JP6377091B2 - Analysis device and analysis program - Google Patents

Description

  The present invention relates to a technique for analyzing a system.

A system operating in a company or the like includes many terminals that function as a server such as a web server, an application server, a database server, or a file server.
A system is realized by a large number of applications communicating between terminals inside and outside the system.
Nowadays, the system tends to become larger and more complicated, and the relationship between terminals has become more complicated.

In order for a system to operate smoothly, a technology called job impact analysis is indispensable when a failure occurs in a certain terminal.
Business impact range analysis includes the discovery of a terminal that is highly relevant to the terminal, the determination of how much the terminal is necessary for the system, the determination of whether the failure of the terminal affects other systems and other terminals, etc. Technology to do.

In the business impact range analysis, it was necessary to construct a configuration management database in order to analyze the relationship between terminals. The configuration management database is constructed by collecting configuration management information for managing software and hardware from a terminal and comprehensively integrating the collected configuration management information. The configuration management database is introduced for the purpose of understanding the relationship between the configuration management information.
However, since it is necessary to comprehensively manage the configuration management information, the construction and maintenance of the configuration management database is costly.

In such a business influence range analysis, it is assumed that the degree of association between terminals differs depending on the communicating application.
That is, the business influence range analysis in one system substantially means the business influence range analysis for applications that communicate in the system.
However, conventionally, since the communication characteristics of the application are not taken into consideration, only one business influence range analysis for one system is realized. The communication feature means the frequency of communication between terminals in the same system or the frequency of communication between terminals in different systems.

Patent Literature 1 and Patent Literature 2 disclose a method for realizing business influence range analysis without constructing a configuration management database.
The method is to analyze the relationship between terminals using the communication state of the terminals. The communication state used is information that can be used to determine whether or not there is communication between terminals, and is not information that can determine the content of communication between terminals.

JP 2006-85700 A JP 2006-17834 A

An object of the present invention is to make it possible to specify a set of target devices for which connection is established for each application program.
With the goal.

The analyzer of the present invention is
A device identifier for identifying one target device for each connection established by executing the application program, which is a file generated for each application program for performing processing that requires establishment of a connection between the target devices A storage unit that stores a connection classification file that is a file including a device identifier that identifies the other target device;
For each application program, using a connection classification file corresponding to the application program, a matrix having elements corresponding to the set of target devices, and the presence / absence of an established connection as the value of the element corresponding to the set of target devices And a matrix generation unit that generates an adjacency matrix that is a matrix in which a value that represents the value is set.

According to the present invention, an adjacency matrix in which a value indicating the presence or absence of an established connection is set as the value of an element corresponding to a set of target devices is generated for each application program.
By referring to the adjacency matrix for each application program, it is possible to specify a set of target devices for which connection has been established for each application program.

1 is a configuration diagram of an analysis system 100 according to Embodiment 1. FIG. FIG. 2 is a configuration diagram of an analysis apparatus 200 in the first embodiment. 5 is a flowchart of an analysis method in the first embodiment. 3 is a configuration diagram of a connection management file 282 according to Embodiment 1. FIG. 5 is a flowchart of analysis processing (S200) in the first embodiment. FIG. 3 is a configuration diagram of a connection classification file 283 in the first embodiment. FIG. 3 is a configuration diagram of a process table 281 in the first embodiment. 5 is a flowchart of connection classification processing (S210) in the first embodiment. The flowchart of the matrix production | generation process (S220) in Embodiment 1. FIG. FIG. 6 is a configuration diagram of an analysis result 285 in the first embodiment. The flowchart of the connection specific process and result generation process (S230) in Embodiment 1. FIG. The directed graph 140 in Embodiment 1. FIG. The block diagram of the analyzer 200 in Embodiment 2. FIG. The flowchart of the analysis process (S200) in Embodiment 2. FIG. FIG. 10 is a configuration diagram of an analysis result 286 in the second embodiment. The flowchart of the importance calculation process and result generation process (S240) in Embodiment 2. The directed graph 140 in Embodiment 2. FIG. FIG. 10 is a configuration diagram of an analysis apparatus 200 according to Embodiment 3. FIG. 10 is a configuration diagram of a system table 287 in the third embodiment. FIG. 10 is a configuration diagram of an analysis result 285 in the third embodiment. The directed graph 140 in Embodiment 3. FIG. FIG. 6 is a configuration diagram of an analysis apparatus 200 in a fourth embodiment. FIG. 10 is a configuration diagram of an analysis result 286 in the fourth embodiment. The directed graph 140 in Embodiment 4. FIG. The hardware block diagram of the analyzer 200 in embodiment.

Embodiment 1 FIG.
An analysis system 100 for analyzing a target system having a plurality of target devices 120 will be described with reference to FIGS.

*** Explanation of configuration ***
Based on FIG. 1, the structure of the analysis system 100 is demonstrated.
The analysis system 100 includes a management device 110, a plurality of target devices 120, and an analysis device 200.
The management device 110 is a computer used by an administrator who manages the target system.
The target system is a system including a plurality of target devices 120 and is a system to be analyzed.
The target device 120 is a computer provided in the target system, and is a computer to be analyzed.
The analysis device 200 is a computer that analyzes a target system, that is, a plurality of target devices 120.

  The target device 120 executes a program for performing processing that requires establishment of a connection between the target devices. Hereinafter, such a program is referred to as an application program or an application.

  The management device 110, the plurality of target devices 120, and the analysis device 200 communicate with each other.

Based on FIG. 2, the structure of the analyzer 200 is demonstrated.
The analysis device 200 is a computer including hardware such as a processor 901, a memory 902, an auxiliary storage device 903, and a communication device 904. The processor 901 is connected to other hardware via a signal line.

The processor 901 is an IC (Integrated Circuit) that performs processing, and controls other hardware. Specifically, the processor 901 is a CPU, DSP, or GPU. CPU is an abbreviation for Central Processing Unit, DSP is an abbreviation for Digital Signal Processor, and GPU is an abbreviation for Graphics Processing Unit.
The memory 902 is a volatile storage device. The memory 902 is also called main memory or main memory. Specifically, the memory 902 is a RAM (Random Access Memory).
The auxiliary storage device 903 is a nonvolatile storage device. Specifically, the auxiliary storage device 903 is a ROM, HDD, or flash memory. ROM is an abbreviation for Read Only Memory, and HDD is an abbreviation for Hard Disk Drive.
The communication device 904 is a device that performs communication, and includes a receiver 905 and a transmitter 906. Specifically, the communication device 904 is a communication chip or a NIC (Network Interface Card).

