1. Field of the Invention
The present invention relates to an abnormality detection system, an abnormality management apparatus, an abnormality management method, a probe and a program with which an abnormality occurring in a network is managed.
2. Description of the Related Art
Today it is crucial to successfully avert trouble and disconnection in a network such as the Internet where an enormous volume of information is distributed in heavy transmission traffic. Trouble occurring in such a network includes problems caused by human interference such as a worm, as well as problems attributable to the network itself or problems occurring in electronic devices connected in the network.
The related art discloses technologies for detecting abnormalities occurring in a network as follows: a management apparatus that manages the network devices gathers the MIBs (management information bases), each constituted of information obtained at an individual network device and provided to an outside apparatus to inform it of the status of that device; a characteristic value representing each network device is calculated based upon the average value, the maximum value or the minimum value indicated in the MIB; and a manager is notified if the calculated characteristic value manifests a significant deviation.
There are also technologies disclosed in the related art whereby the traffic flow at a given point in the network is analyzed and a warning is issued if a problem occurs in the network or a site by monitoring the utilization of specific applications, i.e., the users of the applications and the frequency of use of the applications.
In MIB-based abnormality detection, all the data obtained in the MIBs are gathered at the management apparatus and the average value is calculated from the individual values indicated in the data, so the analysis rests on the average value and is ambiguous. For instance, if the information traffic on the Internet is analyzed through a standard sampling method, erroneous detections are bound to occur frequently, since the volume of data processed is constantly changing; the adoption of the standard sampling method in such an application is therefore likely to prove problematic in practical use.
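The MIB-based scheme of the related art, and the false alarms it produces when the traffic volume drifts, as an added illustration that is not the patent's own implementation: the counter readings are constructed, and the adaptive baseline shown for contrast is an assumed alternative, not a method described on this page.

```python
# Added illustration of the MIB-based deviation check described above; it is not the
# patent's own implementation. Counter readings below are constructed, not captured.
from statistics import mean, pstdev

# Constructed polls of an interface octet counter (ifInOctets-style delta per interval).
# LEARNING is a quiet period used to derive the characteristic value; LIVE is a
# legitimate, steadily growing load with one genuine burst (5000) at index 9.
LEARNING = [980, 1020, 990, 1010, 980, 1020, 990, 1010]
LIVE = [1020, 1040, 1060, 1080, 1100, 1120, 1140, 1160, 1180, 5000, 1220, 1240]


def fixed_baseline(samples, k=3.0):
    """Related-art style: the characteristic value is the average of the gathered
    MIB values, with a spread learned once; later readings are judged against it."""
    return mean(samples), (pstdev(samples) or 1.0), k


def is_deviation(baseline, value):
    mu, sigma, k = baseline
    return abs(value - mu) > k * sigma


def run_fixed(learning, live):
    """Indices of LIVE the fixed-average detector reports as abnormal. A gradual rise
    in volume pushes every later reading past the stale threshold: frequent false alarms."""
    baseline = fixed_baseline(learning)
    return [i for i, v in enumerate(live) if is_deviation(baseline, v)]


def run_adaptive(learning, live, alpha=0.3, k=3.0):
    """Assumed alternative (not from the page): mean and variance are tracked with an
    exponentially weighted update, so drift is absorbed while an abrupt burst still
    stands out. Flagged readings are excluded from the update to avoid poisoning."""
    mu = mean(learning)
    var = pstdev(learning) ** 2 or 1.0
    flagged = []
    for i, v in enumerate(live):
        diff = v - mu
        if abs(diff) > k * var ** 0.5:
            flagged.append(i)
            continue
        mu += alpha * diff
        var = (1 - alpha) * (var + alpha * diff * diff)
    return flagged


if __name__ == "__main__":
    print("fixed baseline flags:   ", run_fixed(LEARNING, LIVE))     # indices 2..11
    print("adaptive baseline flags:", run_adaptive(LEARNING, LIVE))  # [9]
```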
In addition, in the network traffic monitoring method mentioned above, packets in the traffic are first analyzed at the flow level, and then the applications, or the users of the individual applications, are identified. This necessitates an analysis of the payload portion of each packet, which carries the data, and that analysis is bound to significantly increase the load on the computer. Furthermore, an illegal (malformed) packet crafted to trigger a bug in the program that analyzes the payload portion may induce an erroneous operation during abnormality detection processing.