1. Patent Search
  2. Details

METHOD FOR DYNAMIC ADJUSTMENT OF A LEVEL OF VERBOSITY OF A COMPONENT OF A COMMUNICATIONS NETWORK

20170310537 · 2017-10-26

    Inventors

    Cpc classification

    International classification

    Abstract

    A method for dynamic management of a first level of verbosity of a component defined in a data network, the data network having a control centre, each component allowing the execution of tasks and including a security management configuration associating a status message, forming a log, with the execution of a task of the component, each log associated with a task indicating an event and having a local level, the control centre allowing the collection of a set of logs to supervise the network, the method including: detecting a stimulus by a control centre; determining a component associated with the stimulus detected by the control centre; modifying the first level of verbosity of the component to a second level of verbosity during a first given period, the modification being launched by generating a supervision command by the control centre, the second level of verbosity being defined according to the stimulus.

    Claims

    1. A method for dynamic management of at least a first verbosity level of at least one component defined in a data network, wherein said data network has a control centre, and wherein each component allows execution of a set of tasks, and has a security management configuration associating a status message forming a log, with execution of a task of said component, wherein each log associated with a task indicates at least one event, and has a local level, wherein the control centre collects a set of logs for supervision of said network, said method comprising: detecting a stimulus by a control centre; determining at least one component associated with the stimulus detected by the control centre; and performing a first change of the first verbosity level of said component to a second verbosity level during a first given period, wherein said first change is effected by the control centre generating a supervision command, and wherein the second verbosity level is defined according to the detected stimulus.

    2. The method for dynamic management of at least a first supervision level according to claim 1, wherein after the first period has elapsed the method includes: performing a second change of the second verbosity level of the first component, to return to the first verbosity level.

    3. The method for dynamic management of at least a first verbosity level according to claim 1, wherein the control centre includes a memory in which the following are stored: a set of components in the network, and for each component a first premier verbosity level associated with it; a set of investigation scenarios including predefined stimuli, wherein each predefined stimulus is associated with a recommended verbosity level.

    4. The method for dynamic management of at least a first verbosity level according to claim 3, wherein the value of the second verbosity level is generated according to: an investigation scenario identified according to a determined stimulus, wherein a determined stimulus includes at least one event identified by a received log; a performance value of a component associated with a log used in determining the stimulus.

    5. The method for dynamic management of at least a first verbosity level according to claim 3, wherein the stimulus is the result of: at least one operation to correlate a set of events occurring in a given time window, reported by generating a set of logs of at least one component; a comparison of the result of the operation to correlate collected logs with all the investigation scenarios stored in the control centre.

    6. The method for dynamic management of at least a first verbosity level according to claim 3, wherein an investigation scenario and a correlation operation leading to the determination of a stimulus take the following into account: a plurality of events identified by logs occurring over a given period; one or a plurality of component(s) associated with at least one event; an identification of at least one device.

    7. The method for dynamic management of at least a first verbosity level according to claim 1, wherein at least one agent storing a set of components is configured to collect the logs generated from a plurality of components, wherein the agent transmits the collected logs to the control centre.

    8. The method for dynamic management of at least a first verbosity level according to claim 1, wherein a log includes at least one of the following elements: a date when an event relating to the executed task occurred; an identifier of at least one user; an identifier of at least one component; a category or criticality.

    9. The method for dynamic management of at least a first verbosity level according to claim 1, wherein a log is sent to the control centre by a task when its local level is higher than the component's verbosity level.

    10. The method for dynamic management of at least a first verbosity level according to claim 9, wherein each generated log is stored in a local file of the component or transmitted to an agent or transmitted to the network's control centre.

    11. The method for dynamic management of at least a first verbosity level according to claim 1, wherein the second verbosity level of the component is between the first verbosity level of the component and the maximum possible verbosity level of a component, wherein the second verbosity level depends on the determined stimulus.

    12. The method for dynamic management of at least a first verbosity level according to claim 1, wherein a component is an application component from the following list: a driver; a local agent of a computer hardware device; a database; a business application; an operating system; a network application; a firmware module; an anti-virus module; a firewall; an agent of a hardware component.

    13. The method for dynamic management of at least a first verbosity level according to claim 1, wherein an event which may occur and generate a log is in the following list: a command given by a function of a given component; generation of a result of a function executed following a command; access to, opening, closure or modification of a given file or folder; a determined number of simultaneous connections to a component; a given query with a given IP address; access to a given interface of the component; a reboot of the component; disconnection of the component.

