, the technology according to the present disclosure specifies a derivation destination file generated by an operation related to the file, for example, by tracing update information for a certain file in time series. The technology according to the present disclosure can estimate the derivation relationship between files even when the direct relationship between the derivation source file and the derivation destination file cannot be obtained from the operation log of the application, for example. is there. Thereby, the technology according to the present disclosure can hierarchically represent the change history related to the file.

  Hereinafter, a history analysis apparatus and the like that can realize the technology according to the present disclosure will be described using each embodiment. The history analysis device described below may be configured using a single device (physical or virtual device), and may be realized using a plurality of separated devices (physical or virtual devices). Also good. When the history analysis device is configured by a plurality of devices, the devices may be communicably connected via a communication network (communication line) that is wired, wireless, or an appropriate combination thereof. Such a communication network may be a physical communication network or a virtual communication network. A history analysis device described below or a hardware configuration capable of realizing the components will be described later.

<First Embodiment>
The configuration of the first embodiment related to the present disclosure will be described in detail with reference to the drawings.

[Constitution]
FIG. 1 is an explanatory diagram including a system configuration including a history analysis apparatus 300 according to the present embodiment.

  The system illustrated in FIG. 1 includes a file server 100, a client 200, a history analysis apparatus 300, and a network 400.

  The file server 100 is a data providing apparatus that can provide various data (files) via the network 400. The file server 100 has at least a shared storage device 110 and a server access log 120. The file server 100 may be realized by an information processing apparatus such as a computer, for example. The file server 100 may be realized by a physical device, for example, or may be realized by a virtual machine using a well-known virtualization platform.

  The file server 100 can provide a file arranged in the shared storage device 110 to one or more clients 200. The file server 100 may realize file sharing using an appropriate technique including a known technique, for example. As an example, the file server 100 may realize file sharing using NFS (Network File System) or SMB (Server Message Block). A client 200 described below (specifically, an application executed on the client 200) can access a file provided on the file server 100 using, for example, the above technique.

  The shared storage device 110 is a storage device that holds a file and can process file operations such as reading, writing, and deletion from one or more clients 200 regarding the file. The shared storage device 110 may be realized using, for example, a physical storage device such as a hard disk or a semiconductor storage device. Further, the shared storage device 110 may be realized using a virtual storage using a well-known virtualization platform.

  The server access log 120 is a record (log) of an operation (file operation) for a file held in the shared storage device 110. The server access log 120 may record file operations executed by the client 200. In the server access log 120, for example, as illustrated in FIG. 2, the “access time (120a), access source (120b), file name (120c), file operation (120d), size (120d)” relating to a certain file is stored. A plurality of each element may be recorded in chronological order. The server access log 120 may hold, for example, a record relating to file operations in the format illustrated in FIG. 2, but is not limited thereto.

  The access time 120a represents a time when an operation for a file held in the shared storage device 110 is executed. The time when the operation on the file is executed may be the time when the file is accessed by the operation.

  The access source 120b represents information that can identify the client 200 that has accessed the file. The access source 120b may be, for example, information indicating a name (for example, a computer name) that can identify the client 200, or information indicating a network address.

  The file name 120c represents information that can identify the operated file. The file name 120c may be information indicating a name that can specify a file in which data is stored. For example, the file name 120c may be information indicating a path (shared path) of a file provided in the file server.

  The file name 120c recorded in the server access log 120 and the file name 230b described in the file access log 230 (described later) are described with the same path name (such as the path name of the shared path of the file server), for example. The identity between them can be confirmed. For example, when the client 200 accesses a specific file in the file server 100, the same path name representing the file may be recorded in the server access log 120 and the file access log 230. For example, when the file server 100 and the client 200 employ Windows (registered trademark) as the OS, the path name may be represented by a complete path format including a computer name, a shared name, and the like.

  The file operation 120d represents an operation executed on the file. For example, the file operation 120d may be any one of “Read (read), Write (write), Delete (delete), and Rename (rename, rename)”. Operations other than those described above may be recorded in the server access log 120.

  The size 120e represents the size of a file from which an operation has been executed.

  The client 200 is a device that can execute an application that operates a file. The client 200 includes a storage device 210 and a CPU (Central Processing Unit) 220. The client 200 may be, for example, a computer such as a PC (Personal Computer), or may be another information processing apparatus having a communication function. The client 200 may be realized by a physical device or may be realized by a virtual machine using a well-known virtualization platform. Such a client 200 is communicably connected to the file server 100 and the history analysis device 300 via a communication network. A plurality of clients 200 may be connected to the file server 100.

  The client 200 includes a file access log 230, a disk operation log 240, a network operation log 250, process status information 260, and network status information 270. Note that data such as logs may be stored in the storage device 210.

  A client 200 (specifically, an application executed on the client 200) can access a file provided on the file server 100. Further, the client 200 can access a file arranged in a storage device 210 (described later) held in the own device.

  The storage device 210 can process file operations such as storage (storage), reading, writing, and deletion of files. Specifically, the storage device 210 can process a file operation by an application executed by the CPU 220. The storage device 210 may be realized using a physical storage device such as a hard disk or a semiconductor storage device. In addition, when the Klein 200 is realized as a virtual machine, the storage device 210 may be realized as a virtual storage.

  The CPU 220 is a processing device that performs application execution processing in the client 200. The CPU 220 may be realized by a general-purpose microprocessor or the like. When an application is executed in the client 200, the CPU 220 executes a process related to the application.

  The file access log 230 holds, for example, a record (data) related to a file operation executed by the client 200 on the shared storage device 110 in the file server. In the file access log 230, for example, the elements “access time (230a), file name (230b), file operation (230c), size (230d)” in the format illustrated in FIG. Multiple records may be recorded.

  Similar to the access time 120a, the access time 230a represents the time when an operation is performed on a file held in the shared storage device 110. The time when the operation on the file is executed may be the time when the file is accessed by the operation.

  Similarly to the file name 120c, the file name 230b may hold information that can identify the file. The file name 230b may be information representing a name that can specify a file in which data is stored.

  The file operation 230c represents an operation performed on the file. Similarly to the file operation 120d, any one of “Read (read), Write (write), Delete (delete), and Rename (rename)” may be recorded in the file operation 230c. In the file operation of the file access log 230, operations other than those described above may be recorded.

  The size 230d represents the size of the operated file.

  The disk operation log 240 holds data in which disk access operations performed by the client 200 on the storage device 210 are recorded. More specifically, the disk operation log 240 may record an operation related to file access performed by the application on the storage device 210, for example. In the disk operation log 240, for example, a plurality of elements “access time 240a, process ID 240b, file name 240c, file operation 240d, size 240e” may be recorded in time series in the format illustrated in FIG. .

  The access time 240a represents the time when the disk operation has occurred. The time when the disk operation occurs may be the time when the file is accessed by the disk operation.

  The process ID (Identifier) 240b represents information (identifier) that can identify the process that executed the disk access.

  The file name 240c may hold information that can specify a file, like the file name 120c and the file name 230b. That is, the file name 240c may be information indicating a file name (path name) that can specify a file in which data is stored.

  Information similar to the file operations 120d and 230c may be recorded in the file operation 240d.

  In the size 240e, the file size may be recorded in the same manner as the size 120e and the size 230d.

  The network operation log 250 holds data in which a network operation when the client 200 transmits / receives data to / from another network 410 via the network 400 is recorded. The network operation log 250 includes, for example, each element of “access time 250a, access source port number 250b, transmission / reception direction 250c, access destination host 250d, access port number 250e, size 250f” in the format illustrated in FIG. May be described in a time-series order.

  The access time 250a represents the time when the network operation is executed.

  The access source port number 250b represents a port number in the client 200 when a network operation is performed.

  The transmission / reception direction 250c represents the type of network operation. Specifically, the transmission / reception direction 250c may represent whether the network operation is transmission (Upload) or reception (Download).

  The access destination host 250 d represents information that can identify the access destination of the network operation executed in the client 200. The access destination host 250d may be, for example, a name (host name or the like) that can identify the access destination host, or a network address of the access destination host.

  The access destination port number 250e represents the port number of the access destination host connected by the network operation executed in the client 200.

  The size 250 f represents the size of data transmitted or received by a network operation executed in the client 200.

