JP6648511B2 - Support device, support method, and program - Google Patents

Description

  The present invention relates to a support device, a support method, and a program.

  A technique for monitoring a system to detect and display an abnormality is disclosed. For example, Patent Literature 1 describes that an event included in a cause candidate of a failure cause and another cause candidate including the event are collected into a group, and the cause candidate is displayed for each group.

  Further, Patent Literature 2 discloses displaying a link indicating a dependency relationship between components of a target system on a display screen.

  Patent Literature 3 discloses a monitoring device that notifies a user of main event information to be notified to a user and sub-event information that satisfies set extraction conditions.

  Patent Document 4 discloses an operation monitoring device that displays abnormality identification information between nodes and between the nodes.

  Patent Literature 5 discloses a technique for extracting a dependency between events and specifying a cause of a failure.

JP 2012-59063 A JP 2012-38028 A JP 2013-191070 A JP 2013-54402 A JP 2006-31109 A

  By monitoring the system, various types of abnormal events are detected. It is difficult for the system administrator to grasp the relevance of such an abnormal event from the log.

  In the technique described in Patent Literature 1, related cause candidates of a failure are grouped together and displayed in group units in order from the one with the highest priority given to the cause candidate. Therefore, in the technique of Patent Document 1, for example, even if a fault has occurred in the same host, if the fault to be solved is different, the faults are classified into different groups. Therefore, in the technique of Patent Document 1, the administrator cannot grasp the relevance of the abnormal event that has occurred.

  Further, as an execution source and an execution destination of the abnormal event, there are various elements such as a process, a file, and an account. However, the technique described in Patent Literature 2 only shows the dependency between components of the target system, and does not disclose elements such as processes, files, accounts, and the like.

  Also, the technologies described in Patent Documents 3 to 5 do not disclose that an administrator grasps the relevance of the abnormal events related to the various elements.

  The present invention has been made in view of the above problems, and a purpose of the present invention is to allow a confirmer (for example, an administrator who manages a monitored system) to easily grasp the relevance of an abnormal event between a plurality of elements. It is to provide the technology which supports that.

  The support device according to an aspect of the present invention provides a classifying unit that classifies an event detected as an abnormal event among events between a plurality of elements for each element related to the abnormal event, based on a result of the classification. Generating means for representing the abnormal event with the elements as vertices and the relation between the elements as edges, wherein the elements are arranged for each type on a display screen, and a relation graph displayed on the display screen; , Is provided.

  The support method according to an aspect of the present invention provides a method of classifying, among events between a plurality of elements, an event detected as an abnormal event, for each element related to the abnormal event, based on a result of the classification, Are represented as vertices, and the relationship between the elements is defined as an edge to represent the abnormal event, and the elements are arranged for each type on a display screen, and a relation graph displayed on the display screen is generated.

  Note that a computer program that realizes each of the above devices or methods by a computer, and a non-transitory computer-readable recording medium that stores the computer program are also included in the scope of the present invention.

  Advantageous Effects of Invention According to the present invention, it is possible to assist a checker to easily grasp the relevance of an abnormal event between a plurality of elements.

FIG. 3 is a functional block diagram illustrating an example of a functional configuration of the support device according to the first embodiment of the present invention. It is a functional block diagram showing an example of the functional composition of the support device concerning a 2nd embodiment of the present invention. It is a figure showing an example of an abnormal event list which is a list of abnormal events which the detection part of the support device concerning a 2nd embodiment of the present invention detected. It is a figure showing the result of the classification processing performed by the classification part of the support device concerning a 2nd embodiment of the present invention. FIG. 14 is a diagram illustrating an example of a relation graph displayed by a display device according to the second embodiment of the present invention. It is a figure showing an example of the flow of processing of a support device and a display concerning a 2nd embodiment of the present invention. It is a figure showing an example of the relation graph which a display displays in modification 1 of a 2nd embodiment of the present invention. It is a figure showing an example of the relation graph which a display displays in modification 2 of a 2nd embodiment of the present invention. It is a figure showing an example of the relation graph which a display displays in modification 3 of a 2nd embodiment of the present invention. It is a figure showing an example of the relation graph which a display displays in modification 4 of a 2nd embodiment of the present invention. It is a functional block diagram showing an example of functional composition of a support device concerning a 3rd embodiment of the present invention. It is a figure showing an example of the relation graph which a display displays in a 3rd embodiment of the present invention. It is a flow chart which shows an example of a flow of processing of a support device and a display concerning a 3rd embodiment of the present invention. It is a functional block diagram showing an example of the functional composition of the support device concerning a 4th embodiment of the present invention. It is a figure showing an example of a screen displayed on a display screen of a display in a 4th embodiment of the present invention. It is a functional block diagram showing an example of the functional composition of the support device concerning a 5th embodiment of the present invention. It is a figure showing an example of an abnormal event list which is a list of abnormal events which the detection part of the support device concerning a 5th embodiment of the present invention detected. FIG. 15 is a diagram illustrating an example of a relation graph displayed by a display device according to a fifth embodiment of the present invention. It is a functional block diagram showing an example of the functional composition of the support device concerning a 6th embodiment of the present invention. It is a figure showing an example of a screen displayed on a display screen of a display in a 6th embodiment of the present invention. It is a figure showing other examples of a screen displayed on a display screen of a display in a 6th embodiment of the present invention. FIG. 2 is a diagram exemplarily illustrating a hardware configuration of a computer (information processing device) capable of realizing each embodiment of the present invention.

<First embodiment>
A first embodiment of the present invention will be described in detail with reference to the drawings. FIG. 1 is a functional block diagram illustrating an example of a functional configuration of a support device 10 according to the first embodiment of the present invention. Note that the support device 10 illustrated in FIG. 1 illustrates a configuration unique to the present invention, and it goes without saying that the support device 10 illustrated in FIG. 1 may have a configuration that is not illustrated in FIG. No.

