Data collected from a device or from multiple devices may be analyzed to assess the quality and/or characteristics of the data.
A device that performs tasks or functions may generate an event log, or produce data that can be used to generate an event log. Such an event log may include details of tasks that have taken place in respect of the device over a period of time. Analysis of data included in an event log for a device may be used to reveal information about the device.
Examples will now be described, by way of non-limiting example, with reference to the accompanying drawings, in which:
This disclosure relates to devices which are capable of performing functions. For example, the devices may comprise printing devices, scanning devices, photocopy devices, display devices, detection devices, monitoring devices, and the like. It will be understood that the term “device”, also referred to herein as “connected devices” may also include devices other than those mentioned above.
Events that are performed by or in respect of a device may be logged or recorded as data in an event log. Data describing an event may be recorded numerically, in the form of a numerical value, textually or non-numerically, in the form of text describing a particular event that has taken place, or alphanumerically, in the form of a combination of textual data and numerical data. While any event may be recorded as an entry in an event log for a device, examples of events include: the device being powered on, the device being powered off, a configuration setting of the device being changed, a security setting of the device being changed, a password or authentication credential of the device being changed, an instruction to perform a task (e.g. a printing task) being received by the device, an update of software/firmware of the device being instructed or performed, and so on. In some cases, any event involving an exchange (receipt and/or transmission) of data involving the device may be recorded in an event log. An event log records data defining or describing the event or events that have taken place, and an indication of the time at which each event took place.
Data may be recorded in an event log in one of a plurality of recording or logging levels, wherein each logging level corresponds to an amount of detail included in each entry. For example, events occurring in respect of a device may be recorded according to a plurality of levels L1, L2, . . . LN, where events recorded according to logging level L1 include the smallest amount of information or detail, and events recorded according to logging level LN include the largest amount of information or detail. In a simple example, events may be recorded according to a first, ‘basic’ logging level, in which events may be described at a high-level, using a small number of words or terms, or to a second, more detailed or ‘enhanced’ logging level, in which events may be described at a lower, more detailed level, using a larger number of words or terms, such that more detail of the event can be recorded. In other examples, different levels of logging may include different types of events. For example, one logging level may involve recording events that are not recorded in another logging level. An example of an event log entry recorded according to a ‘basic’ level and an ‘enhanced’ level is shown in Table 1 below.
According to examples disclosed herein, data in event logs of multiple devices may be analyzed and used to determine anomalies or potential security breaches. For example, if a number of devices in a particular setting are expected to behave in a manner (e.g. with similar configuration settings being distributed to all devices, and with similar management tasks being performed in respect of all devices), then a determination can quickly be made if the expected or intended event has not been performed in respect of one of the devices. Such a discrepancy may, for example, be evident by comparing the event logs of the devices. In some examples, the discrepancy may be the result of a technical fault having occurred with respect to a particular device, such as a power outage, network connectivity issues, a lossy network, a computer bug/virus resulting in a reduction of logging or some other fault resulting in events not being logged in the same way as events of other, similar devices. In some scenarios, logging for a device may, for a period of time, stop altogether, or the logging level of a device may be reduced unintentionally. Such a change, reduction or loss in event logging for the device may be indicative of a security breach, for example if logging has been maliciously disabled to disguise or hide a security attack. Moreover, a gap in an event log where no events have been logged for a particular device means that analysis of the events for that device may be flawed.
Periods of reduced or no logging may be rectified by predicting or estimating events that may have been expected to take place during the outage period. In some cases, an event log for a device with a period of reduced or missing event logging may be corrected or supplemented with such estimated events. Previous methods of correcting or adding an entry in an event log for a particular device (e.g. for a number of configuration changes occurring per hour) have involved calculating an average of that value for that particular device over the course of a day, for example, and adding the calculated value to the event log. This approach does not, however, take into account expected changes that might occur during particular periods of the day.