  The analysis apparatus 200 includes “units” such as a connection classification unit 211, a matrix generation unit 212, a connection specification unit 213, and a result generation unit 214 as functional configuration elements. The function of “part” is realized by software. The function of “part” will be described later.

The auxiliary storage device 903 stores a program that realizes the function of “unit”. A program that realizes the function of “unit” is loaded into the memory 902 and executed by the processor 901.
Further, the auxiliary storage device 903 stores an OS (Operating System). At least a part of the OS is loaded into the memory 902 and executed by the processor 901.
That is, the processor 901 executes a program that realizes the function of “unit” while executing the OS.
Data obtained by executing a program that realizes the function of “unit” is stored in a storage device such as the memory 902, the auxiliary storage device 903, a register in the processor 901, or a cache memory in the processor 901. These storage devices function as a storage unit 291 that stores data.
The analysis apparatus 200 may include a plurality of processors 901, and the plurality of processors 901 may execute a program that realizes the function of “unit” in cooperation with each other.

The memory 902 stores data used, generated, input / output or transmitted / received by the analysis apparatus 200.
Specifically, the memory 902 stores a process table 281, a connection management file 282, a connection classification file 283, an adjacency matrix 284, an analysis result 285, and the like. The contents of data stored in the memory 902 will be described later.

  The communication device 904 functions as a communication unit that communicates data, the receiver 905 functions as a reception unit 292 that receives data, and the transmitter 906 functions as a transmission unit 293 that transmits data.

Hardware in which the processor 901, the memory 902, and the auxiliary storage device 903 are collected is referred to as a “processing circuit”.
“Part” may be read as “processing” or “process”. The function of “unit” may be realized by firmware.
A program that realizes the function of “unit” can be stored in a nonvolatile storage medium such as a magnetic disk, an optical disk, or a flash memory.

*** Explanation of operation ***
The operation of the analysis system 100 and the operation of the analysis apparatus 200 correspond to an analysis method. The procedure of the analysis method corresponds to the procedure of the analysis program.

The analysis method will be described based on FIG.
In step S110, each target device 120 acquires the connection management file 282. The contents of the connection management file 282 will be described later.

The connection management file 282 is acquired for each target device 120 in the following procedure.
The administrator operates the management device 110 and logs in to the target device 120 remotely. After logging in, the management device 110 displays a command prompt for operating the target device 120.
The administrator inputs a netstat command at the command prompt, the management apparatus 110 transmits the netstat command to the target apparatus 120, and the target apparatus 120 executes the netstat command. By executing the netstat command, the connection management file 282 is generated.
All the management apparatuses 110 acquire the connection management file 282 by executing the above procedure for all the target apparatuses 120.

The connection management file 282 is a file for each target device 120.
For each connection established between the target devices 120, the connection management file 282 includes a communication address corresponding to one target device 120, a communication address corresponding to the other target device, and a process name corresponding to the application program. Including. The communication address is an address used for communication, and corresponds to a device identifier that identifies the target device 120.

FIG. 4 shows a specific configuration of the connection management file 282.
The connection management file 282 includes connection data 130 for each connection.
The connection data 130 includes a protocol name 131, a source IP address 132, a source port number 133, a destination IP address 134, a destination port number 135, a connection state 136, and a process name 137. IP is an abbreviation for Internet Protocol.
The source IP address 132 is a communication address corresponding to one target device 120.
The destination IP address 134 is a communication address corresponding to the other target device 120.
The connection data 130 whose connection state 136 is ESTABLISHED is data of an established connection.
The connection data 130 whose connection state 136 is not ESTABLISHED is data of a connection that has not been established.

Returning to FIG. 3, the description will be continued from step S121.
In step S <b> 121, each target device 120 transmits the connection management file 282 to the analysis device 200.

The connection management file 282 is transmitted for each target device 120 in the following procedure. As described in step S <b> 110, the management apparatus 110 displays a command prompt for operating the target apparatus 120.
The administrator inputs an ftp command or a robotocopy command for transmitting the connection management file 282 to the analysis apparatus 200 at the command prompt.
The management device 110 transmits the input command to the target device 120.
Then, the target device 120 receives the transmitted command and executes the received command. By executing the ftp command or the robot command, the connection management file 282 is transmitted from the target device 120 to the analysis device 200.
The management device 110 receives the connection management file 282 transmitted from the management device 110.
By executing the above procedure for all target devices 120, all target devices 120 transmit the connection management file 282 to the analysis device 200.

In step S122, the analysis apparatus 200 operates as follows.
The receiving unit 292 receives the connection management file 282 for each target device 120, and the storage unit 291 stores the connection management file 282 for each target device 120.

Step S200 is an analysis process.
In step S200, the analysis apparatus 200 analyzes the connection management file 282 for each target apparatus 120.
The analysis result (S200) generates an analysis result 285 for each application program.
Details of the analysis process (S200) and the contents of the analysis result 285 will be described later.

  In step S131, the transmission unit 293 of the analysis apparatus 200 transmits the analysis result 285 for each application program to the management apparatus 110.

  In step S132, the management apparatus 110 receives the analysis result 285 for each application program.

  In step S140, the management apparatus 110 displays the analysis result 285 for each application program.

Based on FIG. 5, the analysis process (S200) will be described.
Step S210 is a connection classification process.
In step S210, the connection classification unit 211 uses the connection management file 282 for each target device 120 to generate a connection classification file 283 for each application program.
The connection classification file 283 is a file generated for each application program.
The connection classification file 283 includes, for each connection established by executing the application program, a device identifier that identifies one target device and a device identifier that identifies the other target device. Specifically, the device identifier is an IP address.

FIG. 6 shows a specific configuration of the connection classification file 283.
The connection classification file 283 includes connection data 130 for each established connection.
The connection state 136 included in each connection data 130 is ESTABLISHED meaning an established connection.
The process name 137 included in each connection data 130 corresponds to a common application program. Specifically, foo. exe and bar. exe is a process name 137 corresponding to the first application program.

