Patent abstract:
The invention relates to a method for detecting deviations from a predetermined normal state, in particular deviations caused by manipulation, in a computer network (10), in which logs are created by the computers (1) of the computer network (10) or by the programs (2) running on these computers (1), whereby the programs (2) or computers (1) each define criteria for logging events (E) deemed relevant, and on occurrence of such an event (E) a log record (P) is created to which a time stamp (T) and a description record (D) of the logged event (E) are assigned, and whereby all log records (P) created by the individual computers (1) are kept available. During a calibration, a) partial data sets (A) are selected, in particular at random, from the description records (D) of the log records (P); b) groups (G) of partial data sets (A) are formed that are located in log records (P) whose time stamps (T) lie within a predetermined time period (DT); c) the description records (D) of the log records (P) are searched for further occurrences of a first partial data set (AA) from one of the created groups (G), and it is checked whether the remaining partial data sets (AB) associated with the respective group (G) are present within the given time period (DT); after repeated successful checks, a test data set (X) comprising the first partial data set (AA), the remaining partial data sets (AB) and the time period (DT) is created. During operation of the computer network (10), d) the description record (D) of a log record (P) to be examined is searched for the presence of a first partial data set (AA) stored in one of the test data sets (X); e) when the first partial data set (AA) of one of the test data sets (X) is found in the log record (P) to be examined, it is checked whether the remaining partial data sets (AB) of that test data set (X) are contained in log records (P) whose time stamp (T) differs from the time stamp (T) of the log record (P) to be examined by at most the time period (DT) assigned to the test data set (X); and f) if not all remaining partial data sets (AB) are found in log records (P) with a time stamp (T) within the time period (DT), this is assessed as a deviation and, where appropriate, a corresponding warning is generated.
Publication number: AT514215A1
Application number: T50292/2013
Filing date: 2013-04-29
Publication date: 2014-11-15
Inventors: Florian Dr Skopik; Roman Dipl Ing Fiedler
Applicant: Ait Austrian Inst Technology
IPC main class:
Patent description:

The invention relates to a method for detecting deviations from a predetermined normal state, in particular deviations caused by manipulation, in a computer network. A variety of approaches are known from the prior art with which different threat scenarios, or deviations from a predetermined normal state in general, can be determined in computer networks. All of these methods rely on some logging mechanism and examine whether individual, predetermined conditions are met that indicate deviations from the given normal state, in particular manipulations. An essential prerequisite of conventional methods for detecting such deviations or manipulations is that parsers are available for the particular log formats used, so that the semantic content of the log records can be analysed, i.e. so that the respective processes can be reconstructed from the logs.
In addition to creating the parsers, specific test conditions must then be specified against which the sequence of logged events is checked.
The object of the invention, by contrast, is to provide a method for detecting deviations from a predetermined normal state in which a semantic analysis of the individual log records is not required and in which a large variety of log records can be checked and processed. The invention solves this problem with a method of the type mentioned above having the characterizing features of claim 1. The method detects deviations from a predetermined normal state, in particular deviations caused by manipulation, in a computer network in which logs are created by the computers of the computer network or by the programs running on these computers, in which the programs or computers each define criteria for logging events deemed relevant and, on occurrence of such an event, a log record is created to which a time stamp and a description record of the logged event are assigned, and in which all log records created by the individual computers are kept available.
The invention provides that during the calibration
a) partial data sets are selected, in particular at random, from the description records of the log records,
b) groups of partial data sets are formed that are located in log records whose time stamps lie within a predefined time period,
c) the description records of the log records are searched for further occurrences of a first partial data set from one of the created groups, and it is checked whether the remaining partial data sets associated with the respective group are present within the given time period; after repeated successful checks, a test data set comprising the first partial data set, the remaining partial data sets and the time period is created,
and that during ongoing operation of the computer network
d) the description record of a log record to be examined is searched for the presence of a first partial data set stored in one of the test data sets,
e) when the first partial data set of one of the test data sets is found in the log record to be examined, it is checked whether the remaining partial data sets of the test data set are present in log records whose time stamp differs from the time stamp of the log record to be examined by at most the time period assigned to the test data set, and
f) if not all of the remaining partial data sets are found in log records with a time stamp within the time period, this is judged to be a deviation and, where appropriate, a warning is generated.
A significant advantage of the method according to the invention is that a concrete semantic analysis of the log records can be dispensed with, so that the method can be applied far more easily to computer networks running a wide variety of applications. Even with differing configurations of individual computers or of the entire computer network, a number of test data sets matched to that network can be found with which a deviation from the predetermined normal state, in particular in the presence of manipulation, can be determined.
In order to achieve compatibility with the most common software programs, the description record assigned to each log record and the partial data sets can advantageously each be represented by character strings.
In this case, when partial data sets are selected from the description records of the log records, a contiguous substring of the character string representing the description record can be selected and kept available as a partial data set.
When searching for the occurrence of a partial data set in the description record of a log record in steps c), d) and e) of claim 1, it can be checked in each case whether the character string of the partial data set corresponds to a contiguous substring of the description record of the log record.
A particularly simple embodiment of the invention provides that all partial data sets use the same character set and/or have the same length.
In order to ensure that only test data sets are used which represent the normal state of the computer system with sufficient precision, a test data set can be created in step c) only if a significance function SC(c(X), c'(X)) yields a value exceeding a predetermined threshold, where c(X) is the number of successful checks and c'(X) the number of unsuccessful checks.
In order to check the timely occurrence of individual partial data sets in log records, the time stamps of the individual partial data sets associated with the group can be determined in step c), and the time period associated with the test data set, in particular separately for each of the remaining partial data sets, can be set to an interval determined by the minimum and maximum time difference, preferably widened by a predetermined tolerance, between the occurrence of the first partial data set and the respective remaining partial data set.
For the simplest and most time-efficient check, exactly two partial data sets are assigned to each group.
In order to avoid an excessive number of reported deviations from the predetermined normal state after computers, or the programs executed on them, have been replaced or upgraded, the calibration comprising steps a) to c) can be repeated at predetermined time intervals and/or after a period of time following the replacement or upgrade, taking into account only those log records whose time stamp lies within the last time interval or after the replacement or upgrade.
In order to make the test data sets more reliable with regard to the partial data sets determined, partial data sets associated with the same test data set and located within the same log record can be examined as to whether the intermediate region between them is identical in every such record; if so, when the calibration is performed again, a further partial data set is used which is composed of the two partial data sets and the intermediate region between them.
In order to check the interaction of different programs or computers, only those remaining partial data sets can be added to a test data set that do not originate from the log record from which the first partial data set originated.
In order to ensure a sufficient check of all created log records, so many test data sets can be created that at least a predetermined proportion of the description records of the log records created during a given period contain partial data sets.
In order to detect changes in the monitored computer system automatically, the number of successful checks c(X) and the number of unsuccessful checks c'(X) of a test data set can be determined again after the test data set has been created, in particular at predetermined time intervals, and the test data set is deleted unless the significance function SC(c(X), c'(X)) yields a value exceeding the predetermined threshold.
In order to have a sufficient number of test data sets available even after system changes, if, after the deletion of a test data set, less than a predefined proportion of the description records of the log records created during a predefined time period contain partial data sets, a calibration according to steps a) to c) of claim 1 is performed again and the resulting test data sets are added to the previous, non-deleted test data sets.
A preferred embodiment of the invention is illustrated by the following drawing figure. Fig. 1 shows a computer network to be examined, comprising a number of computers.
Network and configuration:
The present embodiment is a computer network 10 with three computers 1a, 1b and 1c (Fig. 1). A number of programs run on each of the computers 1a, 1b, 1c; in the present exemplary embodiment a firewall fw-1 is installed on the first computer 1a and a web server web-2 is active on the second computer 1b.
The computer network 10 also contains a monitoring unit 3 and a logging unit 4, which is connected to a log database 5. A central log database is not required, however: the individual log data can also be accessed in a distributed manner, or streamed instead of stored.
The monitoring unit 3, the logging unit 4 and the log database 5 can be implemented as software on one of the computers, here 1c, of the computer network 10. During operation, all computers 1a, 1b, 1c of the computer network 10 and the programs fw-1, web-2 running on them generate logs.
Log data:
Each of the programs fw-1, web-2 running on the computers 1a, 1b, 1c creates log records P, to each of which a time stamp T is assigned. The selection of the relevant events for which a program 2 or a computer 1 writes a log line #1 to #6 is left to the programmer of the program or the administrator of the computer 1 and need not be predetermined for the method according to the invention to work. Nor is it necessary for the semantic content of the log lines #1 to #6 to be known in advance. It is sufficient that each log line #1 to #6 contains a time stamp T and a description record D.
The computer 1a is configured such that normally all accesses to the web server web-2 take place via the firewall fw-1. In the log lines #1 to #6 shown in Table 1, a network access accepted by the firewall fw-1 is therefore usually followed shortly afterwards by a corresponding log entry of the web server web-2.
# | Source | Log line | Note
1 | fw-1 | Dec 17 17:13:11 fw-1 iptables: ACCEPT IN=eth2 OUT=eth0 SRC=192.168.0.11 DST=192.168.100.5 PROTO=TCP SPT=55325 DPT=443 |
2 | web-2 | Dec 17 17:13:11 192.168.0.11 web-2 - - "GET /" 200 "Mozilla/4.0 (compatible; MSIE 7.0; ... |
3 | fw-1 | Dec 17 17:13:17 fw-1 iptables: DROP IN=eth3 OUT=eth0 SRC=1.2.3.4 DST=192.168.100.6 PROTO=TCP SPT=38183 DPT=443 | random event
4 | fw-1 | Dec 17 17:13:17 fw-1 iptables: ACCEPT IN=eth2 OUT=eth0 SRC=192.168.3.44 DST=192.168.100.5 PROTO=TCP SPT=4932 DPT=443 |
5 | web-2 | Dec 17 17:13:17 192.168.3.44 web-2 - - "GET /" 200 "Mozilla/4.0 (compatible; MSIE 7.0; ... |
6 | fw-1 | Dec 17 17:13:22 fw-1 backup agent connection opened | regular event, unrelated to records 1, 2
Table 1: brief extract of log lines written by programs running on computers of the computer network.
In Table 1, log line #1 is a message with which the firewall accepts a network access. Immediately afterwards there is a log line #2, created by the web server web-2, that records the access to a web application. Likewise, log record #4 shows an access accepted by the firewall fw-1 and #5 the corresponding log entry of the web server web-2. Log events #3 and #6, by contrast, are unrelated to records #1, #2 or #4, #5. From this it is clear that certain events, which can be traced on the basis of the log lines #1 to #6, are always logged in a particular temporal sequence relative to each other.
From each of the generated log lines #1 to #6, a time stamp T and a description record D of the respective logged event E are extracted. Table 2 shows the log records P made from the log lines #1 to #6 of Table 1; each consists of a time stamp T and a description record D extracted from one of the log lines. The log records P produced by all computers 1 in the network are kept available by the logging unit 4 for the further processing steps. In the present embodiment the log records P are stored in a central log database 5, but this is not mandatory: the individual log data can also be stored locally or streamed directly to the monitoring unit without storage, in which case the logging unit 4 merely manages the log records P and, if necessary, accesses the respective log files of the individual computers. For the present method, the logging unit 4 provides access to all log records P created by the computers 1 via a uniform interface. The monitoring unit 3 accesses the log records via the logging unit 4.
Record | Source | Time stamp (T) | Description record (D)
P1 | fw-1 | Dec 17 17:13:11 | fw-1 iptables: ACCEPT IN=eth2 OUT=eth0 SRC=192.168.0.11 DST=192.168.100.5 PROTO=TCP SPT=55325 DPT=443
P2 | web-2 | Dec 17 17:13:11 | 192.168.0.11 web-2 - - "GET /" 200 "Mozilla/4.0 (compatible; MSIE 7.0; ...
P3 | fw-1 | Dec 17 17:13:17 | fw-1 iptables: DROP IN=eth3 OUT=eth0 SRC=1.2.3.4 DST=192.168.100.6 PROTO=TCP SPT=38183 DPT=443
P4 | fw-1 | Dec 17 17:13:17 | fw-1 iptables: ACCEPT IN=eth2 OUT=eth0 SRC=192.168.3.44 DST=192.168.100.5 PROTO=TCP SPT=4932 DPT=443
P5 | web-2 | Dec 17 17:13:17 | 192.168.3.44 web-2 - - "GET /" 200 "Mozilla/4.0 (compatible; MSIE 7.0; ...
P6 | fw-1 | Dec 17 17:13:22 | fw-1 backup agent connection opened
Table 2: Log records
Calibration:
The following describes a calibration carried out by the monitoring unit 3, which yields groups G of partial data sets A from log records P that typically occur within a certain time period DT. This time period can lie between a few milliseconds and several seconds and can be set automatically or adjusted afterwards when the group is created. For the calibration, different partial data sets A occurring in the description records D of the log records P are first selected. Since logging in the present embodiment uses text logs, as is common practice, the partial data sets A are selected from the description records D in the form of contiguous substrings A. The selection of the partial data sets A can be random; advantageously, substrings are sought that are contained in several description records D.
In the present exemplary embodiment, the substrings "ACCEPT", "DPT=443", "web-2", "GET" and "connection opened", each of which occurs in the description records D of Table 2, were selected as partial data sets A. The selection of substrings A can be repeated, as will be shown later, if the first selection does not permit an adequate calibration. Re-selection of substrings A and improvement of the calibration are presented after the description of the calibration procedure.
Subsequently, groups G of partial data sets A are sought that are located in log records P whose time stamps T lie within the predefined time period DT. In the present exemplary embodiment, given a maximum period DT of 1 s, it is found that the selected partial data sets A with the values "ACCEPT", "DPT=443", "web-2" and "GET" occur together within the maximum time span DT in at least one case. Likewise, for a maximum period DT of 3 s to 5 s, the selected partial data sets A with the values "web-2" and "connection opened" occur together within the time period DT in at least one case.
These partial data sets A occurring within the same time span are combined into groups G1, G2 as shown in Table 3, which shows the data structure of the groups:
Group | AA | AB | DT
G1 | ACCEPT | DPT=443, web-2, GET | 1 s
G2 | web-2 | connection opened | 3 s to 5 s
Table 3: Groups
In order to find out which partial data sets A occur together not merely by chance but are actually related, the description records D of the log records P are searched for a further occurrence of the first partial data set AA of one of the created groups G. If such a further occurrence of AA is found, it is checked whether the remaining partial data sets AB assigned to the respective group G are present within the predetermined time period DT.
For example, the substring AA = "ACCEPT" was found in log record P1 of Table 2. Together with it, the remaining substrings AB of group G1 were also found: "DPT=443" in P1 and "web-2" and "GET" in P2. In log record P4 the string AA = "ACCEPT" appears again. It is now checked whether the remaining strings AB = "DPT=443", "web-2", "GET" are present within the given time period DT. Checking the log records P4 and P5, which lie within DT of each other, shows that this is the case.
Each created group G1, G2 stands for a hypothesis, i.e. a provisional assumption, that whenever the first partial data set AA occurs in the description record D of a log record P, the respective remaining partial data sets AB occur in description records D of log records P, such that the log record P containing AA and the log records P containing the remaining partial data sets AB lie within a predetermined time period DT of each other.
If the hypothesis embodied in a group G1, G2 can be confirmed several times, it can be declared a generally valid test condition once a given significance is reached; deviations from this test condition are then regarded as potential security threats or error scenarios.
Such a test condition can be represented by a test data set X whose data structure substantially corresponds to that of a group G1, G2. Each test data set X has a first partial data set AA, one or more remaining partial data sets AB, and the time period DT.
The following shows how, for the hypothesis contained in a group, a probability value can be determined which indicates, given the occurrence of the first partial data set AA in a log record, the probability that all remaining partial data sets AB of the group occur within the time period DT before or after the occurrence of AA.
The reliability of a hypothesis described by the group G1, or by a test data set X corresponding to this group, can be determined by means of a significance function SC(c(X), c'(X)). This function takes two arguments: the number of cases in which the hypothesis represented by the group G held, and the number of cases in which it did not. The value c(X) is the number of successful checks and c'(X) the number of unsuccessful checks of the hypothesis of group G. If the significance function exceeds a threshold, the group G can be used as a test data set X.
The distribution of the evaluation results, i.e. the numbers of positive and negative evaluations of test data sets or groups, can be regarded as the outcome of a Bernoulli process. The statistical significance of a hypothesis can therefore be determined by means of a binomial test; only groups G that model hypotheses of sufficiently high significance give rise to test data sets X.
The significance function evaluates a binomial test of the assumption that c(X) / (c(X) + c'(X)) is greater than a specified threshold probability, e.g. 99%. The choice of the threshold probability thus also controls how many test data sets are actually confirmed.
The more frequently the hypothesis underlying a group G1, G2 has been fulfilled during calibration, the greater the reliability attributed to this hypothesis and thus to the group. A group G1, G2 is particularly suitable as a test data set X if it holds in a statistically significant number of cases. The two hypotheses underlying groups G1, G2 can be checked, for example, against the log records P shown in Table 4, so that the assumed reliability of each hypothesis is increased where it holds and reduced where it does not.
# | Source | Log record | Note
101 | fw-1 | Dec 17 17:25:48 fw-1 iptables: ACCEPT IN=eth2 OUT=eth0 SRC=192.168.2.155 DST=192.168.100.5 PROTO=TCP SPT=55325 DPT=443 | Trigger X1
102 | web-2 | Dec 17 17:25:49 192.168.0.11 web-2 - - "GET /" 200 "Mozilla/4.0 (compatible; MSIE 7.0; ... | follow-up event X1 (OK), trigger X2
103 | fw-1 | Dec 17 17:25:49 fw-1 backup agent connection opened | follow-up event X2 (OK)
104 | fw-1 | Dec 17 17:26:01 fw-1 backup agent connection opened |
105 | fw-1 | Dec 17 17:26:03 fw-1 iptables: ACCEPT IN=eth2 OUT=eth0 SRC=192.168.2.155 DST=192.168.100.5 PROTO=TCP SPT=55325 DPT=443 | Trigger X1
106 | web-2 | Dec 17 17:26:03 192.168.2.155 web-2 - - "GET /about.html" 200 "Mozilla/4.0 (compatible; MSIE 7.0; ... | follow-up event X1 (OK), trigger X2 (not OK, no follow-up event for G2)
107 | fw-1 | Dec 17 17:26:03 fw-1 iptables: ACCEPT IN=eth2 OUT=eth0 SRC=192.168.0.8 DST=192.168.100.5 PROTO=TCP SPT=55325 DPT=443 | Trigger X1
108 | web-2 | Dec 17 17:26:04 192.168.0.8 web-2 - - "GET /" 200 "Mozilla/4.0 (compatible; Chromium ... | follow-up event X1 (OK), trigger X2 (not OK, no follow-up event for G2)
Table 4: further verification of the test data sets
Table 4 shows that the partial data sets A of group G1 occur together several times in log records P within the observation window DT around the trigger event, e.g. log records 101/102, 105/106 and 107/108. For group G2 this is not always the case: the group G2 is found in 102/103, but after 106 and 108 the expected partial data set AB does not follow within DT in any of the subsequent log records. Therefore, in the system described above, no test data set X would be created for group G2.
When determining the time period DT to be assigned to a test data set X, the time span between the occurrence of the first partial data set AA of the test data set X (or of the group from which it originates) and the occurrence of the last of the remaining partial data sets AB can be used; the minimum and maximum time differences observed, widened by a tolerance, then serve as threshold values. Thus, for example, the hypothesis embodied by a test data set X may state that the remaining data sets AB always occur within 3 to 5 seconds after the occurrence of the first data set AA.
At the end of the calibration, or even during operation, it can be examined whether at least a given proportion of the description records D contain partial data sets A that are assigned to some test data set X as first or remaining partial data set AA, AB. If this is not the case, further partial data sets A can be drawn specifically from description records D not yet covered and used to form new groups G of partial data sets A. These groups are then examined for their statistical significance in the same way, possibly yielding further statistically reliable test data sets X.
Ongoing operation:
In operation, the log records P currently made available are checked for the presence of first partial data sets AA of the test data sets X. Table 5 contains log records P from a period during which the operating state has changed, e.g. because of an attack on the web server web-2 or a hardware failure. Whether or not the hypothesis of a test data set X holds is checked during operation by the same rules as during the calibration. If a first partial data set AA of a test data set X is found, the remaining partial data sets AB of that test data set X are searched for. If they are not found within the time span specified in the test data set X, the system is determined to be in a state that deviates from the normal state, and the monitoring unit generates a corresponding warning.
# | Source | Log record | Note
201 | fw-1 | Dec 17 22:06:46 fw-1 iptables: ACCEPT IN=eth2 OUT=eth0 SRC=192.168.0.11 DST=192.168.100.5 PROTO=TCP SPT=55325 DPT=443 | Trigger X1
202 | web-2 | Dec 17 22:06:46 192.168.0.11 web-2 - - "GET /" 200 "Mozilla/4.0 (compatible; MSIE 7.0; ... | follow-up event X1 (OK)
203 | fw-1 | Dec 17 22:06:48 fw-1 iptables: DROP IN=eth3 OUT=eth0 SRC=1.2.3.4 DST=192.168.100.6 PROTO=TCP SPT=38183 DPT=443 |
204 | fw-1 | Dec 17 22:06:51 fw-1 iptables: ACCEPT IN=eth2 OUT=eth0 SRC=192.168.2.101 DST=192.168.100.5 PROTO=TCP SPT=4932 DPT=443 | Trigger X1
205 | web-2 | Dec 17 22:06:51 192.168.2.101 web-2 - - "GET /" 200 "Mozilla/4.0 (compatible; MSIE 7.0; ... | follow-up event X1 (OK)
206 | fw-1 | Dec 17 22:06:58 fw-1 iptables: ACCEPT IN=eth2 OUT=eth0 SRC=192.168.2.101 DST=192.168.100.5 PROTO=TCP SPT=4932 DPT=443 | Trigger X1, follow-up event missing
207 | fw-1 | Dec 17 22:07:00 fw-1 iptables: ACCEPT IN=eth2 OUT=eth0 SRC=192.168.0.8 DST=192.168.100.5 PROTO=TCP SPT=4932 DPT=443 | Trigger X1, follow-up event missing
208 | fw-1 | Dec 17 22:07:01 fw-1 iptables: ACCEPT IN=eth2 OUT=eth0 SRC=192.168.2.101 DST=192.168.100.5 PROTO=TCP SPT=4932 DPT=443 | Trigger X1, follow-up event missing
Table 5: Application of test data set X1 to consecutive log records
In the scenario shown in Table 5, the web server web-2 fails at Dec 17 22:06:55; after log record 205 it creates no further log records P. Evaluating the test data set X1, which has so far been regarded as reliable, shows that the first partial data set AA with the value "ACCEPT" is found, but the second partial data set with the value "web-2" does not follow within the time period DT, so the evaluation of the test data set X1 is negative. The monitoring unit 3 issues a warning and optionally also provides the system administrator with the test condition, i.e. the rule embodied in the violated test data set X1.
In addition, the verification and falsification of the rules or test conditions of the test data sets X can also be carried out during operation: in parallel with the check, the reliability determined for the test condition of a test data set is updated in the same way as the reliability of a group's hypothesis. The reliability of the test condition of a test data set X can thus be adapted during ongoing operation.
Adaptations at runtime:
The following presents individual methods for checking, continuously validating and completing the already created test data sets X; they can be performed independently of each other.
If individual computers 1, or programs 2 running on the computers 1, are replaced, certain test data sets X can lose reliability as a result, for example if, after a web server has been replaced, requests to that web server are no longer followed by further log messages. In this case it can be examined whether, and which, test data sets X have lost reliability by applying the reliability determination used for the groups G1, G2 during calibration to the test conditions of the test data sets X as well. If this reliability falls below a predetermined threshold, the test data set X can be removed.
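The ongoing operation (steps d) to f)) and the runtime re-evaluation of a test data set described in the two passages above, as an added Python example that is not part of the patent and not the applicant's code. A trigger is kept pending until its DT has elapsed before a missing follow-up is reported, c(X) and c'(X) are updated as the stream is processed, and the rule is deleted once the same one-sided binomial test used during calibration (success rate against 0.5 at 95% confidence, an assumption) no longer reaches the confidence level. The log lines are constructed after Table 5; the rule X1 (AA "ACCEPT", AB "GET", DT 2 s, 20 prior successes) is an assumed calibration result, and the syslog-style timestamp prefix, time-ordered input and the choice to count every trigger still pending at the end of the stream as a miss are assumptions of this example.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class LogRecord:          # log record P: source, time stamp T, description record D
    source: str
    t: datetime
    d: str

@dataclass(eq=False)
class TestRecord:         # test data set X with its running counters c(X) and c'(X)
    aa: str               # first partial data set AA (trigger)
    ab: str               # remaining partial data set AB (expected follow-up)
    max_dt: float         # time period DT in seconds, checked symmetrically around AA
    c: int = 0
    c_fail: int = 0

@dataclass(eq=False)
class Pending:            # a trigger whose follow-up has not been seen yet
    rule: TestRecord
    trigger: LogRecord
    deadline: datetime

def parse_line(source, line):   # assumed syslog prefix "Dec 17 22:06:46"; records arrive in time order
    return LogRecord(source, datetime.strptime(line[:15], "%b %d %H:%M:%S"), line[16:])

def significance(c, c_fail, min_rate):   # same one-sided binomial test as in the calibration
    n = c + c_fail
    return 1.0 - sum(math.comb(n, k) * min_rate ** k * (1 - min_rate) ** (n - k)
                     for k in range(c, n + 1))

class Monitor:
    def __init__(self, rules, min_rate=0.5, confidence=0.95):
        self.rules = list(rules)
        self.min_rate, self.confidence = min_rate, confidence
        self.recent = []      # records still inside the largest DT window (AB may precede AA)
        self.pending = []     # triggers waiting for their follow-up
        self.alerts = []      # (rule, trigger record) for every violated test condition
        self.dropped = []     # rules whose significance fell below the threshold at runtime

    def feed(self, rec):
        self._expire(rec.t)
        for p in list(self.pending):          # step e), AB arriving after AA
            if p.rule.ab in rec.d:
                p.rule.c += 1
                self.pending.remove(p)
        for rule in self.rules:               # step d): does this record carry a trigger AA?
            if rule.aa not in rec.d:
                continue
            if any(rule.ab in r.d and (rec.t - r.t).total_seconds() <= rule.max_dt
                   for r in self.recent):     # step e), AB arrived before AA
                rule.c += 1
            else:
                self.pending.append(Pending(rule, rec, rec.t + timedelta(seconds=rule.max_dt)))
        horizon = max((r.max_dt for r in self.rules), default=0.0)
        self.recent = [r for r in self.recent if (rec.t - r.t).total_seconds() <= horizon] + [rec]

    def _expire(self, now):                   # step f): deadline passed without the follow-up
        for p in [p for p in self.pending if p.deadline < now]:
            self.pending.remove(p)
            self._fail(p)

    def _fail(self, p):
        p.rule.c_fail += 1
        self.alerts.append((p.rule, p.trigger))
        # runtime re-evaluation: delete the rule once its hypothesis is no longer significant
        if p.rule in self.rules and significance(p.rule.c, p.rule.c_fail, self.min_rate) < self.confidence:
            self.rules.remove(p.rule)
            self.dropped.append(p.rule)

    def flush(self):                          # end of stream: pending triggers count as misses (assumption)
        for p in list(self.pending):
            self.pending.remove(p)
            self._fail(p)

def run_stream(rules, lines):
    mon = Monitor(rules)
    for source, line in lines:
        mon.feed(parse_line(source, line))
    mon.flush()
    return mon

STREAM = [  # constructed after Table 5 of the patent: web-2 stops logging at 22:06:55
    ("fw-1",  "Dec 17 22:06:46 fw-1 iptables: ACCEPT IN=eth2 OUT=eth0 SRC=192.168.0.11 DST=192.168.100.5 PROTO=TCP SPT=55325 DPT=443"),
    ("web-2", "Dec 17 22:06:46 192.168.0.11 web-2 - - \"GET /\" 200 \"Mozilla/4.0 (compatible; MSIE 7.0)\""),
    ("fw-1",  "Dec 17 22:06:51 fw-1 iptables: ACCEPT IN=eth2 OUT=eth0 SRC=192.168.2.101 DST=192.168.100.5 PROTO=TCP SPT=4932 DPT=443"),
    ("web-2", "Dec 17 22:06:51 192.168.2.101 web-2 - - \"GET /\" 200 \"Mozilla/4.0 (compatible; MSIE 7.0)\""),
    ("fw-1",  "Dec 17 22:06:58 fw-1 iptables: ACCEPT IN=eth2 OUT=eth0 SRC=192.168.2.101 DST=192.168.100.5 PROTO=TCP SPT=4932 DPT=443"),
    ("fw-1",  "Dec 17 22:07:00 fw-1 iptables: ACCEPT IN=eth2 OUT=eth0 SRC=192.168.0.8 DST=192.168.100.5 PROTO=TCP SPT=4932 DPT=443"),
    ("fw-1",  "Dec 17 22:07:01 fw-1 iptables: ACCEPT IN=eth2 OUT=eth0 SRC=192.168.2.101 DST=192.168.100.5 PROTO=TCP SPT=4932 DPT=443"),
]

if __name__ == "__main__":
    x1 = TestRecord(aa="ACCEPT", ab="GET", max_dt=2.0, c=20)   # assumed result of an earlier calibration
    mon = run_stream([x1], STREAM)
    for rule, trig in mon.alerts:
        print(f"deviation at {trig.t:%H:%M:%S}: {rule.aa!r} without {rule.ab!r} within {rule.max_dt}s")
    print("c(X1) =", x1.c, "c'(X1) =", x1.c_fail, "rules dropped:", len(mon.dropped))
```

On the Table 5 stream the three triggers after the web server's failure (22:06:58, 22:07:00, 22:07:01) each produce a warning, yet with 22 successes against 3 misses the rule remains significant and is kept, which is the intended behaviour: a short outage is reported, not silently unlearned. Only a long run of misses, as after the web server has been replaced by one that logs differently, pushes the significance below the threshold and removes the rule.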
If, after the deletion of one of the test data sets X, less than a predefined proportion of the description records D of the log records P created during a predefined period contain at least one of the previously selected partial data sets A, the calibration can be carried out again. The newly found test data sets X are added to the previous, non-deleted test data sets X.
If, by adding components, new log records appear in which none of the available partial data sets AA, AB is contained, a recalibration can be made that selects partial data sets specifically from the log records originating from the newly added components. New groups are then sought, and it is examined whether these groups have a significance exceeding the predetermined level; if so, test data sets are created from the significant groups.
For the same test data set X, associated partial data sets AA, AB located within the same log record P can be examined as to whether the intermediate region between them is always identical. If so, when the calibration is performed again, a partial data set is created and assigned to the test data set X that is composed of the two partial data sets AA, AB and the intermediate region between them.
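The merging of two partial data sets whose intermediate region is always identical, as described in the passage above, as an added Python example that is not part of the patent and not the applicant's code. The description records are constructed after Table 2; considering only the first occurrence of AA and the first occurrence of AB after it in each record is an assumption of this example.

```python
def merged_partial_data_set(descriptions, aa, ab):
    """Return AA + gap + AB as one longer partial data set if every description record D
    that contains AA followed by AB has the same text between them, otherwise None.
    A longer, more specific substring is harder to match by chance than AA and AB alone."""
    gaps = set()
    for d in descriptions:
        i = d.find(aa)                                   # assumption: first occurrence of AA
        j = d.find(ab, i + len(aa)) if i >= 0 else -1    # and first occurrence of AB after it
        if j >= 0:
            gaps.add(d[i + len(aa):j])
    return aa + gaps.pop() + ab if len(gaps) == 1 else None

DESCRIPTIONS = [  # constructed description records D, modelled on Table 2 of the patent
    'fw-1 iptables: ACCEPT IN=eth2 OUT=eth0 SRC=192.168.0.11 DST=192.168.100.5 PROTO=TCP SPT=55325 DPT=443',
    'fw-1 iptables: ACCEPT IN=eth2 OUT=eth0 SRC=192.168.3.44 DST=192.168.100.5 PROTO=TCP SPT=4932 DPT=443',
    'fw-1 iptables: DROP IN=eth3 OUT=eth0 SRC=1.2.3.4 DST=192.168.100.6 PROTO=TCP SPT=38183 DPT=443',
    '192.168.0.11 web-2 - - "GET /" 200 "Mozilla/4.0 (compatible; MSIE 7.0)"',
]

if __name__ == "__main__":
    # "ACCEPT" and "OUT=eth0" are always separated by " IN=eth2 ": merged into one substring
    print(merged_partial_data_set(DESCRIPTIONS, "ACCEPT", "OUT=eth0"))
    # "ACCEPT" and "DPT=443" enclose a varying SRC/SPT region: no merge
    print(merged_partial_data_set(DESCRIPTIONS, "ACCEPT", "DPT=443"))
```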
Claims (13)
[1]
1. A method for detecting deviations from a predetermined normal state, in particular caused by manipulation, in a computer network (10), in which protocols are created by the computers (1) of the computer network (10) or by the programs (2) running on these computers (1), wherein the programs (2) or computers (1) each set criteria for the logging of events (E) considered relevant and, on the occurrence of such an event (E), a protocol data record (P) is created in each case, to which a time stamp (T) and a description data record (D) of the respective logged event (E) are assigned, and - wherein all the protocol data records (P) created by the individual computers (1) are kept available, characterized in that - in the course of a calibration a) partial data sets (A) are selected, in particular at random, from the descriptive data sets (D) of the protocol data sets (P), b) that groups (G) of partial data sets (A) are formed which are located in protocol data sets (P) whose time stamps (T) lie within a predetermined period of time (DT), c) that the descriptive data sets (D) of the protocol data sets (P) are searched for further occurrences of a first partial data set (AA) from one of the created groups (G) and it is checked whether the remaining partial data sets (AB) associated with the respective group (G) are present within the given period of time (DT), wherein, on repeated successful checks, a test data set (X) comprising the first partial data set (AA), the remaining partial data sets (AB) and the time period (DT) is created in each case, and - that during operation of the computer network (10) d) the descriptive data set (D) of a protocol data record (P) to be examined is examined for the presence of a first partial data set (AA) stored in one of the test data records (X), e) when the first partial data set (AA) of one of the test data sets (X) was found in the protocol data record (P) to be examined, it is checked whether the remaining partial data sets (AB) of the test data record (X) are present in protocol data sets (P) whose time stamp (T) differs from the time stamp (T) of the examined protocol data record (P) by at most the time period (DT) associated with the test data record (X), and f) if not all of the remaining partial data sets (AB) are found in protocol data records (P) with a time stamp (T) within the time period (DT), this is assessed as a deviation and, if appropriate, a corresponding warning is generated.
[2]
2. Method according to claim 1, characterized in that the description data record (D) assigned to the respective protocol data record (P) and the partial data sets (A; AA; AB) are each represented by character strings, in particular in that a) in the selection of partial data sets (A) from the descriptive data records (D) of the protocol data records (P), a contiguous substring of the character string representing the descriptive data record is selected and kept as a partial data set, and / or b) in the search for the occurrence of a partial data set (A; AA; AB) in the description data record of a protocol data record in steps c), d) and e) of claim 1, it is checked in each case whether the character string of the partial data set (A) corresponds to a contiguous substring of the descriptive data record (D) of the protocol data record (P).
[3]
3. The method according to claim 1 or 2, characterized in that all sub-data sets (A; AA; AB) each have the same data volume and / or the same length.
[4]
4. Method according to one of the preceding claims, characterized in that in step c) a test data set (X) is only created in each case if a significance function SC(c(X), c'(X)) indicates a value that exceeds a predetermined threshold, where c(X) is the number of successful tests and c'(X) is the number of unsuccessful tests.
[5]
5. Method according to one of the preceding claims, characterized in that, in the case of multiple successful checks, it is determined in step c) within which time period the time stamps (T) of the individual partial data sets (AA, AB) associated with the group (G) lie, and the time interval (DT), in particular separately for each of the remaining partial data sets (AB), is set to an interval which is determined by the minimum and maximum time difference, preferably with a predetermined tolerance range, between the occurrence of the first partial data set (AA) and the respective remaining partial data set (AB).
[6]
6. The method according to any one of the preceding claims, characterized in that each group (G) is assigned exactly two partial data sets (AA, AB).
[7]
7. The method according to any one of the preceding claims, characterized in that the calibration step comprising steps a) to c) is repeated at predetermined time intervals and / or a predetermined period of time after the replacement or conversion of computers (1) or of the programs (2) executed on them, taking into account only those protocol data records whose time stamp lies within the last time interval or after the replacement or conversion.
[8]
8. Method according to one of the preceding claims, characterized in that, in the case of partial data sets (AA; AB) associated with the same test data set (X) which are located within the same protocol data set (P), it is examined whether the intermediate region between the partial data sets (AA; AB) is identical, and in this case, on renewed execution of the calibration step, a further partial data set (A) is used which is composed of the two partial data sets (AA, AB) and the intermediate region between them.
[9]
9. The method according to any one of the preceding claims, characterized in that only those remaining partial data sets (AB) are added to the test data sets (X) which do not originate from the protocol data record (P) from which the first partial data set (AA) originates.
[10]
10. Method according to one of the preceding claims, characterized in that so many test data records (X) are created that partial data sets (A; AB) are contained in at least a predetermined proportion of the descriptive data records (D) of the protocol data sets (P) created during a given period of time.
[11]
11. The method according to any one of the preceding claims, characterized in that the determination of the number c(X) of successful tests of a test data set (X) and of the number c'(X) of unsuccessful tests is executed again after the creation of the test data set (X), in particular at predetermined time intervals, and the test data record is deleted unless a significance function SC(c(X), c'(X)) indicates a value that exceeds a predetermined threshold.
[12]
12. The method of claim 10, wherein, if after the deletion of a test data record (X) less than a predefined portion of the descriptive data records (D) of the protocol data records (P) created during a predefined period of time contain partial data sets (A; AA; AB), a calibration according to steps a) to c) of claim 1 is performed again and the newly created test data records (X) are added to the previous, non-deleted test data records (X).
[13]
13. Disk on which a program for carrying out a method according to one of claims 1 to 12 is stored. Vienna, on April 29, 2013
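As an added worked example (not code from the patent or its applicant), the calibration and detection steps of claim 1, the significance test of claims 4 and 11, and the revalidation described in the description above, run in Python over a constructed log stream; the sub-record length, stride, time window DT, the form of the significance function and its threshold are assumptions.

```python
from itertools import combinations
# Constructed sample log stream P of (time stamp T in seconds, description D); assumed normal state: every login is followed within 5 s by a session record.
def make_logs(n, drop_session_at=None):
    logs = []
    for i in range(n):
        logs.append((20 * i, "sshd[412]: accepted login user=alice from 10.0.0.7"))
        if i != drop_session_at:  # leave one login without its follow-up event
            logs.append((20 * i + 2, "pam_unix: session opened for user alice by sshd"))
    return logs

DT, SUB_LEN, STRIDE, THRESHOLD = 5, 12, 10, 0.9  # assumed parameters, not given by the patent

def sub_records(desc):
    """Partial data sets A: fixed-length substrings of D taken at a fixed stride (claims 2a and 3)."""
    return [desc[i:i + SUB_LEN] for i in range(0, len(desc) - SUB_LEN + 1, STRIDE)]

def significance(c, c_fail):
    """SC(c(X), c'(X)); the patent leaves its form open, a plain success ratio is assumed here."""
    return c / (c + c_fail) if c + c_fail else 0.0

def followed_within(logs, i, ab, dt):
    """True if AB occurs in a record other than logs[i] whose time stamp lies within DT of it."""
    t = logs[i][0]
    return any(ab in d and abs(t2 - t) <= dt for j, (t2, d) in enumerate(logs) if j != i)

def count_checks(aa, ab, logs, dt):
    """Step c): c = occurrences of AA matched by AB within DT, c' = unmatched occurrences."""
    hits = [followed_within(logs, i, ab, dt) for i, (_, d) in enumerate(logs) if aa in d]
    return sum(hits), len(hits) - sum(hits)

def calibrate(logs, dt=DT):
    """Steps a) to c): pair sub-records of records lying within DT (claims 6, 9) and keep repeatedly confirmed, significant pairs as test records X (claim 4)."""
    tests = set()
    for (t1, d1), (t2, d2) in combinations(logs, 2):
        if abs(t1 - t2) <= dt:
            for aa in sub_records(d1):
                for ab in sub_records(d2):
                    c, c_fail = count_checks(aa, ab, logs, dt)
                    if c > 1 and significance(c, c_fail) > THRESHOLD:
                        tests.add((aa, ab, dt))
    return tests

def detect(logs, tests):
    """Steps d) to f): a record holding AA with no AB within DT is reported as a deviation."""
    return [(logs[i][0], aa, ab) for aa, ab, dt in sorted(tests)
            for i, (_, d) in enumerate(logs) if aa in d and not followed_within(logs, i, ab, dt)]

def revalidate(tests, logs):
    """Claim 11 and the description above: recompute c, c' on newer records and drop X that lost significance."""
    return {x for x in tests if significance(*count_checks(x[0], x[1], logs, x[2])) > THRESHOLD}
```

Calibrating on `make_logs(5)` yields 16 test records; running `detect` on a stream whose third login has no session record reports that login's time stamp for every X, and `revalidate` on that stream drops all of them because their success ratio falls to 0.8.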
Family patents:
Publication number | Publication date
AT514215B1|2015-06-15|
EP2800307B1|2016-06-08|
EP2800307A1|2014-11-05|
Cited documents:
Publication number | Filing date | Publication date | Applicant | Title
US6515967B1|1998-06-30|2003-02-04|Cisco Technology, Inc.|Method and apparatus for detecting a fault in a multicast routing infrastructure|
JP2002111782A|2000-09-12|2002-04-12|Internatl Business Mach Corp <Ibm>|Fault management system for network system, server used therefor, fault management system and recording medium|
US20040128583A1|2002-12-31|2004-07-01|International Business Machines Corporation|Method and system for monitoring, diagnosing, and correcting system problems|
US20060047995A1|2004-08-30|2006-03-02|Uwe Schriek|Method and apparatus for diagnosing monitoring systems of technical equipment|
EP2645627A1|2012-03-26|2013-10-02|Alcatel Lucent|Method for managing a communication network|
AT520746B1|2018-02-20|2019-07-15|Ait Austrian Institute Tech Gmbh|Method for detecting abnormal operating conditions|
EP2299650A1|2009-09-21|2011-03-23|Siemens Aktiengesellschaft|Method for recognising anomalies in a control network|
AT518805B1|2016-07-07|2018-05-15|Ait Austrian Institute Tech Gmbh|A method for detecting abnormal conditions in a computer network|
AT521665B1|2018-06-11|2021-05-15|Ait Austrian Inst Tech Gmbh|Grammar recognition|
AT522281A1|2019-04-02|2020-10-15|Ait Austrian Institute Tech Gmbh|Method for characterizing the operating status of a computer system|
AT523829B1|2020-07-28|2021-12-15|Ait Austrian Inst Tech Gmbh|Method for detecting abnormal operating states of a computer system|
AT523948A1|2020-09-01|2022-01-15|Ait Austrian Inst Tech Gmbh|Method for detecting abnormal operating states of a computer system|
Legal status:
Priority:
Application number | Filing date | Title
ATA50292/2013A|AT514215B1|2013-04-29|2013-04-29|Method for detecting deviations from a predetermined normal state|
EP14165972.2A| EP2800307B1|2013-04-29|2014-04-25|Method for detecting deviations from a given standard state|