  The process state information 260 holds data (process state) in which the states of one or more processes processed by the CPU 220 are recorded in time series. In the process state information 260, for example, the state of a process at every predetermined time (for example, every predetermined time) may be recorded. In the process state information 260, for example, elements of “process ID (260a), process name (260b), execution user (260c)” are recorded in the format illustrated in FIG. 6A. The process state information 260 may be recorded with time information 260d representing the time when a certain process state is recorded, for example, in the format illustrated in FIG. 6B.

  The process ID 260a represents information (identifier) that can identify a process executed in the client 200.

  The process name 260b represents the name of the process identified by the process ID 260a. The process name 260b may represent, for example, the name of an application executed on the client 200.

  The execution user 260 c represents a user who executed a process in the client 200.

  The network status information 270 holds data used in the client 200 and recorded in a time-series manner in which the network port number usage status is recorded. In the network status information 270, for example, the port number of the network being used may be recorded at every predetermined time (for example, every predetermined time). In the network status information 270, for example, each element of a port number (270a) and a process ID (270b) is described in a format illustrated in FIG. 7A. In the network status information 270, time information (270c) indicating the time when the usage status of a certain port number is recorded may be recorded in the format illustrated in FIG. 7B, for example.

  The port number 270a represents a network port number used in the client 200.

  The process ID 270b represents the process ID of the process using the port with the port number 270a.

  The history analysis apparatus 300 includes a log acquisition unit 310 and an analysis unit 340. The history analysis device 300 may include operation history information 320 and application information 330. The history analysis apparatus 300 can be realized by an information processing apparatus such as a computer. The history analysis device 300 may be realized by a physical device, for example, or may be realized by a virtual machine using a well-known virtualization platform. The history analysis apparatus 300 is connected to the file server 100 and the client 200 via the network 400 so that they can communicate with each other.

  The log acquisition unit 310 has a function of acquiring various log information from the file server 100 and the client 200 via the network 400 and generating operation history information 320. Such various log information may include, for example, a server access log 120, a file access log 230, a disk operation log 240, a network operation log 250, process state information 260, network state information 270, and the like.

  The operation history information 320 holds, as data, an operation history executed on a certain file in the file server 100 or the client 200. Specifically, the operation history information 320 records an analysis result obtained by analyzing the operation history related to a certain file by the analysis unit 340. The operation history information 320 includes, for example, “operation time (320a), file name (320b), user operation (320c), operation source host (320d), operation source file (320e) in a format illustrated in FIG. ), Operation element (320f) "may be recorded.

  The operation time 320a represents a time when an operation on a certain file is executed. The operation time 320a may be a time when the file is accessed.

  The file name 320b represents information (for example, a file name, a path name, etc.) that can identify the file on which the operation has been executed.

  The user operation 320c represents an operation executed on the file. For example, any one of “copy, new creation, editing, derivation, deletion, movement, renaming” may be recorded in the user operation 320 c. Operations other than those described above may be recorded in the user operation 320c.

  The operation source host 320d represents a division method that can identify the client 200 on which the file operation is executed.

  The operation source file 320e represents information (for example, a file name, a path name, etc.) that can specify an original file (derivation source file) of a certain file.

  The operation user 320f represents, for example, information (for example, a user name) that can specify a user who has operated the file.

  The application information 330 holds information related to the application (for example, information related to extensions and operations that can be used in the application) as data. In the application information 330, for example, as illustrated in FIG. 9, information indicating “application name (330a), extension (330b), possible operation (330c), port number (330d)” related to the application is recorded. Good. The application information 330 may be registered in advance by a user or the like.

  The application name 330a represents the name of the application.

  The extension 330b represents, for example, an extension of a file that can be handled by the application (an extension of a file associated with the application).

  The possible operation 330c represents the type of file operation that can be executed by the application. In the possible operation 330c, for example, any one of “Edit (edit), Copy (copy: copy), Download (download), and Upload (upload)” may be described. Operations other than those described above may be recorded in the possible operation 330c.

  The port number 330d represents a port number used by the application during network communication.

  The analysis unit 340 derives a file (may be described as “target file”) arranged in the file server from various log information, operation history information 320, and application information 330 acquired by the log acquisition unit 310. An original file (may be described as “original file”) and an operation history related to the target file are estimated. Specific processing of the analysis unit 340 will be described later.

  The network 400 is a communication network that connects the file server 100, one or more clients 200, and the history analysis apparatus 300 so that they can communicate with each other, and that can transfer files between them. The network 400 can be connected to another network 410, and can transmit / receive information (data) to / from the other network 410 using, for example, the Web (World Wide Web) or electronic mail. Such a network 400 may be realized by wired communication, wireless communication, or an appropriate combination thereof. The network 400 may be realized as a virtual network using a well-known virtualization platform.

  The network 400 may be communicably connected to another network 410 (communication network). The other network 410 may be realized by wired communication, wireless communication, or an appropriate combination thereof, or may be realized as a virtual network using a well-known virtualization infrastructure.

  It is assumed that common time information (time information) is recorded in the server access log 120 and the file access log 230 described above. For this reason, the time information of the file server 100 and the time information of each client 200 may be synchronized. When it is difficult to strictly synchronize these pieces of time information, for example, by comparing the access time and the size, the access time in the server access log 120 and the file access log 230, the file name, Assuming that identity can be secured. For example, the history analysis apparatus 300 (particularly the analysis unit 340) performs an operation in which a specific log recorded in the server access log 120 and a specific log recorded in the file access log 230 are executed on the same file. The following method may be used to determine whether or not the log is related to. That is, when at least one of the difference between the access times recorded in the two logs and the difference in size is smaller than the specified value, the history analysis apparatus 300 relates to the operation performed on the same file. You may determine that it is a log.

[Operation]
Hereinafter, the operation of the history analysis apparatus 300 in the present embodiment will be described with reference to the drawings. Specifically, a process for estimating the original file 541 for the target file 501 held in the shared storage device 110 of the file server 100 and the operation history related to the target file 501 will be described. The target file 501 is a file to be subjected to history analysis. The original file 541 is an original (derived) file of the target file 501.

  Generally, it is considered that a derivation destination file is created by executing editing, copying, alias saving, and the like on data read from an original file (derivation source). In other words, it is considered that the read operation (read) is executed from the original file 541 before the write operation for the target file 501 is executed. The history analysis apparatus 300 (the analysis unit 340) specifies a read operation that satisfies a certain specific condition and is executed before a write operation related to the target file 501. Then, the file on which the Read operation is executed is estimated as the original file 541 related to the target file 501. Hereinafter, an operation performed on a derivation source file may be referred to as a derivation source operation.

  The history analysis apparatus 300 acquires the server access log 120 from the file server 100 using the log acquisition unit 310. Further, the history analysis apparatus 300 acquires each log of the file access log 230, the disk operation log 240, the network operation log 250, the process status information 260, and the network status information 270 from one or more clients 200 (step of FIG. 10). S1001).

  The analysis unit 340 extracts from the server access log 120 a log that describes the operation of the target file 501 and arranges the logs in time series. The analysis unit 340 extracts the first access log list 502 corresponding to the write operation for the target file 501 by extracting the log related to the write operation from the arranged logs (step S1002).

  The analysis unit 340 extracts the first access log 503 having the oldest access time from the first access log list 502 (step S1003). The analysis unit 340 is not limited to the above, and may extract, for example, a log within a certain reference time range from the oldest access time as the first access log 503.

  The analysis unit 340 refers to “access source (120b in FIG. 2)” recorded in the first access log 503. The analysis unit 340 acquires the file access log 230 of the client 200 corresponding to the access source 120b (step S1004).

  The analysis unit 340 selects a log list including the same file name as the target file 501 from the acquired file access log 230 and arranges the list in chronological order. As a result, the analysis unit 340 creates the file access log list 511 (step S1005).

  The analysis unit 340 acquires, from the file access log list 511, a log in which the access time 230a and the file operation 230c match the access time 120a and the file operation 120d recorded in the server access log 120, respectively (step S1006). Hereinafter, the acquired log is referred to as a write log 512 hereinafter.

  If the same data is recorded in the file access log 230 and the disk operation log 240, the disk operation log 240 is used in step S1004 to step S1005 without using the file access log 230. May be.

  The analysis unit 340 selects, from the disk operation log 240, a log whose access time coincides with the write log 512. The analysis unit 340 acquires the data recorded in the process ID 240b in the selected log (step S1007). Hereinafter, the data of the process ID 240b is described as a process ID 521 (operation process ID). The process corresponding to the process ID 521 is the process of the application that executed the write operation for the target file.