The connection classification unit 211 generates a connection classification file 283 for each application program as follows.
The connection classification unit 211 acquires an application name corresponding to the process name from the process table 281 for each process name included in at least one of the connection management files 282. Then, the connection classification unit 211 generates a connection classification file 283 for each application program identified by the acquired application name.
The process table 281 is data in which process names and application names are associated with each other.
The process name is an identifier for identifying a process generated when the application program is executed.
The application name is an identifier for identifying the application program.

FIG. 7 shows a specific configuration of the process table 281.
In the process table 281, process names and application names are associated with each other.
foo. exe and bar. exe is associated with the application (1). Application (1) is the name of the first application program. That is, foo. exe and bar. exe is a process name corresponding to the first application program.

The procedure of the connection classification process (S210) will be described based on FIG.
In step S <b> 211, the connection classification unit 211 combines the connection management file 282 for each target device 120.
Specifically, the connection classification unit 211 combines the connection management files 282 for each target device 120 by executing a cat command program.

  In step S212, the connection classification unit 211 selects one unselected connection data 130 from the connection management file 282 after the combination.

In step S213, the connection classification unit 211 determines whether the selected connection data 130 is data of an established connection.
Specifically, the connection classification unit 211 determines whether the connection state 136 included in the selected connection data 130 is ESTABLISHED.
If the selected connection data 130 is data of an established connection, the process proceeds to step S214.
If the selected connection data 130 is data of a connection that has not been established, the process proceeds to step S216.

In step S214, the connection classification unit 211 uses the process table 281 to specify the application name corresponding to the selected connection data 130.
Specifically, the connection classification unit 211 acquires the process name 137 from the selected connection data 130 and acquires the application name corresponding to the acquired process name 137 from the process table 281.

  In step S215, the connection classification unit 211 adds the selected connection data 130 to the connection classification file 283 corresponding to the specified application name.

In step S216, the connection classification unit 211 determines whether there is unselected connection data 130 in the combined connection management file 282.
If there is unselected connection data 130, the process returns to step S212.
If there is no unselected connection data 130, the connection classification process (S210) ends.

Returning to FIG. 5, the description will be continued from step S220.
Step S220 is a matrix generation process.
In step S220, the matrix generation unit 212 generates an adjacency matrix 284 for each application program, using the connection classification file 283 corresponding to the application program.

The adjacency matrix 284 is a matrix having elements corresponding to the set of the target device 120. In the adjacency matrix 284, a value indicating the presence or absence of an established connection is set as a value of an element corresponding to the set of the target devices 120.
The elements included in the adjacency matrix 284 correspond to a set of the target device 120 corresponding to the row number of the row including the element and the target device 120 corresponding to the column number of the column including the element.
The value of the element included in the adjacency matrix 284 indicates the number of connections established for the set of target devices 120 corresponding to the element.

Based on FIG. 9, the matrix generation process (S220) will be described.
In step S221, the matrix generation unit 212 selects one unselected connection classification file 283.

In step S222, the matrix generation unit 212 generates an adjacency matrix 284 in the initial state.
The adjacency matrix 284 in the initial state is a matrix having the same number of rows and columns as the target device 120. In the adjacency matrix 284 in the initial state, the value of the element in the matrix is zero.

Specifically, the matrix generation unit 212 generates the adjacency matrix 284 in the initial state as follows.
First, the matrix generation unit 212 counts the number N of IP address types included in the selected connection classification file 283.
Next, the matrix generation unit 212 generates an N × N adjacency matrix 284.
Then, the matrix generation unit 212 initializes the values of all elements of the adjacency matrix 284 with 0.

  In the connection classification file 283 of FIG. 6, the IP address type is AA. AA. AA. AA and BB. BB. BB. BB and CC. CC. CC. CC and DD. DD. DD. It is four with DD. In this case, the matrix generation unit 212 generates a 4 × 4 adjacency matrix 284 and initializes all elements of the adjacency matrix 284 with 0.

  In step S223, the matrix generation unit 212 selects one unselected connection data 130 from the selected connection classification file 283.

In step S224, the matrix generation unit 212 selects an element corresponding to the selected connection data 130 from the adjacency matrix 284.
The selected element is an element corresponding to a set of the source IP address 132 and the destination IP address 134 included in the selected connection data 130.

Specifically, the matrix generation unit 212 selects an element using a number management table. In the number management table, IP addresses and numbers are associated with each other. It is assumed that the number management table is stored in the storage unit 291.
First, the matrix generation unit 212 acquires the transmission source IP address 132 from the selected connection data 130, and acquires the number I corresponding to the acquired transmission source IP address 132 from the number management table.
Next, the matrix generation unit 212 acquires the destination IP address 134 from the selected connection data 130, and acquires the number J corresponding to the acquired destination IP address 134 from the number management table.
Then, the matrix generation unit 212 selects an element of I rows and J columns from the adjacency matrix 284.

  In step S225, the matrix generation unit 212 adds 1 to the value of the selected element. As a result, the value X of the selected element is updated to X + 1.

In step S226, the matrix generation unit 212 determines whether there is unselected connection data 130 in the selected connection classification file 283.
If there is unselected connection data 130, the process returns to step S223.
If there is no unselected connection data 130, the process proceeds to step S227.

In step S227, the matrix generation unit 212 determines whether there is an unselected connection classification file 283.
If there is an unselected connection classification file 283, the process returns to step S221.
If there is no unselected connection classification file 283, the matrix generation process (S220) ends.

An adjacency matrix A generated using the connection classification file 283 of FIG. 6 is shown below.
However, AA. AA. AA. AA and BB. BB. BB. BB and CC. CC. CC. CC and DD. DD. DD. The numbers corresponding to each of DD are 1, 2, 3, and 4.

In the connection classification file 283 of FIG. AA. AA. AA is the source IP address 132, and BB. BB. BB. The number of connection data 130 whose destination IP address 134 is BB is four.
Therefore, the value of A [1] [2] is 4. A [I] [J] means an element of I rows and J columns of the adjacency matrix A.

In the connection classification file 283 of FIG. CC. CC. CC is the source IP address 132, and DD. DD. DD. The number of connection data 130 whose DD is the destination IP address 134 is five.
Therefore, the value of A [3] [4] is 5.