  As shown in FIG. 1, the support device 10 according to the present embodiment includes a classification unit 11 and a generation unit 12.

  The classification unit 11 receives abnormal event information indicating an abnormal event. The abnormal event indicated by the received abnormal event information is an event having a high possibility of abnormality detected from a log as a result of monitoring the monitored system. The log includes information indicating an event between elements for each host included in the monitored system. This log is stored in a storage unit (not shown).

  The classification unit 11 classifies the received abnormal event for each element related to the abnormal event. Then, the classification unit 11 supplies the classification result to the generation unit 12.

  The generation unit 12 receives the result of the classification from the classification unit 11. The generation unit 12 generates a relationship graph representing the abnormal event based on the received classification result. This relation graph is a graph in which elements are vertices and relations between elements are edges. The relation graph generated by the generation unit 12 is displayed on the display screen of the display device. The generation unit 12 generates a relation graph in which elements are arranged for each type on the display screen.

  Thereby, for example, in the relation graph displayed on the display screen of the display device (not shown), the elements are arranged for each type, and represent abnormal events classified for each element.

  Therefore, a checker who checks this display screen (for example, a manager of the monitored system; hereinafter, also referred to as a manager) can check the relevance between the abnormal events on the display screen. This allows the confirmer to confirm, for each element, the association between a plurality of abnormal events related to the element. Also, the confirmer can compare the abnormal event related to the element with the abnormal event related to another element.

  As described above, the support device 10 according to the present embodiment can assist a checker to grasp the relevance of an abnormal event between a plurality of elements. Thereby, the support device 10 can support the confirmer to easily grasp the common part (element) of the abnormal event. Therefore, the support device 10 can assist the confirmer in finding the cause and background of the abnormality.

<Second embodiment>
Next, a second embodiment based on the first embodiment will be described. First, the configuration of the support device 100 according to the present embodiment will be described. FIG. 2 is a diagram illustrating an example of a functional configuration of the support device 100 according to the present embodiment. As shown in FIG. 2, the support device 100 according to the present embodiment includes a classification unit 110, a generation unit 120, a storage unit 130, and a detection unit 140.

  The classification unit 110 and the generation unit 120 correspond to the classification unit 11 and the generation unit 12 in the above-described first embodiment, respectively. That is, in FIG. 2, a portion surrounded by a broken-line frame corresponds to the support device 10 in the above-described first embodiment.

  Further, as shown in FIG. 2, the support device 100 is connected to the display device 200. Note that, in the present embodiment, an example will be described in which the support device 100 has a configuration separate from the display device 200. However, the support device 100 has a configuration in which the display device 200 is provided inside as a display unit. Is also good.

  The storage unit 130 stores a result (log) of monitoring a monitoring target system (not shown). FIG. 2 illustrates an example in which the storage unit 130 is built in the support device 100, but the storage unit 130 may be realized by a storage device separate from the support device 100. .

  This monitoring target system includes a plurality of devices (hosts) connected by a network. The log includes, for each host, a result of detecting an event between a plurality of elements that has occurred on the monitored system (information indicating the event). In the case of an event for a certain host, the element may be any of process, file, and external host.

  An event between elements is, for example, when one of the elements is a process and the other is a file, the process has accessed the file. The event between the elements is, for example, that one of the elements is a process and the other is an external host, that the process has connected to the external host. The event between elements is not limited to this.

  In this embodiment, one event is described as an event between two elements. However, one event may be an event occurring between a plurality of elements.

  The detection unit 140 detects an event that is highly likely to be abnormal from the log stored in the storage unit 130. FIG. 3 shows an example of this abnormal event. FIG. 3 is a diagram illustrating an example of a list of abnormal events detected by the detection unit 140 (abnormal event list). The abnormal event list shown in FIG. 3 includes an abnormal event for a certain host, which is detected from the log.

  As shown in FIG. 3, the abnormal event list includes a plurality of abnormal events. The abnormal event list includes the contents of the abnormal event and the time at which the abnormal event occurred. Further, as shown in FIG. 3, the abnormal event list may include an identifier (event ID (Identifier)) for identifying each abnormal event. The information included in the abnormal event list is not limited to this, and may include, for example, the degree of abnormality of the abnormal event. The abnormality degree indicates a high possibility that an abnormal event detected as having a high possibility of abnormality is abnormal. In the present embodiment, the degree of abnormality is represented by a numerical value, and the higher the numerical value, the higher the possibility of abnormality.

  The contents of the abnormal event will be described. For example, the content of the abnormal event with the event ID “ID01” shown in the first line of FIG. 3 is “‘ Process1 ’opened‘ File1 ’. This indicates that one of the elements is a process whose process name is "Process1", and the other is a file whose file name is "File1". This abnormal event indicates that “Process1” has opened “File1”. In addition, for example, the content of the abnormal event with the event ID “ID09” shown in the ninth line in FIG. 3 is “‘ Process1 'connect with‘ExHost1' ”. This indicates that one of the elements is a process whose process name is "Process1" and the other is an external host whose external host name is "ExHost1". This abnormal event indicates that “Process1” has been connected to “ExHost1”.

  When detecting the abnormal event, the detecting unit 140 may add the detected abnormal event to the abnormal event list. Note that FIG. 3 shows an abnormal event list indicating an abnormal event for one host for convenience of description, but the abnormal event list may include an abnormal event for each of a plurality of hosts.

  The detection unit 140 may supply the abnormal event list to the classification unit 110, or may store the abnormal event list in the storage unit 130 or a storage unit in the detection unit 140.

  The classification unit 110 receives the abnormal event list from the detection unit 140. Alternatively, the classification unit 110 may acquire the abnormal event list from the storage unit 130 or the storage unit of the detection unit 140.

