The embodiments discussed herein are directed to a computer readable storage medium containing an auditing program, an auditing system, and an auditing method with which validity of a log used in audit is verified by receiving the log from a server at which a plurality of customers shares resources.
Conventionally, in a service provided by using a server at which customers share resources (for example, on-demand service), the customers audit operational status of a center. For example, when specific billing based on an amount of service provided is implemented in an on-demand service, only a data center that operates service can know the amount of service provided. Although this has never become a matter of concern because the amount of service provided and billing do not relate to each other in fixed billing in a conventional resource-fixed allocation, customers might become suspicious of a billing amount unless the center proves that a measured value is not falsified in specific billing in which the value measured by the center matters.
To solve this problem, operational policies are defined by the center, technical measures are taken, and audit is implemented to prove that the operational policies and the technical measures are surely implemented. For example, Japanese Laid-open Patent Publication No. 2002-41456, and Japanese Laid-open Patent Publication No. 2004-295303 disclose techniques of collecting logs used in audit from a server, and accumulating the logs. Operational status of a center can be audited by using the logs accumulated by using the techniques.
The conventional art explained above has a problem that personal information of customers cannot be protected appropriately because a log of a subject customer is made open also to other customers when customers share resources, and information of the customers are mixedly present in a server that stores therein logs used in audit.
The conventional art also has a problem that appropriate audit cannot be performed because an audit result cannot be sufficiently credible if all the logs are not referred to when only a log of a subject customer is audited by separating logs for customers in a system at which customers share resources.
According to an aspect of the invention, a computer readable storage medium contains instructions for implementing an auditing method of verifying validity of a log used in audit by receiving the log from a server at which a plurality of customers shares resources. The instructions, when executed by a computer, cause the computer to perform receiving entire logs including a hashed log in which a log about another customer is hashed by a one-way function, and a log of a subject customer from the server; hashing an unlashed log among the entire logs received at the receiving of the entire logs to generate a hashed log; receiving the hashed log in which the entire logs are hashed; and comparing the hashed log generated at the generating of the hashed log, and the hashed log received at the receiving of the hashed log with each other to verify log validity.
The object and advantages of the invention will be realized and attained by means of the elements and combinations particularly pointed out in the claims.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory and are not restrictive of the invention, as claimed.
Preferred embodiments of an auditing system according to the present invention are explained in detail with reference to the attached drawings.
In the following embodiment, an auditing system, a configuration of a center, and a configuration and a flow of process of an auditing apparatus according to a first embodiment of the present invention are explained sequentially, and an effect of the first embodiment is explained in the end.
The auditing system according to the first embodiment is explained using
In an auditing system 1 according to the first embodiment, a log used in audit is received from a server at which customers share resources, and then validity of the log is verified. Personal information of a customer is protected, and appropriate audit is executed.
Specifically, the auditing system 1 includes a center 10 that provides various services, and manages logs of servers (a management server, a log storage server, and a hashed log publishing server explained in detailed using
In such a configuration, as depicted in
The auditing apparatus 20 generates an entirely hashed management log by hashing the log of the subject customer among the received management logs (management log (customer A: hashed) in the example of
The auditing apparatus 20 compares the management log hashed by itself (customer A: hashed), and the received management log (hashed) with each other, and verifies the validity of the log (see (5) in
In this manner, the auditing system 1 hashes information about another customer by a one-way function to maintain its confidentiality, and makes it possible to refer to the entire logs; as a result, it becomes possible to protect personal information of a customer, and to execute appropriate audit.
<Configuration of Center>
The configuration of the center 10 depicted in
As depicted in
The server pool 11 includes a plurality of servers (allocated servers, and unallocated servers), and allocates unallocated servers as servers to be used to customers as needed, making them allocated servers. Each server within the server pool 11 stores in a log file a server log (for example, operational history or the like of an application) as log information in the server, and regularly outputs the server log to the log storage server 13. The log information is output by a server allocated exclusively to a customer, and each customer can refer to a server log that is currently exclusive to him/her.