Returning to FIG. 5, step S230 will be described.
Step S230 is a connection specifying process and a result generating process.
In step S230, the connection identification unit 213 identifies, for each application program, a set of target devices 120 corresponding to the established connection, using the adjacency matrix 284 corresponding to the application program.
And the result production | generation part 214 produces | generates the analysis result 285 which shows the group of the specified target apparatus 120 for every application program.

FIG. 10 shows a specific configuration of the analysis result 285.
In the analysis result 285, the source IP address 132, the destination IP address 134, and the number of connections 141 are associated with each other.
The source IP address 132 and the destination IP address 134 identify a set of target devices 120 corresponding to the established connection.
The connection number 141 is the number of established connections.

Based on FIG. 11, the procedure of the connection specifying process and the result generating process (S230) will be described.
In step S231, the result generation unit 214 generates a new analysis result 285. The new analysis result 285 is an empty file.

  In step S232, the connection identification unit 213 selects one unselected adjacency matrix 284.

  In step S233, the connection specifying unit 213 selects one unselected element from the selected adjacency matrix 284.

In step S234, the connection specifying unit 213 determines whether the value of the selected element is 0.
If the value of the selected element is 0, the process proceeds to step S236.
If the value of the selected element is not 0, the process proceeds to step S235.

  In step S235, the result generation unit 214 adds the set of device identifiers corresponding to the selected element and the value of the selected element to the analysis result 285.

Specifically, the result generation unit 214 operates as follows using the number management table described in step S224 of FIG.
The result generation unit 214 acquires an IP address corresponding to the row number of the row including the selected element from the number management table. The acquired IP address corresponds to the transmission source IP address 132.
In addition, the result generation unit 214 acquires an IP address corresponding to the column number of the column including the selected element from the number management table. The acquired IP address corresponds to the destination IP address 134.
Then, the result generation unit 214 adds the source IP address 132, the destination IP address 134, and the number of connections 141 to the analysis result 285. The connection number 141 is the value of the selected element.

In step S236, the connection specifying unit 213 determines whether there is an unselected element in the selected adjacency matrix 284.
If there is an unselected element, the process returns to step S233.
If there is no unselected element, the process proceeds to step S237.

In step S237, the connection identification unit 213 determines whether there is an unselected adjacency matrix 284.
If there is an unselected adjacency matrix 284, the process returns to step S231.
If there is no unselected adjacency matrix 284, the connection specifying process and the result generating process (S230) are terminated.

FIG. 12 shows a directed graph 140 generated using the analysis result 285 of FIG. The directed graph 140 is a weighted directed graph.
The directed graph 140 includes nodes, edges connecting the nodes, and weights attached to the edges.
The node is a diagram illustrating the target device 120 with which a connection has been established. The target device 120 to which X is attached is XX. XX. XX. The target device 120 has an IP address XX.
The edge is an arrow indicating the direction from the target device 120 corresponding to the source IP address 132 to the target device 120 corresponding to the destination IP address 134.
The weight is the number of connections 141.

The directed graph 140 is displayed on the management device 110.
The administrator refers to the displayed directed graph 140 and grasps the relationship between the target devices 120.
For example, with reference to the directed graph 140 of FIG. 12, the administrator knows that a failure that has occurred in the target device (A) may affect the target device (B) and the target device (C).

*** Effects of Embodiment 1 ***
For each application program, it is possible to identify a set of target devices 120 for which a connection has been established. As a result, since the relationship between the target devices 120 is known, it is possible to know the range of influence that the failure that has occurred in any of the target devices 120 reaches.

  Since the plurality of connection data 130 acquired by the plurality of target devices 120 are classified for each application program, it is possible to analyze the business influence range at the application unit level. That is, it is possible to realize a business influence range analysis in consideration of the communication characteristics of the application program.

Embodiment 2. FIG.
A mode for analyzing the importance of each target device 120 in the target system will be described with reference to FIGS. However, the description which overlaps with Embodiment 1 is abbreviate | omitted or simplified.

*** Explanation of configuration ***
The configuration of the analysis system 100 is the same as that described with reference to FIG. 1 in the first embodiment.

Based on FIG. 13, the structure of the analyzer 200 is demonstrated.
The analysis device 200 includes an importance level calculation unit 215 as an element of a functional configuration.
The importance calculation unit 215 calculates the importance for each target device 120.
Data indicating the degree of importance for each target device 120 is an analysis result 286.
Details of the function of the importance calculation unit 215 will be described later.

*** Explanation of operation ***
The procedure of the analysis method is the same as the procedure described in Embodiment 1 with reference to FIG.
However, a part of the analysis process (S200) is different from the first embodiment.
In step S131, the analysis apparatus 200 transmits an analysis result 286 for each application program in addition to the analysis result 285 for each application program. In step S132, the management apparatus 110 receives the analysis result 286 for each application program in addition to the analysis result 285 for each application program. In step S140, the management apparatus 110 displays the analysis result 286 for each application program in addition to the analysis result 285 for each application program.

Based on FIG. 14, the analysis process (S200) will be described.
The analysis process (S200) includes step S240 in addition to the process described with reference to FIG. 5 in the first embodiment.

Step S240 is importance calculation processing and result generation processing.
In step S240, the importance calculation unit 215 calculates eigenvectors for each application program using the adjacency matrix 284 corresponding to the application program. Further, the importance calculation unit 215 calculates the importance for each target device 120 using the calculated eigenvector.
And the result production | generation part 214 produces | generates the analysis result 286 which shows the importance for every object apparatus 120 for every application program.

FIG. 15 shows a specific configuration of the analysis result 286.
In the analysis result 286, the IP address 142 and the importance 143 are associated with each other.
The source IP address 132 identifies the target device 120 having the importance 143.

Based on FIG. 16, the procedure of importance calculation processing and result generation processing (S240) will be described.
In step S241, the importance calculation unit 215 selects one unselected adjacency matrix 284.

  In step S242, the importance calculation unit 215 switches the row and column of the selected adjacency matrix 284 to generate an adjacency transpose matrix.