  The classification unit 110 classifies the abnormal events included in the abnormal event list for each element related to the abnormal event. Elements related to the abnormal event are, for example, “Process1” and “File1” in the case of the abnormal event whose event ID is “ID01” shown in FIG.

  The classification process of the classification unit 110 will be described with reference to FIG. FIG. 4 is a diagram illustrating a result of the classification process performed by the classification unit 110 of the support device 100 according to the present embodiment. Hereinafter, abnormal events to be classified will be described using event IDs.

  The classification unit 110 classifies the abnormal events having the event IDs “ID01” to “ID10” included in the abnormal event list illustrated in FIG. 3 for each element. As shown in FIG. 4, as a result of classifying each element, abnormal events classified into the element “Process1” have event IDs “ID01”, “ID03”, “ID04”, “ID06”, and “ID09”. Become. The classification unit 110 classifies the abnormal event for each of the other elements, and obtains a classification result as shown in FIG. At this time, the classification unit 110 specifies the type of the classified element for each element. Then, the classification unit 110 associates the identified element type with the element included in the classification result.

  As described above, the classification unit 110 classifies abnormal events for each element for each host. Then, the classification unit 110 supplies the result of the classification process to the generation unit 120.

  Note that the number of abnormal events classified by the classification unit 110 is not particularly limited. The classification unit 110 may classify an abnormal event in a predetermined period from the current time, or may classify an abnormal event in a period designated by an administrator or the like.

  The generation unit 120 receives the result of the classification process from the classification unit 110. The generation unit 120 generates a relation graph representing the abnormal event based on the received classification result. The relation graph includes elements as vertices (also referred to as nodes) and lines connecting the elements as edges (also referred to as links, edges or branches). The relation graph generated by the generation unit 120 is displayed on the display screen of the display device 200. On the display screen, the generation unit 120 generates a relation graph in which the elements are arranged for each type, using the types associated with the elements included in the classification result.

  FIG. 5 shows an example of a relation graph generated by the generation unit 120 and displayed on the display screen. FIG. 5 is a diagram illustrating an example of a relation graph displayed by the display device 200 according to the present embodiment. In the present embodiment, it is assumed that the element types are file, process, and external host.

  In the present embodiment, the generation unit 120 generates a relation graph in which elements are represented by circles and elements are connected by solid lines. The shapes of the elements and the shapes of the lines connecting the elements are not limited to those shown in FIG. 5, but may be any as long as the elements and the relationships between the elements can be expressed. Also, an element name is displayed in association with each element.

  As illustrated in FIG. 5, the generation unit 120 displays the types of the elements in order from left to right (in the second direction) in the order of the file in the host, the process in the host, and the external host. In a bar-shaped area (type area) representing each type, elements are arranged from top to bottom (in the first direction). The elements arranged in this type area are the elements classified by the classification unit 110 shown in FIG. Therefore, for example, “Process 1” and “Process 2” are arranged in the type area of the type “process” (the bar-shaped area at the center in FIG. 5).

  The display order of the elements in each type area is not particularly limited. For example, the order may be the order of element names, or the order of the number of related abnormal events may be large.

  The generation unit 120 generates a relation graph as shown in FIG. 5 in which elements related to the same abnormal event are connected by a line based on the classification result. Based on the classification result shown in FIG. 4, the elements related to the abnormal event with the event ID “ID01” are “Process1” and “File1”. Therefore, the generation unit 120 generates a relation graph between “Process1” and “File1” by connecting these elements with a line.

  Note that, as illustrated in FIG. 5, the generation unit 120 may display an element having many related elements larger than an element having few related elements. For example, since “Process1” is related to five other elements and “File1” is related to one other element, the generation unit 120 sets “Process1” to be larger than “File1”. A relation graph may be generated.

  Further, in FIG. 4, the event between the elements is one by one, but the event between the elements may be plural. For example, a plurality of abnormal events may occur between “Process 1” and “File 1”. In this case, when the classifying unit 110 performs classification, the number of abnormal events is counted, and the generating unit 120 generates a relationship graph in which lines connecting elements are changed according to the number of abnormal events. Is also good. For example, the generation unit 120 may generate a relation graph in which a line connecting elements having a large number of abnormal events is displayed larger than other lines, or may be displayed in a different color or manner from the other lines. A relation graph may be generated. Accordingly, the support apparatus 100 can assist the administrator or the like to easily grasp that the same abnormal event has occurred more frequently than other abnormal events.

  The shape of the type area is not particularly limited. As illustrated in FIG. 5, when the type area is a bar-shaped area, the generation unit 120 can display the elements arranged for each type, so that the administrator or the like can easily grasp the relationship between the elements for each type. Can help you.

  Also, in FIG. 5, an example has been described in which the relation graph is an undirected graph. However, the relation graph may be a directed graph, or may be a graph including an undirected side and a directed side. Good.

(Processing of support device 100 and display device 200)
Next, the flow of processing of the support device 100 and the display device 200 according to the present embodiment will be described with reference to FIG. FIG. 6 is a flowchart illustrating an example of a processing flow of the support device 100 according to the present embodiment.

  As shown in FIG. 6, the detection unit 140 detects an abnormal event (Step S61). Then, the classification unit 110 classifies the abnormal event for each element related to the abnormal event (Step S62).

  Then, the generation unit 120 generates a relation graph representing the abnormal event (Step S63). This relation graph is a relation graph in which elements are arranged for each type, as described above. Thereafter, the display device 200 displays the relation graph on the display screen (Step S64).

  Thus, the processes of the support device 100 and the display device 200 are completed.

(effect)
According to support apparatus 100 according to the present embodiment, classification unit 110 classifies an event detected as an abnormal event among events between a plurality of elements for each element related to the abnormal event. Then, the generation unit 120 generates a relation graph indicating the abnormal event based on the result of the classification and in which elements are arranged for each type on the display screen.