    14. A control centre for dynamic management of at least one verbosity level of at least one component of a data network, the control center comprising: a network interface to log into a data network and to collect data transmitted by at least one component in the network; a memory allowing storage of: a set of stored components in the data network, wherein each component enables execution of a set of tasks, wherein each task may generate a log in the network, wherein each log corresponds to a given event; predefined stimuli, wherein each stimulus corresponds to a least one event, or to the result of correlations of events occurring within a time window; investigation scenarios corresponding to a set of necessary data to be collected from at least one component when a stimulus is detected, wherein the collection of a set of necessary data from at least one component implies that a verbosity level of said at least one component is configured; a computer enabling operations to be made on data from logs transmitted by a plurality of components in a data network, including: at least one operation to correlate the events included in the logs generated by at least one component in a given time window, in order to deduce at least one stimulus from them; at least one operation to compare at least one deduced stimulus with a predefined stimulus; at least one deduction of an instruction to be sent to a component intended to modify its verbosity level in accordance with the result of the comparison and of the investigation scenario associated with the predefined stimulus.

    Description

    BRIEF DESCRIPTION OF THE FIGURES

    [0075] Other characteristics and advantages of the invention will be seen clearly on reading the detailed description below, with reference to the appended figures, which illustrate:

    [0076] FIG. 1: an attack identified by a control centre of a server according to the method of the invention;

    [0077] FIG. 2: a server with a plurality of components, the verbosity levels of the logs of which can be modified by means of the method of the invention;

    [0078] FIG. 3: an architecture containing agents able to collect logs generated by components through which it is possible to interface with a control centre;

    [0079] FIGS. 4A and 4B: the main steps of the method used to modify a verbosity level of a component, and to return it to normal,

    DESCRIPTION

    [0080] Definitions

    [0081] The components defined in the present description can be any entity enabling a set of functions to be performed. These maybe hardware components or application components. They may be a user workstation, a printer, a server, a switch, a router, a business application, a network application, an operating system, or alternatively a database, etc. The components can also be storage entities such as files or folders.

    [0082] Rights management includes levels of accreditations, levels of access to files and folders in the network, and levels of access to components.

    [0083] Introduction with FIG. 1

    [0084] FIG. 1 represents a server SERV hosting various applications, each of which defines a component. FIG. 1 illustrates the transmission of an event such as an attack Att.sub.1 made from a workstation 10, which may or may not be declared in the network. An attack may, for example, be an access to an unauthorised file or folder by workstation 10, or one which is not authorised by the rights of a user using workstation 10. Another attack may, for example, be a write command or command to extract data into a table of a database.

    [0085] The attack is generally targeted on a component. With reference to the above two examples, this may be an attack on a file manager or an operating system, or on a database.

    [0086] Each component settings whereby a verbosity level can be defined. The verbosity level defines the volume of logs generated by the component for events which are detected and sent to the control centre. When certain logs are generated relative to the events corresponding to attacks they can define a stimulus. According to the method of the invention stimulus may be determined or detected by a control centre SUPERV.

    [0087] Although a stimulus may be detected, it is possible that the verbosity level assigned to a component does not allow generation of all the logs required for a remote investigation of the attack, its type, and other data enabling a thorough diagnosis to be made.

    [0088] The method of the invention then enables a command noted MODIF(Nc) to be generated, the purpose of which is to modify the verbosity level of the component which has been attacked in order that a larger volume of logs may be generated for the purpose of improved diagnosis.

    [0089] Verbosity Levels

    [0090] FIG. 2 represents a server SERV including, for example, three components noted C.sub.1, C.sub.2 and C.sub.3. The components can be, for example an antivirus program C.sub.1, an operating system C.sub.2 and a database C.sub.3. Each component C.sub.1, C.sub.2 and C.sub.3 includes settings defining a verbosity level of the component. FIG. 2 represents, as an example, various verbosity levels N.sub.C1(1), N.sub.C1(2), N.sub.C2(1), N.sub.C2(2), N.sub.C31(1), N.sub.C31(2), N.sub.C32(1), N.sub.C32(2), relative to components C.sub.1, C.sub.2 and C.sub.3. The various verbosity levels of a component C.sub.p, where p is the component's index, are noted N.sub.Cp(i), where i is an integer between 1 and the maximum number of verbosity levels defined for a given component C.sub.p. The various verbosity levels existing in component C.sub.p can be defined by the supplier of the component, or by configuring the component in a given manner. They are often used to provide standardisation which can be implemented in different ways depending on the nature of the components.