According to the present disclosure, devices are grouped according to a particular shared attribute or attributes, and devices within the same group are used to predict an event log entry or check event log entries for other another device in the group. That way, devices that might be considered to operate in a similar way, and that might be managed in the same way by having the same management operations applied to them (e.g. having the same configuration settings to all of the devices) are taken into account when predicting what event one might have expected to see in an event log. Unintended discrepancies might also be detected by comparing a predicted entry with an actual entry in an event log of a device. A discrepancy might indicate an unauthorized or unintended modification of the event log, as discussed below.
Referring to the drawings,
Every event that takes place in respect of a device 102 may be recorded in an event log associated with that device. The event log may record events tasks performed by the device (e.g. details of a print job performed by a printing device) in addition to other events taking place in respect of the device (e.g. changes to configuration settings and so on). The event log of a device may be stored in the device itself, or in a storage medium associated with the device, such as at the management module 104. In some examples, the device itself may update its corresponding event log with events that have taken place while, in other examples, a device's event log may be updated by another component, such as the management module 104.
In some examples, the devices 102 may be devices located in an enterprise setting (e.g. in an office building, a medical facility such as a hospital, a school or university, or the like). The devices 102 may be referred to as connected devices or managed devices. In other words, the devices may receive control data or management data/instructions from a central controller or management system, such as the management module 104. In one example, a device of the devices 102 may comprise a print apparatus, or printer, and the printers may be distributed throughout an office building. For example, the printers A and B may be located on a first floor of the office building, printers C, D, E and F may be located on a second floor of the office building, and printers G and H may be located on third floor of the office building. Each of the printers 102 may be connected to the management module 104 via a network (e.g. a wireless local area network, WLAN).
As noted above, event logs for devices that share a common attribute or attributes may be expected to be similar. In other words, it may be expected that devices that share a similar attribute have similar events occurring in respect of them. While device-specific events, such as printing jobs being performed, will differ from device to device, many administrative tasks (e.g. those performed by the management module 104) may be performed to, or in respect of, all devices that share the common attribute. Devices that share a common attribute may be grouped together and considered as a group, since it may be intended or expected that their event logs will be similar. In the example discussed above with reference to
According to the above example, the devices C, D, E and F all form part of a group (i.e. the second group in the above example) as they share a common attribute (i.e. they are all located the same floor of an office building in this example). According to examples disclosed herein, a prediction of an event that is expected to have occurred in respect of a given device may be made based on an analysis of the events that took place in respect of other devices in the same group as the given device. In other words, devices that share a common attribute with the given device may be used to predict an event that is expected to have occurred in respect of the given device during a period of reduced event logging. In the example of
The first period of interest may comprise a period during which it is intended to supplement missing or a reduced amount of event data for a device if, for example, a logging level has been reduced (e.g. from enhanced to basic event logging) or if logging has stopped altogether for a period of time. For example, the first period of interest may be the time period, T, shown in
The method 300 comprises, at block 304, determining, using a processing apparatus, for a given device in the group of devices, based on the analysis of event log entries, a predicted entry that is expected to appear in the event log of the given device during the first period of interest. Thus, block 304 involves predicting or estimating an event log entry that would have been expected to appear in the event log of one particular device in the group of devices sharing a common attribute during the first period of interest. The prediction of estimation is made using the analysis performed at block 302. In some examples, where the plurality of devices comprises just two devices, the analysis of block 302 may be in respect of the given device and just one other device. In such an example, the predicted entry that is expected to appear in the event log of the given device during the first period of interest may be determined based on the analysis of event log entries of just one other device (for example, even though event log entries may also be analyzed for the given device, they may be ignored or disregarded as part of the analysis).
