With the development of networks such as the Internet and of wireless communication technology, wired and wireless communications are used more and more widely.
Recently, however, new problems such as frequent malicious traffic, e.g., denial-of-service (DoS) attacks on networks, are on the rise. A denial-of-service attack is a malicious attack that makes a machine connected to the network, or one of its resources, unavailable for its intended use by disrupting its services. The means, motivations, and targets vary, but such attacks generally cause websites or services to be temporarily or indefinitely disrupted or suspended. Furthermore, since distributed DoS (DDoS) attacks, which make services unavailable by placing several computers in a distributed manner so that they attack simultaneously, also occur frequently, it is necessary to be prepared for such attacks.
To detect such attacks or abnormal behaviors and protect systems from them, a variety of methods have been applied to conventional log collecting and analyzing systems. It is important for a log collecting and analyzing system to detect events rapidly and notify users (real-timeness), but it is equally important for it to detect and notify accurately (accuracy). In practice, a trade-off is made between the two.
In other words, conventionally, for real-timeness, logs are distributed to a module with multiple clustered nodes. In this case, it can be difficult to find the desired events accurately, because events are detected by simple character-string matching or by simply applying a threshold (i.e., if the number of logs of the same kind exceeds the threshold, those logs are determined to be an event). In addition, this method can make control difficult because the same type of event is generated continuously. For example, if tens or hundreds of events regarding the same attack behavior, repeated more than 1,000 times, are each notified individually, the controlling users will find it difficult to identify the attack behavior.
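The following is an added illustration, not code from the patent: it implements the conventional in-memory detection the paragraph describes (a character-string match plus a count threshold inside a sliding time window) over a constructed log stream, and shows the notification flood that results when every matching log past the threshold is notified individually, beside a per-source aggregation that notifies once per window with a count instead. The rule name, pattern, threshold, window length, IP addresses and log lines are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# Assumed rule in the conventional style: a string (regex) match plus a count
# threshold within a time window. Timestamps are integer milliseconds.
RULES = {
    "syn_flood": {
        "pattern": re.compile(r"TCP SYN .* flags=S\b"),
        "threshold": 100,      # matching logs per source needed to raise an event
        "window_ms": 10_000,   # sliding window length
    },
}


def constructed_logs():
    """Constructed sample stream of (timestamp_ms, source_ip, message).

    1,200 SYN records from one source spread over 12 seconds (one every 10 ms),
    plus two benign lines from other sources. Not real traffic.
    """
    logs = [(i * 10, "203.0.113.7",
             "TCP SYN 203.0.113.7:4444 -> 192.0.2.10:80 flags=S")
            for i in range(1200)]
    logs.append((5_000, "198.51.100.2", "HTTP GET /index.html 200"))
    logs.append((6_000, "198.51.100.3",
                 "TCP SYN 198.51.100.3:5000 -> 192.0.2.10:443 flags=S"))
    return sorted(logs)


class ThresholdDetector:
    """In-memory sliding-window counter keyed by (rule, source).

    aggregate=False: notify on every log that keeps the count at or above the
                     threshold (the flood of same-type events the text describes).
    aggregate=True:  notify once per (rule, source) per window and carry the
                     count, so an operator sees one event instead of hundreds.
    """

    def __init__(self, rules, aggregate):
        self.rules = rules
        self.aggregate = aggregate
        self.windows = defaultdict(deque)   # (rule, src) -> timestamps in window
        self.suppressed_until = {}          # (rule, src) -> ms until next notify

    def feed(self, ts, src, msg):
        """Process one log record; return the notifications it produced."""
        out = []
        for name, rule in self.rules.items():
            if not rule["pattern"].search(msg):
                continue
            key = (name, src)
            q = self.windows[key]
            q.append(ts)
            # Evict timestamps that fell out of the sliding window.
            while q and q[0] < ts - rule["window_ms"]:
                q.popleft()
            if len(q) < rule["threshold"]:
                continue
            note = {"rule": name, "src": src, "count": len(q), "at_ms": ts}
            if not self.aggregate:
                out.append(note)
                continue
            until = self.suppressed_until.get(key)
            if until is None or ts >= until:
                out.append(note)
                self.suppressed_until[key] = ts + rule["window_ms"]
        return out


def run(logs, aggregate):
    """Feed a whole log stream through a detector and collect notifications."""
    det = ThresholdDetector(RULES, aggregate)
    notes = []
    for ts, src, msg in logs:
        notes.extend(det.feed(ts, src, msg))
    return notes


if __name__ == "__main__":
    logs = constructed_logs()
    flood = run(logs, aggregate=False)
    agg = run(logs, aggregate=True)
    print(f"per-log notifications: {len(flood)}")      # 1101
    print(f"aggregated notifications: {len(agg)}")     # 2
    for n in agg:
        print(n)
```

Running it shows the two failure modes side by side: the same 1,200-record burst from one source yields 1,101 individual notifications under per-log matching but only two aggregated ones (one per 10-second window, each carrying the count), while the single benign SYN from another source never crosses the threshold. The aggregation is what a practitioner adds to make threshold events controllable; it does not by itself improve the accuracy of the underlying string-and-threshold rule.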
In contrast, for accuracy, conventionally, log data is saved in a batch to non-temporary storage media (e.g., a disk drive) and then searched (a batch process), in which case fast detection of an event can be difficult because the process inherently introduces a structural delay. Accordingly, an event detection technique that provides accuracy together with real-timeness is required.
The inventor proposes a method for detecting an event from memory, using seven event detection options so as to detect the event effectively and efficiently, instead of storing the log data in non-temporary storage media (such as a disk) when the cluster node that handles the log data first receives it and then searching the stored data, together with a system using the method.