    [0091] As an example, first component C.sub.1, which is an antivirus program, has 4 different verbosity levels: “Error”, “Warning”, “Informational” and “Debug”. They are generally defined in English-language terminology, and define increasing degrees of verbosity.

    [0092] As an example, verbosity level “Debug” means that all logs of all events which may occur within component C.sub.1 are reported. Level “Error” means that certain type of events, corresponding to identified errors which may occur, are reported. Thus, when the verbosity level of component C.sub.1 is at level “Warning”, some logs are generated by component C.sub.1, in particular logs for the more important type of event.

    [0093] When control centre SUPERV detects a stimulus indicating the occurrence of an attack or of abnormal actions in a component, a command is generated so as to change the verbosity level of component C.sub.1 to a higher verbosity level.

    [0094] According to one implementation of the invention, control centre SUPERV can also generate a command intended to modify the verbosity level of a set of components C.sub.1, C.sub.2 and C.sub.3 which are hosted, for example, on the same server SERV.

    [0095] FIG. 2 represents arrows shown at the verbosity level in question when commands to change verbosity level are generated by control centre SUPERV, including in particular: [0096] a change from a verbosity level of N.sub.C1(1) to degree N.sub.C1(2) of component C.sub.1; [0097] a change from a verbosity level of N.sub.C2(1) to degree N.sub.C2(2) of component C.sub.2; [0098] a change from a verbosity level of N.sub.C31(1) to degree N.sub.C31(2) of a part C.sub.31 of component C.sub.3; [0099] a change from a verbosity level of N.sub.C32(1) to degree N.sub.C32(2) of a part C.sub.32 of component C.sub.3.

    [0100] Sub-Components

    [0101] A component C.sub.p may indeed include an architecture defining sub-components (C.sub.pj).sub.je[1:Jmax], where j is an index referring to a sub-component of component C.sub.p, where the number of sub-components in a component C.sub.p is equal to J.sub.max. The sub-components are also called parts of a component. This architecture is particularly suitable, for example, for databases which include different tables. Each table can have different security levels which require independent configuration from one table to the next in respect of the verbosity levels of the sub-components.

    [0102] The method of the invention means that each sub-component may be considered to be a component, the verbosity level of which can be changed independently of the other sub-components of the same component.

    [0103] FIG. 3 represents, in particular, a control centre SUPERV, of components C.sub.1, C.sub.2, C.sub.1′, C.sub.2′ and C.sub.3′.

    [0104] A set of components may be hosted on the same hardware, such as a server, a router or any device connected to the network supervised by control centre SUPERV.

    [0105] Agents

    [0106] In order to collect the logs transmitted by the components of a given set, agents AC.sub.1, AC.sub.2 can be configured to centralise the logs transmitted by each component.

    [0107] As an example, FIG. 2 represents a server SERV containing a set of components. An agent can be hosted by this same server SERV, the function of which is to store the server's components and to collect the logs generated by each component.

    [0108] According to one implementation, illustrated in FIG. 3, control centre SUPERV includes a network interface 11 with each agent AC.sub.1, AC.sub.2 so as to collect the logs transmitted by each component. According to one implementation, each agent enables the logs to be identified with the components from which they are obtained, and the logs to be organised according to predefined criteria. According to one implementation an agent may include additional data in the logs generated by the tasks executed within each component, or perform correlation operations between logs to generate criticality indicators, which are themselves reported to control centre SUPERV in the form of logs.

    [0109] Alternatively, or in combination with the previous implementations, according to one implementation control centre SUPERV includes certain interfaces 11 with agents and other interfaces 12 directly with components, for example with a component C.sub.2, as illustrated in FIG. 3.

    [0110] According to various compatible cases of the invention, an implementation enables an agent to be defined in a component or a device hosting the component. A second implementation enables a remote agent to be defined, for example one dedicated to collecting logs from various components hosted on various devices. This may be the case when a component includes tasks which are distributed across the network on various devices.

    [0111] Generation of LOGs

    [0112] When a log is generated after a task has been executed there are various possible implementations to perform the method of the invention.

    [0113] According to a first implementation the logs are recorded in a file of the component or a file of the device hosting the component. In the latter case it is also said that the logs are sent to a remote file. In this case agent AC.sub.1 or AC.sub.2 or control centre SUPERV accesses the file to extract the logs recorded in it from it.

    [0114] According to another implementation the logs are sent to a remote agent hosted, for example, on a device other than the component generating the logs in question.