Specifically, as exemplified in
The management server 12 manages allocation status, configures a network, and the like, and stores therein a management log as log information in which logs about a plurality of customers (for example, audit information about server allocation, and operation, or the like) are mixedly present. Specifically, the management server 12 stores therein as log information a common log that is an original log file in which entire information is included (depicted in
The log storage server 13 records therein a server log output from each server, and a log of the management server, and stores therein audit information of the log storage server itself as an audit log in the log storage server (depicted in
The process of generating different logs from a common management log performed by the log storage server 13 is explained using
The log storage server 13 switches log files after a certain period (everyday, every week, every month, or the like) when the log storage server 13 stores therein logs for a long term, and switches log files also at the time point when a customer is switched to another customer.
The hashed log publishing server 14 further stores therein information for separation validity verification (hashed management log and audit log). Specifically, the hashed log publishing server 14 stores therein a management log obtained by hashing all the “subject customers” and all the “occurred events” (depicted in
The operation of generating a signature given to a log by each server, and hashing are explained using
An occurred event is recorded after being converted into a hashed value using a one-way function. The hash function is assumed to be known by a center and all the customers. By following this procedure, the content of log information of other customers is disguised. However, because the flow of process might be guessed from the appearance frequency of log record only with the procedure, a dummy log record is inserted as information for disturbance. The dummy log record is inserted as a process for each customer at an appropriate frequency, and that this is dummy is described in the occurred event. Because information of serial numbers and record time/date are added at the time of hashing, and thus, even the same occurred events produce difference hashed values, an original event is not guessed from a hashed value of an occurred event.
A signature of a log record is generated based on information of a hashed record. A signature of a customer is verified after a process equivalent to hashing. By doing so, a hashed log record, and a signature of an original log record can be made the same, and the signature can be used in confirming unfalsification even at the time of verification described below. As depicted in
<Configuration of Auditing Apparatus>
The configuration of the auditing apparatus 20 depicted in
As depicted in
The communication control I/F 21 controls communication of various pieces of information exchanged with the connected center 10. Specifically, the communication control I/F 21 receives information about a log from the center 10.
The storage unit 23 stores therein data and computer programs necessary for each process operated by the controlling unit 22, and includes, especially as those related closely to the present invention, a server log storage unit 23a, a management log storage unit 23b, an audit log storage unit 23c, a hashed management log storage unit 23d, and a hashed audit log storage unit 23e.
The server log storage unit 23a stores therein a server log received from the log storage server 13 of the center 10. Specifically, as depicted in
The management log storage unit 23b stores therein a management log received from the log storage server 13 of the center 10. Specifically, as depicted in
The audit log storage unit 23c stores therein an audit log received from the log storage server 13 of the center 10. Specifically, as depicted in
The hashed management log storage unit 23d stores therein a management log (hashed) hashed by a hashed log generating unit 22c explained below. Specifically, as depicted in
The hashed audit log storage unit 23e stores therein an audit log (hashed) hashed by the hashed log generating unit 22c explained below. Specifically, as depicted in
The controlling unit 22 includes an internal memory for storing therein computer programs that define various process procedures and the like, and required data, and executes various processes by these computer programs and data. The controlling unit 22 includes, as those closely related to the present invention, an entire log receiving unit 22a, a log verifying unit 22b, the hashed log generating unit 22c, a hashed log receiving unit 22d, and a hashed log verifying unit 22e.
The entire log receiving unit 22a receives logs including a hashed log obtained by hashing a log about another customer by a one-way function, and a log of a subject customer (management log, and audit log) from the log storage server 13 of the center 10. Specifically, the entire log receiving unit 22a notifies the center 10 of performing audit, receives, from the log storage server 13 of the center 10, a server log of a server used by a customer to whom the notification is sent from the center 10 receiving the notification, a management log, and an audit log obtained by hashing logs about another customer by a one-way function, and stores them in the server log storage unit 23a, the management log storage unit 23b, and the audit log storage unit 23c, respectively.