  Therefore, the checker who checks the display screen can check the relevance between the abnormal events on the display screen. This allows the confirmer to confirm, for each element, the association between a plurality of abnormal events related to the element. Also, the confirmer can compare the abnormal event related to the element with the abnormal event related to another element.

  As described above, the support apparatus 100 according to the present embodiment allows the confirmer to easily determine the relevance of the abnormal event between a plurality of elements, similarly to the support apparatus 10 according to the above-described first embodiment. We can help you figure it out. Therefore, the support device 100 can assist the confirmer in finding the cause and background of the abnormality.

(Modification 1)
Next, a first modification of the support device 100 according to the second embodiment will be described. In the above-described second embodiment, an example has been described in which the element type is one of a file, a process, and an external host. However, the element type may be an account. In this modification, an example will be described in which the type of the element is one of an account, a process, and an external host.

  FIG. 7 shows an example of a relation graph generated by the generation unit 120 and displayed on the display screen in the present modification. FIG. 7 is a diagram illustrating an example of a relation graph displayed by the display device 200 in the present modification.

  As illustrated in FIG. 7, the generation unit 120 displays the types of the elements from left to right (in the second direction) in the order of the account in the host, the process in the host, and the external host. Elements are arranged from top to bottom (in the first direction) in the type area representing each type.

  According to the relationship graph shown in FIG. 7, it can be seen that the account having the account name "User1" has started the process having the process name "Process1". Since the event shown in the relationship graph shown in FIG. 7 is an abnormal event, it can be seen that starting “Process1” from “User1” is determined to be abnormal. Thus, the administrator or the like can easily grasp the processes started from the plurality of accounts and related to the abnormal event. In addition, the administrator or the like can easily find an abnormal event indicating that a process started from a plurality of accounts and related to the abnormal event has connected to an external host.

(Modification 2)
Next, a second modification of the support device 100 according to the second embodiment will be described. In the first modification described above, an example has been described in which the element type is any of an account, a process, and an external host. However, in this modification, the element type is any of an account, a process, and a file. An example will be described.

  FIG. 8 shows an example of a relation graph generated by the generation unit 120 and displayed on the display screen in the present modification. FIG. 8 is a diagram illustrating an example of a relation graph displayed by the display device 200 in the present modification.

  As illustrated in FIG. 8, the generation unit 120 displays the types of the elements from left to right (in the second direction) in the order of the account in the host, the process in the host, and the file in the host. I have. Note that the account and the file may be reversed. Elements are arranged from top to bottom (in the first direction) in the type area representing each type.

  According to the relationship graph shown in FIG. 8, similarly to FIG. 7, it is understood that the account having the account name “User1” has started the process having the process name “Process1”. Then, it can be seen that this "Process1" has opened "File1," "File2," "File3," and "File4." Thus, the administrator or the like can easily grasp the processes started from the plurality of accounts and related to the abnormal event. Further, the administrator or the like can easily find an abnormal event in which a process that is started from a plurality of accounts and a process related to the abnormal event has opened a file.

(Modification 3)
Next, a third modification of the support device 100 according to the second embodiment will be described. In the present modified example, a relation graph in which one type region includes two elements and is displayed will be described.

  For example, when a certain account starts a certain process, the process often connects to an external host as shown in FIG. 7 or opens a file as shown in FIG. In the present modification, a description will be given of the case where the types of elements included in the relation graph generated by the generation unit 120 are arranged in the order of the account in the host, the process in the host, the file in the host, and the external host.

  FIG. 9 shows an example of a relation graph generated by the generation unit 120 and displayed on the display screen in the present modification. FIG. 9 is a diagram illustrating an example of a relation graph displayed by the display device 200 in the present modification.

  As illustrated in FIG. 9, the generation unit 120 sorts the element types in the order of the account in the host, the process in the host, the file in the host, and the external host from left to right (in the second direction). it's shown. Elements are arranged from top to bottom (in the first direction) in the type area representing each type.

  According to the relationship graph shown in FIG. 9, similarly to FIG. 7, it is understood that the account having the account name “User1” has started the process having the process name “Process1”. Then, it can be seen that "Process1" has opened "File1," "File2," "File3," and "File4," and has connected to "ExHost1." Thus, the administrator or the like can easily grasp the processes started from the plurality of accounts and related to the abnormal event. In addition, an administrator can easily find an abnormal event that is a process started from a plurality of accounts and a process related to the abnormal event has connected to an external host and opened a file. can do.

  Note that the right type area shown in FIG. 9 includes two types of elements such as an external host and a file. Therefore, the generation unit 120 may generate a relation graph in which different types of elements are displayed in different modes as shown in FIG.

(Modification 4)
Next, a fourth modification of the support device 100 according to the second embodiment will be described. In the relationship graphs shown in FIGS. 5 and 7, the files, processes, and accounts in the host and the external host are expressed in the same manner. In this modification, a relation graph in which elements included in the host and elements outside the host (external host) are displayed in a distinguishable state will be described.

  FIG. 10 is a diagram illustrating an example of a relation graph displayed by the display device 200 in the present modification. FIG. 10 is a modification of the relationship graph shown in FIG. For example, as illustrated in FIG. 10, the generation unit 120 of the support device 100 surrounds elements included in the host as one set with a frame, and arranges the other elements (external hosts) outside the frame. A graph may be generated. The relation graph generated by the generation unit 120 is not limited to this. The generation unit 120 may generate, for example, a relation graph in which the type and the color of the type area are different between the type area including elements inside the host and the type area of the external host.

  In this way, by displaying the elements included inside the host and the elements outside the host in a distinguishable state, the administrator or the like can notify the external host, for example, of abnormalities that have a high possibility of information leakage. Events can be easily found.