Determining a predicted entry (at block 304) may be done in a number of ways. In the most basic scenario, event log entries of just one other device in the same group as the given device are analyzed (at 302), and those entries appearing in the event log of the other device during the first period of interest may be replicated and added into the event log of the given device during the first period of interest. The device that is selected whose event log is replicated may be determined using the methods described below, such that the selected device is that which is considered to be most similar to the given device. In other examples, event log entries of multiple other devices in the same group as the given device may be available and analyzed. In those examples, a measure of similarity between the given device and at least one other device of the plurality of devices may be calculated. Based on the calculated measure of similarity, those devices of the plurality of devices that are most similar (in terms of event log entries) to the given device may be used to determine a predicted entry for the given device.
In some examples, a measure of similarity may be calculated by computing a similarity metric in respect of the plurality of devices. Such a similarity metric may be used to determine which events occurred in respect of each device in the plurality of devices during a particular period of time, and this can be used to predict an event, or events, likely to have occurred in respect of the given device. For example, consider a feature vector X=[x1 x2 . . . xj], where xj represents a unique event j that has occurred in respect of the given device. In this example, the feature vector x describes a frequency of each event occurring in respect of each device in the plurality of devices. A feature vector for the devices shown in
Table 2 shows the number of times each event x1, x2, x3 has occurred in respect of each device C, D, E and F during the first period of interest. Since the device F experienced a reduction in its logging level during the first period of interest, the number of events occurring in respect of that device cannot be determined and, therefore, question marks are provided for that device. For a more general case, the feature vector may be created as shown in Table 3 below.
In Table 3, f(i,j) represents the number of times each event xj has occurred in respect of device di during the first period of interest. The device dgiven represents the given device whose event log entries for the first period of interest have not or cannot be determined.
A similarity metric may also be computed in respect of the defined period prior to the first period of interest. For example, a similarity metric may be computed in respect of the plurality of devices for a period of one hour leading up to the time at which the logging level for a given device was reduced. Using such a similarity metric, the events occurring in respect of the given device may be compared to the events occurring in respect of each other device. For each pair of devices (di, dgiven)statistical analysis may most similar to the given device. In some examples, a chi-squared analysis may be performed in respect of each pair of devices (di, dgiven) Using the statistical analysis, the k devices that are most similar (e.g. within a defined similarity threshold) to the given device dgiven may be determined. In some examples, an average (e.g. mean) number of each of the events may be calculated across the k similar devices, and this may be used to determine a number of each of those events to be included in the event of for the given device.
In some cases it may be sufficient to determine just which events are expected to have occurred in respect of the given device during the first period of interest. A more accurate event log for the given device may be predicted by estimating the number of occurrences of each event during the first period of interest. However, and even more accurate event log for the given device may be predicted by estimating the time within the first period of interest at which each event is expected to have occurred. Thus, the method 400 may comprise, at block 404, determining, using a processing apparatus, a time within the first period of interest at which the predicted entry is expected to appear. One example approach for determining the times of occurrence of each of the predicted events is described below.
In some examples, determining the time at which the predicted entry is expected to appear may comprise discretizing the first period of interest into a plurality of intervals. Thus, with reference to the example shown in
As noted briefly above, the event logs and the event log entries maybe created and/or stored by the devices themselves or at a central location, such as a storage medium associated with a server, or associated with the management module 104. Prior to performing the blocks of the methods 300, 400 disclosed herein, the method may further comprise, at block 406, receiving the event log entries from each of the plurality of devices.
The methods disclosed herein are used for a number of purposes, and two example scenarios are described below.
In a first scenario, a predicted event log entry that is determined (e.g. at block 304) may be used to supplement an event log of a given device when a logging level for the given device has been reduced, or when event logging for the given device has been stopped altogether. As discussed above, in some examples, event log entries for a device may be recorded according to one of a plurality of levels of event logging. The method 400 may further comprise, at block 408, prior to said analyzing of block 302, receiving an indication that a level of event logging for a device in the plurality of devices has changed. Block 408 may occur at any time prior to block 302, including prior to block 402 and/or prior to block 406, as indicated in
The method 400 may further comprise, at block 410, adding, using a processing apparatus, the determined predicted entry to the event log for the given device. Thus, once a predicted entry has been determined at block 304, that event may be added to the event log, to fill in the event log for the first period of interest. In some examples, multiple event log entries may be predicted, and those multiple entries may be added to the event log for the given device.
