Recent information systems have been configured by combining thousands to tens of thousands of information processors. Thus, maintenance and operation thereof is a big business challenge. Meanwhile, various types of computer viruses have been newly discovered. This causes unauthorized network traffic in some cases. In such cases, services must be shut down. To avoid such a situation, a conventional technique uses any resident agent software component for monitoring information processors' operations to analyze an operation state of each information processor.
However, in recent information systems that provide services using many information processors in combination, it is necessary to know how the plural information processors cooperate with one another as well as manage the individual information processors. If the individual information processors are provided with the resident agent software component to realize the above, there is a possibility that the information system cannot operate normally due to a processing load of the agent software component itself and a load of processing for collecting monitoring results from the agent software.
Existing techniques of analyzing an information system state without preventing an information system from operating normally are listed below as a cited technique (see Patent Documents 1 to 4, and Non-Patent Documents 1 to 5, infra). The techniques of Non-Patent Documents 2 and 3 involve installing an agent software component into a communication device such as a router or a network switch to monitor communication traffic or the like. According to these techniques, it is not necessary to install the agent software component into each information processor. However, the following problem occurs. That is, settings of the existing communication device should be changed or the processing load of the communication device increases (see Non-Patent Document 4).
In contrast, Non-Patent Document 1 proposes a technique of reducing a processing load of the communication device in combination with a sampling system. Non-Patent Document 5 proposes a method of extracting a replicated data of communication packets from a switching hub to minimize the load of the communication device. Further, as a cited technique, Patent Document 3 proposes a method of collecting communication packets by use of a software component. Patent Document 4 proposes a method of reducing a load of an information processor when the processor collects communication packets. Further, Patent Documents 1 and 2 propose a technique of analyzing data about collected communication packets and uses the analysis result for monitoring an information system. Further, a system for capturing communication packets sent on a network to analyze a pattern of each packet to detect threats to the information system has been developed.
[Patent Document 1] Japanese Unexamined Patent Application Publication No. 7-321783
[Patent Document 2] Japanese Unexamined Patent Application Publication No. 2002-261799
[Patent Document 3] Japanese Unexamined Patent Application Publication No. 2003-87255
[Patent Document 4] Japanese Unexamined Patent Application Publication No. 2003-23464
[Non-Patent Document 1] K. C. Claffy, G. C. Polyzos, and H-W Braun, Application of Sampling Methodologies to Network Traffic Characterisation. In Proceedings of ACM SIGCOMM'93, San Francisco, Calif., September 1993. (p 65)
[Non-Patent Document 2] RFC 3176 InMon Corporation's Flow: A Method for Monitoring Traffic In Switched and Routed Networks
[Non-Patent Document 3] RFC 3957 Cisco Systems NetFlow Services Export Version 9
[Non-Patent Document 4] Cisco Systems Performance Analysis based on WhitePaper NetFlow
[Non-Patent Document 4] Cisco Systems Document-Id 10570 Configuring the Catalyst Switched Port Analyzer (SPAN) Feature P24
However, there are various threats to an information system such as infection with computer virus to each information processor or a failure in hardware component of each information processor in addition to threats from the outside. Therefore, ex-post detection of threats from the outside is no longer sufficient. It is desirable to take a countermeasure on the assumption that an abnormality such as a failure or attack occurs before the occurrence of the abnormality. In particular, in recent information systems that provide services using many information processors in combination, it is necessary to know how the plural information processors cooperate with one another as well as manage the individual information processors.
Consider that any information processor is inoperable, for example. If the number of other information processors linked with the processor or the number of users of the processor are grasped, these pieces of information can be used for improving the system configuration or the like. However, in most large-scale information systems, correspondence among the information processors cannot be correctly grasped even by a system administrator. In particular, in the case the configuration is frequency changed along with change in business environment or development in information technology, it is difficult to keep up with the configuration change. None of the above cited techniques correctly grasp the current configuration or configuration change.