  As shown in FIGS. 5 and 7 to 10, on the display screen, the generation unit 120 places the column of the element of the process type between the columns of the elements of the other types (external host, account, and file). It is preferable to generate such a relation graph. This is because the process performed by the account, the process of accessing the file, and the process performed on the external host are all performed by starting the process. Therefore, the generation unit 120 arranges and displays the process elements in the center, and thus a series of behaviors in which one element starts a certain process and performs a certain abnormal event on another element is performed. , Can be easily confirmed by an administrator.

<Third embodiment>
Next, a third embodiment of the present invention will be described. FIG. 11 is a functional block diagram illustrating an example of a functional configuration of the support device 101 according to the present embodiment. Note that, for convenience of description, blocks having the same functions as the blocks included in the drawings described in the above-described embodiments are denoted by the same reference numerals, and detailed description thereof will be omitted.

  As illustrated in FIG. 11, the support device 101 according to the present embodiment includes a classification unit 111, a generation unit 120, a storage unit 130, a detection unit 141, and a reception unit 150.

  The detecting unit 141 according to the present embodiment has a function of causing the display device 200 to display an abnormal event list including the detected abnormal event in addition to the function of the detecting unit 140 described above.

  The input device 300 is realized by, for example, a mouse, a keyboard, and the like. In the present embodiment, an example will be described in which the display device 200 and the input device 300 are realized by devices separate from the support device 101. However, the display device 200 and the input device 300 are respectively configured by a display unit and an input device. The input unit may be configured to be built in the support device 101. In this case, the display unit and the input unit may be realized as, for example, a touch panel.

  The receiving unit 150 receives input from an administrator or the like via the input device 300. For example, when the administrator selects a certain abnormal event from the abnormal event list displayed on the display device 200 via the input device 300, the receiving unit 150 receives the selection of the abnormal event. Then, the reception unit 150 supplies time information indicating the time of the selected abnormal event to the classification unit 111. Note that the reception unit 150 may supply information indicating the selected abnormal event to the detection unit 141. In this case, the detection unit 141 may specify the time of the abnormal event and supply the specified time information to the classification unit 111.

  The classification unit 111 receives time information from the reception unit 150 or the detection unit 141. The classification unit 111 classifies the abnormal events for each element based on the abnormal events after the time indicated by the received time information, similarly to the above-described classification unit 110.

  For example, it is assumed that the abnormal event list shown in FIG. 3 is displayed on the display screen of the display device 200. When the administrator selects the event ID “ID04”, the receiving unit 150 receives this selection. Then, since the time of the abnormal event having the event ID “ID04” is “2015-11-02 12:21:00”, the classification unit 111 classifies the abnormal event after this time. The abnormal events included in the abnormal events illustrated in FIG. 3 and the abnormal events after the above time are abnormal events with event IDs “ID04” to “ID10”. Therefore, the classification unit 111 classifies the abnormal events having the event IDs “ID04” to “ID10” for each element.

  Then, the generation unit 120 generates a relation graph based on the classification result. FIG. 12 shows an example of the relation graph generated by the generation unit 120. FIG. 12 is a diagram showing an example of a relation graph displayed by display device 200 in the present embodiment.

  Compared to the relationship graph shown in FIG. 5, the relationship graph shown in FIG. 12 does not include the abnormal events with the event IDs “ID01”, “ID02”, and “ID03”.

(Processing of support device 101 and display device 200)
Next, with reference to FIG. 13, a flow of processing of the support device 101 and the display device 200 according to the present embodiment will be described. FIG. 13 is a flowchart illustrating an example of a processing flow of the support device 101 according to the present embodiment.

  As shown in FIG. 13, the detecting unit 140 detects an abnormal event (Step S131). Thereafter, the receiving unit 150 receives an input from the administrator (Step S132). Then, the classification unit 111 classifies the abnormal event after the time specified based on the input received by the receiving unit 150 for each element related to the abnormal event (step S133).

  Then, the generation unit 120 generates a relation graph representing the abnormal event (Step S134). This relation graph is a relation graph in which elements are arranged for each type, as described above. After that, the display device 200 displays the relation graph on the display screen (Step S135).

  Thus, the processes of the support device 101 and the display device 200 are completed.

(effect)
According to the support apparatus 101 according to the present embodiment, the same effects as those of the above-described first and second embodiments can be obtained. Further, according to support apparatus 101 according to the present embodiment, classifying section 111 converts an abnormal event occurring after a time specified based on the abnormal event received by receiving section 150 into an element related to the abnormal event. Classify each. Then, the generation unit 120 generates a relation graph based on the abnormal events classified by the classification unit 111 for each element.

  Thus, for example, the administrator can easily grasp abnormal events that have occurred after the abnormal event selected by the administrator.

  For example, when the administrator selects an abnormal event indicating that a certain process has opened a certain file, the support apparatus 101 displays, on the display device 200, abnormal events that have occurred after the selected abnormal event for each element. can do. Thereby, the administrator can easily grasp what kind of behavior the process related to the selected abnormal event has performed thereafter. For example, the administrator can confirm that the process related to the selected abnormal event has communicated with the external host after the selected abnormal event. Thereby, the administrator can easily confirm the possibility that the file has leaked, for example.

  In the present embodiment, an example has been described in which the receiving unit 150 selects an abnormal event from the abnormal event list. However, the receiving unit 150 determines the abnormal event from the relation graph displayed on the display device 200. May be selected. Even in this case, the classification unit 111 can classify an abnormal event after the time of the selected abnormal event for each element. Therefore, the relation graph generated by the generation unit 120 thereafter indicates an abnormal event that has occurred after the selected abnormal event.

