Abstract: A system such as a Web-based system in which a plurality of computers interact with each other is monitored to detect online an anomaly. Transactions of a service provided by each of a plurality of computers to another computer are collected, a matrix of correlations between nodes in the system is calculated from the transactions, and a feature vector representing anode activity balance is obtained from the matrix. The feature vector is monitored using a probability model to detect a transition to an anomalous state.

Abstract: Provides an analysis system for analyzing dependencies among server programs in a computer system, comprising: a transaction detection unit for detecting transactions that is processing of a service which each of the plurality of server programs performs by being called from any other server program; a child transaction candidate detection unit for detecting candidates for a child transaction of each detected transaction, the child transaction being called in the transaction concerned; and a calling frequency calculation unit for outputting service calling frequencies obtained by estimating a frequency at which each server program allows each of the other server programs to perform a service by calling the other program, the estimation being made based on the service detected in association with each transaction and on a service detected in association with the candidate for the child transaction of the transaction.

Abstract: A system such as a Web-based system in which a plurality of computers interact with each other is monitored to detect online an anomaly. Transactions of a service provided by each of a plurality of computers to another computer are collected, a matrix of correlations between nodes in the system is calculated from the transactions, and a feature vector representing anode activity balance is obtained from the matrix. The feature vector is monitored using a probability model to detect a transition to an anomalous state.

Abstract: Systems, apparatus and methods to monitor communications conducted via a host computer placed under the management of security measures such as firewalls or routers' filtering capabilities. A communications monitoring system which includes a packet input means for connecting to predetermined points on a network via a network interface and receiving communications packets flowing at the points; and matching means for performing real-time matching between two packet streams composed of received communications packets each time a communications packet is received. If the two packet streams are highly similar, it is highly likely that an attack or intrusion is being made and an alert is issued.

Abstract: A system such as a Web-based system in which a plurality of computers interact with each other is monitored to detect online an anomaly. Transactions of a service provided by each of a plurality of computers to another computer are collected, a matrix of correlations between nodes in the system is calculated from the transactions, and a feature vector representing a node activity balance is obtained from the matrix. The feature vector is monitored using a probability model to detect a transition to an anomalous state.

Abstract: A transmitter router search apparatus 26 transmits an inspection IP packet to an inspection target network connection apparatus via an intranet 10. The source and destination IP addresses of the inspection IP packet are designated respectively as the IP addresses of a recipient router search apparatus 28 and the inspection target network connection apparatus. A TCP packet, including predetermined ID information, is included in the data portion. The inspection target network connection apparatus generates an IP packet corresponding to the received inspection IP packet. Since the transmission source and destination of the response IP packet are respectively designated the transmission destination and source of the inspection IP packet, the recipient router search apparatus 28 receives the response IP packet via the Internet 19, so long as the inspection target network connection apparatus is a router.

Abstract: Log data for a packet that is exchanged across a network are recorded in a log box. At this time, the data size of the packet and the detection time are recorded. When an illegal access has occurred at a target computer, the tracing of an access chain is performed on the log information. The tracing of the access chain is performed as follows. A change in the size of the data in a packet in accordance with the time of the first connection, and a change in the size of the data in a packet in accordance with the time of the second connection are calculated using the log data, and then the shapes of the graphs formed by these packet series are compared. When the shapes of the graphs are similar, it is ascertained that the pertinent connections are included in the same chain.

Abstract: A memory device is provided that is used by a computer system and that has a memory pattern obtained after a function is called when the computer system executes a program, the memory pattern comprising: a return address storage area for storing a return address 230 for the source of a call for the execution of a currently active function; a previous frame pointer storage area for storing a previous frame pointer 220 to the calling source for the execution of a currently active function; and a local variable storage area to be located below the return address storage area 230 and the previous frame pointer storage area 22, wherein when a data array 211 is stored in the local variable area, a guard variable 212 is stored in a location preceding the data array 211, and wherein the guard variable is used as a target to confirm whether the return address has been destroyed.

Abstract: A system such as a Web-based system in which a plurality of computers interact with each other is monitored to detect online an anomaly. Transactions of a service provided by each of a plurality of computers to another computer are collected, a matrix of correlations between nodes in the system is calculated from the transactions, and a feature vector representing anode activity balance is obtained from the matrix. The feature vector is monitored using a probability model to detect a transition to an anomalous state.

Abstract: Provides an analysis system for analyzing dependencies among server programs in a computer system, comprising: a transaction detection unit for detecting transactions that is processing of a service which each of the plurality of server programs performs by being called from any other server program; a child transaction candidate detection unit for detecting candidates for a child transaction of each detected transaction, the child transaction being called in the transaction concerned; and a calling frequency calculation unit for outputting service calling frequencies obtained by estimating a frequency at which each server program allows each of the other server programs to perform a service by calling the other program, the estimation being made based on the service detected in association with each transaction and on a service detected in association with the candidate for the child transaction of the transaction.