  The analysis unit 340 searches the process state information 260 acquired from the client 200 for data including the same process ID as the process ID 521, and acquires the process name 260b included in the data (step S1008). Hereinafter, the acquired process name 260b is referred to as a process name 522.

  The analysis unit 340 extracts, from the application information 330, data whose application name (330a in FIG. 9) matches the process name 522, and identifies a possible operation (330c in FIG. 9) related to the application corresponding to the process name 522 ( Step S1009). Hereinafter, the identified possible operation 330c is referred to as a possible operation 523. When the process name 522 cannot be extracted, the analysis unit 340 handles the application as an unknown application. In this case, the analysis unit 340 estimates that the application can execute at least one of arbitrary file operation and network operation.

  Hereinafter, a process in which the analysis unit 340 detects a file (a derivation source file (original file)) that is an update source or a copy source of the target file 501 that has been written will be described. For example, the analysis unit 340 may execute a process for estimating an original file described below after the process in step S1009 described above.

  Assume that a possible operation 523 in the process name 522 of the application information 330 includes an element “Edit (edit)”. In this case, in the client 200, there is a possibility that new file creation, modification by editing, derivation by alias saving, and the like are performed. Hereinafter, processing performed by the analysis unit 340 in this case will be described with reference to flowcharts illustrated in FIGS. 11 and 12.

  The analysis unit 340 detects, from the process state information 260, the oldest time when data including the process ID 521 is recorded before (in the past) the access time of the write log 512 (step S1201). In other words, the analysis unit 340 detects the time when the data including the process ID 521 is recorded in the process state information 260 for the first time before the access time of the write log 512. Hereinafter, the oldest time in which data including the process ID 521 is recorded may be referred to as “process activation time”.

  Specifically, the analysis unit 340 may, for example, trace the record of the process state information 260 from the access time of the write log 512 and confirm the data in which the process state including the process ID 521 is recorded. For example, the analysis unit 340 extracts data having the oldest recorded time from data including the process ID 521. Then, the time when the data is recorded may be treated as the process activation time. Hereinafter, such process activation time may be referred to as process activation time 531. The analysis unit 230 may estimate that the application corresponding to the process ID 521 is alive (executed) at least between the process activation time 531 and the access time of the write log 512.

  The analysis unit 340 confirms the written log from the process activation time 531 to the access time of the write log 521 from the file access log 230. The analysis part 340 narrows down the log relevant to the possible operation 523 among those logs. Thereby, the analysis unit 340 extracts an access log list 532 (second access log list) that is a log candidate in which an operation by the application corresponding to the process ID 521 is recorded (step S1202). For example, when the possible operation 523 is “Edit (edit)”, the analysis unit 340 displays, from the file access log 230, a file operation (230c in FIG. 3) corresponding to “Read, Write, Rename”. It may be extracted.

  The analysis unit 340 extracts a log in which the process ID included in the disk operation log 240 matches the process ID 521 from the extracted access log list 532. The analysis unit 340 generates a third access log list using the extracted log (step S1203). Hereinafter, the third access log list may be referred to as an access log list 533.

  The analysis unit 340 confirms whether the access log list 533 includes a read operation read log (step S1204). The analysis unit 340 specifies, for example, a read operation (Read operation) that is an operation (derivation source operation) that can be executed on the derivation source file in accordance with an operation (Write operation) performed on the operation target file. It may be confirmed whether the access log list 533 includes a read operation log.

  Hereinafter, a case where the read operation log is included in the access log list 533 (YES in step S1204) will be described.

  If a process can only edit a single document, the old read access update is considered discarded. For example, when a read access (Read) occurs a plurality of times, the contents of the old read access can be discarded by a new read access. Therefore, the analysis unit 340 acquires a candidate log including the latest (newest access time) Read operation in the access log list 533 (third access log list) (step S1205). For example, the analysis unit 340 may acquire, as a candidate log, a log related to a Read operation executed at a time closest to the access time of the write log 512 in the access log list 533. When a plurality of Read operations are recorded at the same time, the analysis unit 340 may acquire a log regarding the Read operation recorded last as a candidate log. Hereinafter, this log is referred to as a candidate log 534.

  In this case, the analysis unit 340 may estimate that the original file 541 that is the update source of the target file 501 is a file specified by the file name of the candidate log 534 (step S1206). In other words, the analysis unit 340 estimates that the file name of the candidate log 534 is the file name of the original file 541.

  If the file name of the original file 541 (that is, the file name recorded in the candidate log 534) matches the file name of the target file 501, the analysis unit 340 executes the file It is estimated that the performed user operation is “update”. Hereinafter, the estimated user operation may be referred to as a user operation 535.

  When the file name of the original file 541 and the file name of the target file 501 are different, the analysis unit 340 estimates that the target file 501 is a derivation destination file stored with a file name different from that of the original file 541. In this case, the analysis unit 340 may estimate that the user operation is “derivation”.

  Hereinafter, a case where the log related to the Read operation is not included in the access log list 533 (third access log list) (NO in step S1204) will be described.

  In this case, the analysis unit 304 may determine that the original file 541 related to the target file 501 is not detected (step S1207).

  The analysis unit 340 checks whether there are other elements (elements other than Edit) in the other possible operations 523 (step S1208).

  If NO in step S1208 (there is no other possible operation), the analysis unit 340 estimates that the target file 501 is a newly created file (step S1209). Thereby, the analysis unit 340 may estimate that the user operation 535 is “new creation”.

  If YES in step S1208 (there is another possible operation), the analysis unit 340 confirms the other operation (step S1210).

  Hereinafter, a case where the element “copy (Copy)” is included in the log possible operation 523 including the process name 522 in the application information 330 will be described with reference to the flowchart of FIG. 13. The same processes as those in the flowchart of FIG. 12 are denoted by the same reference numerals, and redundant description is omitted.

  When a copy operation is performed on a certain file, it is considered that the application has copied and moved the file to another location without editing the contents of the file. As a specific example, assuming a file operation using an Explorer in Windows (registered trademark), it is considered that an operation for copying or moving a file to another folder has been performed.

  When a certain file is copied, it is considered that the read operation for the copy source file is executed with the same size as the copy destination file before the write operation for the copy destination file occurs.

  Therefore, the analysis unit 340 may execute the same processing as in the case where the element “Edit (edit)” is included in the possible operation described above, for example, in order to track the copy source file (step S1201). To Step S1205). Thereby, the analysis unit 340 generates an access log list 533 (third access log list), and acquires a candidate log 534 including the latest Read information.

  The analysis unit 340 extracts, from the extracted candidate log 534, data whose size (230d) recorded in the log matches the size of the write log 512 (step S1301). That is, the analysis unit 340 extracts a log of a read operation having a size that matches the written size from among the logs related to the read operation executed before the write operation to the disk occurs. Hereinafter, the extracted log related to the read operation may be referred to as a replication source candidate log.

  Accordingly, the analysis unit 340 can estimate that the file name of the original file 541 that is the update source of the target file 501 is the file name described in the copy source candidate log.

  The analysis unit 340 refers to the file access log 230 and determines whether there is a delete operation log related to the file with the file name described in the replication source candidate log after the access time of the replication source candidate log. (Step S1302). Specifically, the analysis unit 340 determines whether there is a delete operation log related to the file having the file name described in the replication source candidate log within a predetermined deletion reference time from the access time of the replication source candidate log. It may be determined. Such deletion reference time may be determined as appropriate. The deletion reference time may be a sufficiently short fixed time determined based on a certain reference, for example.

  If YES in step S1302, the analysis unit 340 estimates that the original file 541 related to the target file 501 has been deleted, and determines that the user operation 535 is a “move” operation (step S1303). If NO in step S1302, the analysis unit 340 estimates that the target file 501 has been copied from the original file 541 and determines that the user operation 535 is a “copy” operation (step S1304).

  As described above, the method in which the analysis unit 340 determines that the user operation 535 is “copy”, “update”, “new creation”, and “derivation” has been described. The analysis unit 340 can directly identify these operations for “rename” and “delete” operations other than those described above with reference to the disk operation log 240. In this case, the analysis unit 340 can specify the user operation 535 from the contents of the disk operation log 240. The analysis unit 340 can identify the original file 541 when the user operation is “rename” from the contents of the disk operation log 240.