    [0115] The various implementations may be combined, for example when the network includes various components which are configured differently.

    [0116] Stimulus=1 LOG

    [0117] The method of the invention includes a step intended to identify a stimulus. This step may be performed by a component, an agent located on the same device as the component, or a remote agent, or alternatively directly by control centre SUPERV.

    [0118] According to a first implementation, a stimulus is the identification of a given log which has been generated by a given component, According to one example, control centre SUPERV receives a log from a given component or from a given agent where the log indicates that a given event has occurred in the component. Control centre SUPERV is able to identify this event, or to identify the log directly. In addition, control centre SUPERV identifies the component, the device hosting the component and, if applicable, the agent which collected the log. According to one implementation the control centre identifies a chain of different components. In this latter case a suspect event occurring in a component can allow an analysis of a set of components which may be affected by an anomaly or an attack. The method of the invention may then include a step intended to modify the verbosity level of a set of components.

    [0119] According to one implementation the control centre associates with each event a scenario for investigating the error, the attack or the anomaly relating to the reported event, The investigation scenario includes an analysis of a number of logs of the component, in order to identify a cause. When, in its investigation scenario, control centre SUPERV identifies the verbosity levels of the logs it requires to start its analysis these may lead it to deduce a necessary maximum verbosity level which must be changed in the component. When the verbosity level has been identified the control centre generates a command to modify the verbosity level of the component in question according to the method of the invention. The component's verbosity level is changed such that the logs required for the analysis are generated and sent to the control centre.

    [0120] Thus, depending on whether a given event does or does not occur, the method of the invention can modify the component's verbosity level dynamically.

    [0121] As an example according to one implementation, the control centre includes a database storing the types of event which may occur for a given component or a given agent, and associates with it a verbosity level which must be applied to the component if the event occurs.

    [0122] Stimulus=Result of a Correlation

    [0123] According to another implementation the stimulus is identified after operations to correlate logs which are generated. According to the envisaged implementation of the invention these correlation operations can be undertaken by: [0124] the component itself: the component then transmits an indicator to an agent or to the control centre giving the result of the correlation. The indicator can itself be included in a particular log. This result can then define a stimulus depending on its value; [0125] the agent which collects logs from different components: the agent can then correlate logs from a given component, or alternatively logs transmitted from various components, for example when a joint attack on various components occurs; [0126] the control centre: which collects all the logs, either sent directly by the components, or by intermediate agents, or alternatively by both.

    [0127] One advantage of detecting a stimulus from operations to correlate received logs is that it is possible to identify, for example, attacks over given time windows, or alternatively joint attacks on various network components.

    [0128] FIG. 3 shows various tasks T.sub.pk(LOG.sub.pk, N.sub.Lk) which may be executed within each component C.sub.p. Index “p” enables the component to be named, and the index “k” enables task undertaken in component C.sub.p to be designated.

    [0129] Each task T.sub.pk(LOG.sub.pk, N.sub.Lk) generates a log LOG.sub.pk. Logs LOG.sub.pk generated in this manner are sent after a step of detailed comparison below, when a local level N.sub.Lk of the task or log is higher than verbosity level N.sub.Cp of component C.sub.p.

    [0130] It will be understood that agents AC.sub.1 and AC.sub.2 collect only logs which have been sent by the components to which the agents are attached.

    [0131] According to one implementation, control centre SUPERV includes an inventory of predefined stimuli, where each stimulus is associated with a combination of events which may occur within a given component over a given time period.

    [0132] As an example, the writing of a value in a table of a database defines a first event, and a change to its configuration defines a second event, These two events, when they occur within the same given time period, by the same user, may match a predefined stimulus.

    [0133] Control centre SUPERV is able to detect these two events as a stimulus when logs have been sent.

    [0134] Main Steps of the Method

    [0135] FIG. 4A represents the main steps of the method of the invention when control centre SUPERV detects a stimulus.

    [0136] Component C.sub.p includes a set of tasks T.sub.pk(LOG.sub.pk, N.sub.Lk), where p refers to the component and k a task of component C.sub.p. For example, component C.sub.1 therefore includes tasks T.sub.1k(LOG.sub.1k, N.sub.Lk). Each task T.sub.1k contains the definition of at least one log LOG.sub.1k and one local level N.sub.Lk which is associated with it. When the tasks are executed, for example a task intended to open a given file, an associated log is then generated. Local level N.sub.Lk of task T.sub.1k or of associated log LOG.sub.1k is compared to the component's verbosity level, such that the log in question may or may not be sent to: [0137] an agent AC.sub.X, where “x” is the index referencing the agent, or; [0138] control centre SUPERV, or alternatively; [0139] a local file.