Abstract: Systems, apparatus and methods to monitor communications conducted via a host computer placed under the management of security measures such as firewalls or routers' filtering capabilities. A communications monitoring system which includes a packet input means for connecting to predetermined points on a network via a network interface and receiving communications packets flowing at the points; and matching means for performing real-time matching between two packet streams composed of received communications packets each time a communications packet is received. If the two packet streams are highly similar, it is highly likely that an attack or intrusion is being made and an alert is issued.

Abstract: A transmitter router search apparatus 26 transmits an inspection IP packet to an inspection target network connection apparatus via an intranet 10. The source and destination IP addresses of the inspection IP packet are designated respectively as the IP addresses of a recipient router search apparatus 28 and the inspection target network connection apparatus. A TCP packet, including predetermined ID information, is included in the data portion. The inspection target network connection apparatus generates an IP packet corresponding to the received inspection IP packet. Since the transmission source and destination of the response IP packet are respectively designated the transmission destination and source of the inspection IP packet, the recipient router search apparatus 28 receives the response IP packet via the Internet 19, so long as the inspection target network connection apparatus is a router.

Abstract: Log data for a packet that is exchanged across a network are recorded in a log box. At this time, the data size of the packet and the detection time are recorded. When an illegal access has occurred at a target computer, the tracing of an access chain is performed on the log information. The tracing of the access chain is performed as follows. A change in the size of the data in a packet in accordance with the time of the first connection, and a change in the size of the data in a packet in accordance with the time of the second connection are calculated using the log data, and then the shapes of the graphs formed by these packet series are compared. When the shapes of the graphs are similar, it is ascertained that the pertinent connections are included in the same chain.

Abstract: A memory device is provided that is used by a computer system and that has a memory pattern obtained after a function is called when the computer system executes a program, the memory pattern comprising: a return address storage area for storing a return address 230 for the source of a call for the execution of a currently active function; a previous frame pointer storage area for storing a previous frame pointer 220 to the calling source for the execution of a currently active function; and a local variable storage area to be located below the return address storage area 230 and the previous frame pointer storage area 22, wherein when a data array 211 is stored in the local variable area, a guard variable 212 is stored in a location preceding the data array 211, and wherein the guard variable is used as a target to confirm whether the return address has been destroyed.

Abstract: A method and apparatus for transforming a topological wire route to a physical wire route is described where the topological wire is a connected route having only a topological position determined with respect to terminals or obstacles. A topological wire is first selected and then obstacles which sight the selected wire are identified. A fan with a radius that is a predetermined number times a minimum space is then set to the identified obstacle as a forbidden region. A minimum space must be left between the selected wire and the identified obstacle. Finally, a shortest route is detected so that it does not pass through the forbidden region, and the route of the physical wire on the board is determined with the shortest route.

Abstract: A plane is segmented into a plurality of regions whose vertexes are points which include the terminals, and a route search graph is generated. The route search graph expresses a connection relationship between the plurality of regions. A line connecting two objects in a shortest distance is recorded as a critical cut together with a width of wires that can go through the critical cut, the two objects including the terminals. A corresponding relationship relative to the critical cut and, when necessary, position information relative to the critical cut are recorded in edges of one of the plurality of regions related to the critical cut and in a necessary terminal.

Abstract: A plane is segmented into a plurality of regions whose vertexes are points which include the terminals, and a route search graph is generated. The route search graph expresses a connection relationship between the plurality of regions. A line connecting two objects in a shortest distance is recorded as a critical cut together with a width of wires that can go through the critical cut, the two objects including the terminals. A corresponding relationship relative to the critical cut and, when necessary, position information relative to the critical cut are recorded in edges of one of the plurality of regions related to the critical cut and in a necessary terminal.

Abstract: There is used a disk medium in which tracks are divided into a plurality of zones in the radial direction and information is read and written with a constant linear density by using a clock signal of a different frequency every zone. A drive unit forms a dead space corresponding to at least one track at a zone boundary of the disk medium and reads or writes the information. In the case where it is judged that the head passes through the zone boundary by the seeking operation to the cylinder address position instructed from an upper apparatus, the cylinder address instructed from the upper apparatus is corrected on the basis of the number of boundary passing times and the seeking operation is performed.

Abstract: There is used a disk medium in which tracks are divided into a plurality of zones in the radial direction and information is read and written with a constant linear density by using a clock signal of a different frequency every zone. A drive unit forms a dead space corresponding to at least one track at a zone boundary of the disk medium and reads or writes the information. In the case where it is judged that the head passes through the zone boundary by the seeking operation to the cylinder address position instructed from an upper apparatus, the cylinder address instructed from the upper apparatus is corrected on the basis of the number of boundary passing times and the seeking operation is performed.

Abstract: It is aimed to solve numerical planning problems in a manner better reflecting planner's intention. Variables of a numerical planning problem are displayed as graphical objects on a display unit, guidance constraints are added to corresponding variables by manipulating graphics objects through a mouse, and corresponding variable values are modified through manipulation to the graphics objects. The planner can confirm guidance constraints set to the graphics objects by color display. New solution is obtained under constraints oriented to the problem and guidance constraints by the operations research procedure using the distance from a preceding solution as an objective function.