In step S243, the importance calculation unit 215 generates a transposed normal matrix as follows.
First, the importance calculation unit 215 calculates a column total that is the sum of the values of the elements included in each column for each column of the adjacent transposed matrix.
Next, the importance calculation unit 215 calculates a ratio value for each element included in the adjacent transposed matrix. The ratio value is a value obtained by dividing the element value by the column total of the columns including the element.
Then, the importance calculation unit 215 generates a matrix in which the ratio value for each element included in the adjacent transposed matrix is set. The generated matrix is a transposed normal matrix.

An adjacent transposed matrix generated using the adjacent matrix A shown in Expression (1) is shown in Expression (2).
Further, a transposed normal matrix generated using the adjacent transposed matrix shown in Expression (2) is shown in Expression (3).

In step S244, the importance calculation unit 215 generates an eigen equation using the transposed normal matrix.
In step S245, the importance calculation unit 215 calculates the eigenvalue by solving the generated eigen equation. Specifically, the importance calculation unit 215 calculates the eigenvalue having the maximum absolute value among eigenvalues obtained by solving the eigen equation.
In step S246, the importance calculation unit 215 calculates an eigenvector using the calculated eigenvalue and the transposed normal matrix.

Equation (4) shows an eigen equation generated using the transposed normal matrix of Equation (3). det (X) means a determinant of the matrix X, λ means an eigenvalue, and I means a square matrix having the same order as the matrix X.
The eigen equation of equation (4) can be transformed into equation (5).
Of the eigenvalues λ obtained by solving the eigenequation of equation (5), the eigenvalue λ having the maximum absolute value is 1, as shown in equation (6).

When the eigenvalue λ is 1, Equation (7) is obtained by using the transposed normal matrix of Equation (3) and the eigenvalue λ.
Equation (7) can be transformed into Equation (8). P means an eigenvector, and O means a zero matrix having the same order as the matrix X.
When the equation (8) is calculated, the eigenvector P shown in the equation (9) is calculated. In the eigenvector P of Equation (9), the elements in the first row correspond to the target device (A), the elements in the second row correspond to the target device (B), and the elements in the third row correspond to the target device (C). And the element in the fourth row corresponds to the target device (D).

  In step S247, the importance calculation unit 215 calculates the importance 143 for each target device 120 using the eigenvector as follows.

The eigenvector includes an element corresponding to the target device 120 for each target device 120.
The importance calculation unit 215 calculates the importance 143 of the target device 120 corresponding to the element using the value of the element for each element included in the eigenvector.

  Specifically, the importance calculation unit 215 calculates a vector sum that is the sum of the values of elements included in the eigenvector. Then, the importance calculation unit 215 calculates the importance 143 of the target device 120 corresponding to the element, using the element value and the vector sum for each element included in the eigenvector. The importance 143 is a value obtained by dividing the element value by the vector sum.

In the eigenvector P of Equation (9), the vector sum is 66 (= 15 + 25 + 13 + 13).
Dividing each element of the eigenvector P in equation (9) by the vector sum gives a normalized eigenvector shown in equation (10). In the normalized eigenvector of Expression (10), each element has importance 143.
In the normalized eigenvector of Expression (10), the element in the first row is the importance 143 of the target device (A). The element in the second row is the importance 143 of the target device (B), the element in the third row is the importance 143 of the target device (C), and the element in the fourth row is the target device (D). The degree of importance is 143.

  In step S248, the result generation unit 214 generates an analysis result 286 indicating the importance 143 for each target device 120.

Specifically, the result generation unit 214 operates as follows using the number management table described in step S224 of FIG.
The result generation unit 214 acquires an IP address associated with the number n as the IP address 142 associated with the nth importance 143 from the unique number management table.
Then, the result generation unit 214 associates the acquired IP address 142 and the nth importance 143 with each other and describes them in the analysis result 286.

In step S249, the result generation unit 214 determines whether there is an unselected adjacency matrix 284.
If there is an unselected adjacency matrix 284, the process returns to step S241.
If there is no unselected adjacency matrix 284, the importance calculation processing and result generation processing (S240) ends.

FIG. 17 shows a directed graph 140 generated using the analysis result 285 of FIG. 10 and the analysis result 286 of FIG.
A star mark attached to the target device (B) means that the target device (B) has the highest importance.

*** Effects of Embodiment 2 ***
The importance level of each target device 120 constituting the target system can be calculated.
The importance is an index for relatively determining the role of the target device 120 in the target system. The higher the importance, the greater the role of the target device 120. When a failure occurs in the target device 120 having a high importance level, the influence range of the failure is large.

*** Other configurations ***
The analysis device 200 may not include the connection specifying unit 213.

Embodiment 3 FIG.
An embodiment for performing analysis for each target system will be described with reference to FIGS. However, the description which overlaps with Embodiment 1 is abbreviate | omitted or simplified.

*** Explanation of configuration ***
The configuration of the analysis system 100 is the same as that described with reference to FIG. 1 in the first embodiment.
However, there are multiple target systems. That is, the plurality of target devices 120 constitute a plurality of target systems.
In addition, the application program is a program for performing processing that requires connection establishment between two target devices 120 included in different target systems.

Based on FIG. 18, the structure of an analyzer is demonstrated.
The configuration of the analyzer 200 is the same as that described in the first embodiment based on FIG.
However, the system table 287 is stored in the storage unit 291. The contents of the system table 287 will be described later.

*** Explanation of operation ***
The procedure of the analysis method is the same as the procedure described in Embodiment 1 with reference to FIG.
However, a part of the analysis process (S200) is different from the first embodiment.
Further, in the processing from step S131 to step S140, the contents of the analysis result 285 to be transmitted, received, and displayed are different from those in the first embodiment.

The procedure of the analysis process (S200) is the same as the procedure described based on FIG. 5 in the first embodiment.
However, part of the matrix generation process (S220) and the connection identification process (S230) is different from the first embodiment.

  In step S220, the matrix generation unit 212 generates an adjacency matrix 284 for each application program, using the connection classification file 283 corresponding to the application program.

The adjacency matrix 284 is a matrix having elements corresponding to a set of target systems. In the adjacency matrix 284, a value indicating the presence or absence of an established connection is set as a value of an element corresponding to the set of target systems.
The elements included in the adjacency matrix 284 correspond to a set of a target system corresponding to the row number of the row including the element and a target system corresponding to the column number of the column including the element.
The value of the element included in the adjacency matrix 284 indicates the number of connections established for the set of target systems corresponding to the element.