  When the original file 541 related to the target file 501 can be identified, the analysis unit 340 describes the file update information in the operation history information 320.

  The analysis unit 340 can record the following data in the operation history information 320 using the estimation result and the collected various logs. That is, the operation time of the target file 501 (access time of the target file 501) may be set as the operation time 320a of the operation history information 320. As the file name 320b, the file name of the target file 501 may be set. As the user operation 320c, the estimated user operation 535 may be set. In the operation source host 320d, a host name or the like of the client 200 that has performed an operation related to the target file 501 may be set. The file name of the candidate log 534 estimated in the above process may be set in the operation source file 320e. The execution user 260c extracted from the process state information 260 may be set as the operation user 320f. For example, the analysis unit 340 may register the data of the execution user 260c registered in association with the process ID 521 in the vicinity of the operation time of the target file 501 with the operation user 320f.

  The analysis unit 340 may, for example, replace the identified original file 541 with the target file 501 (that is, specify the identified original file as a new target file) and execute the above processing recursively. As a result, information is added to the operation history information 320, and the change source history of the file can be tracked by sequentially referring to the information.

  The history analysis apparatus 300 according to the present embodiment configured as described above can track the update history of a file even in an environment where an operation log by an application cannot be acquired. This is because the history analysis apparatus 300 (particularly the analysis unit 340) can identify the application that operated the target file 501 and the operation using various logs recorded in the client 200. Specifically, the history analysis apparatus 300 refers to, for example, the access time of the target file 501 and executes an operation related to the target file 501 from the file access log 230, the disk operation log 240, the process state information 260, and the like. To extract. The original file 541 related to the target file 501 and the user operation executed by the application can be specified from the operation that can be executed by the application and the log of the file operation executed by the application.

  The history analysis apparatus 300 can detect the original data that is the source of the target file 501 by tracing the update history of the target file 501. This is because the history analysis apparatus 300 can specify the original file 541 related to a certain target file 501 as described above. That is, the history analysis apparatus 300 can sequentially track the original file 541 related to a certain target file 501 by repeatedly (recursively) executing such processing.

  The history analysis apparatus 300 can specify a user who has operated (for example, newly created or edited) the original file 541 by specifying the original file 541 related to the target file 501.

  As described above, according to the history analysis apparatus 300 in the present embodiment, logs (server access) regarding files (for example, the target file 501 and the original file 541) respectively arranged in different apparatuses (for example, the file server 100 and the client 200). Log 120, file access log 230, disk operation log 240, etc.), the derivation relationship for these files can be specified.

<First Modification>
Hereinafter, the first modified example (hereinafter sometimes referred to as modified example 1) according to the first embodiment described above will be described. This modification corresponds to a case where an operation such as downloading from a communication network (for example, downloading from a Web server) is included.

  The apparatus configuration capable of realizing the history analysis apparatus 300 in the present modification may be the same as that in the first embodiment. As will be described below, the history analysis apparatus 300 in the present modification is different in operation from the history analysis apparatus 300 in the first embodiment. The history analysis apparatus 300 in this modification refers to the network operation log 250 and the network state information 270.

  Also in the present modification, the process of acquiring the possible operation (the possible operation 523) related to the application that operates the target file 501 illustrated in FIG. 10 may be the same as that in the first embodiment.

  Hereinafter, a case where a download element is included in the possible operations in the process name 522 of the application information 330 will be described. In this case, in the client 200, for example, data may be downloaded from another network 410 via the network 400. Such a download can be executed by a general method such as a download using a web browser. Since data is received from the network 400 by the download operation, generally, after executing the download process (for example, immediately after), writing to the file is generated with the same size as the size of the downloaded data. It is thought that there is. Therefore, the history analysis apparatus 300 (analysis unit 340) specifies a download operation that satisfies a specific condition as a derivation source operation executed before a write operation related to the target file 501. Then, the history analysis apparatus 300 estimates the data received by the download operation as an original file 541 related to the target file 501.

  In order to track the downloaded file, the analysis unit 340 executes a process similar to the case where the element “edit” is included in the possible operation 523 in the first embodiment. Hereinafter, the processing of the analysis unit 340 will be described with reference to the flowchart illustrated in FIG.

  The analysis unit 340 extracts the activation time (process activation time) of the process (process ID 512) that executed the write process for the file having the same file name as the target file 501 by the same process as in step S1201 described above (step S1401). ).

  The analysis unit 340 refers to the network state information 270 acquired between the process activation time and the access time of the write log 512, and extracts data in which the process ID 521 (operation process ID) is recorded in the process ID (270b). To do. As described above, the process ID 521 is a process ID related to a process in which an operation related to the target file 501 is executed in the client 200.

  For example, the analysis unit 340 extracts the following logs from the process activation time 531 to the access time of the write log 512 from the logs recorded in the network operation log 250. That is, for example, the analysis unit 340 may extract a log in which the port number used by the process with the process ID 521 matches the access destination port number 250e from the network operation log 250. For example, when data whose application name (330a) matches the process name 522 is registered in the application information 330, the analysis unit 340 records a log where the port number (330d) matches the access destination port number 250e. May be extracted. The analysis unit 340 generates a network log list 560 including the extracted logs (step S1402). The network log list 560 may have the same configuration as the network operation log 250. Hereinafter, one line (one log) in the network log list 560 is referred to as a network log 561.

  The analysis unit 340 selects each network log 561 in the network log list 560 from the network log list 560 in the order close to the access time of the target file 501 (step S1403).

  The analysis unit 340 determines whether or not the selected network log is a log related to a download operation (step S1404). The analysis unit 340, for example, according to an operation (Write operation) performed on the operation target file, As an operation (derivation source operation) that can be executed on the derivation source file, a Download operation is specified, and it is confirmed whether or not the network log 561 selected from the network log list 560 is a log of the Donload operation. . The analysis unit 340 can determine whether or not the log is a log related to the download operation with reference to the transmission / reception direction (250c) in the network log.

  Hereinafter, the case of YES in step S1404 will be described.

  In this case, the analysis unit 340 may correct the size (250f) set in the network log according to the communication protocol when data is received by the Donload operation (step S1405). This is because, depending on the communication protocol, the downloaded data size and the data size written to the file may differ depending on header information and encoding. The analysis unit 340 may correct the data size using, for example, an appropriate mathematical expression associated with the communication protocol. Hereinafter, the corrected size may be referred to as a corrected size.

  The analysis unit 340 determines whether the size (or correction size) recorded in the network log 561 matches the size recorded in the write log 512 (step S1406). For example, when the size recorded in the network log 561 (or the size) matches the size recorded in the write log 512, the analysis unit 340 may determine that these match. For example, when the difference between the size (or the size) recorded in the network log 561 and the size recorded in the write log 512 is smaller than the predetermined reference value (threshold value), the analysis unit 340 You may determine that these match.

  In steps S1403 to S1406, the analysis unit 340 may execute the following processing, for example. In other words, the analysis unit 340 has a transmission / reception direction 250c of “Download” in the network log list 560, a size (or correction size) 250f that matches the size of the target file 501, and is closest to the access time of the target file 501. The network log 561 may be selected.

  If YES in step S1406, analysis unit 340 estimates that a download operation has been executed (step S1407). In this case, the analysis unit 340 transmits the file from the network before the process (the process corresponding to the process ID 521) that executed the operation on the target file 501 executes the writing to the target file 501 (before the access time of the write log 512). Estimated that you downloaded. The analysis unit 340 may estimate that the original file 541 that is the update source of the target file 501 is data acquired (received) from the access destination host (250d) of the network log 561.

  If NO in step S1404 or step S1406 (size mismatch), the analysis unit 340 executes the same processing for other logs included in the network log list (steps S1408 to S1404).

  If there is no compatible download log in the network log list (NO in step S1408), the analysis unit 340 may determine that the download operation has not been executed. In that case, if there is another possible operation, the analysis unit 340 may continue the processing related to the possible operation (steps S1409 to S1411).

  Note that processes other than those executed by the history analysis apparatus 300 in the present modification may be the same as those in the first embodiment, for example.

  The history analysis apparatus 300 according to this modification configured as described above can estimate whether or not the original file 541 related to the target file 501 is data downloaded via a communication network. When the original file 541 is data downloaded via a communication network, the download source can be specified. This is because the history analysis apparatus 300 downloads data having a size that matches the size of the original file 541 (the size of the write log 512) by the application that operated the original file 541 (the application corresponding to the process ID 521). This is because it can be identified.