The log verifying unit 22b verifies whether the received server log, the management log, and the audit log do not contradict with each other. Specifically, as depicted in
The log verifying unit 22b verifies whether the entire signature given to signatures of all the records in a log file is appropriate, and confirms that a record is not added, deleted, or replaced. Then, the log verifying unit 22b confirms correspondence of whether a record corresponding to a logging operation described in an audit log exists for each log. Thereby, the log verifying unit 22b confirms that a change is not made in a log without involvement of the log storage server. The log verifying unit 22b confirms correspondence of server assignment information in a management log and a server log. Thereby, deficiency and excess of a server log is verified.
A signature verifying process is explained using FIG. 17. The log verifying unit 22b hashes an original record to generate a hashed record, and verifies a signature of the hashed record. Then, the log verifying unit 22b verifies consistency between the entire record signature and the entire signature. The verifying process is explained in detail below using the flow of the process.
The hashed log generating unit 22c hashes a log of a subject customer among the received management log and the received audit log, and generates an entirely hashed management log and an entirely hashed audit log. Specifically, the hashed log generating unit 22c generates a management log (customer A: hashed) and an audit log (customer A: hashed) obtained by hashing a “subject customer” and an “occurred event” of a subject customer among the management log and the audit log stored in the management log storage unit 23b and the audit log storage unit 23c, and stores them in the hashed management log storage unit 23d and the hashed audit log storage unit 23e, respectively.
The hashed log receiving unit 22d receives the management log (hashed) obtained by hashing an entire management log from the hashed log publishing server of the center 10. Specifically, the hashed log receiving unit 22d receives the management log (hashed) obtained by hashing an entire management log from the hashed log publishing server of the center 10, and notifies the hashed log verifying unit 22e explained below of the received log.
The hashed log verifying unit 22e compares the management log hashed by itself (customer A: hashed) and the received management log (hashed), and verifies validity of the log. Specifically, as depicted in
<Process Operated by Auditing Apparatus>
The process operated by the auditing apparatus 20 according to the first embodiment is explained using
The flow of the log verifying process by the auditing apparatus 20 is explained using
If all the records are not completed (NO at Step S104), the auditing apparatus 20 determines whether a record is hashed (Step S105). After the auditing apparatus 20 hashes the record (Step S106) if the record is not hashed (NO at Step S105), or after it is determined that the record is hashed (YES at Step S105), the auditing apparatus 20 verifies a signature (Step S107).
The auditing apparatus 20 determines whether verification is successful (Step S108), and if not (NO at Step S108), outputs an error message about record signature (Step S109). If the verification is successful (YES at Step S108), the auditing apparatus 20 determines whether the customer name is the name of the auditing apparatus 20 itself (Step S110). If the customer name is not the name of the auditing apparatus 20 itself (NO at Step S110), the process returns to Step S103. If the customer name is the name of the auditing apparatus 20 itself (YES at Step S110), the auditing apparatus 20 confirms an occurred event (Step S111), and determines whether the occurred event is appropriate (Step S112).
As a result, after the auditing apparatus 20 outputs an error message about occurred event (Step S113) if the occurred event is not appropriate (NO at Step S112), or after it is determined that the occurred event is appropriate (YES at Step S112), the process returns to Step S103.
At Step S104, if all the records are completed (YES at Step S104), the auditing apparatus 20 verifies a record signature and an entire signature (Step S114), and determines whether the verification is successful (Step S115). As a result, after the auditing apparatus 20 outputs an error message about file signature (Step S116) if the verification is not successful (NO at Step S115), or after it is determined that the verification is successful (YES at Step S115), the process returns to Step S101.