Specifically, the matrix generation unit 212 generates an adjacency matrix 284 using the connection classification file 283 and the system table 287 for each application program.
The system table 287 is data in which a device identifier that identifies the target device 120 and a system identifier that identifies the target system are associated with each other.
The matrix generation unit 212 operates as follows for each set of device identifiers included in the connection classification file 283. First, the matrix generation unit 212 acquires a set of system identifiers corresponding to the set of device identifiers from the system table 287. Next, the matrix generation unit 212 selects an element corresponding to the set of target systems identified by the acquired set of system identifiers from the adjacency matrix 284. Then, the matrix generation unit 212 sets the value of the selected element to a value that means that there is an established connection.

FIG. 19 shows a specific configuration of the system table 287.
In the system table 287, the IP address and the system name are associated with each other.
The IP address is a device identifier that identifies the target device 120.
The system name is a system identifier that identifies the target system.

The procedure of the matrix generation process (S220) is the same as the procedure described with reference to FIG. 9 in the first embodiment.
However, part of step S222 and step S224 is different from the first embodiment.

In step S222, the matrix generation unit 212 generates an adjacency matrix 284 in the initial state.
The adjacency matrix 284 in the initial state is a matrix having the same number of rows and columns as the target system. In the adjacency matrix 284 in the initial state, the value of the element in the matrix is zero.

Specifically, the matrix generation unit 212 generates the adjacency matrix 284 in the initial state as follows.
First, the matrix generation unit 212 counts the number N of system identifier types included in the system table 287.
Next, the matrix generation unit 212 generates an N × N adjacency matrix 284.
Then, the matrix generation unit 212 initializes the values of all elements of the adjacency matrix 284 with 0.

  In the system table 287 of FIG. 19, there are three types of system names: system (1) to system (3). In this case, the matrix generation unit 212 generates a 3 × 3 adjacency matrix 284 and initializes all elements of the adjacency matrix 284 with 0.

  In step S224, the matrix generation unit 212 selects an element corresponding to the selected connection data 130 from the adjacency matrix 284.

Specifically, the matrix generation unit 212 selects an element using a number management table. In the number management table, system names and numbers are associated with each other. It is assumed that the number management table is stored in the storage unit 291.
First, the matrix generation unit 212 acquires the source IP address 132 and the destination IP address 134 from the selected connection data 130.
Next, the matrix generation unit 212 acquires a system name corresponding to the acquired transmission source IP address 132 from the system table 287, and acquires a number I corresponding to the acquired system name from the number management table.
Next, the matrix generation unit 212 acquires a system name corresponding to the acquired destination IP address 134 from the system table 287, and acquires a number J corresponding to the acquired system name from the number management table.
Then, the matrix generation unit 212 selects an element of I rows and J columns from the adjacency matrix 284.

  An adjacency matrix A generated using the connection classification file 283 in FIG. 6 and the system table 287 in FIG. 19 is shown below. However, the number corresponding to the system (X) is X.

In the system table 287 of FIG. 19, the IP address corresponding to the system (1) is AA. AA. AA. AA and DD. DD. DD. DD. The IP address corresponding to the system (2) is BB. BB. BB. BB.
In the connection classification file 283 of FIG. AA. AA. AA is the source IP address 132, and BB. BB. BB. The number of connection data 130 whose destination IP address 134 is BB is four.
DD. DD. DD. DD is the source IP address 132 and BB. BB. BB. The number of connection data 130 whose BB is the destination IP address 134 is six.
Therefore, the value of A [1] [2] is 10 (= 4 + 6). A [I] [J] means an element of I rows and J columns of the adjacency matrix A.

In the system table 287 of FIG. 19, the IP address corresponding to the system (3) is CC. CC. CC. CC.
In the connection classification file 283 of FIG. CC. CC. CC is the source IP address 132 and AA. AA. AA. The number of connection data 130 whose AA is the destination IP address 134 is zero.
CC. CC. CC. CC is the source IP address 132, and DD. DD. DD. The number of connection data 130 whose DD is the destination IP address 134 is five.
Therefore, the value of A [3] [1] is 5 (= 0 + 5).

The connection identification process and the result generation process (S230) differ from the first embodiment in that the set of the target devices 120 is replaced with the set of the target systems.
That is, for each application program, the connection specifying unit 213 uses the adjacency matrix 284 corresponding to the application program to specify a set of target systems corresponding to the established connection.
Then, the result generation unit 214 generates an analysis result 285 indicating the specified target system set for each application program.

FIG. 20 shows a specific configuration of the analysis result 285.
In the analysis result 285, the transmission source system name 144, the destination system name 145, and the number of connections 141 are associated with each other.
The source system name 144 and the destination system name 145 identify a set of target systems corresponding to the established connection.
The connection number 141 is the number of established connections.

  The procedure of the connection specifying process and the result generating process (S230) is the same as the procedure described with reference to FIG. 11 in the first embodiment except for a part of step S235.

  In step S235, the result generation unit 214 adds a set of system names corresponding to the selected element and the value of the selected element to the analysis result 285.

Specifically, the result generation unit 214 operates as follows using a number management table in which system names and numbers are associated with each other.
The result generation unit 214 acquires a system name corresponding to the row number of the row including the selected element from the number management table. The acquired system name is the transmission source system name 144.
Further, the result generation unit 214 acquires a system name corresponding to the column number of the column including the selected element from the number management table. The acquired system name is the destination system name 145.
Then, the result generation unit 214 adds the transmission source system name 144, the destination system name 145, and the number of connections 141 to the analysis result 285. The connection number 141 is the value of the selected element.

FIG. 21 shows a directed graph 140 generated using the analysis result 285 of FIG.
In the directed graph 140, a node is a diagram illustrating the target system 121 in which a connection is established. The target system 121 to which X is attached is the target system 121 identified by the system name “target system (X)”.
The edge is an arrow indicating a direction from the target system 121 corresponding to the transmission source system name 144 to the target system 121 corresponding to the destination system name 145.
The weight is the number of connections 141.

The directed graph 140 is displayed on the management device 110.
The administrator refers to the displayed directed graph 140 and grasps the relationship of the target system 121.
For example, with reference to the directed graph 140 of FIG. 21, the administrator knows that a failure occurring in the target system (1) may affect the target system (2) and the target system (3).