<Fourth embodiment>
Next, a fourth embodiment of the present invention will be described. FIG. 14 is a functional block diagram illustrating an example of a functional configuration of the support device 101 according to the present embodiment. Note that, for convenience of description, blocks having the same functions as the blocks included in the drawings described in the above-described embodiments are given the same reference numerals, and detailed descriptions thereof will be omitted.

  As shown in FIG. 14, the support device 102 according to the present embodiment includes a classification unit 110, a generation unit 121, a storage unit 130, a detection unit 140, and a reception unit 151. In the present embodiment, an operation of superimposing a mouse pointer or the like on either a vertex or a side included in the relation graph displayed on the display device 200 using the input device 300 (hereinafter, a mouse operation) A case in which “over” is performed will be described.

  In the present embodiment, the receiving unit 151 receives, for example, position information indicating the position of a mouse pointer or the like on the display screen. The receiving unit 151 supplies the received position information to the generating unit 121.

  The generation unit 121 receives the position information from the reception unit 151. The generation unit 121 specifies, from the relation graph displayed on the display device 200, a vertex (element) or a side displayed at a position represented by the position information.

  If the element that has been moused over by the administrator is an element, the generation unit 121 displays the mouseover element on the display screen in a state where the element is emphasized more than other elements. At this time, the generation unit 121 causes the display screen to display the full path of the highlighted element together with the element.

  Further, when the side that the administrator has moused over is a side, the generation unit 121 displays the element at both ends of the side and the side on the display screen with the side highlighted. At this time, the generation unit 121 causes the display screen to display the full path of the highlighted element together with the element. FIG. 15 shows an example of a screen displayed on the display device 200 at this time.

  The administrator sets the mouse pointer to an edge connecting “File6” and “Process2” in the relationship graph shown in FIG. Suppose that it is piled on top. At this time, as illustrated in FIG. 15, the generation unit 121 highlights “File6”, “Process2”, and the side connecting them, and displays them on the display screen of the display device 200. At this time, the generation unit 121 causes the location of “File6” and “Process2” in the host to be displayed on the display screen with a full path.

  Thereby, even if the name of the element listed as the abnormal event is a known name, the administrator can easily confirm whether or not this element exists at a position different from the usual one. For example, if the process named “Process2” is a process that already exists in the host, the generation unit 121 displays the full path, and the administrator can check the location where “Process2” normally exists. You can check whether it is a process or not. Accordingly, the support device 102 can assist the administrator in grasping the details of the event listed as the abnormal event.

  The receiving unit 151 may be formed integrally with the receiving unit 150 described in the third embodiment, or may be different.

  Further, when the element that has been moused over by the administrator is an element, the generation unit 121 emphasizes all of the relation graphs (sides and elements connected to the element) representing an abnormal event related to the element that has been moused over. May be displayed on a display screen.

<Fifth embodiment>
Next, a fifth embodiment of the present invention will be described. In the present embodiment, a case will be described in which the abnormal event list includes the abnormal degree of the abnormal event. FIG. 16 is a functional block diagram illustrating an example of a functional configuration of the support device 103 according to the present embodiment. Note that, for convenience of description, blocks having the same functions as the blocks included in the drawings described in the above-described embodiments are denoted by the same reference numerals, and detailed description thereof will be omitted.

  As shown in FIG. 16, the support device 103 according to the present embodiment includes a classification unit 110, a generation unit 122, a storage unit 130, and a detection unit 140. The support device 103 according to the present embodiment may be configured to include the reception unit 150 or the reception unit 151 as in the above-described third or fourth embodiment.

  FIG. 17 shows an example of a list of abnormal events (abnormal event list) detected by the detection unit 140 according to the present embodiment. As shown in FIG. 17, the abnormal event list in the present embodiment includes the abnormal degree of each abnormal event in addition to the abnormal event list shown in FIG. In the present embodiment, the degree of abnormality is represented by a numerical value from 0 to 1 as shown in FIG. 17, and it is assumed that the higher the numerical value, the higher the possibility of abnormality.

  The classification unit 110 classifies, for example, an abnormal event as illustrated in FIG. 17 for each element. As described above, since the abnormal event includes the degree of abnormality, the abnormal event included in the result of the classification performed by the classification unit 110 also includes the degree of abnormality.

  The generation unit 122 receives the result of the classification process from the classification unit 110. The generation unit 122 generates a relation graph based on the result of the classification process. At this time, the generation unit 122 arranges the elements according to the degree of abnormality. For example, the generation unit 122 specifies, for each element, an abnormal event having the highest abnormality degree related to the classified element. Then, the generation unit 122 arranges the elements in descending order of the specified abnormality degree.

  Referring to FIG. 17, it can be seen that the process with the highest abnormality degree is “Process 1” which is an element related to the abnormal event with the event ID “ID11”. Therefore, the generation unit 122 arranges the elements “Process1” and “Process2” of the process types in the order of “Process1” and “Process2”.

  Similarly, the generating unit 122 arranges the elements of the file type in the order of “File1,” “File6,” “File5,” “File3,” “File2,” and “File4.”

  Then, based on the result of the classification process, the generation unit 122 generates a relation graph in which the arranged elements are connected by a line. FIG. 18 illustrates an example of the relation graph generated by the generation unit 122 according to the present embodiment. FIG. 18 is a diagram illustrating an example of a relation graph displayed by display device 200 in the present embodiment.

  As shown in FIG. 18, it can be seen that the elements arranged in the type area are arranged in the order described above from the top to the bottom (in the first direction). Then, it can be seen that the relationship graph shown in FIG. 18 expresses the abnormal event shown in FIG.

