The present invention relates generally to the field of distributed computer systems and more particularly to auditing of correlated events within the distributed system.
Distributed computer systems, such as various types of computer networks, enable different users to access applications and/or content specific to their uses and, in some cases, limit the user's access based on the user's authority or permission. For example, web based applications provide users access to a variety of resources. Many of these applications have access control restrictions and/or enforce security policies to prevent unauthorized actions. That is, a web based application may impose restrictions to prevent users from performing actions or accessing content for which that user is not authorized.
In a typical distributed environment, many different servers may be used and each server may include any number of applications, each application providing access to and managing a variety of resources. In such a distributed environment, these applications and servers are not integrated in the sense that they do not share information regarding user activities. These applications may share information and access to resources but otherwise do not track which users are performing what kinds of actions with which resources. That is, other than the resources that a particular application manages, it is unaware of what a user may be doing or attempting to do with other resources managed by other applications, which may be on different servers.
This can make distributed systems vulnerable to different types of attacks by hackers, crackers, and other assorted miscreants with ill intentions or nothing better to do. More specifically, since the applications and servers of a distributed system are loosely integrated or not integrated at all, such systems can be vulnerable to distributed types of attacks that seek to exploit the fact that the applications managing the various resources are largely unaware of each other. For example, a distributed attack may attempt to gain unauthorized access to one system, then another, or may attempt to access multiple systems simultaneously.
Additionally, unintentional unauthorized use of resources may go unnoticed. That is, due to some flaw in the management processes of one application or system, a user may unintentionally gain access to a resource that he is not authorized or does not have permission to access. While not malicious, such unauthorized access can still present problems.
Unauthorized access of resources, whether intentional or unintentional, is difficult to detect and prevent or correct in a distributed system. Attempts to detect and correct such unauthorized access of resources in a distributed system involve monitoring user and application logs for the various servers in the system. However, since such logs are maintained individually by the servers and applications, such a method would involve first collecting the logs from the individual systems and then analyzing them. Since the systems are independent, there is no way to correlate events or even users between the systems. While events may be correlated based on a timestamp associated with each log entry, there is no way of assuring that the clocks of the individual systems are synchronized. Therefore, such methods are not only very inefficient and highly labor intensive, but frequently ineffective, and they cannot be performed in real time because of the difficulty in correlating the events from the different logs.
Hence, there is a need for methods and systems that allow for auditing of events in a distributed system.
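The clock-synchronization problem described above, as an added illustration that is not part of the original document: two constructed server logs are merged by timestamp alone, and an assumed 90-second skew on one server's clock reverses the real order of events, so a legitimate write appears to occur after the user's logout. The log format, user name, resources and skew value are all constructed for this example.

```python
"""Why merging per-server logs by timestamp alone is unreliable for
cross-server audit when the servers' clocks are not synchronized.
All sample data below is constructed; it is not from the original document."""
from datetime import datetime, timedelta

# Constructed log lines from two independent servers, each recorded in that
# server's own local clock. Format: "<ISO timestamp> <user> <action> <resource>".
SERVER_A_LOG = [
    "2024-03-01T10:00:00 alice READ /payroll/q1.xlsx",
    "2024-03-01T10:00:20 alice LOGOUT -",
]
SERVER_B_LOG = [
    "2024-03-01T10:00:05 alice LOGIN -",
    "2024-03-01T10:00:30 alice WRITE /payroll/q1.xlsx",
]
# Assumed ground truth for this example: server B's clock runs 90 seconds fast.
# In practice this offset is unknown to the auditor, which is the whole problem.
SERVER_B_SKEW = timedelta(seconds=90)


def parse(line, source):
    """Turn one log line into an event dict tagged with its originating server."""
    ts, user, action, resource = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "resource": resource, "source": source}


def merge_by_timestamp(log_a, log_b):
    """Naive correlation: trust each server's timestamps and sort the union."""
    events = [parse(l, "A") for l in log_a] + [parse(l, "B") for l in log_b]
    return sorted(events, key=lambda e: e["ts"])


def true_order(log_a, log_b, skew_b):
    """Reference ordering, computable only because the skew is assumed known."""
    events = [parse(l, "A") for l in log_a]
    for l in log_b:
        e = parse(l, "B")
        e["ts"] -= skew_b          # convert server B's clock to true time
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def action_sequence(events):
    return [(e["source"], e["action"]) for e in events]


def actions_after_logout(events):
    """Audit rule: flag any action by a user after that user's LOGOUT.
    On skewed clocks the naive merge yields a false positive here."""
    logged_out, flagged = set(), []
    for e in events:
        if e["action"] == "LOGOUT":
            logged_out.add(e["user"])
        elif e["user"] in logged_out:
            flagged.append((e["source"], e["action"], e["resource"]))
    return flagged
```

With the skew applied, the same audit rule flags nothing, which is the point: without a shared, trustworthy ordering the per-server logs cannot be correlated reliably.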