*** Effects of Embodiment 3 ***
Since a plurality of connection data 130 acquired by a plurality of target devices 120 are classified for each application program and are further grouped for each target system, it is possible to analyze a business influence range at a system unit level. That is, it is possible to realize a business influence range analysis in consideration of the communication characteristics of the application program.

Embodiment 4 FIG.
A mode for analyzing the importance of each target system in the entire target system will be described with reference to FIGS. However, the description which overlaps with the description from Embodiment 1 to Embodiment 3 is abbreviate | omitted or simplified.

*** Explanation of configuration ***
The configuration of the analysis system 100 is the same as that described in the third embodiment.

Based on FIG. 22, the structure of the analyzer 200 is demonstrated.
The analysis device 200 includes an importance level calculation unit 215 as an element of a functional configuration.
The importance calculation unit 215 calculates the importance for each target system.
Data indicating the importance for each target system is an analysis result 286.
Details of the function of the importance calculation unit 215 will be described later.

*** Explanation of operation ***
The procedure of the analysis method is the same as that of the second embodiment except for a part of the analysis process (S200).

The analysis process (S200) is the same as the procedure described in the second embodiment based on FIG.
Steps S210 and S220 are as described in the first embodiment.
Step S230 is as described in the third embodiment.
Step S240 is partially different from the processing described in the second embodiment.

In step S240, the importance calculation unit 215 calculates an eigenvector for each application program using the adjacency matrix 284 corresponding to the application program. The importance calculation unit 215 calculates the importance for each target system using the calculated eigenvector.
And the result production | generation part 214 produces | generates the analysis result 286 which shows the importance for every object system for every application program.

FIG. 23 shows a specific configuration of the analysis result 286.
In the analysis result 286, the system name 146 and the importance 143 are associated with each other.
The system name 146 identifies a target system having the importance 143.

  The procedure of importance calculation processing and result generation processing (S240) is the same as that in the second embodiment. However, the importance level 143 calculated in step S247 is the importance level 143 for each target system.

An adjacent transpose matrix generated using the adjacent matrix A shown in Expression (11) is shown in Expression (12).
Further, a transposed normal matrix generated using the adjacent transposed matrix shown in Expression (12) is shown in Expression (13).

An eigen equation generated using the transposed normal matrix of Expression (13) is shown in Expression (14). det (X) means a determinant of the matrix X, λ means an eigenvalue, and I means a square matrix having the same order as the matrix X.
The eigen equation of equation (14) can be transformed into equation (15).
Of the eigenvalues λ obtained by solving the eigenequation of equation (15), the eigenvalue λ having the maximum absolute value is 1, as shown in equation (16).

When the eigenvalue λ is 1, Equation (17) is obtained using the transposed normal matrix of Equation (13) and the eigenvalue λ.
Equation (17) can be transformed into Equation (18). P means an eigenvector, and O means a zero matrix having the same order as the matrix X.
When the equation (18) is calculated, the eigenvector P shown in the equation (19) is calculated. In the eigenvector P of Expression (19), the elements in the first row correspond to the target system (1), the elements in the second row correspond to the target system (2), and the elements in the third row correspond to the target system (3). Corresponding to

In the eigenvector P of Equation (19), the vector sum is 68 (= 33 + 32 + 3).
Dividing each element of the eigenvector P in equation (19) by the vector sum gives a normalized eigenvector shown in equation (20). In the normalized eigenvector of Expression (20), each element has importance 143.
In the normalized eigenvector of equation (20), the first row element is the importance level 143 of the target system (1), the second row element is the importance level 143 of the target system (2), and the third row The element is the importance level 143 of the target system (3).

FIG. 24 shows a directed graph 140 generated using the analysis result 285 of FIG. 20 and the analysis result 286 of FIG.
The star mark attached to the target system (1) means that the importance level of the target system (1) is the highest.

*** Effects of Embodiment 4 ***
The importance of each target system can be calculated.
The importance is an index for relatively determining the role of the target system in a plurality of target systems. The higher the importance, the greater the role of the target system. When a failure occurs in a target system having a high importance level, the influence range of the failure is large.

*** Other configurations ***
The analysis device 200 may not include the connection specifying unit 213.

*** Supplement to the embodiment ***
In the embodiment, the function of the analysis apparatus 200 may be realized by hardware.
FIG. 25 shows a configuration when the function of the analysis apparatus 200 is realized by hardware.
The analysis apparatus 200 includes a processing circuit 990. The processing circuit 990 is also called a processing circuit.
The processing circuit 990 is a dedicated electronic circuit that realizes the function of the “unit” described in the embodiment. The “part” includes a storage unit 291.
Specifically, the processing circuit 990 is a single circuit, a composite circuit, a programmed processor, a parallel programmed processor, a logic IC, a GA, an ASIC, an FPGA, or a combination thereof. GA is an abbreviation for Gate Array, ASIC is an abbreviation for Application Specific Integrated Circuit, and FPGA is an abbreviation for Field Programmable Gate Array.
The analysis apparatus 200 may include a plurality of processing circuits 990, and the plurality of processing circuits 990 may realize the function of “unit” in cooperation with each other.

  The function of the analysis device 200 may be realized by a combination of software and hardware. That is, a part of “part” may be realized by software, and the rest of “part” may be realized by hardware.

  The embodiments are exemplifications of preferred forms and are not intended to limit the technical scope of the present invention. The embodiment may be implemented partially or in combination with other embodiments. The procedure described using the flowchart and the like may be changed as appropriate.

  100 analysis system, 110 management device, 120 target device, 121 target system, 130 connection data, 131 protocol name, 132 source IP address, 133 source port number, 134 destination IP address, 135 destination port number, 136 connection state, 137 Process name, 140 directed graph, 141 number of connections, 142 IP address, 143 importance, 144 source system name, 145 destination system name, 146 system name, 200 analyzer, 211 connection classification unit, 212 matrix generation unit, 213 connection Identification unit, 214 Result generation unit, 215 Importance calculation unit, 281 Process table, 282 Connection management file, 283 Connection classification file, 284 Adjacency matrix, 285 Analysis result , 286 analysis, 287 system tables, 291 storage unit, 292 reception unit, 293 transmission unit, 901 a processor, 902 a memory, 903 an auxiliary storage device, 904 communication device, 905 a receiver, 906 a transmitter, 990 processing circuits, 991 storage unit.