At Step S102, if the verification of all the logs is completed (YES at Step S102), the auditing apparatus 20, as depicted in
At Step S202, if all the logs are completed (YES at Step S202), the auditing apparatus 20 selects all the records of the audit log sequentially (Step S206), and determines whether all the records are completed (Step S207). If all the records are not completed (NO at Step S207), the auditing apparatus 20 determines whether the customer name is the name of the auditing apparatus itself (Step S208). If the customer name is not the name of the auditing apparatus 20 itself (NO at Step S208), the process returns to Step S206. If the customer name is the name of the auditing apparatus 20 itself (YES at Step S208), the auditing apparatus 20 determines whether an occurred event is log switch (Step S209). If the occurred event is log switch (YES at Step S209), the auditing apparatus 20 acquires log files before and after the switch (Step S210), and determines whether a log before the switch exists (Step S211).
If a log before the switch does not exist (NO at Step S211), the auditing apparatus 20 outputs an error message that a log before the switch does not exist (Step S212). If a log before the switch exists (YES at Step S211), the auditing apparatus 20 determines whether the end time of the log before the switch is appropriate (Step S213). If the end time of the log before the switch is not appropriate (NO at Step S213), the auditing apparatus 20 outputs an error message about end time of the log before the switch (Step S214).
If the end time of the log before the switch is appropriate (YES at Step S213), the auditing apparatus 20 determines whether a log after the switch exists (Step S215). If a log after the switch does not exists (NO at Step S215), the auditing apparatus 20 outputs an error message that a log after the switch does not exists (Step S216). If a log after the switch exists (YES at Step S215), the auditing apparatus 20 determines whether the start time of the log after the switch is appropriate (Step S217). If the start time of the log after the switch is not appropriate (NO at Step S217), the auditing apparatus 20 outputs an error message about start time of the log after the switch (Step S218), and the process returns to Step S206.
At Step S209, if an occurred event is not log switch (NO at Step S209), the auditing apparatus 20 determines whether the occurred event is log record (Step S219). If the occurred event is not log record (NO at Step S219), the process returns to Step S206, and if the occurred event is log record (YES at Step S219), the auditing apparatus 20 acquires a record destination log file (Step S220), and determines whether a record destination log exists (Step S221). If a record destination log does not exists (NO at Step S221), the auditing apparatus 20 outputs an error message that a log file does not exist (Step S222), and the process returns to Step S206.
If a record destination log exists (YES at Step S221), the auditing apparatus 20 searches a record history (Step S223), and determines whether a record exists (Step S224). If a record does not exist (NO at Step S224), the auditing apparatus 20 outputs an error message that a record does not exist (Step S225), and on the other hand, if a record exists (YES at Step S224), the auditing apparatus sets a confirmation flag (Step S226), and the process returns to Step S206.
At Step S207, if all the records are completed (YES at Step S207), the auditing apparatus 20, as depicted in
If the customer name is not the name of the auditing apparatus 20 itself (NO at Step S305), the process returns to Step S303, and if the customer name is the name of the auditing apparatus 20 itself (YES at Step S305), the auditing apparatus 20 determines whether a confirmation flag is set (Step S306). If a confirmation flag is not set (NO at Step S306), the auditing apparatus 20 outputs an error message that an audit log does not exist (Step S307), and if a confirmation flag is set (YES at Step S306), the process returns to Step S303.
At Step S302, if all the logs are competed (YES at Step S302), the auditing apparatus 20, as depicted in
On the other hand, if all the entries are completed (YES at Step S404), the auditing apparatus 20 selects all the records of a management log sequentially (Step S406), and determines whether all the records are completed (Step S407). If all the records are not completed (NO at Step S407), the auditing apparatus 20 determines whether the customer name is the name of the auditing apparatus 20 itself (Step S408). If the customer name is not the name of the auditing apparatus 20 itself (NO at Step S408), the process returns to Step S406, and if the customer name is the name of the auditing apparatus 20 itself (YES at Step S408), the auditing apparatus 20 determines whether the occurred event is server allocation (Step S409).
