In recent years, as computers have become more powerful and networks faster, the performance of information technology (IT) systems has improved. IT systems that process highly confidential information, such as personal information or information for in-company use only, are widely used. Troubles such as abnormal processes occurring in such IT systems, or unauthorized access to them, often cause serious problems that require prompt action.
Accordingly, various trouble monitoring technologies for promptly and accurately detecting troubles occurring in the IT systems have been proposed. For example, with one trouble monitoring technology, trouble message patterns that characterize troubles are extracted from logs of past troubles and stored. If a message pattern that matches a held trouble message pattern is detected during the operation of an IT system, the occurrence of a trouble is detected.
When this trouble detection technology is employed, however, noise is sometimes mixed into the extracted trouble message patterns, which degrades the detection accuracy of troubles. For example, if a trouble message, a system login message, and a trouble message occur in sequence, the normal message that occurs between the trouble messages is detected as part of the trouble message pattern. Accordingly, this trouble detection technology may in some cases create trouble message patterns that include unnecessary messages, thus reducing the detection accuracy of troubles.
Therefore, a method for preventing deterioration in detection accuracy has been proposed (see, for example, Japanese Laid-open Patent Publication No. 2006-318071). One proposed technology learns trouble message patterns through repeated learning using, for example, Bayesian estimation as indicated by Equation (1). Specifically, the probability that “trouble A” occurs when “event a” is output is calculated. By using Bayesian estimation, a trouble detection apparatus can determine the probability that a message output during system operation indicates a trouble.
$$
P_{ij}(H1 \mid Y) = \frac{P_{ij}(H1)\, P_{ij}(Y \mid H1)}{P_{ij}(H1)\, P_{ij}(Y \mid H1) + P_{ij}(H2)\, P_{ij}(Y \mid H2)} \tag{1}
$$
For example, as illustrated in FIG. 19, when the “event a” is output, suppose that the probability of it being the “trouble A” is Pij(H1|Y) and the probability of it not being the “trouble A” is Pij(H1|N). If another “event a” is output subsequently, Pij(H1|Y) and Pij(H1|N) are updated using Pij(H1), which is a prior probability. By this procedure, every time the “event a” is output, the probability of it being the “trouble A” and the probability of it not being the “trouble A” can be updated. As a result, messages other than those that definitely occur during the trouble can be excluded from the trouble message patterns, and it is possible to more accurately detect troubles using the trouble message patterns.
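The repeated update of Equation (1) can be traced on a small constructed log set; the following Python sketch is an added example, not taken from the cited publication. The likelihood values, the threshold, the message names, and the assumption that H2 is the complement of H1 (so P(H2) = 1 - P(H1), and P(N|H) = 1 - P(Y|H)) are all illustrative assumptions.

```python
# Added example: repeated Bayesian update of Equation (1) per candidate message.
# H1 = "message belongs to trouble A", H2 = "it does not" (assumed complement).
# Likelihoods, threshold and log data are constructed assumptions.

P_Y_GIVEN_H1 = 0.9   # assumed: a genuine trouble message shows up in an incident
P_Y_GIVEN_H2 = 0.3   # assumed: an unrelated message shows up there by chance
THRESHOLD = 0.7      # assumed cut-off for keeping a message in the pattern


def update(prior, observed):
    """Apply Equation (1) once; observed=False uses P(N|H) = 1 - P(Y|H)."""
    l1 = P_Y_GIVEN_H1 if observed else 1.0 - P_Y_GIVEN_H1
    l2 = P_Y_GIVEN_H2 if observed else 1.0 - P_Y_GIVEN_H2
    return prior * l1 / (prior * l1 + (1.0 - prior) * l2)


def learn(incidents, prior=0.5):
    """Return {message: posterior} after folding in each past incident in turn."""
    candidates = sorted(set().union(*incidents))
    post = {m: prior for m in candidates}
    for seen in incidents:
        for m in candidates:
            # The posterior from the previous incident becomes the new prior.
            post[m] = update(post[m], m in seen)
    return post


def pattern(post):
    """Messages whose learned probability is high enough to keep."""
    return sorted(m for m, p in post.items() if p >= THRESHOLD)


# Constructed logs of four past occurrences of "trouble A".
INCIDENTS = [
    {"disk I/O error", "user login", "fs remounted read-only"},
    {"disk I/O error", "fs remounted read-only"},
    {"disk I/O error"},
    {"disk I/O error", "fs remounted read-only"},
]

if __name__ == "__main__":
    for n in range(1, len(INCIDENTS) + 1):
        post = learn(INCIDENTS[:n])
        print(n, pattern(post), {m: round(p, 3) for m, p in post.items()})
```

After the first incident the login message is still in the pattern; it only drops out once later occurrences of the same trouble have been folded in.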
However, with the conventional technology described above, there is a problem in that a lot of time is required to create the trouble message patterns which would realize highly accurate trouble detection. Specifically, with the method of calculating the probability of the trouble message patterns using the Bayesian estimation, because the probability is learned using a message obtained when exactly the same trouble occurred in the past, exactly the same troubles need to occur and messages that are output at that time need to be collected. Accordingly, because trouble message patterns of troubles that occur less frequently, for example, once a month, can only be collected once a month, the probability thereof can also only be collected once a month. Therefore, a lot of time is required to improve the accuracy of the probability for all of the possible trouble message patterns.