1. Field of the Invention
The present invention relates to a multiple computer system comprising active computers and standby computers connected via a network, and more particularly to the continuation of services in a case where the active computers are disconnected from the Internet due to illegal access.
2. Description of the Prior Art
There are increasing businesses outsourcing their operations of an intra-enterprise information system and corporation Web page management to ASPs (application service providers) to reduce information management costs. The ASPs, in most cases, further outsource the operation management of their computer resources to data centers. Outsourcing models are broadly classified into housing and hosting. In the housing model, computers are owned by users and the data center agencies provide space for installing the computers, including utilities such as power, air conditioning, and connection to the Internet. Although the users themselves generally operate and manage the computers, some agencies provide security monitoring. On the other hand, in the hosting model, agencies provide computers in addition to the above-described computer installation and operating environments, and support computer operation and management, security monitoring, and the like. A shared hosting model is also available in which one computer is shared by tens or hundreds of users.
By the models, computers within a data center, which are connected with the Internet to provide a variety of services, are under the risk of illegal access. Particularly, protection and measures are important against virus contamination and attack on the OS (operating system) and applications. Once virus contamination or illegal invasion has occurred, a large number of users might be damaged, and other external computer resources might also be damaged through the Internet. Therefore, if illegal invasion is detected, it is desired that a concerned computer is to be immediately disconnected from the Internet. By disconnecting the computer from the Internet, a trace of the illegal access can be maintained within the computer thereby helping to locate illegal access routes and means and preventing any reoccurrence. Software for checking for illegal access, particularly contents manipulation of Web pages and the like (proceeding of the 2nd ACM Conference on Computer and Communications Security, “The Design and Implementation of Tripwire: A File System Integrity Checker”), such as the software programs sold under the trademark TRIPWIRE®, is available. TRIPWIRE® programs put status of directories and files of a computer into a database in advance at a reliable point, and detects file additions, changes, and deletions by consulting the database. If illegal access occurs, the changed portions can be located and recovery operation can be performed according to information of the changed portions.
If a file manipulation is detected and a computer is disconnected from the Internet, services to users having used the computer are stopped. In the case of the shared hosting model, this will exert a great influence because services to all users having used the computer are stopped. Also, it creates a problem that some users become unable to use other files because of manipulations of specific files. In such a case, if a system is dually configured by active computers and standby computers, even if services of the active computers are stopped, the services can be continued by the standby computers.
Methods for configuring dual systems include a method for copying data of active computers to standby computers in real time, and a method of periodically backing up data of active computers to backup apparatuses. In the case of the former, since manipulated files are also copied, services cannot be continued in the standby computers, and a large space to install the computers and high costs are required. On the other hand, in the case of the latter, costs can be reduced by assigning one backup apparatus to plural active computers. If a time interval of backup operations is sufficiently long, files backed up can be subjected to manipulation checks for the duration of the interval such that file validity can be guaranteed upon restoration from the backup. However, since backup operation puts a high load on computers and networks, it cannot be performed frequently, usually about once a day. Consequently, since the contents of files restored from the backup apparatuses are often out of date, there is also a problem in service continuation by use of the restored files.