If the occurred event is server allocation (YES at Step S409), the auditing apparatus 20 searches a corresponding allocation period (Step S410), and determines whether a matching entry exists (Step S411). If a matching entry does not exist (NO at Step S411), the auditing apparatus 20 outputs an error message about server allocation log (Step S412), and the process returns to Step S406. If a matching entry exists (YES at Step S411), the auditing apparatus sets a start time flag (Step S413), and the process returns to Step S406.
At Step S409, if the occurred event is not server allocation (NO at Step S409), the auditing apparatus 20 determines whether the occurred event is server deallocation (Step S414). If the occurred event is not server deallocation (NO at Step S414), the process returns to Step S406, and if the occurred event is server deallocation (YES at Step S414), the auditing apparatus 20 search a corresponding allocation period (Step S415), and determines whether a matching entry exists (Step S416).
If a matching entry does not exist (NO at Step S416), the auditing apparatus 20 outputs an error message about the sever deallocation log (Step S417), and the process returns to Step S406. If a matching entry exists (YES at Step S416), the auditing apparatus 20 sets an end time flag (Step S418), and the process returns to Step S406.
At Step S407, if all the records are completed (YES at Step S407), the auditing apparatus 20, as depicted in
If a start time flag is not set (NO at Step S503), the auditing apparatus 20 determines whether it is in an allocation state at the time point of audit range start (Step S504). If it is not in an allocation state at the time point of audit range start (NO at Step S504), the auditing apparatus 20 outputs an error message about server allocation (Step S505). If it is in an allocation state at the time point of audit range start (YES at Step S504), the auditing apparatus 20 determines whether an end time flag is set (Step S506).
If an end time flag is not set (NO at Step S506), the auditing apparatus 20 determines whether it is in an allocation state at the time point of audit range end (Step S507). If it is not in an allocation state at the time point of audit range end (NO at Step S507), the auditing apparatus 20 outputs an error message about server deallocation (Step S508), and the process returns to Step S501.
The hashed log verifying process is explained using
If all the records are not completed (NO at Step S605), the auditing apparatus 20 determines whether the records are hashed (Step S606). If the records are not hashed (NO at Step S606), the auditing apparatus 20 hashes and replaces the records (Step S607), and the process returns to Step S604.
At Step S605, if all the records are completed (YES at Step S605), the auditing apparatus 20 receives a hashed log from the center 10 (Step S608), compares management log hashed by itself and a received management log with each other (Step S609), and determines whether they match with each other (Step S610). If the management log hashed by itself and the received management log do not match with each other (NO at Step S610), the auditing apparatus 20 outputs an error message that the hashed log does not match (Step S611). If the management log hashed by itself and the received management log match with each other (YES at Step S610), the auditing apparatus 20 determines that the log is valid, and the process returns to Step S601.
As explained above, validity of a log is verified by: receiving entire logs including a hashed log in which a log of another customer is hashed by a one-way function, and a log of a subject customer from the center 10; hashing an unlashed log among the received entire logs to generate a hashed log; receiving an entire hashed log in which all the logs are hashed; and comparing the generated hashed log and the received hashed logs with each other. Therefore, the entire logs can be referred to while maintaining confidentiality of information about another customer by hashing the information by a one-way function; as a result, it is possible to protect personal information of a customer, and execute appropriate audit.
According to the first embodiment, because a hashed log is received from the center 10 that manages each server, the hashed log is received directly from the center 10 without bypassing a third party; as a result, it is possible for example to easily identify a cause of falsification of a log, if found.
Although in the first embodiment, an entirely hashed log is received from the center 10, the present invention is not limited to this. An entirely hashed log may be received from another customer.