  By using the history analysis apparatus 300 in this modification as described above, for example, a problem that may occur when the original file 541 is downloaded from an external site or the like can be confirmed.

  Further, the history analysis apparatus 300 in this modification can specify the original file 541 as in the first embodiment. In addition, the history analysis apparatus 300 according to this modification can specify the user who has operated the original file 541.

<Second Modification>
Hereinafter, a second modification example (hereinafter, may be referred to as modification example 2) related to the first embodiment will be described. The history analysis apparatus 300 in this modification can detect a derivation destination file derived from a certain file. The derivation destination file may be a file generated by an appropriate method (for example, editing, copying, alias saving, etc.) based on a certain file, for example.
An apparatus configuration capable of realizing the history analysis apparatus 300 in the present modification may be the same as that in the first embodiment and Modification 1 as illustrated in FIG. As will be described below, the history analysis apparatus 300 in the present modification is different in operation from the first embodiment. In FIG. 15, the same components as those in FIG. 1 are denoted by the same reference numerals, and detailed description thereof is omitted.

  Hereinafter, in the present modification, a process in which the history analysis apparatus 300 estimates the derivation destination file 702 related to the target file 701 stored in the shared storage device 110 of the file server 100 and the operation history related to the file 701 will be described. In FIG. 15, for convenience of explanation, the derivation destination file 702 is arranged in the client 200, but the derivation destination file 702 may be arranged in the file server 100.

  FIG. 16 is a flowchart showing an example of the operation of the history analysis apparatus 300 in the present modification. In FIG. 16, processes (steps) similar to those in FIG. 10 are denoted by the same reference numerals, and detailed description thereof is omitted. Since the operation of the log acquisition unit 310 in the history analysis apparatus 300 may be the same as that in the first embodiment and the first modification example, detailed description thereof is omitted.

  The analysis unit 340 executes steps S1001 to S1005 in FIG. 16 as in the first embodiment. That is, the analysis unit 340 refers to the access source (120b) of the first access log 503 and acquires the file access log 230 of the corresponding client 200. The analysis unit 340 creates a file access log list 511 in which logs including the same file name as the target file 701 are extracted and arranged in time series.

  The analysis unit 340 extracts only Read access from the file access log list 511 and creates a read list 513 (step S1601). The read list 513 represents a log of a read operation from the target file 701 executed by the client 200. Hereinafter, one log included in the reading list 513 is referred to as a reading log 514.

  For example, the analysis unit 340 determines whether or not the content read by the operation recorded in the read log 514 (that is, the content read from the target file 701) has been duplicated by alias storage or copy processing. Check in sequence order.

  For example, as in the first embodiment, the analysis unit 340 acquires the process ID 521 (operation process ID) and the possible operation 523 of the application that executed the read operation from the read log 514 and the process state information 260. (Steps S1602 to S1009 in FIG. 16). In step S1602, the analysis unit 340 may select, for example, a log whose access time matches the read log 514 from the disk operation log 240, and acquire the process ID 240b in the selected log.

  Similar to the processing in the first embodiment, the analysis unit 340 confirms the presence or absence of a write operation by the process (process corresponding to the process ID 531) that reads the file (target file 701). For example, the analysis unit 340 may check whether the disk operation log 240 includes a log of a write operation by the process corresponding to the process ID 531 after the access time of the target file 701. Thereby, the analysis part 340 can confirm whether the object file 701 is written in the other file etc., for example.

  If the “Edit (edit)” element is included in the possible operation 523 specified in step S <b> 1009, there is a possibility that a derivation destination file has been generated in the client 200 by file update or alias saving.

  When the write operation by the process corresponding to the process ID 531 is confirmed, the analysis unit 340 confirms the file name of the write destination file. When the file name of the write destination file is the same as that of the target file 701, the analysis unit 340 may record the operation as the “update” operation in the operation history information 320. When the file name of the write destination file is different from that of the target file 701, the analysis unit 340 may record the operation as the “derivation” operation in the operation history information 320.

  When the “Copy” element is included in the possible operation 523 specified in step S1009, the target file 701 may be copied or moved. As a specific example, an Explorer file operation in Windows (registered trademark) is assumed. In this case, the target file 701 may have been copied or moved to another folder without editing the contents of the file.

  The analysis unit 340 can estimate the copy or movement of the target file 701, for example, by the same processing as in the first embodiment. That is, the analysis unit 340 can estimate the copy or movement of the target file 701 based on whether or not a delete operation has been performed on the file after the read operation on the target file 701.

  The analysis unit 340 may record the estimation result of the file operation in the operation history information 320.

  The analysis unit 340 can specify the derivation destination file 702 related to the target file 701 by performing the above processing recursively for all the logs included in the reading list 513.

  According to the history analysis apparatus 300 in the present modification configured as described above, a derivation destination file (derivation destination file 702) derived from a derivation source file (target file 701) can be specified. Thereby, the following effects are obtained.

  For example, when a file including inappropriate information is found, it is possible to specify a range affected by a file including inappropriate information by specifying a derivation destination file. As one specific example, by using the history analysis device 300 according to this modification, it is possible to specify the range of the derivation destination file 702 that needs to be corrected when the target file 701 includes incorrect information. As another specific example, when information leakage or the like occurs from a certain target file 701 to a derivation destination file 702, the leakage range can be specified.

  Further, according to the history analysis apparatus 300 in this modification, the latest version related to a certain target file 701 can be searched by tracking the derivation destination file 702 of the target file 701. According to the history analysis apparatus 300 in the present modification, the usage status of the target file 701 (for example, the generation status of the derivation destination file 702) can be acquired and visualized in the form of a folder tree. It becomes possible. According to the history analysis apparatus 300 in the present modification, it is possible to check the data take-out situation from the area where security is required. For example, it is possible to confirm data take-out by specifying the write destination of the derivation destination file 702 generated from the target file 701 arranged in the area where security is ensured.

<Third Modification>
Hereinafter, a third modification example (hereinafter referred to as modification example 3) related to the first embodiment will be described. The history analysis apparatus 300 in this modification can detect a derivation destination file created from a derivation source file when a certain process (application) can process a plurality of files.

  As illustrated in FIG. 17, the history analysis apparatus 300 according to the present modification further includes a process disk operation log 350, a Read operation log 360, and a Write operation log 370 with respect to the history analysis apparatus 300 according to the first embodiment. You may have. Further, the history analysis apparatus 300 in the present modification may create the file list 380. Other apparatus configurations of the history analysis apparatus 300 may be the same as those in the first embodiment. As will be described below, the history analysis apparatus 300 in the present modification is different in operation from the first embodiment.

  The process disk operation log 350 may have the same configuration as the disk operation log 240 (FIG. 4).

  The Read operation log 360 represents a log in which information related to the Read operation is recorded. In the Read operation log 360, for example, as shown in FIG. 18, each element of “operation ID (360a), access time (360b), file name (360c), size (360d)” is recorded in time series. The The Read operation log 360 may be described as a “Read operation log list”.

  The operation ID 360a is identification information (identifier) that can identify each Read operation.

  The access time 360b represents the time when access to a file for which a read operation has been executed occurs. The access time 360b may be a time when the Read operation is executed.

  The file name 360c represents the name of the file on which the Read operation is executed.

  The size 360d represents the size of the file on which the Read operation is executed.

  The write operation log 370 represents a log in which information related to the write operation is recorded. In the write operation log 370, for example, as illustrated in FIG. 19, each element of “access time (370a), file name (370b), size (370c), estimated ReadID list (370d)” is recorded in time series. Is done. The write operation log 370 may be described as a “write operation log list”.

  The access time 370a represents a time when access to a file for which a write operation has been executed occurs. The access time 370a may be a time when the write operation is executed.

  The file name 370b represents the name of the file for which the Write operation has been executed.

  The size 370c represents the size of the file for which the Write operation has been executed.

  The estimated ReadID list 370d represents information that can identify the Read operation that was executed before the Write operation was executed. One or more operation IDs 360a of the Read operation log 360 are recorded in the estimated ReadID list 370d. The estimated ReadID list 370d may be described as an “estimated reading candidate list”.