  Note that the generation unit 122 may obtain the average of the degree of abnormality of the abnormal event related to the element for each element, and may arrange the elements using the obtained average. In addition, the generation unit 122 may determine the total of the degree of abnormality of the abnormal event related to the element for each element, and may arrange the elements using the calculated total. In addition, the generation unit 122 may display the size and the mode of the element in a mode different from the other elements according to the obtained total. For example, when the sum of the degrees of abnormality obtained for a certain element is larger than the sum of the degrees of abnormality of another element, the generation unit 122 may display the element in a more emphasized state than the other elements. .

(effect)
According to the support apparatus 103 according to the present embodiment, the same effects as those of the above-described first and second embodiments can be obtained. Further, according to support device 103 according to the present embodiment, generation unit 122 generates a relation graph in which elements are arranged in the first direction for each type based on the degree of abnormality. By displaying the relation graph generated in this way on the display device 200, the administrator can easily specify an abnormal event that is highly likely to be abnormal.

<Sixth Embodiment>
Next, a sixth embodiment of the present invention will be described. FIG. 19 is a functional block diagram illustrating an example of a functional configuration of the support device 104 according to the present embodiment. Note that, for convenience of description, blocks having the same functions as the blocks included in the drawings described in the above-described embodiments are denoted by the same reference numerals, and detailed description thereof will be omitted.

  As shown in FIG. 19, the support device 104 according to the present embodiment includes a classification unit 110, a generation unit 120, a storage unit 130, a detection unit 140, a reception unit 152, and a display control unit 160.

  In the present embodiment, the detecting unit 140 supplies the abnormal event list to the display control unit 160. Further, in the present embodiment, it is assumed that generation unit 120 supplies the generated relation graph to display control unit 160. At this time, it is assumed that the abnormal event included in the relation graph supplied by the generation unit 120 to the display control unit 160 is associated with the abnormal event included in the abnormal event list. For example, it is assumed that an event ID indicating an abnormal event is associated with each side included in the relation graph.

  The receiving unit 152 receives position information indicating a position of a mouse pointer or the like on the display screen. The receiving unit 152 supplies the received position information to the display control unit 160.

  The display control unit 160 generates a screen that causes the display device 200 to display the abnormal event list received from the detection unit 140 and the relation graph received from the generation unit 120. Then, the display control unit 160 controls the generated screen (generation screen) to be displayed on the display screen of the display device 200. Thereby, the display device 200 displays the generation screen generated by the display control unit 160 on the display screen based on the control from the display control unit 160.

  Further, display control section 160 receives the position information from reception section 152. The display control unit 160 specifies the position of the mouse pointer from the position information, and specifies the abnormal event displayed at the specified position. Then, the display control unit 160 causes the display device 200 to display the abnormal event in the relationship graph and / or the abnormal event in the abnormal event list related to the specified abnormal event in a manner different from other abnormal events.

  FIG. 20 shows an example of a generation screen generated by the display control unit 160 and displayed on the display screen. FIG. 20 is a diagram showing an example of a generation screen displayed on the display screen of display device 200 in the present embodiment.

  As shown in FIG. 20, the generation screen includes a relation graph and an abnormal event list. The abnormal event included in the relationship graph displayed on the display screen is associated with the abnormal event included in the abnormal event list.

  FIG. 21 shows an example of a display screen when the administrator performs an operation of superimposing a mouse pointer or the like on the relation graph or the abnormal event list displayed on the display screen shown in FIG.

  As illustrated in FIG. 21, it is assumed that the administrator mouses over an abnormal event whose event ID is “ID25” on the abnormal event list, for example. At this time, the display control unit 160 specifies the abnormal event from the mouse-over position, and displays the side and the element on the relation graph related to the specified abnormal event in a manner different from other sides and elements. . Since the abnormal event with the event ID “ID25” is an abnormal event between “Process2” and “File5”, the display control unit 160 connects the elements of “Process2” and “File5” and connects these elements. For example, the line is displayed on the display screen with emphasis.

  At this time, the display control unit 160 may also highlight and display a mouse-over abnormal event.

(effect)
According to the support device 104 according to the present embodiment, the same effects as those of the above-described first and second embodiments can be obtained. Further, according to support device 104 according to the present embodiment, display control unit 160 generates a screen including a list including an abnormal event and a relation graph associated with the list, and generates the generated screen. It is displayed on the display screen. When the pointer displayed on the display screen is superimposed on any one of the plurality of abnormal events displayed on the display screen, the display control unit 160 Is displayed in a manner different from other abnormal events.

By this, for example, from the abnormal event list, the administrator simply mouses over an abnormal event that the administrator wants to confirm the relationship, and the administrator can change the element related to the mouse-over abnormal event or the like. Other abnormal events can be confirmed on the graph. Therefore, the administrator can easily deal with abnormalities such as tracking abnormal events from the relationship graph and the abnormal event list displayed on the display screen. For example, logs stored in the storage unit 130 are generally arranged in chronological order. Therefore, the abnormal events included in the abnormal event list are also arranged in chronological order. Therefore, the administrator can check the abnormal events in the relationship graph by hovering over the abnormal events arranged in chronological order in order, so that the temporal sequence of the abnormal events can be easily grasped. can do. For example, the behavior in the same element as in the following (1) and (2), but the corresponding method changes depending on the time series.
(1) A process communicates with an external host after opening a file,
(2) A process opens a file after communicating with an external host.
According to the present embodiment, since the administrator can easily confirm the difference, the support device 104 can support the administrator to take an optimal response to the abnormal event. The order of the abnormal events in the abnormal event list is not limited to the time series, but may be any order.

(About hardware configuration)
In each embodiment of the present invention, each component of each device indicates a block of a functional unit. Some or all of the components of each device are realized by, for example, an arbitrary combination of an information processing device 500 and a program as shown in FIG. The information processing device 500 includes, for example, the following configuration.