    [0140] The operation intended to compare the verbosity level of a given log LOG.sub.pk transmitted by a component C.sub.p and the verbosity level of associated component C.sub.p in order to decide whether or not to send a LOG is named COMP(N.sub.Lk, N.sub.Cp) in FIGS. 4A and 4B.

    [0141] The operation to generate a log LOG.sub.pk is named GEN(LOG.sub.pk) in FIGS. 4A and 4B. The operation to send a log LOG.sub.pk to a local file in order to record it, or an agent AC.sub.X, or alternatively control centre SUPERV, is named ENV(LOG.sub.pk) in FIGS. 4A and 4B.

    [0142] In the example of FIGS. 4A, 4B an agent collects the logs sent and generated by the tasks executed in each component. This collection of logs by the agent is named AC.sub.x(LOG.sub.pk), where x is the index referencing the agent in question.

    [0143] Using the collection of the logs of agent AC, Control centre SUPERV can identify stimuli: either spontaneously, if it receives a particular log, or by performing correlation operations between logs received over a time window, or by comparing logs transmitted from various components.

    [0144] The function which enables the stimulus to be detected is named DETECT STIMULI in FIGS. 4A and 4B.

    [0145] When a stimulus is detected the control centre is able to generate a new verbosity level which will be attributed to component C.sub.p. To accomplish this, as seen above, control centre SUPERV can associate an investigation scenario with an event relating to the detection of the stimulus. This association enables an appropriate verbosity level to be generated, in order to perform an analysis of the logs of the component in which the event has occurred.

    [0146] It is also possible for control centre SUPERV to modify verbosity levels of various components, in order to investigate the causes of the occurrence of one or more identified events.

    [0147] FIG. 4A includes an arrow 20 indicating that the verbosity level change function has been started by control centre SUPERV for component C.sub.p.

    [0148] In addition to the sequence of events of FIG. 4A, FIG. 4B represents steps taken after the change of verbosity level N.sub.Cp(1), having become N.sub.Cp(2), where N.sub.Cp(2)>N.sub.Cp(1) of component C.sub.p.

    [0149] After the verbosity level has been changed a larger number of logs is transmitted to control centre SUPERV, either directly or via the agent. As an example, log LOG.sub.pq associated with task T.sub.pq is then transmitted after the verbosity level of component Cp has been changed, whereas it had been filtered out before the change in this example. The number of logs is equal to the logs transmitted by tasks the logs of which have verbosity levels higher than the new verbosity level of component C.sub.p. Control centre SUPERV can then start an investigation step, called INVEST, to deduce from them the causes of the occurrence of the event(s) which occurred within component C.sub.p, by analysing the logs which have been reported.

    [0150] When this investigation INVEST is completed, either by an end action applied by control centre SUPERV, or after the elapse of a first time period T.sub.1, which may for example be predefined, then a new function to modify the verbosity level is started in order to return to default level N.sub.cp(1). In this example this action 21 is initiated by control centre SUPERV. According to another example it could be applied automatically by the component itself.

    [0151] According to one implementation of the invention, first given period T.sub.1 is equal to a time interval during which no threat from component C.sub.p has been identified by control centre SUPERV after the verbosity level of component C.sub.p changed.

    [0152] Performance Parameter

    [0153] According to one implementation, the control centre takes account of at least one performance parameter to generate a new verbosity level after detecting a stimulus. For example, when the network is small, typically with limited bandwidths, the value of the new verbosity level can be changed to prevent the bandwidth becoming congested by generating too many logs.

    [0154] According to this implementation, control centre SUPERV can execute a function taking into account an investigation scenario identified from a stimulus, and at least one performance parameter relating to a value of the component. For example, if the component is an application of a mobile terminal connected to the network via a small bandwidth the new verbosity level may remain unchanged compared to the component's current verbosity level, or it may be weighted in accordance with the performance parameter taken into account.

    [0155] Control centre SUPERV may include an inventory of the supervised components in the network, each of which is associated with at least one value relating to performance parameter, such as a value representing a bandwidth, for example. According to another example, the performance parameter is a performance value of the component. Typically, if the component uses many resources, control centre SUPERV may weight the value of the new verbosity level which will be attributed to a component so as not to affect adversely the performance of said component. The performance value may be defined, for example, by a number of events processed by the component over a predefined period.