Claims (18)

A device identifier for identifying one target device for each connection established by executing the application program, which is a file generated for each application program for performing processing that requires establishment of a connection between the target devices A storage unit that stores a connection classification file that is a file including a device identifier that identifies the other target device;
For each application program, using a connection classification file corresponding to the application program, a matrix having elements corresponding to the set of target devices, and the presence / absence of an established connection as the value of the element corresponding to the set of target devices And a matrix generation unit that generates an adjacency matrix that is a matrix in which a value that represents the value is set. The storage unit is a file for each target device, and for each connection established between the target devices, a communication address corresponding to a device identifier for identifying one target device and a device identifier for identifying the other target device A connection management file, which is a file including a communication address corresponding to, and a process name corresponding to the application program,
The analyzer is
The analysis apparatus according to claim 1, further comprising a connection classification unit that generates a connection classification file for each application program using a connection management file for each target apparatus. The storage unit stores a process table in which a process name and an application name for identifying an application program are associated with each other,
The connection classification unit acquires an application name corresponding to a process name from the process table for each process name included in at least one of the connection management files, and the connection classification for each application program identified by the acquired application name The analysis apparatus according to claim 2, which generates a file. For each application program, using an adjacency matrix corresponding to the application program, a connection identifying unit that identifies a set of target devices corresponding to the established connection;
The analysis device according to any one of claims 1 to 3, further comprising: a result generation unit that generates an analysis result indicating a specified set of target devices for each application program. 5. The element included in the adjacency matrix corresponds to a set of a target device corresponding to a row number of a row including the element and a target device corresponding to a column number of a column including the element. The analyzer according to any one of the above. The analysis device according to claim 5, wherein the value of an element included in the adjacency matrix indicates the number of connections established for a set of target devices corresponding to the element. For each application program, calculate an eigenvector using an adjacency matrix corresponding to the application program, and calculate an importance for each target device using the calculated eigenvector,
The analysis apparatus according to claim 6, further comprising: a result generation unit that generates an analysis result indicating importance for each target apparatus for each application program. The importance calculating unit
Swapping rows and columns of the adjacency matrix to generate an adjoint transpose matrix;
For each column of the adjacent transposed matrix, calculate a column sum that is the sum of the values of the elements included in the column, and divide the element value for each element included in the adjacent transposed matrix by the column total of the column including the element Calculate a ratio value, and generate a transposed normal matrix in which the ratio value for each element included in the adjacent transpose matrix is set,
The analyzer according to claim 7, wherein an eigen equation is generated using the transposed normal matrix, an eigen value is calculated by solving the generated eigen equation, and the eigen vector is calculated using the calculated eigen value and the transposed normal matrix. . The eigenvector includes an element corresponding to the target device for each target device,
The importance calculating unit
The analyzer according to claim 7 or 8, wherein the importance of a target device corresponding to an element is calculated using an element value for each element included in the eigenvector. The importance calculation unit calculates a vector sum that is a sum of values of elements included in the eigenvector, and for each element included in the eigenvector, obtains a value obtained by dividing the element value by the vector sum as an element The analysis apparatus according to claim 9, wherein the analysis apparatus calculates the importance degree of the target apparatus corresponding to. An analysis program for causing a computer to execute processing using a connection classification file,
The connection classification file is a file generated for each application program for performing processing that requires the establishment of a connection between target devices, and one target for each connection established by executing the application program. A file including a device identifier for identifying a device and a device identifier for identifying the other target device;
For each application program, using a connection classification file corresponding to the application program, a matrix having elements corresponding to the set of target devices, and the presence / absence of an established connection as the value of the element corresponding to the set of target devices An analysis program for causing a computer to execute a matrix generation process for generating an adjacency matrix that is a matrix in which a value indicating “a” is set. A file generated for each application program for performing processing that requires establishment of a connection between two target devices included in different target systems, and for each connection established by executing the application program, A storage unit for storing a connection classification file that is a file including a device identifier for identifying one target device and a device identifier for identifying the other target device;
For each application program, using a connection classification file corresponding to the application program, a matrix having elements corresponding to the target system set, and the presence or absence of an established connection as the value of the element corresponding to the target system set And a matrix generation unit that generates an adjacency matrix that is a matrix in which a value that represents the value is set. The storage unit stores a system table in which a device identifier for identifying a target device and a system identifier for identifying a target system are associated with each other,
The matrix generation unit acquires a set of system identifiers corresponding to a set of device identifiers from the system table for each set of device identifiers included in the connection classification file, and is a target system identified by the acquired set of system identifiers The analysis apparatus according to claim 12, wherein an element corresponding to the set is selected from the adjacency matrix, and a value of the selected element is set to a value meaning that there is an established connection. For each application program, using an adjacency matrix corresponding to the application program, a connection identification unit that identifies a set of target systems corresponding to the established connection,
The analysis device according to claim 12, further comprising: a result generation unit that generates an analysis result indicating a set of identified target systems for each application program. The element included in the adjacency matrix corresponds to a set of a target system corresponding to a row number of a row including an element and a target system corresponding to a column number of a column including the element. The analyzer according to any one of the above. The analysis device according to claim 15, wherein the value of an element included in the adjacency matrix indicates the number of connections established for a set of target systems corresponding to the element. The analyzer is
For each application program, calculate an eigenvector using an adjacency matrix corresponding to the application program, and calculate an importance for each target system using the calculated eigenvector,
The analysis apparatus according to claim 16, further comprising: a result generation unit that generates an analysis result indicating importance for each target system for each application program. An analysis program for causing a computer to execute processing using a connection classification file,
The connection classification file is a file generated for each application program for performing processing that requires establishment of a connection between two target devices included in different target systems, and is established by executing the application program. A file including a device identifier for identifying one target device and a device identifier for identifying the other target device for each connection made,
For each application program, using a connection classification file corresponding to the application program, a matrix having elements corresponding to the target system set, and the presence or absence of an established connection as the value of the element corresponding to the target system set An analysis program for causing a computer to execute a matrix generation process for generating an adjacency matrix that is a matrix in which a value indicating “a” is set.

Images