  The file list 380 holds information regarding the degree of similarity between a certain derivation source file and a derivation destination file. In the file list 380, for example, a list of derivation destination file candidates regarding a derivation source file may be recorded. The file list 380 may be described as a “candidate data list”. In the file list 380, for example, as shown in FIG. 20, a plurality of elements “file name (380a), score (380b)” are described. Hereinafter, the file list 380 may be referred to as a “candidate file list”.

  The file name 380a represents a file name (such as a path name) that can identify the file. In the file name 380a, for example, a file name of a derivation destination file relating to a certain derivation source file is recorded. The data recorded in the file name 380a is not limited to a specific file name. In the file name 380a, for example, an element capable of setting a score relating to the derivation source file such as data representing “<new creation>” may be set as appropriate.

  The score 380b represents the similarity between the file recorded in the file name 380a and the derivation source file. In the score 380b, a numerical value indicating the degree of similarity (for example, a numerical value in the range of “0” to “1”) may be set.

  Hereinafter, the operation of the history analysis apparatus 300 according to this modification will be described.

  Similar to the first embodiment, the history analysis apparatus 300 according to the present modified example executes each process illustrated in FIG. 10, so that the process ID 521 (operation process ID) and the application possible operation 523 are performed on the target file 501. To get.

  Hereinafter, a process in which the history analysis apparatus 300 according to the present modification specifies a derivation destination file will be described with reference to flowcharts illustrated in FIGS. 21A and 21B.

  When “Edit (edit)” is included in the possible operation 523 of the application, there is a possibility that a read / write operation (including new creation) involving file modification is being executed.

  The history analysis apparatus 300 (in particular, the analysis unit 340) confirms the lifetime (execution period) of the application corresponding to the process ID 521. The analysis unit 340 refers to the process state information 260, and before and after the time (access time) when the operation on the target file 501 is performed, the oldest (past) time when the process ID 521 is recorded, the newest time, Are acquired (step S2101). Hereinafter, the oldest time when the process ID 521 is recorded is described as a process start time 601 and the latest time is described as a process end time 602. That is, the process start time 601 and the process end time 602 represent the lifetime (execution period) of the process ID 521.

  The analysis unit 340 includes, from the disk operation log 240, an access time (240a) included between the process start time 601 and the process end time 602, and a process ID (240b) of all operations corresponding to the process ID 521 ( The process disk operation log 350) is extracted (step S2102). Hereinafter, the extracted process disk operation log 350 may be described as a “process all operation log list”.

  The analysis unit 340 extracts, from the process disk operation log 350, a log related to an access whose file operation is “Read operation”. The analysis unit 340 arranges the extracted logs in chronological order, assigns an operation ID to each log in chronological order, and records it as a Read operation log 360 (step S2103).

  The analysis unit 340 extracts, from the process disk operation log 350, a log related to access in which the access time is the time after the operation of the target file 501, and the file operation is “Write operation”, and records it as a Write operation log 370. (Step S2104).

  For example, assume that alias saving is executed for a certain file (derivation source file). In this case, it is considered that after the read access to the derivation source file is performed, the write access to the derivation destination file is performed.

  For the write operation recorded in the write operation log 370, the analysis unit 340 lists the read operations executed before the access time (370a) of the write operation from the read operation log 360. The analysis unit 340 transcribes a list of operation IDs (360a) related to Read operations listed for a certain Write operation to the estimated ReadID list 370d of the Write operation (Step S2105). The analysis unit 340 may execute the above process for all write operations recorded in the write operation log 370. The analysis unit 340 performs the above-described processing in order of the access time of the write operation log 370 in order from the oldest, and when the file name of the extracted read operation is duplicated, only the read operation log related to the latest operation ID is left. This prevents duplicate registration of the same file in the ReadID list.

  In order to prevent duplication of the write file, the analysis unit 340 leaves only the log related to the newest write operation when the write operation having the same file name is recorded in the write operation log 370 (step S2106).

  As a result of the above processing, candidates for the Read operation for the derivation source file for the Write operation recorded in the Write operation log 370 are acquired as an estimated ReadID list.

  If the operation related to the target file 501 is a read operation, the analysis unit 340 lists the logs in which the estimated ReadID list is recorded in the write operation log 370 (step S2108). In this case, the analysis unit 340 may execute the following process as a specific example. That is, the analysis unit 340 may extract a write operation log in which the operation ID given to the read operation regarding the target file 501 is included in the estimated ReadID list from the write operation log 370. The analysis unit 340 acquires the file name (370b) recorded in the extracted write operation log, thereby creating a file list 380 that may have been written (step S2109). In other words, in this case, the file name registered in the file list 380 represents a file in which a Write operation is executed after a Read operation for one or more files is executed by a process corresponding to the process ID 521.

  When the target file 501 is a write operation, the analysis unit 340 extracts a log whose file name matches the target file 501 from the write operation log 370 and acquires an estimated ReadID list recorded in the log ( Step S2110).

  The analysis unit 340 creates the file list 380 by comparing the operation ID included in the estimated ReadID list with the Read operation log 360 and acquiring the file name related to the operation ID (step S2111). In other words, in this case, the file name registered in the file list 380 represents a file in which the read operation is executed before the write operation is executed on the target file 501 by the process corresponding to the process ID 521.

  In the above process, when the file list 380 is not created, the analysis unit 340 may treat the target file 501 as a newly created file.

  The analysis unit 340 determines the similarity between the target file 501 and the files recorded in the file list 380 (step S2112). The analysis unit 340 determines the similarity of these files using an existing similarity determination technique such as cosine similarity calculation, and calculates a score for each file recorded in the file list 380.

  Note that the target file 501 may be a newly created file. Therefore, in order to determine the case of new creation, the item corresponding to the new creation and its score may be set in the file list 380. The score set for new creation may be a fixed value or a value that changes according to the file size.

  The analysis unit 340 can list the files that may have been updated from the target file 501 by arranging the files recorded in the file list 380 in the order of the scores. The analysis unit 340 can estimate that among the files recorded in the file list 380, a file having a score equal to or higher than a certain reference value (reference score) is a derivation destination file for the target file 501. By setting a score above a certain reference score as a newly created score, it is possible to estimate the case where a file is newly created.

  If the read file and the write file have a one-to-one correspondence, it is considered that no derivation destination file has occurred. In this case, the analysis unit 340 can reduce the false detection rate by excluding such a file from the score calculation.

  According to the history analysis apparatus 300 in the present modification configured as described above, when a file is operated by an application or the like that handles a plurality of files in one process, the derivation relationship of the files can be estimated.

  In the first embodiment and its modifications (first to third modifications), the file server 100, the client 200, and the history analysis apparatus 300 are independent of each other physical or logical. The aspect realized as an apparatus has been described. However, the present disclosure is not limited to the above. For example, any client 200 may include the function of the history analysis device 300 by including the components of the history analysis device 300. That is, an aspect in which the client 200 and the history analysis apparatus 300 are integrated is also included in the present disclosure.

<Second Embodiment>
Hereinafter, the second embodiment according to the present disclosure, which is the basis of the first embodiment of the present disclosure described above, will be described.

  FIG. 22A is a block diagram illustrating a functional configuration of the history analysis apparatus 2200 according to this embodiment. As illustrated in FIG. 22A, the history analysis device 2200 includes a log acquisition unit 2201 and an analysis unit 2202. These components constituting the history analysis device 2200 may be communicably connected using an appropriate communication method.

  The history analysis apparatus 2200 may be communicably connected to the file providing apparatus 2210 and the file operation apparatus 2220 via a communication network, as illustrated in FIG. 22B. The file providing device 2210 may be, for example, a device configured in the same manner as the file server 100 in the first embodiment and the modifications thereof. The file operation device 2220 may be a device configured in the same manner as the client 200 in the first embodiment and the modifications thereof.

A log acquisition unit 2201 in the history analysis device 2200 acquires an access log including information related to access from the file operation device 2220 to a file provided in the file providing device 2210. In addition, the log acquisition unit 2201 acquires a process operation log including information related to an operation executed by a process in the file operation device 2220 with respect to a file arranged in the file providing 2210 device or the file operation device 2220. For example, the following information may be included. The access log may include, for example, information indicating a time when an operation on a file provided in the file providing apparatus 2210 is executed. The access log may include, for example, information that can identify the file operation device 2220 that has accessed the file. The access log may include, for example, information (for example, a path name, a file name, etc.) that can specify the file itself. The access log may include, for example, information indicating the content of an operation executed on the file (for example, read, write, delete, rename, etc.). The access log may include information indicating the size of the file, for example. For example, the access log may hold the same data as the server access log 120 in the first embodiment and the modifications thereof.