In a second embodiment of the present invention, a log is verified by receiving an entirely hashed log from another customer, and comparing the received hashed log and a log hashed by itself with each other. An auditing system la according to the second embodiment are explained using
First of all, the auditing system la according to the second embodiment are explained. As depicted in
Unlike the first embodiment, in the auditing system la according to the second embodiment, the auditing apparatuses 20A and 20B of each customer exchange hashed logs with each other ((3) in
Thereafter, with the auditing apparatuses 20A and 20B of each customer, each customer compares a hashed log hashed by itself, and a hashed log generated by another customer with each other, and confirms whether a log received by himself/herself and a log received by another customer originate from a single common log (see (4) in
As described above, in the second embodiment, a hashed log is received from another customer bypassing a third party, not directly from the center 10; as a result, it is possible to execute more appropriate audit.
Although preferred embodiments of the present invention are explained above, the present invention may be implemented in various different forms other than the embodiments explained above. Anther preferred embodiment of the present invention is explained below as a third embodiment of the present invention.
(1) System Configuration Etc.
Each component of each unit depicted in the drawings is conceptual in function, and is not necessarily physically configured as depicted. That is, the specific forms of dispersion and integration of the components are not meant to be restricted to those depicted in the drawings. All or part the components may be functionally or physically distributed or integrated in arbitrary units according to various kinds of load and the state of use. For example, the entire log receiving unit 22a and the log verifying unit 22b may be integrated. Furthermore, all or arbitrary part of the process functions performed in each component may be achieved by a Central Processing Unit (CPU) and a computer program analyzed and executed on the CPU, or may be achieved as hardware with a wired logic.
All or part of the processes explained as being automatically performed in the embodiments may be manually performed, or all or part of the processes explained as being manually performed may be automatically performed through a known method. In addition, the process procedure, the control procedure, specific names, and information inducing various kinds of data and parameters explained in the specification and depicted in the drawings may be arbitrarily changed unless otherwise specified.
(2) Computer Program
Various kinds of processes explained in the embodiments may be achieved by executing a previously prepared computer program with a computer. This program may be recorded on a computer-readable storage medium such as a floppy disc (FD), a CD-ROM, an MO, and a DVD. An example of a computer that executes a computer program having functions similar to those explained in the embodiments explained above is explained using
As depicted in
The ROM 630 stores therein an auditing program that exhibits functions similar to those of the embodiments described above, that is, an entire log receiving program 631, a log verifying program 632, a hashed log generating program 633, a hashed log receiving program 634, and a hashed log verifying program 635 as depicted in
When the CPU 640 reads out these programs 631 to 635 from the ROM 630, and executes them, the programs 631 to 635 function as an entire log receiving process 641, a log verifying process 642, a hashed log generating process 643, a hashed log receiving process 644, and a hashed log verifying process 645, respectively, as depicted in
The HDD 610 is provided with a server log table 611, a management log table 612, an audit log table 613, a hashed management log table 614, and a hashed audit log table 615 as depicted in
According to the present invention, it becomes possible to refer to the entire logs while hashing information about another customer by the one-way function to maintain confidentiality; as a result, it becomes possible to protect personal information of a customer, and to execute appropriate audit.
According to the present invention, the hashed log is received directly from the center not bypassing a third party; as a result, it becomes possible for example to identify a cause of falsification easily, if found.
According to the present invention, the hashed log is received bypassing a third party, not directly from a center that manages a server; as a result, it becomes possible to execute more appropriate audit.
All examples and conditional language recited herein are intended for pedagogical purposes to aid the reader in understanding the invention and the concepts contributed by the inventor to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions, nor does the organization of such examples in the specification relate to a showing of the superiority and inferiority of the invention. Although the embodiments of the present inventions have been described in detail, it should be understood that the various changes, substitutions, and alterations could be made hereto without departing from the spirit and scope of the invention.
This application is a continuation of PCT international application Ser. No. PCT/JP2007/056490 filed on Mar. 27, 2007 which designates the United States, incorporated herein by reference, the entire contents of which are incorporated herein by reference.
Number | Date | Country | |
---|---|---|---|
Parent | PCT/JP2007/056490 | Mar 2007 | US |
Child | 12547255 | US |