WO2017038221A1 - Device for outputting information for inspection and for analyzing system tendency through analysis and translation of computer operation log - Google Patents

Device for outputting information for inspection and for analyzing system tendency through analysis and translation of computer operation log

Info

Publication number
WO2017038221A1
Authority
WO
WIPO (PCT)
Prior art keywords
log information
pass
user
processing
processing device
Prior art date
Application number
PCT/JP2016/068740
Other languages
English (en)
French (fr)
Japanese (ja)
Inventor
整一 伊藤
由之 久鍋
利和 石崎
Original Assignee
株式会社網屋
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 株式会社網屋
Priority to SG11201801619RA (patent SG11201801619RA)
Priority to MYPI2018700792A (patent MY189366A)
Publication of WO2017038221A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment

Definitions

  • The present invention relates to a technical apparatus that analyzes and translates the log information output when a user operates a computer device, outputs a report in which the operations and operation records for the target computer device are translated into plain natural language, and advises on improvements.
  • The computer device has a function of recording, as a log file, the operation of all software running on it, including the OS.
  • the OS running on the computer device
  • Logs that record the operation of various computers are output by the OS and the software that runs on it.
  • Techniques such as file analysis and translation are required. Improvement information, obtained by analyzing the accumulated log files to find points for improvement, is required for optimization.
  • The present invention realizes the following procedures.
  • Log information event log data, audit log
  • Log information output by computer systems and personal computers (smartphones, tablets, wearables), machinery (industrial equipment, general equipment, vehicles), electrical products, and other things (furniture, buildings)
  • Data system log, application log, service log, etc.
  • A mapping processing device extracts the necessary items of log information for each user, server, and target. The output of the mapping process is matched against the user, the server, and the combination patterns of n operation results predetermined in the rule master, to track the trace of the operation that actually occurred.
  • From the tracking results for each summary, which are the output of the pass 1 processing device, identical operations within a certain time are compressed into one, so that the output of the pass 1 processing device is arranged in a more easily viewable form.
  • Incident management and security management can be performed efficiently and accurately by searching and reporting the results of the series of processing by the mapping processing device, prepass processing device, pass 1 processing device, pass 2 processing device, and pass 3 processing device. The log can be put to further use by the pass 4 processing device, which translates codes and binary data into natural language, and by the pass 5 processing device, the pass 6 processing device, and the pass 7 processing device, which output improvement information from the log information.
  • The log data analysis and log data translation apparatus for computer devices and the like of the present invention does not require specialized knowledge of the user, makes the log easy to read so that the original operation can be grasped, and greatly saves storage resource capacity. By translating into natural language the codes and binary data corresponding to events that are output in large quantities, it enables trend analysis.
  • FIG. 1 is an overall configuration diagram showing an example of the present invention
  • FIG. 2 is an overview of mapping processing
  • FIG. 3 is pre-pass 1 processing
  • FIG. 4 is pass 1 processing
  • FIG. 5 is pass 2 processing
  • FIG. 8 is a pass 5 process.
  • FIG. 9 is a pass 6 process.
  • FIG. 10 is a pass 7 process.
  • FIG. 1 shows an overall apparatus for collecting 111 log information output by a computer or the like as an example of an embodiment of the present invention, compressing the collected log information, and translating and analyzing the log information into a natural language that is easy for humans to understand.
  • 101 User A has a file 107 A of 104 server ⁇ , files 108 B and 109 ⁇ of 105 server ⁇ , 102 User B has files 108 and 109 on 105 server ⁇ , and 103 user C operates file 110 of 106 server ⁇ .
  • When each of the computers 104 server ⁇ , 105 server ⁇ , and 106 server ⁇ is operated, it outputs the operation status of the computer as 111 log information.
  • The 113 translation server periodically collects the output log information using a network or the like, and compiles it into one 114 collected log information.
  • The 114 collected log information is read and necessary data is added so that it can be easily translated by the 116 mapping processing device.
  • The log pattern is classified by the 117 prepass 1 processing device, and the log operation is organized by the 118 pass 1 processing device.
  • FIG. 1 is an overall block diagram of an apparatus in which the 119 pass 2 processing device and the 120 pass 3 processing device organize the translations, the processing from the 116 mapping processing device through the 120 pass 3 processing device reduces the data volume to between 1/1000 and 1/2000, the 121 pass 4 processing translates the result into natural language that is easy for a human to understand, the 122 pass 5 processing evaluates the user's access rights, the 123 pass 6 processing outputs improvement proposal information, and the 124 pass 7 processing device outputs server load statistical information. Because the inventor and the applicant have given the software and devices their own names, the terms specific to the present invention are described below.
  • Date: Date, time, minute, and second when the user accessed the file.
  • Log information: Operation records, application logs, service logs, system logs, event logs, and audit logs output by computer systems, personal computers, smartphones, tablets, wearables, industrial equipment, general equipment, vehicles, electrical products, medical equipment, furniture, buildings, etc.; operation records such as command information and digital data.
  • Log information table: A table in which the information required for analysis is converted from log information to analysis format and expanded in memory.
  • System log: Records information such as computer start and stop, administrator logon and logoff, restart, hardware failure, kernel error, server software and daemon, and resident program start and stop.
  • Access control list: Information that describes the access authority for an individual object set by the authentication flow system.
  • Control information: Information such as operation, summary, and skip.
  • Event log: Records various events that occur in the system, such as configuration changes and failures.
  • Audit log: Records, in chronological order, the operations performed on the system by the system user, developer, and operator.
  • Rule master: Describes the rules for analyzing and judging, in time series, the operation on each line of log information. The time required for the analysis is described in each rule, and this time is called the fixed time.
  • Fixed time (constant time): The time described in the rule master; a different time is described for each rule. This time is a rule defined in the rule master, the interval master, etc.
  • FIG. 2 is a diagram describing the 116 mapping processing apparatus of the present invention. The 111 log information output by computers and the like is collected over a network or the like and gathered into the 114 collected log information; the 114 collected log information is read, and items such as date, user, server, target, and details are extracted according to the analysis content 211 operation, 212 summary No.
  • In this example, the log information of a file server is used, with the items 206 date / time, 207 user, 208 server, 209 target, and 210 details, and the analysis of the user's operations on files stored in the file server is taken as the example.
  • When the target of analysis is energy saving for cars and industrial equipment, the items are the date and time, energy consumption for a certain period of time, the status of energy-consuming equipment (rotations, etc.), the external environment (temperature, humidity, etc.), distance traveled, and number of operations.
  • The 206 date / time, 207 user, 208 server, 209 target, and 210 details items that were read are set in the items of the 204 log information table in memory, and the 210 details are matched against the 202 details of the 201 operation master.
  • 203 operation is set to 211 operation, and 212 summary No.
  • a default value of “FALSE” is set in the 213 Skip item, and a memory area capable of storing 214 times is secured.
  • FIG. 3 is a diagram describing the 117 prepass 1 processing apparatus of the present invention.
  • a 301 summary table for all combinations of 207 users, 208 servers, and 209 targets existing in the log information table is created, and a sequence No. And create it in memory, 204
  • The 207 user, 208 server, and 209 target of the 204 log information table are matched against the 303 user, 304 server, and 305 target of the 301 summary table, and the 303 summary No. assigned in the 301 summary table to the identical combination is set in the 212 summary No. item of the 204 log information table.
  • When the combination of 207 user, 208 server, and 209 target in the 204 log information table is matched against the 303 user, 304 server, and 305 target of the 301 summary table and no identical combination exists, a sequence number is set as the 302 summary number.
  • The combination of 207 user, 208 server, and 209 target is set to 303 user, 304 server, and 305 target, and a 301 summary table for all combinations is created in memory.
  • FIG. 4 is a diagram describing the pass 1 processing apparatus of the present invention. Process from the beginning of the 204 log information table expanded in memory, 212 Summary No.
  • the same data “1” can be searched for, and the 210 detailed data of 205 Seq # “2” is “$% # 257445y7nco9yw983”. Since there is no data in the 407 sequence 2 of “1” and the 405 fixed time is “3” and the difference in 206 date / time is “0” in this case, the 211 operation of 205 Seq # “1” is read. And 211 operation is set to “read”, 213Skip remains “FALSE”, and 213Skip of 205Seq # “2” is set to “TRUE”. Next, the pointer is advanced by one. However, since 213 Skip of 205 Seq # “2” is “TRUE”, the pointer is not processed and the pointer is advanced by one.
  • the same data “1” can be searched for, and the 210 detailed data of 205 Seq # “8” is “$% # 257445y7nco9yw983”. Since there is no data in the 407 sequence 2 of “1” and the 405 fixed time is “3” and the difference in 206 date / time is “1” in this case, the 211 operation of 205 Seq # “7” is read. And 211 operation is set to “read”, 213 Skip is set to “FALSE”, 213 Skip of 205 Seq # “8” is set to “TRUE”, and the pointer is advanced by one. Next, the pointer is advanced by 1.
  • FIG. 5 is a diagram describing the pass 2 processing apparatus of the present invention. Only the rows of the 204 log information table expanded in memory whose 213 Skip is “FALSE” are targeted. Rows with the same 211 operation and the same 212 summary No. within a fixed interval before and after are collected according to the 501 interval master, and the number of rows with the same 211 operation and 212 summary No. is counted and set in 214 times.
  • 213 Skip of 205 Seq # “4” is “FALSE”, but because the 211 operation and 212 summary No. do not match, it is excluded from processing, and the match processing pointer is advanced by one. Since 213 Skip of 205 Seq # “5” is “TRUE”, it is not processed and the match processing pointer is advanced by one. Although 213 Skip of 205 Seq # “6” is “FALSE”, because the 211 operation and 212 summary No. do not match, it is excluded from processing, and the match processing pointer is advanced by one. 213 Skip of 205 Seq # “7” is “FALSE”, and 212 summary No.
  • With the pointer advanced to the sixth row, the 213 Skip of 205 Seq # “6” is “FALSE” and the 211 operation is “write”. When the 502 operation of the 501 interval master is examined, “write” is present and the 503 interval is “2”. Therefore, in order to investigate 2 seconds before and after, 211 operation “write” 212 summary No.
  • the pointers “(3)” and 205Seq # “6” are stored, and the match processing pointer is shifted to a position two seconds before. In the present embodiment, two seconds before 206 date and time is the head data of the 204 log information table.
  • 213 Skip of 205 Seq # “1” is “FALSE”, but 211 operation and 212 summary No.
  • FIG. 6 is a diagram describing the pass 3 processing apparatus of the present invention.
  • A computer performs a plurality of operations in response to a single command from a human.
  • The computer reads the index information on the disk and then deletes the index information.
  • The 211 operation is checked for each 212 summary No. of the 204 log information table, and the operation actually performed by a human is determined. Processing is started from the head of the 204 log information table expanded in memory in FIG. 6. For 205 Seq # “1”, 213 Skip is “FALSE”, the 212 summary No. is “1”, and the 211 operation “read” appears for the first time, so the 211 operation “read” 212 summary No. “1” pointer is stored, and the processing pointer is advanced by one. Since 213 Skip of 205 Seq # “2” is “TRUE”, the pointer is advanced by one.
  • FIG. 7 is a diagram describing the pass 4 processing apparatus of the present invention. Based on the 612 user in the 124 access log output as a file at pass 3, the actions performed by the users are translated into natural language using the 701 dictionary master. By using natural language, human-readable system audit trails, attendance management, daily reports, weekly reports, etc. can be generated automatically, and by changing the 701 dictionary master, any data output by any machine can be converted.
  • For the 701 dictionary master entry whose 702 operation 1 is “logon”, the 704 sentence, with the 612 user applied to “ ⁇ user ⁇ ” and the 613 server applied to “ ⁇ server ⁇ ”, is output to the 126 natural language report file.
  • If the next 615 operation for the same 612 user is “logoff”, a punctuation mark “,” and a line feed code are written, and logoff processing is performed according to the dictionary master.
  • “read” is searched for in 702 operation 1 of the 701 dictionary master. There are two cases in the 701 dictionary master, and there is a pattern in which “write” follows.
  • the same 612 user is “A”
  • the 613 server is “ ⁇ ”
  • the 614 target is “former”.
  • The rows below are searched for an item whose 211 operation is “write”. Since the data of 611 date and time “2015/06/24 20:39:49” and “2015/06/24 20:59:05” match, the 701 dictionary master entry in which 702 operation 1 is “read” and 703 operation 2 is “write” is used, the 614 target is applied to “ ⁇ target ⁇ ”, and the 124 access log time, the 704 sentence, a comma, and a line feed code are output to the 126 natural language report.
  • FIG. 8 is a diagram describing the pass 5 processing apparatus of the present invention.
  • Using information set in advance for each user with an electronic approval workflow system or the like (the usable server, target, authority, application period, approval date / time, deletion date / time, and so on) together with the 803 user of the 801 access log (user sort), the validity of the access authority for the 805 target is confirmed, and the result of the confirmation is written in the 821 warning of the 127 warning report.
  • From the 801 access log (user sort), which is produced by sorting the 125 access log by 612 user, it can be seen from the 806 operation that the 801 user “A” read the 805 target “A” on the 804 server “ ⁇ ” at 802 date and time “2015/06/21 10:35:40”.
  • The 801 user, 804 server, and 805 target of the 801 access log (user sort) are used as keys to match the 812 user, 813 server, and 814 target of the 811 access control list. From the information on the 816 application period, 817 approval date, and 818 deletion date, it can be seen from the 818 deletion date and time that the access right of the 812 user “A” to the 814 target “A” on the 813 server “ ⁇ ” was revoked on 2015/06/20. In reality, however, the operation at 802 date and time “2015/06/21 10:35:40” shows that the 803 user “A” read the 805 target “Class A” on the 804 server “ ⁇ ”. From this fact, it can be inferred that the administrator has made a mistake in setting access rights.
  • FIG. 9 is a diagram describing the pass 6 processing apparatus of the present invention.
  • The past access history is accumulated, and the actual file access status is compared against the accumulated access record. Based on instruction information set in advance by the administrator, for files that no one has accessed for a certain period of time, an alarm report is output, or the files are automatically deleted or automatically backed up to storage.
  • The 904 server and 905 target of the 901 access log (server sort), which is produced by sorting the 125 access log by 613 server, are used as keys, and the 914 last access date of the row having the same 911 server and 912 target is matched with the 128 access history.
  • The 915 audit date is updated to the current processing date, and the 916 elapsed days is updated to the number of days obtained by subtracting the 914 last access date from the current date.
  • FIG. 10 is a diagram describing the pass 7 processing apparatus of the present invention.
  • The access frequency of files on a server over a certain period, such as six months, quarterly, or monthly, is measured to calculate the 1005 ratio 1 and the amount of processing associated with access, for use in considering the future load distribution of each server.
  • the date and time part of the 125 access log 206, 207 users, 208 servers, 209 objects and 211 operations and 211 operations as keys are matched with the 129 operation improvement information and the corresponding 1004 times, the 207 servers, 208 objects, 206 of the 125 access logs
  • the user counts the date part of 205 date and time and the number of appearances of 210 operations and adds them to 1004 times.
  • After all the rows of the 203 log information table have been processed, statistical information such as the access ratio is calculated on a monthly and quarterly basis using the value of 1004 times.
  • The value of 1004 times is expressed as a percentage of the 1004 times of all servers on a monthly basis; the information is set per target in 1005 ratio 1 and per server in 1006 ratio 2.
  • the access frequency from an operation actually performed by a human. Since each item of the 902 statistical information can be freely changed, it is possible to analyze all statistical information such as communication line usage frequency and communication line communication fee. It is possible to improve the processing content and programming by analyzing the load for each access content.
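The prepass 1 summary numbering (FIG. 3) and the pass 2 compression (FIG. 5) described above, as an added Python sketch that is not code from the patent. The sample rows, the server name `srv1`, the file name and all function names are constructed for illustration; only the interval master entry of 2 seconds for "write" comes from the text, and operations missing from the interval master are assumed to be left uncompressed.

```python
from datetime import datetime, timedelta

FMT = "%Y/%m/%d %H:%M:%S"

# Constructed sample log rows: (date/time, user, server, target, operation).
ROWS = [
    ("2015/06/24 20:39:47", "A", "srv1", "report.doc", "read"),
    ("2015/06/24 20:39:48", "A", "srv1", "report.doc", "write"),
    ("2015/06/24 20:39:49", "A", "srv1", "report.doc", "write"),
    ("2015/06/24 20:39:50", "A", "srv1", "report.doc", "write"),
    ("2015/06/24 20:39:50", "B", "srv1", "report.doc", "write"),
    ("2015/06/24 20:40:30", "A", "srv1", "report.doc", "write"),
]

# Interval master: operation -> interval in seconds ("write" = 2 as in the text).
INTERVAL_MASTER = {"write": 2}


def assign_summary_numbers(rows):
    """Prepass 1: give each (user, server, target) combination a sequential
    summary No. and copy it into every row of the log information table."""
    summary_table = {}
    table = []
    for seq, (when, user, server, target, operation) in enumerate(rows, start=1):
        key = (user, server, target)
        summary_no = summary_table.setdefault(key, len(summary_table) + 1)
        table.append({
            "seq": seq,
            "time": datetime.strptime(when, FMT),
            "operation": operation,
            "summary_no": summary_no,
            "skip": False,   # default "FALSE", as in the mapping step
            "times": 1,      # occurrence count filled in by pass 2
        })
    return summary_table, table


def compress(table, interval_master):
    """Pass 2: for each row with Skip FALSE, fold every other unskipped row with
    the same operation and summary No. within +/- interval seconds into it."""
    for anchor in table:
        if anchor["skip"]:
            continue
        seconds = interval_master.get(anchor["operation"])
        if seconds is None:
            continue  # assumption: no interval master entry means no compression
        window = timedelta(seconds=seconds)
        for other in table:
            if (other is not anchor and not other["skip"]
                    and other["operation"] == anchor["operation"]
                    and other["summary_no"] == anchor["summary_no"]
                    and abs(other["time"] - anchor["time"]) <= window):
                other["skip"] = True
                anchor["times"] += 1
    return [row for row in table if not row["skip"]]


def demo():
    """Run both steps on the constructed rows and return (seq, operation, times)."""
    _, table = assign_summary_numbers(ROWS)
    return [(r["seq"], r["operation"], r["times"])
            for r in compress(table, INTERVAL_MASTER)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The three writes by user A within two seconds collapse into one row with a count of 3, while user B's write at the same second stays separate because it carries a different summary No.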
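The pass 5 check described for FIG. 8, matching the user-sorted access log against the access control list, as an added Python sketch that is not code from the patent. The access control list layout, the server name `srv1`, the target name `fileA`, the warning texts and the function names are assumptions; the deletion date 2015/06/20 and the read at 2015/06/21 10:35:40 follow the example in the text, with midnight assumed as the deletion time.

```python
from datetime import datetime

FMT = "%Y/%m/%d %H:%M:%S"


def ts(text):
    """Parse a log timestamp; None means the field is not set."""
    return datetime.strptime(text, FMT) if text else None


# Constructed access control list keyed by (user, server, target).
ACL = {
    ("A", "srv1", "fileA"): {
        "authority": {"read"},
        "period": (ts("2015/01/01 00:00:00"), ts("2015/12/31 23:59:59")),
        "approved": ts("2015/01/05 09:00:00"),
        "deleted": ts("2015/06/20 00:00:00"),   # right revoked on 2015/06/20
    },
    ("B", "srv1", "fileA"): {
        "authority": {"read"},
        "period": (ts("2015/01/01 00:00:00"), ts("2015/12/31 23:59:59")),
        "approved": ts("2015/01/05 09:00:00"),
        "deleted": None,
    },
}

# Constructed access log rows: (date/time, user, server, target, operation).
ACCESS_LOG = [
    ("2015/06/21 11:05:00", "C", "srv1", "fileA", "read"),
    ("2015/06/21 10:35:40", "A", "srv1", "fileA", "read"),
    ("2015/06/19 09:00:00", "A", "srv1", "fileA", "read"),
    ("2015/06/21 11:00:00", "B", "srv1", "fileA", "write"),
]


def check_row(row, acl):
    """Return a warning text if the access is not covered by the ACL, else None."""
    when, user, server, target, operation = row
    at = ts(when)
    entry = acl.get((user, server, target))
    if entry is None:
        return "no access right registered"
    if entry["approved"] is None or at < entry["approved"]:
        return "access before approval"
    if entry["deleted"] is not None and at >= entry["deleted"]:
        return "access after right was deleted"
    start, end = entry["period"]
    if not start <= at <= end:
        return "access outside application period"
    if operation not in entry["authority"]:
        return "operation exceeds granted authority"
    return None


def warning_report(access_log, acl):
    """Sort the access log by user, then time, and collect one warning per bad row."""
    report = []
    for row in sorted(access_log, key=lambda r: (r[1], ts(r[0]))):
        reason = check_row(row, acl)
        if reason:
            report.append((row[1], row[0], row[4], reason))
    return report


if __name__ == "__main__":
    for line in warning_report(ACCESS_LOG, ACL):
        print(line)
```

A row flagged as "access after right was deleted" points at either a stale permission on the server or a wrong entry in the approval workflow, which is the administrator mistake the text infers.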

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Debugging And Monitoring (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
PCT/JP2016/068740 2015-09-04 2016-06-17 Device for outputting information for inspection and for analyzing system tendency through analysis and translation of computer operation log WO2017038221A1 (ja)

Priority Applications (2)

Application Number Priority Date Filing Date Title
SG11201801619RA SG11201801619RA (en) 2015-09-04 2016-06-17 Device for outputting information for inspection and for analyzing system tendency through analysis and translation of computer operation log
MYPI2018700792A MY189366A (en) 2015-09-04 2016-06-17 Device for outputting information for inspection and for analyzing system tendency through analysis and translation of computer operation log

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2015187392A JP6501159B2 (ja) 2015-09-04 2015-09-04 Device for outputting information for inspection and for analyzing system tendency through analysis and translation of computer operation log
JP2015-187392 2015-09-04

Publications (1)

Publication Number Publication Date
WO2017038221A1 (ja) 2017-03-09

Family

ID=58188868

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2016/068740 WO2017038221A1 (ja) 2015-09-04 2016-06-17 Device for outputting information for inspection and for analyzing system tendency through analysis and translation of computer operation log

Country Status (5)

Country Link
JP (1) JP6501159B2 (zh)
MY (1) MY189366A (zh)
SG (1) SG11201801619RA (zh)
TW (1) TWI722001B (zh)
WO (1) WO2017038221A1 (zh)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008050560A1 (fr) * 2006-10-25 2008-05-02 Sharp Kabushiki Kaisha Content delivery server, content providing server, content delivery system, content delivery method, content providing method, terminal device, control program, and computer-readable recording medium
JP2011065397A (ja) * 2009-09-17 2011-03-31 Nec Corp Unauthorized access detection device, unauthorized access detection program, and unauthorized access detection method
JP2012022380A (ja) * 2010-07-12 2012-02-02 Kddi Corp Log extraction system and program
JP2013084212A (ja) * 2011-10-12 2013-05-09 Nippon Telegr & Teleph Corp <Ntt> Log collection system, method, and program
JP2013152657A (ja) * 2012-01-26 2013-08-08 Kyocera Document Solutions Inc Log conversion program and information processing device
JP2013171542A (ja) * 2012-02-22 2013-09-02 Nippon Telegr & Teleph Corp <Ntt> Performance analysis device, performance analysis method, and performance analysis program
JP2014106679A (ja) * 2012-11-27 2014-06-09 Fujitsu Ltd Sampling program, sampling method, and information processing device
JP2015141472A (ja) * 2014-01-27 2015-08-03 株式会社東芝 Information processing device and information processing program

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101339551B (zh) * 2007-07-05 2013-01-30 日电(中国)有限公司 Natural language query requirement expansion device and method
CN101093509B (zh) * 2007-07-18 2010-06-16 中国科学院计算技术研究所 Query interaction system and method
JP2010262491A (ja) * 2009-05-08 2010-11-18 Hitachi Ltd Log aggregation device
WO2010141799A2 (en) * 2009-06-05 2010-12-09 West Services Inc. Feature engineering and user behavior analysis
JP2012208565A (ja) * 2011-03-29 2012-10-25 Sumitomo Electric System Solutions Co Ltd Log management method, log management device, and program
US8776241B2 (en) * 2011-08-29 2014-07-08 Kaspersky Lab Zao Automatic analysis of security related incidents in computer networks
US20140120513A1 (en) * 2012-10-25 2014-05-01 International Business Machines Corporation Question and Answer System Providing Indications of Information Gaps

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
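CN113076296A (zh) * 2021-03-30 2021-07-06 咪咕文化科技有限公司 Log generation method and apparatus, electronic device, and storage medium
CN113076296B (zh) * 2021-03-30 2024-06-07 咪咕文化科技有限公司 Log generation method and apparatus, electronic device, and storage medium
CN113535519A (zh) * 2021-07-27 2021-10-22 浪潮软件科技有限公司 Monitoring and alarm method
CN113535519B (zh) * 2021-07-27 2024-01-30 浪潮软件科技有限公司 Monitoring and alarm method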

Also Published As

Publication number Publication date
MY189366A (en) 2022-02-07
TW201719474A (zh) 2017-06-01
TWI722001B (zh) 2021-03-21
JP6501159B2 (ja) 2019-04-17
SG11201801619RA (en) 2018-03-28
JP2017049962A (ja) 2017-03-09

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16841253

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 11201801619R

Country of ref document: SG

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16841253

Country of ref document: EP

Kind code of ref document: A1