  The process operation log may include the following information, for example. The process operation log may include, for example, information indicating the time when the process is executed in the file operation device 2220. The process operation log may include, for example, information (identifier or the like) that can identify the process. The process operation log may include information (path name, file name) and the like that can identify the file operated (accessed) by the process. The process operation log may include information indicating the content of the operation executed by the process. The process operation log may include information indicating the size of the file, for example. For example, the process operation log may hold data similar to at least one of the file access log 230 and the disk operation log 240 in the first embodiment and the modifications thereof.

  For example, the log acquisition unit 2201 may be configured in the same manner as the log acquisition unit 310 in the first embodiment and the modifications thereof, and may provide the same function.

  The analysis unit 2202 identifies an operation process, which is the process that has operated the operation target file provided in the file providing apparatus, from the access log and the process operation log. Specifically, the analysis unit 2202 may extract a log related to the operation target file from, for example, an access log and a process operation log. Then, the analysis unit 2202 further extracts, from the extracted logs related to the operation target file, a log in which the time when the operation is performed in the access log and the process operation log and the content of the operation are common, and the operation related to the log You may identify the process that executed.

  The analysis unit 2202 includes a derivation source operation in a log related to a derivation source operation that is an operation that can be performed on the derivation source file of the operation target file according to the type of operation performed on the operation target file. A log satisfying the condition is extracted from the process operation log.

  Hereinafter, as a specific example, a case where the type of operation performed on the operation target file is a write operation (Write operation) will be described. In this case, the analysis unit 2202 estimates that the data read by the reading operation from the original file is written to the operation target file that is the derivation destination file. Therefore, for example, the analysis unit 2202 specifies a read operation (Read operation) as an operation (derivation source operation) that can be performed on the original file of the operation target file. Then, the analysis unit 2202 extracts, from the process operation log, a log that satisfies a specific condition from among the logs related to the reading operation. Specifically, for example, the analysis unit 2202 extracts a log related to a read operation executed at a time closest to the time when the write operation related to the operation target file is executed among the read operations included in the process operation log. Also good. The specific condition may be appropriately determined according to the relationship between the operation executed on the operation target file and the derivation source operation.

  The analysis unit 2202 identifies the file recorded in the log relating to the extracted derivation source operation as the original file for the operation target file. Such an original file may be held in the file operation device 2220.

  For example, the analysis unit 2202 may be configured in the same manner as the analysis unit 340 in the first embodiment and the modifications thereof, and may provide the same function.

  According to the history analysis apparatus 2200 of the present embodiment configured as described above, logs (for example, an access log and a process operation log) relating to data respectively arranged in different apparatuses (for example, the file providing apparatus 2210 and the file operation apparatus 2220). ) To identify the derivation relationship for those data. The reason is as follows. First, the history analysis apparatus 2200 can identify an operation process that has performed an operation related to an operation target file arranged in the file providing apparatus 2210. Further, the history analysis apparatus 2200 can specify an operation that can be executed on the original file related to the operation target file among the logs related to the operation executed by the operation process in the file operation apparatus 2220. In other words, it is possible to extract from the log candidates for operations that can be performed on the original file. By selecting a log that satisfies a specific condition from among the candidate logs, it is possible to specify the original file related to the operation target file. Since the operation process can operate the file arranged in the file operation device 2220, the original file may be arranged in the file operation device 2220. Therefore, for example, the history analysis apparatus 2200 can specify the derivation relationship between the operation target file arranged in the file providing apparatus 2210 and the original file arranged in the file operation apparatus 2220.

  The example which applied the technique regarding this indication to the log | history analyzer (300, 2200) was demonstrated using each said embodiment. In each of the above embodiments, for example, the history analysis method according to the present disclosure can be performed by operating the history analysis device (300, 2200). The method of executing the history analysis method is not limited to the above, and it is executed by an appropriate device (for example, an information processing device such as a computer) that can execute the same operation or processing as the history analysis device (300, 2200). Is also possible. The technology related to the present disclosure is implemented as a system including the history analysis apparatus 300, the file server 100, and the client 200, or a system including the history analysis apparatus 2200, the file providing apparatus 2210, and the file operation apparatus 2220. May be.

<Configuration of hardware and software program (computer program)>
Hereinafter, a hardware configuration capable of realizing each of the above-described embodiments will be described.

  In the following description, the history analysis devices (300, 2200) described in the above embodiments are collectively referred to as “history analysis device”. In addition, each component of the history analysis device may be simply referred to as “component of the history analysis device”.

  The history analysis device described in the above embodiments may be configured by one or a plurality of dedicated hardware devices. In that case, each component shown in each of the above drawings (FIGS. 1, 10, 15, 17, 17, 22A and 22B) is a hardware in which a part or all of them are integrated (integrated with processing logic mounted). It may be realized using a circuit or a storage device.

  When the history analysis device according to the present disclosure is realized by dedicated hardware, the components of the history analysis device may be realized by, for example, a circuit configuration that can provide each function. Such a circuit configuration includes, for example, an integrated circuit such as SoC (System on a Chip), a chip set realized using the integrated circuit, and the like. In this case, the data held by the components of the history analysis apparatus is, for example, a RAM (Random Access Memory) area integrated as SoC, a flash memory area, or a storage device (semiconductor storage device or the like) connected to the SoC. May be stored. In this case, a well-known communication network may be employed as a communication line that connects each component of the history analysis apparatus. Further, the communication line connecting each component may be connected between each component by peer-to-peer.

  The history analysis apparatus described above may be configured by general-purpose hardware as exemplified in FIG. 23 and various software programs (computer programs) executed by the hardware. In this case, the history analysis apparatus may be configured by a combination of an appropriate number of general-purpose hardware devices 2300 and software programs.

  An arithmetic device 2301 in FIG. 23 is an arithmetic processing device such as a general-purpose CPU (Central Processing Unit) or a microprocessor. For example, the arithmetic device 2301 may read various software programs stored in a non-volatile storage device 2303 (to be described later) into the storage device 2302 and execute processing according to the software programs. For example, the functions of the components of the history analysis device in each of the above embodiments may be realized using a software program executed by the arithmetic device 2301.

  The arithmetic device 2301 may be a multi-core CPU including a plurality of CPU cores, for example. The arithmetic device 2301 may be a multi-thread CPU in which one CPU core can execute a plurality of threads. The hardware device 2300 may include a plurality of arithmetic devices 2301.

  The storage device 2302 is a memory device such as a RAM that can be referred to from the arithmetic device 2301, and stores software programs, various data, and the like. Note that the storage device 2302 may be a volatile memory device.

  The nonvolatile storage device 2303 is a nonvolatile storage device such as a magnetic disk drive or a semiconductor storage device using a flash memory. The nonvolatile storage device 2303 can store various software programs, data, and the like.

  The drive device 2304 is, for example, a device that processes reading and writing of data with respect to a recording medium 2305 to be described later.

  The recording medium 2305 is an arbitrary recording medium capable of recording data, such as an optical disk, a magneto-optical disk, and a semiconductor flash memory.

  The network interface 2306 is a device that controls transmission / reception of data to / from the communication network. The history management apparatus may acquire various logs from the file server 100 (file providing apparatus 2210), the client 200 (file operation apparatus 2220), and the like via the network interface 2306.

  The history analysis apparatus according to the present invention described with reference to each of the above-described embodiments, or its components, for example, can implement the functions described in the above-described embodiments with respect to the hardware device 2300 illustrated in FIG. It may be realized by supplying a software program.

  More specifically, for example, the present invention may be realized when the arithmetic device 2301 executes a software program supplied to the hardware device 2300. In this case, an operating system running on the hardware device 2300, middleware such as database management software, network software, and virtual environment infrastructure may execute a part of each process.

  In each embodiment described above, each unit illustrated in each of the above drawings can be realized as a software module, which is a function (processing) unit of a software program executed by the hardware described above. However, the division of each software module shown in these drawings is a configuration for convenience of explanation, and various configurations can be assumed for implementation.

  When each component of the history analysis apparatus exemplified in each of the above embodiments and the modifications thereof is realized as a software module, for example, these software modules may be stored in the nonvolatile storage device 2303. These software modules may be read out to the storage device 2302 when the arithmetic device 2301 executes each process.

