WO2020144816A1 - History management device, search processing device, history management method, search processing method and program - Google Patents

History management device, search processing device, history management method, search processing method and program

Info

Publication number
WO2020144816A1
Authority
WO
WIPO (PCT)
Prior art keywords
storage area
history
event history
event
search
Application number
PCT/JP2019/000549
Other languages
English (en)
Japanese (ja)
Inventor
純明 榮
和彦 磯山
淳 西岡
Original Assignee
日本電気株式会社
Application filed by 日本電気株式会社
Priority to JP2020565111A (JP7173165B2)
Priority to PCT/JP2019/000549 (WO2020144816A1)
Publication of WO2020144816A1


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/30 Monitoring
    • G06F 11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor

Definitions

  • the present invention relates to a technology for managing history.
  • Patent Document 1 discloses a technique of collecting logs obtained from a plurality of computers into one. Specifically, the integrated log is generated by converting the log obtained from each computer into an intermediate log in a common format and summarizing the contents of the intermediate log.
  • Patent Document 1 does not refer to searching for a desired log from the integrated log.
  • the present invention has been made in view of the above problems, and one of the purposes thereof is to provide a technique for efficiently managing the history of events.
  • the history management device of the present invention includes 1) a storage destination determining unit that acquires an event history, which is a history of events related to program activities, and determines, from a plurality of storage areas, the storage area for storing the event history based on the content of the acquired event history;
  • 2) a storage processing unit that stores the acquired event history in the determined storage area; and
  • 3) an index update unit that updates the index information associated with the determined storage area so that it indicates that the acquired event history is stored in the determined storage area.
  • the search processing device of the present invention includes 1) a query acquisition unit that acquires a search query indicating a search condition of an event history, which is a history of events related to program activities;
  • 2) a storage area specifying unit that specifies the storage areas in which the event history corresponding to the search condition may be stored by comparing the search condition indicated by the acquired search query with the index information corresponding to each storage area; and
  • 3) a search processing unit that searches the specified storage areas for the event history corresponding to the search condition.
  • the history management method of the present invention is executed by a computer.
  • the history management method includes 1) acquiring an event history, which is a history of events related to program activities, and selecting a storage area for storing the event history from a plurality of storage areas based on the content of the acquired event history.
  • the search processing method of the present invention is executed by a computer.
  • the search processing method includes 1) a query acquisition step of acquiring a search query indicating a search condition of an event history, which is a history of events related to program activities;
  • 2) a storage area specifying step of specifying the storage areas in which the event history corresponding to the search condition may be stored by comparing the search condition indicated by the acquired search query with the index information corresponding to each storage area; and
  • 3) a search processing step of searching the specified storage areas for the event history corresponding to the search condition.
  • the program of the present invention causes a computer to execute each step of the control method of the present invention.
  • FIG. 1 is a diagram illustrating a configuration of an information processing system according to a first exemplary embodiment. It is a figure which illustrates the computer for implement
  • each block diagram represents a functional unit configuration, not a hardware unit configuration, unless otherwise specified.
  • FIG. 1 is a diagram illustrating an outline of the operation of the information processing system 4000 according to the present embodiment.
  • FIG. 1 is a diagram showing a conceptual description for facilitating understanding of the operation of the information processing system 4000, and does not specifically limit the operation of the information processing system 4000.
  • the information processing system 4000 has a history management device 2000 and a search processing device 3000.
  • the history management apparatus 2000 stores in the storage area 30 the event history 10, which is information related to events that have occurred in the target computer system (hereinafter, target system).
  • the target system is composed of one or more arbitrary machines.
  • the machine may be a physical machine or a virtual machine.
  • the event represents, for example, an activity (access to a file or another process) performed by a process running on a machine included in the target system.
  • the search processing device 3000 is a device that processes a search request (search query) of the event history stored in the storage area 30 by the history management device 2000.
  • the information processing system 4000 is provided with a plurality of storage areas 30.
  • the event history 10 is stored in a part of a plurality of storage areas 30 (one or more storage areas 30 but not all storage areas 30).
  • the storage area 30 is, for example, one storage device. However, a plurality of storage areas 30 (for example, partitions) may be provided in one storage device. Further, the storage area 30 may be a storage area configured by virtually considering a set of a plurality of storage devices as one storage device.
  • the history management apparatus 2000 determines the storage area 30 in which the event history 10 is to be stored based on the content of the event history 10, and stores the event history 10 in the determined storage area 30. Further, the history management apparatus 2000 updates the index information 40 so that, when a search is performed, the search processing apparatus 3000 can narrow down the storage areas 30 to be searched to a subset of them.
  • the index information 40 is associated with the storage area 30.
  • the index information 40 corresponding to the storage area 30 indicates whether or not the event history 10 is stored in the storage area 30.
  • the history management apparatus 2000 updates the index information 40 corresponding to the storage area 30 so that it indicates that the event history 10 is stored in that storage area 30.
  • when the index information 40 indicates that "the event history 10 is not stored in the corresponding storage area 30", the event history 10 must actually not be stored in that storage area 30. That is, false negatives are not allowed. By doing so, it is possible to prevent the situation that "the event history 10 corresponding to the search condition actually exists, but the event history 10 cannot be acquired as the search result".
  • when the index information 40 indicates that "the event history 10 is stored in the corresponding storage area 30", the event history 10 may or may not actually be stored in that storage area 30. That is, false positives are acceptable.
  • the search processing device 3000 processes the search query 50 using the index information 40.
  • the search query 50 indicates a condition (hereinafter, referred to as a search condition) regarding the event history 10 that is to be acquired from the storage areas 30 by a search. For example, when a search is performed using a search query 50 indicating that the event execution subject is the application X, the search processing device 3000 acquires the event history 10 of each event executed by the application X.
  • the search processing device 3000 uses the index information 40 to narrow down the storage areas 30 in which the event history 10 satisfying the search condition indicated by the search query 50 may be stored. Specifically, the search processing device 3000 compares each piece of index information 40 with the search condition indicated by the search query 50, and thereby specifies the storage areas 30 in which the event history 10 satisfying the search condition may be stored. Then, the search processing device 3000 searches the specified storage areas 30 for the event history 10 that satisfies the search condition. If the event history 10 satisfying the search condition is stored in a specified storage area 30, the search processing device 3000 acquires that event history 10.
  • although the history management device 2000 and the search processing device 3000 are shown as separate devices in FIG. 1, these two devices may be mounted on the same computer.
  • the storage area 30 of the storage destination is determined based on the content of the event history 10, and then the index information 40 corresponding to the storage area 30 of the storage destination is updated.
  • FIG. 2 is a diagram illustrating a configuration of the information processing system 4000 according to the first embodiment.
  • the information processing system 4000 includes a history management device 2000 and a search processing device 3000.
  • the history management device 2000 has a storage destination determination unit 2020, a storage processing unit 2040, and an index update unit 2060.
  • the storage destination determination unit 2020 acquires the event history 10 and determines the storage area 30 in which the event history 10 is stored, based on the content of the event history 10.
  • the storage processing unit 2040 stores the event history 10 in the determined storage area 30.
  • the index updating unit 2060 updates the index information 40 so that the index information corresponding to the determined storage area 30 indicates that the acquired event history 10 is stored in the storage area 30.
  • the search processing device 3000 includes a query acquisition unit 3020, a storage area identification unit 3040, and a search processing unit 3060.
  • the query acquisition unit 3020 acquires the search query 50.
  • the storage area identification unit 3040 compares the search condition indicated by the search query 50 with the index information 40 corresponding to each storage area 30, and thereby specifies the storage areas 30 in which the event history 10 corresponding to the search condition may be stored.
  • the search processing unit 3060 searches the specified storage areas 30 for the event history 10.
  • Each functional configuration unit of the history management apparatus 2000 may be implemented by hardware that implements that functional configuration unit (e.g., a hard-wired electronic circuit) or by a combination of hardware and software (e.g., a combination of an electronic circuit and a program that controls the electronic circuit).
  • the case where each functional component of the history management apparatus 2000 is realized by a combination of hardware and software will be further described.
  • FIG. 3 is a diagram exemplifying a computer 1000 for realizing the history management device 2000.
  • the computer 1000 is an arbitrary computer.
  • the computer 1000 is a personal computer (PC), a server machine, a tablet terminal, a smartphone, or the like.
  • the computer 1000 may be a dedicated computer designed to realize the history management apparatus 2000 or a general-purpose computer.
  • the computer 1000 has a bus 1020, a processor 1040, a memory 1060, a storage device 1080, an input/output interface 1100, and a network interface 1120.
  • the bus 1020 is a data transmission path for the processor 1040, the memory 1060, the storage device 1080, the input/output interface 1100, and the network interface 1120 to mutually transmit and receive data.
  • the processor 1040 is a processor such as a CPU (Central Processing Unit), a GPU (Graphics Processing Unit), or an FPGA (Field-Programmable Gate Array).
  • the memory 1060 is a main storage device realized by using a RAM (Random Access Memory) or the like.
  • the storage device 1080 is an auxiliary storage device realized by using a hard disk drive, SSD (Solid State Drive), memory card, ROM (Read Only Memory), or the like. However, the storage device 1080 may be configured with the same hardware as the hardware configuring the main storage device, such as RAM.
  • the input/output interface 1100 is an interface for connecting the computer 1000 and an input/output device.
  • the network interface 1120 is an interface for connecting the computer 1000 to a communication network.
  • the communication network is, for example, LAN (Local Area Network) or WAN (Wide Area Network).
  • the method for connecting the network interface 1120 to the communication network may be a wireless connection or a wired connection.
  • the storage device 1080 stores a program module that realizes the functional configuration unit of the history management apparatus 2000.
  • the processor 1040 implements the function corresponding to each program module by reading each of these program modules into the memory 1060 and executing them.
  • Each functional configuration unit of the search processing device 3000 may be implemented by hardware (for example, a hard-wired electronic circuit or the like) that implements each functional configuration unit, similar to each functional configuration unit of the history management apparatus 2000. However, it may be realized by a combination of hardware and software (for example, a combination of an electronic circuit and a program that controls the electronic circuit).
  • FIG. 4 is a diagram exemplifying a computer 5000 for realizing the search processing device 3000.
  • the computer 5000, like the computer 1000, is an arbitrary computer.
  • the computer 5000 has a bus 5020, a processor 5040, a memory 5060, a storage device 5080, an input/output interface 5100, and a network interface 5120.
  • the bus 5020, processor 5040, memory 5060, storage device 5080, input/output interface 5100, and network interface 5120 are similar to the bus 1020, processor 1040, memory 1060, storage device 1080, input/output interface 1100, and network interface 1120, respectively.
  • the storage area 30 is realized by various storage devices.
  • the plurality of storage areas 30 may be realized by one storage device.
  • one storage area 30 may be realized by a plurality of storage devices.
  • the storage areas 30 may, for example, constitute a SAN (Storage Area Network).
  • the computer 1000 is connected to the SAN configured by the storage area 30 via the network interface 1120.
  • the computer 5000 is connected to the SAN configured by the storage area 30 via the network interface 5120.
  • each storage area 30 only needs to be configured to be accessible from both the history management device 2000 and the search processing device 3000, and does not necessarily have to configure the SAN described above.
  • FIG. 5 is a flowchart illustrating the flow of processing executed by the history management device 2000 according to the first embodiment.
  • the storage destination determination unit 2020 acquires the event history 10 (S102).
  • the storage destination determination unit 2020 determines the storage area 30 in which the event history 10 is stored, based on the acquired content of the event history 10 (S104).
  • the storage processing unit 2040 stores the event history 10 in the determined storage area 30 (S106).
  • the index update unit 2060 updates the index information 40 corresponding to the determined storage area 30 (S108).
  • FIG. 6 is a flowchart illustrating the flow of processing executed by the search processing device 3000 according to the first embodiment.
  • the query acquisition unit 3020 acquires the search query 50 (S202).
  • the storage area identifying unit 3040 identifies the storage areas 30 in which the event history 10 corresponding to the search condition may be stored by comparing the search condition indicated by the search query 50 with each piece of index information 40 (S204).
  • the search processing unit 3060 searches the specified storage areas 30 for the event history 10 (S206).
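The two flowcharts (S102 to S108 and S202 to S206) as a runnable model, added here as an illustration and not code from the patent: storage areas are grouped by period in the style of table 300, the index information 40 is a small bitmap of hashed subject paths plus the covered time range (the index format, the bitmap width and all sample events are assumptions of this example), and a check confirms the no-false-negatives property the text requires.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Event history 10: the four elements the patent lists (subject, object,
# activity content, occurrence time). All sample values below are constructed.
@dataclass(frozen=True)
class EventHistory:
    subject_path: str      # path of the subject process's executable file
    object_type: str       # "process", "file" or "socket"
    object_id: str         # identification information of the object
    content: str           # activity content, e.g. "open file"
    occurrence_time: int   # occurrence time as epoch seconds

INDEX_BITS = 64  # bitmap width (assumption; the patent fixes no index format)

def subject_bit(subject_path: str) -> int:
    """Map a subject path to one bit position with a deterministic hash."""
    digest = hashlib.sha256(subject_path.encode()).digest()
    return int.from_bytes(digest[:4], "big") % INDEX_BITS

@dataclass
class StorageArea:
    area_id: str
    records: list = field(default_factory=list)
    # Index information 40 for this area: a bitmap of subject paths stored here
    # and the time range covered. Hash collisions can produce false positives,
    # but every stored event sets its bit and widens the range, so a "not
    # stored" answer from the index is never wrong (no false negatives).
    subject_bits: int = 0
    time_min: Optional[int] = None
    time_max: Optional[int] = None

    def may_contain(self, subject_path: str, t_from: int, t_to: int) -> bool:
        """S204: compare a search condition with this area's index information."""
        if self.time_min is None:                    # nothing stored yet
            return False
        if not (self.subject_bits >> subject_bit(subject_path)) & 1:
            return False
        return not (self.time_max < t_from or self.time_min > t_to)

class HistoryManager:
    """History management device 2000 (flowchart S102 to S108)."""
    def __init__(self, periods, areas):
        # periods: group information like table 300, as (start, end, area_id)
        # with start inclusive and end exclusive.
        self.periods = periods
        self.areas = {a.area_id: a for a in areas}

    def determine_area(self, ev: EventHistory) -> StorageArea:   # S104
        for start, end, area_id in self.periods:
            if start <= ev.occurrence_time < end:
                return self.areas[area_id]
        raise ValueError(f"no storage area covers time {ev.occurrence_time}")

    def store(self, ev: EventHistory) -> str:                     # S102 to S108
        area = self.determine_area(ev)
        area.records.append(ev)                                   # S106
        area.subject_bits |= 1 << subject_bit(ev.subject_path)    # S108
        t = ev.occurrence_time
        area.time_min = t if area.time_min is None else min(area.time_min, t)
        area.time_max = t if area.time_max is None else max(area.time_max, t)
        return area.area_id

class SearchProcessor:
    """Search processing device 3000 (flowchart S202 to S206)."""
    def __init__(self, areas):
        self.areas = list(areas)

    def candidate_areas(self, subject_path, t_from, t_to):       # S204
        return [a for a in self.areas if a.may_contain(subject_path, t_from, t_to)]

    def search(self, subject_path, t_from, t_to):                 # S206
        hits = []
        for area in self.candidate_areas(subject_path, t_from, t_to):
            hits.extend(e for e in area.records
                        if e.subject_path == subject_path
                        and t_from <= e.occurrence_time <= t_to)
        return hits

def no_false_negatives(manager: HistoryManager, processor: SearchProcessor) -> bool:
    """Property the patent requires: the area holding a stored event is always
    among the candidate areas for a query that the event satisfies."""
    for area in manager.areas.values():
        for ev in area.records:
            t = ev.occurrence_time
            if not any(c is area for c in processor.candidate_areas(ev.subject_path, t, t)):
                return False
    return True

def build_demo():
    """Constructed sample data: three periods with one storage area each."""
    areas = [StorageArea("S1"), StorageArea("S2"), StorageArea("S3")]
    periods = [(0, 1000, "S1"), (1000, 2000, "S2"), (2000, 3000, "S3")]
    manager = HistoryManager(periods, areas)
    for ev in [
        EventHistory("/usr/bin/appX", "file", "/etc/hosts", "open file", 100),
        EventHistory("/usr/bin/appY", "socket", "sock:17", "open socket", 200),
        EventHistory("/usr/bin/appX", "process", "pid:4242", "start process", 1500),
        EventHistory("/usr/bin/appZ", "file", "/tmp/out.txt", "write data to file", 2500),
    ]:
        manager.store(ev)
    return manager, SearchProcessor(areas)
```

A query for appX between times 1200 and 1800 is answered by scanning only S2; S1 and S3 are excluded by their time ranges before any record is read.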
  • the event history 10 is information on an event that has occurred on the target system (on the machine included in the target system) at a certain point in the past.
  • the event history 10 shows the event occurrence time and the event content in association with each other.
  • the event history 10 represents a history of activity of a process operating on the target system. For example, the activity of a process is recorded for each system call.
  • these processes may run on the same OS (Operating System) or on different OSs. As an example of the latter, one process may communicate, via a socket interface, with another process running on a different OS.
  • Event history 10 shows information about one or more items.
  • an event is identified by information representing four elements, that is, a subject, an object, an activity content, and an occurrence time. Therefore, for example, the event history 10 is roughly divided into four items: subject information indicating the subject, object information indicating the object, content information indicating the content of the activity, and the time of occurrence.
  • the subject information is, for example, the type and identification information of the subject.
  • the type of subject is, for example, a process or a socket.
  • the subject information includes information that identifies the process.
  • information for identifying a process will be referred to as process identification information.
  • the process identification information includes a process ID (Identifier).
  • the process identification information regarding the process in which the plurality of threads operate includes the thread ID in addition to the process ID.
  • the process identification information may further include information related to the process execution file.
  • the information about the execution file of the process is, for example, the name or path of the execution file, the hash value of the execution file, the digital signature of the execution file, or the name of the application realized by the execution file.
  • the subject information includes, for example, the identifier assigned to the socket.
  • the object information is, for example, the type and identification information of the object.
  • the type of object is, for example, a process, a file, or a socket. If the object is a process, the object information includes process identification information of the process.
  • the object information includes information that identifies the file (hereinafter, file identification information).
  • file identification information is, for example, the file name or path.
  • the object information may further include the hash value of the file, or the combination of the file system identifier and the identifier of the disk block (inode number or object ID) that constitutes the file on the file system.
  • the object information includes the identifier assigned to the socket.
  • Content information is, for example, an identifier assigned in advance to each kind of activity content. For example, different identifiers are assigned to activity contents such as "start process", "stop process", "open file", "read data from file", "write data to file", "open socket", "read data from socket", "write data to socket", and "send data from a socket to another socket".
  • the access to the socket means access to another device associated with the socket.
  • the content information may indicate the identification information of the system call.
  • the identification information of the system call is, for example, a system call name or a system call number.
  • the content information may further indicate the contents of the arguments given to the system call (the value of the argument itself, or the data stored in the memory area pointed to by a pointer given as an argument) and information indicating under what conditions the system call was executed.
  • FIG. 7 is a diagram illustrating the event history 10 in a table format.
  • the table of FIG. 7 will be referred to as an event table 200.
  • Each record in the event table 200 represents one event history 10.
  • the event table 200 roughly includes four items: subject information 202, object information 204, content information 206, and occurrence time 207.
  • the subject information 202 includes three items of a process ID 208, a thread ID 209, and a path 210.
  • the object information 204 includes two items of type 212 and identification information 214.
  • the occurrence time 207 indicates the time at which the event occurred.
  • the event history 10 is generated by recording the activity of the process on the target system.
  • Existing technology can be used as the technology for recording the activity of the process.
  • FIG. 8 is a diagram illustrating a case where the content of the event history 10 is distributed and stored in a plurality of tables.
  • an event table showing the event history 10 is provided for each type of object. That is, two tables are prepared: an event table representing the event history 10 in which the object is a process and an event table representing the event history 10 in which the object is a file. Further, a table summarizing information about processes (hereinafter, process table) and a table summarizing information about files (hereinafter, file table) are prepared.
  • the event table refers to the process table and the file table.
  • the record of the process table indicating the information about the process is set to be referenced from the event table.
  • a record related to the process is added to the process table, and then that record is set to be referenced from the event table. The same is done for files.
  • the storage destination determination unit 2020 acquires the event history 10 to be processed (S102). There are various methods by which the storage destination determination unit 2020 acquires the event history 10. For example, the storage destination determination unit 2020 acquires the event history 10 by receiving the event history 10 transmitted by the device that generated the event history 10. In addition, for example, the storage destination determination unit 2020 acquires the event history 10 by accessing the storage device in which the event history 10 is stored. For example, this storage device is used for temporarily storing the generated event history 10 before storing it in the storage area 30. By storing the event history 10 acquired from this storage device in the storage area 30 by the history management device 2000, the event history 10 is managed in a manner that allows efficient search.
  • the storage destination determination unit 2020 determines the storage area 30 in which the event history 10 is stored, based on the acquired content of the event history 10 (S104).
  • the plurality of storage areas 30 are grouped according to the conditions regarding the content of the event history 10.
  • the number of storage areas 30 included in each group may be one or plural. Further, one storage area 30 may be included in only one group, or may be included in a plurality of groups.
  • the event history 10 having the same content can be stored in the same storage area 30. Therefore, when searching the event history 10, the search range can be efficiently narrowed down.
  • Information indicating the group of the storage area 30 is stored in a storage device that is accessible from both the history management device 2000 and the search processing device 3000. This information is called group information.
  • the group information is information in which a condition regarding the content of the event history 10 and a storage area 30 for storing the event history 10 corresponding to the condition are associated with each other.
  • the storage location determination unit 2020 identifies the condition that the acquired event history 10 matches from the conditions indicated by the group information. Then, the storage destination determination unit 2020 determines the storage area 30 associated with the specified condition as the storage area in which the event history 10 is stored.
  • the plurality of storage areas 30 are divided into groups based on the occurrence time of the event indicated by the event history 10 stored therein.
  • the group information indicates a time range (period) as a condition. That is, the group information indicates the correspondence between the period and the storage area 30.
  • the storage area 30 associated with a certain period stores the event history 10 whose occurrence time is included in that period.
  • FIG. 9 is a diagram exemplifying group information indicating the event occurrence time as a condition.
  • the table shown in FIG. 9 is called a table 300.
  • the table 300 associates the record ID 302, the condition 304, and the storage area ID 306 with each other.
  • the record in the first row indicates that the storage areas 30 S1, S2, S3 are associated with the period P1.
  • the storage location determination unit 2020 identifies the period including the occurrence time indicated by the acquired event history 10 from the plurality of periods indicated by the group information. Then, the storage destination determination unit 2020 determines the storage area 30 associated with the specified period as the storage area for storing the event history 10.
  • Events often have a time bias. For example, since the trend of attack methods often changes with time, events related to attacks often have different characteristics for each period. In addition, since the attack activity often has a temporal wave, the occurrence of events related to the attack is often concentrated in a specific period.
  • the search range of the event history 10 can be efficiently narrowed by dividing the storage area 30 storing the event history 10 for each period.
  • the storage area 30 is divided into groups based on a user group related to the subject or object indicated by the event history 10 stored therein.
  • the group information indicates a user group as a condition. That is, the group information indicates the association between the user group and the storage area 30.
  • the storage area 30 associated with a certain user group stores the event history 10 indicating that user group as the user group relating to a subject or an object.
  • FIG. 10 is a diagram exemplifying group information indicating a user group as a condition.
  • the table shown in FIG. 10 is called a table 400.
  • the table 400 associates the record ID 402, the condition 404, and the storage area ID 406 with each other.
  • the record in the first row indicates that the storage areas 30 S1, S2, S3 are associated with the user group U1.
  • the storage location determination unit 2020 identifies, from a plurality of user groups indicated by the group information, one that matches the user group related to the subject or object indicated by the acquired event history 10. Then, the storage location determination unit 2020 determines the storage area 30 associated with the user group identified in the group information as the storage area for storing the event history 10.
  • information about the user group is included in the subject information and object information of the event history 10. It should be noted that which of the user group related to the subject and the user group related to the object to be used as a condition is set in advance.
  • the user group related to the subject is, for example, a user group to which the user who is executing the process of the subject of the event indicated by the event history 10 belongs.
  • examples of user groups related to objects include the following.
  • when the object of the event indicated by the event history 10 is a process, the user group related to the object is, for example, the user group to which the user executing the process belongs.
  • when the object of the event indicated by the event history 10 is a file, the user group related to the object is, for example, the user group to which the owner of the file belongs.
  • when the object of the event indicated by the event history 10 is a machine, the user group related to the object is, for example, the user group to which the owner of the machine belongs.
  • the occurrence of events is often biased for groups of users such as departments of an organization. For example, targets of attacks are often concentrated on a specific user group. For example, accounts common to user groups, file servers and Web servers in user groups may be the target of attacks. Further, when the operation policy of the computer system is different for each user group, if there is a problem with the operation policy of a certain user group, attacks may concentrate on the user group. Also, if a user group is a security boundary (such as a firewall), an attack that occurs within a certain user group is trapped within that user group (for example, malware infection occurs only within that user group). Therefore, attacks will be concentrated on that user group.
  • the search range of the event history 10 can be efficiently narrowed down by dividing the storage area 30 storing the event history 10 for each user group.
  • the storage area 30 is divided into groups based on the type of OS (Operating System) related to the subject or object indicated by the event history 10 stored therein.
  • the group information indicates the type of OS as a condition. That is, the group information indicates the association between the OS type and the storage area 30.
  • the storage area 30 associated with a certain OS type stores an event history 10 indicating the OS type as an OS type related to a subject or an object.
  • FIG. 11 is a diagram exemplifying group information indicating the type of OS as a condition.
  • the table shown in FIG. 11 is called a table 500.
  • the table 500 associates the record ID 502, the condition 504, and the storage area ID 506 with each other.
  • the record in the first line indicates that the storage areas 30 S1, S2, S3 are associated with the OS type “name is OS1 and version is v1”.
  • the information about the OS type should be included in the subject information and object information of the event history 10.
  • which of the two, the OS type related to the subject or the OS type related to the object, is used as the condition is set in advance.
  • the type of OS related to the subject is, for example, the type of OS that is executing the process of the subject of the event indicated by the event history 10.
  • when the object of the event is a process, the OS type related to the object is, for example, the type of OS executing that process.
  • when the object of the event is a machine, the OS type related to the object is, for example, the type of OS operating on that machine.
  • the types of OS are distinguished by the OS name such as Windows, MacOS, and Android.
  • the OS types may be more finely distinguished by version number or distribution.
  • the OS type is represented by the combination of the OS name and the version number.
  • Event occurrences are often biased in terms of OS type. For example, attacks are often concentrated on the type of OS where vulnerabilities were discovered.
  • because the program execution file usually differs for each type of OS, if an attack tool is created for a certain type of OS, attacks using that tool are concentrated on that type of OS.
  • the storage area 30 may be grouped by a combination of various conditions described above.
  • the storage area 30 is made to correspond to a combination of three conditions such as a period, a user group, and an OS type.
  • FIG. 12 is a diagram illustrating a case where the storage area 30 is associated with a combination of a plurality of conditions.
  • the storage area 30 is first divided into groups by period. Next, the storage areas 30 that have been grouped by period are grouped by user group. The storage areas 30 grouped by period and department are grouped by OS type. As a result, the storage area 30 is associated with the combination of the three conditions of “period, department, OS type”.
  • the storage processing unit 2040 stores the event history 10 in the storage area 30 determined by the storage destination determination unit 2020 (S106).
  • an existing technique can be used for storing the event history 10 in the storage area 30.
  • when the event history 10 is represented by a plurality of tables, the storage processing unit 2040 generates, for each of the plurality of tables, a record corresponding to the information shown in the event history 10, and stores the generated records in the storage area 30 determined by the storage destination determination unit 2020. That is, both the record of the event table and the records of the other tables referred to from the event table are stored in the storage area 30 determined by the storage destination determination unit 2020.
  • a plurality of storage areas 30 may be associated with a condition (such as the record in the first line in FIG. 9).
  • the storage processing unit 2040 selects one from the plurality of storage areas 30 determined using the group information and stores the event history 10 in the selected storage area 30.
  • the criterion for selecting one storage area 30 from the plurality of storage areas 30 is arbitrary.
  • the storage processing unit 2040 selects the storage area 30 with the smallest free space. By doing so, the number of storage areas 30 used can be reduced as much as possible.
  • the storage processing unit 2040 may select the storage area 30 having the largest free space. By doing so, access to the storage area 30 can be dispersed.
  • the storage processing unit 2040 may store the event history 10 in each of two or more of the plurality of storage areas 30 determined using the group information, thereby increasing the redundancy of the data.
  • existing technology such as RAID can be used as the technology for increasing data redundancy.
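The storage-destination procedure above (group information with combined conditions, candidate storage areas, selection by free space, then storage) as an added, runnable illustration. This is example code written for this page, not the patent's or NEC's implementation; the `GROUP_INFO` table, the event fields, the free-space figures and the policy names `fewest_areas` / `spread` are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed illustration: all names and sample data below are assumptions,
# not taken from the patent text.


@dataclass
class StorageArea:
    area_id: str
    free_space: int                      # constructed capacity figure (record slots)
    records: list = field(default_factory=list)


# Group information (cf. the tables of FIG. 9 and FIG. 11): each record maps a
# condition to one or more storage areas. A condition may combine a period,
# a user group and an OS type; an absent key imposes no constraint.
GROUP_INFO = [
    {"condition": {"period": ("2019-01-01", "2019-02-01"),
                   "user_group": "sales", "os": ("OS1", "v1")},
     "areas": ["S1", "S2"]},                       # two candidate areas
    {"condition": {"period": ("2019-01-01", "2019-02-01"),
                   "user_group": "dev", "os": ("OS1", "v1")},
     "areas": ["S3"]},
    {"condition": {"period": ("2019-02-01", "2019-03-01")},
     "areas": ["S4"]},                             # period only
]


def _ts(s):
    return datetime.fromisoformat(s)


def matches(event, condition, side="subject"):
    """True when the event satisfies every constraint of the condition.
    User group and OS type are read from the subject here; which side is
    used is a preset choice, as the text says."""
    if "period" in condition:
        start, end = condition["period"]
        if not (_ts(start) <= _ts(event["time"]) < _ts(end)):
            return False
    if "user_group" in condition and event[side]["user_group"] != condition["user_group"]:
        return False
    if "os" in condition and tuple(event[side]["os"]) != tuple(condition["os"]):
        return False
    return True


def determine_storage_areas(event, group_info=GROUP_INFO):
    """Storage destination determination: the area ids associated with the
    first condition the event matches (empty list when none matches)."""
    for rec in group_info:
        if matches(event, rec["condition"]):
            return list(rec["areas"])
    return []


def select_area(candidates, policy="fewest_areas"):
    """'fewest_areas' takes the smallest free space so as few areas as possible
    are in use; 'spread' takes the largest free space to disperse access."""
    if policy == "fewest_areas":
        return min(candidates, key=lambda a: a.free_space)
    return max(candidates, key=lambda a: a.free_space)


def store_event(event, areas_by_id, group_info=GROUP_INFO, policy="fewest_areas"):
    """Storage processing: determine, select, store. Returns the id of the
    area used, or None when no condition matches the event."""
    ids = determine_storage_areas(event, group_info)
    if not ids:
        return None
    area = select_area([areas_by_id[i] for i in ids], policy)
    area.records.append(event)
    area.free_space -= 1
    return area.area_id


def make_areas():
    return {a.area_id: a for a in (StorageArea("S1", 100), StorageArea("S2", 50),
                                   StorageArea("S3", 80), StorageArea("S4", 90))}


# Constructed event histories (subject/object carry user group and OS type)
EVENTS = [
    {"time": "2019-01-10T09:00:00",
     "subject": {"exe": "word.exe", "user_group": "sales", "os": ("OS1", "v1")},
     "object": {"file": "C:/docs/report.docx"}},
    {"time": "2019-01-12T14:30:00",
     "subject": {"exe": "ssh", "user_group": "dev", "os": ("OS1", "v1")},
     "object": {"file": "/home/dev/.ssh/id_rsa"}},
    {"time": "2019-02-03T08:15:00",
     "subject": {"exe": "powershell.exe", "user_group": "hr", "os": ("OS2", "v3")},
     "object": {"file": "C:/tmp/x.ps1"}},
]


def run_demo(policy="fewest_areas"):
    areas = make_areas()
    return [store_event(ev, areas, policy=policy) for ev in EVENTS]


if __name__ == "__main__":
    print(run_demo())            # ['S2', 'S3', 'S4']
    print(run_demo("spread"))    # ['S1', 'S3', 'S4']
```

The first event matches a condition with two candidate areas; the `fewest_areas` policy keeps filling the one with the least free space, while `spread` alternates towards the emptiest one. An event that matches no condition is not stored, which is the case a deployment has to decide on (a catch-all condition, as the period-only record shows, avoids it).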
  • the index update unit 2060 updates the index information 40 corresponding to the storage area 30 determined by the storage destination determination unit 2020 (S108).
  • the association between the storage area 30 and the index information 40 is determined in advance. For example, in the group information described above, a combination of the condition, the storage area 30, and the index information 40 is indicated. As a result, one index information 40 is used for one or more storage areas 30 associated with the same condition in the group information.
  • the index information 40 is generated and initialized when the group information is generated, for example.
  • the index information 40 corresponding to the storage area 30 is information indicating whether or not a certain event history 10 is stored in the storage area 30. Further, one piece of index information 40 is associated with one or more items in the event history 10. Here, the item of the event history 10 associated with the index information 40 is called an index item. For example, assume that the execution file name of the main process is used as the index item. In this case, the storage area 30 in which a certain event history 10 is stored can be grasped by using the execution file name and the index information of the main process indicated by the event history 10.
  • As a specific data structure of the index information 40, for example, a Bloom filter can be adopted.
  • the Bloom filter is composed of a bit string of a predetermined length.
  • one or more functions (for example, hash functions) are prepared in advance to operate the Bloom filter.
  • Each operation function maps the input data to any one or more bits included in the Bloom filter. That is, when data is input to the operation function, one or more bit positions in the Bloom filter are output.
  • the size (bit number) of the Bloom filter and the number of operation functions can be arbitrarily determined.
  • the Bloom filter never produces false negatives, and the probability of a false positive is small. Therefore, the condition that “false negatives are not allowed but false positives are allowed” is satisfied, and the data structure is suitable for the index information 40 used by the history management apparatus 2000.
  • when a Bloom filter is used as the index information 40, the index updating unit 2060 inputs the value of the index item indicated by the event history 10 processed by the storage processing unit 2040 into the above-mentioned operation functions. Then, in the Bloom filter corresponding to the storage area 30 in which the storage processing unit 2040 stored the event history 10, the index update unit 2060 changes the value of each of the one or more bits obtained from the operation functions to a value (for example, 1) indicating that the event history 10 is stored in the corresponding storage area 30.
  • FIG. 13 is a diagram illustrating a method of updating the index information 40 realized by the Bloom filter.
  • three operation functions h1 to h3 are used.
  • the index updating unit 2060 inputs the value of the index item indicated by the event history 10 to each operation function described above. As a result, the position of one or more bits is output from each operation function.
  • the index item is the execution file name of the main process. Therefore, the index updating unit 2060 inputs the execution file name of the main process indicated by the event history 10 into each of the operation functions h1 to h3. The operation functions h1 to h3 output the positions p1 to p3, respectively, according to the input.
  • the index updating unit 2060 sets the bit at each position output by each operation function to 1 in the Bloom filter. For example, in FIG. 13, the value of the bit at three locations from position p1 to p3 is changed to 1. When generating the Bloom filter, the values of all bits are initialized to 0.
  • as a result, in the Bloom filter (index information 40) corresponding to the storage area 30, each bit corresponding to the value of the index item of the event history 10 becomes 1.
  • the storage area 30 in which the event history 10 that satisfies the search condition is stored can be quickly narrowed down. Therefore, the event history 10 can be efficiently searched.
  • a specific example of the search method using the Bloom filter will be described later.
  • the index information 40 may have a data structure other than the Bloom filter.
  • as the data structure forming the index information 40, various data structures used for indexes in existing database management systems and the like can be used.
  • a plurality of index information 40 may be prepared for each storage area 30.
  • a plurality of index information 40 having different index items are prepared for each storage area 30.
  • FIG. 14 is a diagram illustrating a case where a plurality of index information 40 is prepared for each storage area 30.
  • a bloom filter having an execution file name of a main process as an index item and a bloom filter having an object file name as an index item are prepared for each storage area 30.
  • the index updating unit 2060 inputs the execution file name of the subject process indicated by the event history 10 into the operation functions and uses the result to update, among the Bloom filters corresponding to the storage area 30 in which the event history 10 is stored, the one whose index item is the execution file name of the subject process.
  • likewise, the index updating unit 2060 inputs the file name of the object indicated by the event history 10 into the operation functions and uses the result to update, among the Bloom filters corresponding to the storage area 30 in which the event history 10 is stored, the one whose index item is the file name of the object.
  • the plurality of index information 40 having different index items may have the same or different operation function. In the latter case, in the example of FIG. 14, different sets of operation functions are used to update the two Bloom filters.
  • One index item may correspond to a set of a plurality of items included in the event history 10.
  • the index information 40 is updated using the result obtained by inputting a set of a plurality of items corresponding to the index item (for example, a character string in which the values of the items are connected) to the operation function.
  • FIG. 15 is a diagram illustrating a case where index items correspond to a set of a plurality of items included in the event history 10.
  • one index item is defined by a set of the execution file name of the main process and the file name of the object. Therefore, one Bloom filter is prepared for each storage area 30 with the combination of the execution file name of the main process and the file name of the object as an index item.
  • the index updating unit 2060 inputs a character string in which the execution file name of the main process indicated by the event history 10 and the file name of the object are connected to the operation function, and the result is used to update the Bloom filter.
  • the item of the event history 10 adopted as the index item is an item frequently specified as a search condition. For example, it is assumed that the event history 10 is frequently searched to find out whether or not malware is being executed. In this case, it is considered that the search is frequently performed based on the execution file name of the main process. Therefore, it is preferable to adopt the execution file name of the main process as the index item.
  • the query acquisition unit 3020 first acquires the search query 50 (S202).
  • the search query 50 indicates a search condition that is a condition regarding the event history 10 to be searched. It can be said that the search condition represents the feature of the event history 10 to be searched.
  • the search condition is a condition regarding the value of an item included in the event history 10.
  • the storage area identifying unit 3040 identifies the storage areas 30 in which an event history 10 satisfying the search condition indicated by the search query 50 may be stored. To do so, the storage area identifying unit 3040 compares the search condition indicated by the search query 50 with each index information 40 and determines whether the index information 40 indicates that an event history 10 satisfying the search condition is stored in the corresponding storage area 30. When it does, the storage area identifying unit 3040 identifies the storage area 30 corresponding to that index information 40 as a storage area 30 in which an event history 10 satisfying the search condition may be stored.
  • otherwise, the storage area identifying unit 3040 identifies the storage area 30 corresponding to that index information 40 as a storage area 30 in which no event history 10 satisfying the search condition is stored.
  • when the index information 40 is a Bloom filter, the storage area identifying unit 3040 obtains one or more bit positions by inputting the value of the index item specified by the search condition into the operation functions of the Bloom filter. Then, for the Bloom filter corresponding to each storage area 30, the storage area identifying unit 3040 determines whether every obtained bit position holds 1 (the value indicating that an event history 10 satisfying the search condition is stored in the corresponding storage area 30). The storage area 30 corresponding to a Bloom filter in which all obtained bit positions are 1 is identified as a storage area 30 that may store an event history 10 satisfying the search condition. On the other hand, the storage area 30 corresponding to a Bloom filter in which any obtained bit position is 0 is identified as a storage area 30 in which no event history 10 satisfying the search condition is stored.
  • FIG. 16 is a diagram exemplifying a search using the index information 40 composed of Bloom filters.
  • the index item is the executable file name of the main process.
  • the storage area identifying unit 3040 inputs the execution file name of the subject process specified by the search query 50 into the operation functions h1 to h3. As a result, positions q1 to q3 are output from these operation functions, respectively.
  • the storage area identification unit 3040 determines whether or not the values of positions q1 to q3 are all 1 for each of the plurality of Bloom filters.
  • the storage area identifying unit 3040 identifies the storage area 30 corresponding to a Bloom filter whose positions q1 to q3 are all 1 as a storage area 30 in which an event history 10 satisfying the search condition may be stored. On the other hand, it identifies the storage area 30 corresponding to a Bloom filter in which any of the values at positions q1 to q3 is not 1 as a storage area 30 in which no event history 10 satisfying the search condition is stored.
  • the index information 40 does not allow false negatives. Therefore, by using the index information 40, at least the storage areas 30 that are certain not to store an event history 10 satisfying the search condition are identified and can be excluded from the search target. The time required for searching the event history 10 is thereby shortened.
  • the storage area identifying unit 3040 determines whether or not the event history 10 that satisfies the search condition is stored in each storage area 30 by using the plurality of index information 40 for each storage area 30.
  • the index information 40 is realized by a Bloom filter.
  • the value of the index item specified in the search condition is input to the Bloom filter operation function. By doing so, the position of the bit corresponding to the search condition is output for each index item.
  • the storage area identifying unit 3040 identifies a storage area 30 as one that may store an event history 10 satisfying the search condition when, in every corresponding Bloom filter, all bit positions obtained from the operation functions are 1. On the other hand, a storage area 30 for which any bit position obtained from the operation functions is 0 in any of the corresponding Bloom filters is identified as a storage area 30 in which no event history 10 satisfying the search condition is stored.
  • FIG. 17 is a diagram exemplifying a search in the case where a plurality of index items exist: an index item for the execution file name of the main process and an index item for the object file name.
  • the storage area identifying unit 3040 inputs the execution file name of the main process specified in the search condition into the operation functions, thereby obtaining bit positions q1 to q3 for the Bloom filter corresponding to the execution file name of the main process.
  • similarly, the storage area identifying unit 3040 inputs the file name of the object specified in the search condition into the operation functions, thereby obtaining bit positions q4 to q6 for the Bloom filter corresponding to the file name of the object.
  • the storage area identifying unit 3040 determines whether the bits at positions q1 to q3 are all 1 in the Bloom filter corresponding to the execution file name of the main process, and likewise whether the bits at positions q4 to q6 are all 1 in the Bloom filter corresponding to the file name of the object. If both hold, there is a possibility that an event history 10 satisfying the search condition is stored in the storage area 30 corresponding to these Bloom filters.
  • if any of the bits at positions q1 to q3 is 0 in the Bloom filter corresponding to the execution file name of the main process, or any of the bits at positions q4 to q6 is 0 in the Bloom filter corresponding to the object file name, it is certain that no event history 10 satisfying the search condition is stored in the storage area 30 corresponding to these Bloom filters.
  • the items corresponding to the above-mentioned index items must be included in the items of the event history 10 specified by the search condition.
  • for example, when the execution file name of the main process is used as the index item as shown in FIG. 13, the execution file name of the main process needs to be specified by the search condition indicated by the search query 50. If no condition regarding the index item is included in the search condition, the search processing device 3000 does not use the index information 40 and, for example, executes the search over all the storage areas 30.
  • the search processing unit 3060 executes a search of the event history 10 for the storage area 30 specified by the storage area specifying unit 3040. Specifically, the search processing unit 3060 searches the storage area 30 corresponding to the specified index information 40 for the event history 10 that satisfies the search condition. Then, if the event history 10 that satisfies the search condition is stored in the storage area 30, the search processing unit 3060 acquires the event history 10. Note that existing technology can be used as a technology for searching for data satisfying the search condition in a specific storage area.
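The index update (FIG. 13, FIG. 14) and the search narrowing (FIG. 16, FIG. 17) described above, as an added, runnable illustration written for this page; it is not the patent's or NEC's code. It assumes one Bloom filter per storage area for each of two index items (`subject_exe`, `object_file`), realises the operation functions h1 to h3 by salting a SHA-256 digest, and uses constructed sample event histories; the filter size and all names are assumptions. The `no_false_negatives` check and the fall-back to searching every area when the condition names no index item go beyond the figures but follow the text.

```python
import hashlib

# Constructed illustration; names, filter parameters and sample events are
# assumptions, not taken from the patent.


class BloomFilter:
    """Bit string of fixed length with k operation functions h1..hk."""

    def __init__(self, size=256, k=3):
        self.size, self.k = size, k
        self.bits = [0] * size            # all bits are 0 when the filter is generated

    def positions(self, value):
        """The k operation functions: a SHA-256 digest salted with the function
        index, reduced to one bit position each."""
        return [int.from_bytes(hashlib.sha256(f"{i}:{value}".encode()).digest()[:8], "big")
                % self.size for i in range(self.k)]

    def add(self, value):
        for p in self.positions(value):   # index update: set the obtained bits to 1
            self.bits[p] = 1

    def may_contain(self, value):
        # all k bits at 1 -> "may be stored"; any 0 -> certainly not stored
        return all(self.bits[p] == 1 for p in self.positions(value))


INDEX_ITEMS = ("subject_exe", "object_file")   # one Bloom filter per item (FIG. 14)


class StorageArea:
    def __init__(self, area_id):
        self.area_id = area_id
        self.records = []
        self.index = {item: BloomFilter() for item in INDEX_ITEMS}


def store(area, event):
    """Storage processing followed by the index update for the area used."""
    area.records.append(event)
    for item, bf in area.index.items():
        bf.add(event[item])


def identify_storage_areas(areas, condition):
    """Storage area identification: keep only areas whose filters show a 1 at
    every position derived from the condition's index items. A condition
    without any index item gives no narrowing, so every area is returned."""
    indexed = {k: v for k, v in condition.items() if k in INDEX_ITEMS}
    if not indexed:
        return list(areas)
    return [a for a in areas
            if all(a.index[k].may_contain(v) for k, v in indexed.items())]


def search(areas, condition):
    """Search processing: exact match, run only inside the identified areas."""
    return [(a.area_id, ev)
            for a in identify_storage_areas(areas, condition)
            for ev in a.records
            if all(ev.get(k) == v for k, v in condition.items())]


def no_false_negatives(areas):
    """Every stored event's own area is always among the identified areas."""
    return all(a in identify_storage_areas(areas, {k: ev[k] for k in INDEX_ITEMS})
               for a in areas for ev in a.records)


def build_sample():
    """Three storage areas holding constructed event histories."""
    s1, s2, s3 = StorageArea("S1"), StorageArea("S2"), StorageArea("S3")
    store(s1, {"time": "2019-01-10T09:00:00", "subject_exe": "word.exe", "object_file": "report.docx"})
    store(s2, {"time": "2019-01-12T14:30:00", "subject_exe": "ssh", "object_file": "id_rsa"})
    store(s3, {"time": "2019-02-03T08:15:00", "subject_exe": "word.exe", "object_file": "memo.docx"})
    return [s1, s2, s3]


if __name__ == "__main__":
    areas = build_sample()
    cond = {"subject_exe": "word.exe", "object_file": "report.docx"}
    print([a.area_id for a in identify_storage_areas(areas, cond)])
    print([aid for aid, _ in search(areas, cond)])   # ['S1']
```

Areas S1 and S3 both hold a `word.exe` event, so a query on the subject's execution file name alone keeps both and, with overwhelming probability, drops S2; adding the object file name narrows the identified set further. A false positive from a filter only costs a search of one extra area, whereas a false negative would lose a record, which is why the filter's one-sided error is the property the text relies on.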
  • 1. A history management device comprising: a storage destination determination unit that acquires an event history, which is a history of events related to program activities, and determines, from a plurality of storage areas, a storage area for storing the event history based on the content of the acquired event history; a storage processing unit that stores the acquired event history in the determined storage area; and an index update unit that updates index information associated with the determined storage area so as to indicate that the acquired event history is stored in the determined storage area.
  • 2. The history management device, wherein the storage destination determination unit acquires group information that associates a condition related to the content of the event history with one or more storage areas storing the event history corresponding to the condition, and determines the storage area associated in the group information with the condition that the acquired event history matches as the storage area in which the acquired event history is stored.
  • 3. The history management device described in 1, wherein the condition indicated by the group information indicates a period including an event occurrence time, and the storage destination determination unit determines the storage area associated in the group information with the period including the event occurrence time indicated by the acquired event history as the storage area for storing the event history.
  • 4. The history management device, wherein the condition indicated by the group information indicates a user group related to the subject or object of an event, and the storage destination determination unit determines the storage area associated in the group information with the user group related to the subject or object of the event indicated by the acquired event history as the storage area for storing the acquired event history.
  • 5. The history management device described in 2, wherein the condition indicated by the group information indicates the type of OS (Operating System) related to the subject or object of an event, and the storage destination determination unit determines the storage area associated in the group information with the OS type related to the subject or object of the event indicated by the acquired event history as the storage area for storing the acquired event history.
  • 6. The history management device described in any one of 1 through 5, wherein the index information includes a Bloom filter, and the index update unit inputs information contained in the acquired event history into one or more functions and, in the Bloom filter included in the index information corresponding to the storage area determined by the storage destination determination unit, updates the bit values determined by the values output from the functions to a value indicating that the acquired event history is stored.
  • 7. A search processing device comprising: a query acquisition unit that acquires a search query indicating a search condition of an event history, which is a history of events related to program activities; a storage area identification unit that identifies a storage area in which the event history corresponding to the search condition may be stored by comparing the search condition indicated by the acquired search query with index information corresponding to each storage area; and a search processing unit that searches the identified storage area for the event history corresponding to the search condition.
  • 8. The search processing device described in 7, wherein the index information includes a Bloom filter, and the storage area identification unit inputs information about the event history specified by the search condition into one or more functions and identifies, as a storage area in which the event history corresponding to the search condition may be stored, the storage area corresponding to a Bloom filter in which every bit value determined by the values output from the functions is a value indicating that the event history specified by the search condition is stored in the corresponding storage area.
  • 9. A history management method executed by a computer, comprising: a storage destination determining step of acquiring an event history, which is a history of events related to program activities, and determining, from a plurality of storage areas, a storage area for storing the event history based on the content of the acquired event history; a storage processing step of storing the acquired event history in the determined storage area; and an index updating step of updating index information associated with the determined storage area so as to indicate that the acquired event history is stored in the determined storage area.
  • 10. The history management method described in 8, wherein, in the storage destination determining step, group information that associates a condition related to the content of the event history with one or more storage areas storing the event history corresponding to the condition is acquired, and the storage area associated in the group information with the condition that the acquired event history matches is determined as the storage area for storing the acquired event history.
  • 11. The history management method described in 10, wherein the condition indicated by the group information indicates a period including an event occurrence time, and, in the storage destination determining step, the storage area associated in the group information with the period including the event occurrence time indicated by the acquired event history is determined as the storage area for storing the event history.
  • 12. The history management method described in 10, wherein the condition indicated by the group information indicates a user group related to the subject or object of an event, and, in the storage destination determining step, the storage area associated in the group information with the user group related to the subject or object of the event indicated by the acquired event history is determined as the storage area for storing the acquired event history.
  • 13. The history management method described in 10, wherein the condition indicated by the group information indicates the type of OS (Operating System) related to the subject or object of an event, and, in the storage destination determining step, the storage area associated in the group information with the OS type related to the subject or object of the event indicated by the acquired event history is determined as the storage area for storing the acquired event history.
  • 14. The history management method described in any one of 9 through 13, wherein the index information includes a Bloom filter, and, in the index updating step, information contained in the acquired event history is input into one or more functions and, in the Bloom filter included in the index information corresponding to the storage area determined in the storage destination determining step, the bit values determined by the values output from the functions are updated to a value indicating that the acquired event history is stored.
  • 15. A search processing method executed by a computer, comprising: a query acquisition step of acquiring a search query indicating a search condition of an event history, which is a history of events related to program activities; a storage area identification step of identifying a storage area in which the event history corresponding to the search condition may be stored by comparing the search condition indicated by the acquired search query with index information corresponding to each storage area; and a search processing step of searching the identified storage area for the event history corresponding to the search condition.
  • 16. The search processing method described in 14, wherein the index information includes a Bloom filter, and, in the storage area identification step, information about the event history specified by the search condition is input into one or more functions, and the storage area corresponding to a Bloom filter in which every bit value determined by the values output from the functions is a value indicating that the event history specified by the search condition is stored in the corresponding storage area is identified as a storage area in which the event history corresponding to the search condition may be stored.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Debugging And Monitoring (AREA)

Abstract

A history management device (2000) acquires an event history (10), which is a history of an event related to program activity, and, on the basis of the content of the acquired event history (10), determines in which of a plurality of storage areas (30) to store the acquired event history (10). The history management device (2000) stores the acquired event history (10) in the determined storage area (30). The history management device (2000) updates index information (40) associated with the determined storage area (30) so as to indicate that the acquired event history (10) has been stored in the determined storage area (30).
PCT/JP2019/000549 2019-01-10 2019-01-10 Dispositif de gestion d'historique, dispositif de traitement de recherche, procédé de gestion d'historique, procédé de traitement de recherche et programme WO2020144816A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2020565111A JP7173165B2 (ja) 2019-01-10 2019-01-10 履歴管理装置、履歴管理方法及びプログラム
PCT/JP2019/000549 WO2020144816A1 (fr) 2019-01-10 2019-01-10 Dispositif de gestion d'historique, dispositif de traitement de recherche, procédé de gestion d'historique, procédé de traitement de recherche et programme

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2019/000549 WO2020144816A1 (fr) 2019-01-10 2019-01-10 Dispositif de gestion d'historique, dispositif de traitement de recherche, procédé de gestion d'historique, procédé de traitement de recherche et programme

Publications (1)

Publication Number Publication Date
WO2020144816A1 true WO2020144816A1 (fr) 2020-07-16

Family

ID=71521072

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/000549 WO2020144816A1 (fr) 2019-01-10 2019-01-10 Dispositif de gestion d'historique, dispositif de traitement de recherche, procédé de gestion d'historique, procédé de traitement de recherche et programme

Country Status (2)

Country Link
JP (1) JP7173165B2 (fr)
WO (1) WO2020144816A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS61188644A (ja) * 1985-02-15 1986-08-22 Fujitsu Ltd ログアウト方式
JP2006259811A (ja) * 2005-03-15 2006-09-28 Nec Corp ログ作成装置及びプログラム
JP2013012155A (ja) * 2011-06-30 2013-01-17 Toshiba Corp 情報処理装置、クライアント管理方法及びクライアント管理システム
US20170228409A1 (en) * 2016-02-08 2017-08-10 Red Hat, Inc. In-memory journaling

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115964190A (zh) * 2022-12-07 2023-04-14 中科雨辰科技有限公司 一种更新历史事件信息的数据处理系统
CN115964190B (zh) * 2022-12-07 2023-07-14 中科雨辰科技有限公司 一种更新历史事件信息的数据处理系统

Also Published As

Publication number Publication date
JP7173165B2 (ja) 2022-11-16
JPWO2020144816A1 (fr) 2020-07-16

Similar Documents

Publication Publication Date Title
US11921873B1 (en) Authenticating data associated with a data intake and query system using a distributed ledger system
US12026155B2 (en) Executing one query based on results of another query
US11113294B1 (en) Recommending query templates during query formation
US11263268B1 (en) Recommending query parameters based on the results of automatically generated queries
US12093318B2 (en) Recommending query parameters based on tenant information
US11216511B1 (en) Executing a child query based on results of a parent query
US11604799B1 (en) Performing panel-related actions based on user interaction with a graphical user interface
EP3545430B1 (fr) Recognition of unknown data objects
US11822640B1 (en) User credentials verification for search
KR102464222B1 (ko) Configurable annotations for privacy-sensitive user content
US9418237B2 (en) System and method for data masking
US6832227B2 (en) Database management program, a database managing method and an apparatus therefor
US11636128B1 (en) Displaying query results from a previous query when accessing a panel
US11644955B1 (en) Assigning a global parameter to queries in a graphical user interface
EP2939173B1 (fr) Real-time representation of a security-relevant system state
US20180285596A1 (en) System and method for managing sensitive data
US11809397B1 (en) Managing slot requests for query execution in hybrid cloud deployments
US20160224660A1 (en) Systems and Methods for Distributing Indexer Configurations
US11770450B2 (en) Dynamic routing of file system objects
US11074196B1 (en) Evicting data associated with a data intake and query system from a local storage
US11687487B1 (en) Text files updates to an active processing pipeline
US20200250180A1 (en) Management of queries in a hybrid cloud deployment of a query system
US11520739B1 (en) Distributed query execution and aggregation
US11500874B2 (en) Systems and methods for linking metric data to resources
US20210350026A1 (en) Systems and methods for generating and processing secure search queries

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19908271; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 2020565111; Country of ref document: JP; Kind code of ref document: A)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19908271; Country of ref document: EP; Kind code of ref document: A1)