・ CPU (Central Processing Unit) 501
・ ROM (Read Only Memory) 502
・ RAM (Random Access Memory) 503
A program 504 loaded into the RAM 503
A storage device 505 for storing the program 504
A drive device 507 for reading and writing the recording medium 506
A communication interface 508 connected to the communication network 509
An input / output interface 510 for inputting / outputting data
A bus 511 for connecting each component
Each component of each device in each embodiment is realized by the CPU 501 acquiring and executing a program 504 that realizes these functions. The program 504 for realizing the function of each component of each device is stored in advance in, for example, the storage device 505 or the RAM 503, and is read by the CPU 501 as necessary. The program 504 may be supplied to the CPU 501 via the communication network 509, or may be stored in the recording medium 506 in advance, and the drive device 507 may read the program and supply it to the CPU 501.

  There are various modifications of the method of realizing each device. For example, each device may be realized by an arbitrary combination of a separate information processing device 500 and a program for each component. Also, a plurality of components included in each device may be realized by an arbitrary combination of one information processing device 500 and a program.

  In addition, some or all of the components of each device are realized by other general-purpose or dedicated circuits, processors, and the like, and combinations thereof. These may be configured by a single chip, or may be configured by a plurality of chips connected via a bus.

  Some or all of the components of each device may be realized by a combination of the above-described circuit and the like and a program.

  When a part or all of each component of each device is realized by a plurality of information processing devices and circuits, the plurality of information processing devices and circuits may be centrally arranged or distributed and arranged. Is also good. For example, the information processing device, the circuit, and the like may be realized as a form in which each is connected via a communication network, such as a client and server system or a cloud computing system.

  Each of the above-described embodiments is a preferred embodiment of the present invention, and does not limit the scope of the present invention only to the above-described embodiments. Those skilled in the art will not depart from the gist of the present invention. However, it is possible to construct a form in which various modifications are made by modifying or substituting the above embodiments.

Reference Signs List 10 support device 11 classification unit 12 generation unit 100 support device 101 support device 102 support device 103 support device 104 support device 110 classification unit 111 classification unit 120 generation unit 121 generation unit 122 generation unit 130 storage unit 140 detection unit 141 detection unit 150 reception Unit 151 reception unit 152 reception unit 160 display control unit 200 display device 300 input device

Claims (13)

Classification means for classifying an event detected as an abnormal event among events between a plurality of elements, for each element related to the abnormal event,
Based on the result of the classification, the abnormal event is expressed with the elements as vertices and the relation between the elements as edges, and the relationship graph is displayed on the display screen, with the elements being arranged for each type on a display screen. and a generating means for generating,
The event is an event that has occurred on a system including a plurality of hosts,
The classification means classifies the abnormal event for each element for each host,
A support device that arranges the elements in a first direction for each type and generates the relationship graph in which the types are arranged in a second direction different from the first direction for each host; . The abnormality event is associated with a value indicating the degree of abnormality,
The support device according to claim 1, wherein the generation unit generates the relation graph in which the elements are arranged in the first direction for each type based on the degree of the abnormality. The support device according to claim 1 , wherein, in the relation graph, the types are arranged in the second direction in the order of a file in a host, a process in the host, and an external host different from the host. The relationship graph, the type is, in the second direction, the account in the host, the process within the host, arranged in order of different external hosts the file or the host in the host, to claim 1 or 2 The support device as described. The relationship graph, the type is, in the second direction, the account in the host, the process within the host, arranged in order of different external hosts a file and the hosts in the host, to claim 1 or 2 The support device as described. The generation unit includes an internal component of the host, the elements representing the external host that is different from the said host, in the display screen, generates the relationship graph displayed in distinguishable manner, claim The support device according to any one of 1 to 5 . Further comprising a receiving means for receiving the selection of the abnormal event,
The support according to any one of claims 1 to 6, wherein the classification unit classifies an abnormal event generated after a time specified based on the received abnormal event for each element related to the abnormal event. apparatus. When a pointer displayed on the display screen is superimposed on the vertex or the side on the display screen, the generation unit determines whether the element indicating a vertex connected to the vertex or the side corresponds to the element. The support device according to any one of claims 1 to 7 , wherein the location in the host is displayed on the display screen by a full path. A list including the abnormal event and the relation graph associated with the list, a screen including a generated screen, the generated screen, further comprising a display control means for displaying on the display screen,
When the pointer displayed on the display screen is superimposed on any one of the plurality of abnormal events displayed on the display screen, the display control unit superimposes the pointer. The support device according to any one of claims 1 to 8, wherein an abnormal event related to the present abnormal event is displayed in a manner different from other abnormal events. The support device according to any one of claims 1 to 9, further comprising a detection unit configured to detect the abnormal event. The support device according to claim 1 , further comprising a display unit including the display screen. Among events between a plurality of elements, an event detected as an abnormal event is classified for each element related to the abnormal event,
Based on the result of the classification, the abnormal event is represented by defining the element as a vertex and the relationship between the elements as an edge, and the relational graph in which the element is arranged for each type on a display screen and displayed on the display screen Produces
The event is an event that has occurred on a system including a plurality of hosts,
When classifying the abnormal event for each element, classify the abnormal event for each host,
When generating the relation graph, the elements are arranged in a first direction for each type, and the relation graph in which the types are arranged in a second direction different from the first direction is generated for each host. How to help. Among the events between a plurality of elements, a process of classifying an event detected as an abnormal event for each element related to the abnormal event;
Based on the result of the classification, the abnormal event is expressed with the elements as vertices and the relation between the elements as edges, and the relationship graph is displayed on the display screen, with the elements being arranged for each type on a display screen. And causing the computer to execute
The event is an event that has occurred on a system including a plurality of hosts,
The classifying process is a process of classifying the abnormal event for each element for each host,
The processing for generating includes a program for arranging the elements in a first direction for each type, and generating, for each host, the relation graph in which the types are arranged in a second direction different from the first direction. .

Images