  In addition, these software modules may be configured to transmit various data to each other by an appropriate method such as shared memory or inter-process communication. With such a configuration, these software modules are connected so as to communicate with each other.

  Further, the software program may be recorded on the recording medium 2305. In this case, the software program may be stored in the non-volatile storage device 2303 through the drive device 2304 as appropriate at the shipping stage or operation stage of the history analysis apparatus.

  In the above case, the method of supplying various software programs to the hardware device 2300 is performed in the device using an appropriate jig in the manufacturing stage before shipment or the maintenance stage after shipment. An installation method may be adopted. As a method for supplying various software programs, a general procedure may be adopted at present, such as a method of downloading from the outside via a communication line such as the Internet.

  In such a case, the present invention can be understood to be constituted by a computer-readable recording medium on which the code constituting the software program or the code is recorded. In this case, the recording medium is not limited to a medium independent of the hardware device 2300, and includes a recording medium in which a software program transmitted via a LAN or the Internet is downloaded and stored or temporarily stored.

  Further, the components of the history analysis apparatus described above are configured by a virtualized environment in which the hardware device 2300 illustrated in FIG. 23 is virtualized and various software programs (computer programs) executed in the virtualized environment. May be. In this case, the components of the hardware device 2300 illustrated in FIG. 23 are provided as virtual devices in the virtual environment. In this case as well, the present invention can be realized with the same configuration as when the hardware device 2300 illustrated in FIG. 23 is configured as a physical device.

  In the above, this invention was demonstrated as an example applied to exemplary embodiment mentioned above. However, the technical scope of the present invention is not limited to the scope described in the above embodiments. It will be apparent to those skilled in the art that various modifications and improvements can be made to such embodiments. In such a case, new embodiments to which such changes or improvements are added can also be included in the technical scope of the present invention. Embodiments combining the above-described embodiments are also included in the technical scope of the present invention. Furthermore, embodiments combining the above-described embodiments and new embodiments obtained by changing or improving the above-described embodiments may also be included in the technical scope of the present invention. This is clear from the matters described in the claims.

100 File Server 110 Shared Storage Device 120 Server Access Log 200 Client 210 Storage Device 220 CPU
300 History Analysis Device 310 Log Acquisition Unit 340 Analysis Unit 400 Network 2200 History Analysis Device 2201 Log Acquisition Unit 2202 Analysis Unit 2210 File Providing Device 2220 File Manipulation Device 2301 Arithmetic Device 2302 Storage Device 2303 Non-volatile Storage Device 2304 Drive Device 2305 Recording Medium 2306 Network interface

Claims (10)

An access log including information related to access from a file operation device to a file provided in the file providing device and a file placed in the file providing device or the file operation device are executed by a process in the file operation device. A process operation log including information related to the operation, and a log acquisition unit for acquiring
From the access log and the process operation log, an operation process that is the process that has operated the operation target file provided in the file providing apparatus is specified, and according to the type of operation performed on the operation target file Among the logs related to the derivation source operation, which is an operation that can be executed on the original file of the operation target file, a log that satisfies a specific condition is extracted from the process operation log, and the extracted log regarding the derivation source operation is extracted. A history analysis apparatus comprising: an analysis unit that identifies the recorded file as an original file for the operation target file. When the operation performed on the operation target file by the operation process is a write operation, the analysis unit
Among the read operations related to the file that is the derivation source operation executed by the operation process after the process start time when the operation process was started, before the time when the write operation related to the operation target file is executed, When a log of a read operation executed at a time closest to a time when a write operation related to the operation target file is executed is included in the process operation log, the file on which the read operation is executed is related to the operation target file. The history analysis device according to claim 1 specified as an original file. The analysis unit
When the identified name of the original file and the name of the operation target file match, it is determined that the original file has been edited by the operation process;
The history analysis apparatus according to claim 2, wherein when the specified name of the original file and the name of the operation target file do not match, it is determined that the original file has been saved with a different name by the operation process. The analysis unit
When the identified size of the original file matches the size of the operation target file, information indicating deletion of the original file is within a reference time after the time when the write operation related to the operation target file is executed. Whether the original file has been moved as the operation target file by the operation process or whether the original file has been copied as the operation target file by the operation process based on whether or not it is recorded in the process operation log The history analysis apparatus according to claim 2, wherein The log acquisition unit further acquires a network operation log that is a log related to a data transmission / reception operation performed on the communication network in the file operation device,
When the operation performed on the operation target file by the operation process is a write operation, the analysis unit
Among the download operations that are the derivation source operations related to the file, executed by the operation process after the process start time, the size of the data received by the download operation or the correction size calculated from the size of the received data is The history analysis device according to claim 2, wherein when the log that matches the size of the operation target file is included in the network operation log, the received data is specified as an original file related to the operation target file. The analysis unit
From the process operation log, a log of a read operation executed on the operation target file is extracted, and for each extracted log, the operation process that has executed the read operation on the operation target file is specified,
From the process operation log, a log related to a write operation executed by the operation process is identified after the time when the read operation related to the operation target file is executed by the operation process, and the write operation recorded in the specified log is The history analysis apparatus according to claim 2, wherein the executed file is specified as a derivation destination file related to the operation target file. The analysis unit
A process all operation log list that is a log related to an operation executed by the operation process is extracted from the process operation log between the process start time and a process end time when the operation process is finished.
Create a read operation log list obtained by extracting the log related to the read operation from the process all operation log list,
Create a write operation log list obtained by extracting a log related to a read operation executed after the time when an operation related to the operation target file is executed from the process all operation log list,
With reference to the read operation log list, if there is a read operation executed before the execution time of the write operation recorded in the log for all the logs included in the write operation log list, the read operation is performed. Associate one or more logs related to the operation as an estimated reading candidate list,
When the operation related to the operation target file is a read operation, the file recorded in the log of the write operation log list associated with the estimated read candidate list is recorded in the candidate file list,
When the operation related to the operation target file is a write operation, the estimated read candidate list associated with the log related to the write operation executed on the file having the same name as the operation target file in the write operation log list. Record the file in the candidate file list;
Calculating a score representing the degree of similarity between the file recorded in the candidate file list and the operation target file;
Among the files recorded in the candidate file list, the file whose score is equal to or higher than a reference value is specified as a derivation destination file for the operation target file.
The history analysis apparatus according to claim 2. An access log including information related to access from a file operation device to a file provided in the file providing device and a file placed in the file providing device or the file operation device are executed by a process in the file operation device. Process operation log containing information related to the
From the access log and the process operation log, specify the operation process that is the process that operated the operation target file provided in the file providing device,
A log that satisfies a specific condition among logs related to a derivation source operation that is an operation that can be executed on the original file of the operation target file according to the type of operation executed on the operation target file. Extracted from the operation log
A history analysis method for specifying, as an original file for the operation target file, a file in which the derivation source operation recorded in the extracted log relating to the derivation source operation is executed. On the computer,
An access log including information related to access from a file operation device to a file provided in the file providing device and a file placed in the file providing device or the file operation device are executed by a process in the file operation device. Processing to obtain a process operation log including information related to the operation performed,
A process of specifying an operation process that is the process that has operated the operation target file provided in the file providing device from the access log and the process operation log;
A log that satisfies a specific condition among logs related to a derivation source operation that is an operation that can be executed on the original file of the operation target file according to the type of operation executed on the operation target file. Processing to extract from the operation log;
A program for executing a process of specifying a file on which the derivation source operation recorded in the extracted log relating to the derivation source operation is executed as an original file for the operation target file. A file providing device capable of providing an operation target file and an access log including information on access to the operation target file via a communication network;
A file capable of executing an operation related to the operation target file and a file held in the own device by executing a process in the own device and providing a process operation log including information related to the operation via a communication network. An operating device;
A log acquisition unit for acquiring the access log from the file providing device via the communication network, and acquiring the process operation log from the file operation device;
From the access log and the process operation log, an operation process that is the process that has operated the operation target file provided in the file providing apparatus is specified, and according to the type of operation performed on the operation target file Then, among the logs related to the derivation source operation that is an operation that can be executed on the original file of the operation target file, a log that satisfies a specific condition is extracted from the process operation log, and the extracted log related to the derivation source operation An analysis unit that identifies the file recorded in the file as an original file for the operation target file,
A history analysis system comprising a history analysis device.

Images