In some examples, where the level of event logging has reduced during the period of interest, predicted entries for the given device may be determined based on a predefined mapping between entries of different levels. For example, if the logging level was reduced from “enhanced” to “basic” for the given device during the first period of interest, then a predetermined mapping between “enhanced” entries and “basic” entries may be used to determine the predicted entries. The predefined mapping may, for example, be stored in a database or lookup table in a storage medium accessible to an apparatus performing the method 300, 400.
In a second scenario, a predicted event log entry that is determined (e.g. at block 304) may be used to check the accuracy of a devices event log. In this example, the predicted entry may be used to detect a security breach, for example where an event log of a device has been modified (e.g. maliciously). This example relates to a scenario where a change in the level of event logging may not have been detected or indicated. Therefore, events may have occurred in respect of each of the plurality of devices, and entries may have been logged in event logs for each device. In this example, event log entries for the plurality of devices are analyzed, and a predicted entry for a given device (i.e. one of the plurality of devices) is compared to entries appearing in the event log in order to determine its accuracy. This may be done for multiple event log entries over a period of time (e.g. the first period of interest), and if the predicted entries are the same as, or similar to within a defined similarity threshold, the actual entries appearing in the event log for the given device, then it may be determined that the recorded event log entries are genuine and accurate. However, if the predicted event log entries for the given device differ from the actual event log entries recorded by more than a defined similarity threshold, then it may be determined that the event log entries appearing in the event log are inaccurate or have been modified, for example.
The second scenario is described with reference to
In this example, the blocks of the method 500 may be repeated for all of the devices in the plurality of devices, such that each device is, in turn, considered to be the given device. In other words, the event logs of each device may be checked in order to determine whether or not the events appearing in the actual event log for that device correspond with (e.g. are the same as or similar to) the predicted event(s) for that device. In this way, it is possible to detect a possible security breach or malicious modification of an event log for any device in the plurality of devices.
The alert signal that is generated at block 504 may comprise any alert signal suitable for informing a computing device or operator of a potential discrepancy between the predicted entries and the actual entries of an event. In one example, the generation of an alert signal may comprise generating and sending a message (an email message) to an operator to make the operator aware of a potential anomaly in the event log data.
The method 500 may be repeated periodically, so that the event logs of all of the devices in the plurality of devices can be continuously checked their authenticity. Thus, in some examples, the method 500 may further comprise repeating (506) the analyzing and determining for a second period of interest beginning when the first period of interest ends. The repeating (506) may continue for a new period of interest each time the previous period of interest ends. Each time the analyzing and determining blocks are repeated, the comparing (block 502) may be performed in respect of the predicted entries for the given device during the new period of interest.
Examples disclosed herein also relate to an apparatus, such as an apparatus capable of performing the methods 300, 400, 500 disclosed herein.
In some examples, the processing circuitry 602 may update, for the first connected device, a portion of the dataset corresponding to the first defined time period to include the estimated information stop in other words, the dataset (e.g. the event log) for the first connected device (e.g. the given device) may be updated (e.g. supplement) to include additional or replacement predicted entries (i.e. the estimated information). This may be used to fill-in or replace a portion of an event log entry for a device if the logging for that device has stopped or if the logging level for that device has been reduced, as described in the first scenario described above.
The processing circuitry 602 may, in some examples, compare the estimated information with information included in the portion of the data set corresponding to the first defined timed period for the first connected device. Responsive to determining that the estimated information differs from the information included in said portion of the data set by more than a defined amount, the processing circuitry 602 may generate an alert signal. The defined amount here may comprise a defined threshold, such that, if the estimated information differs from the information in the actual dataset by more than the defined threshold, then an alert signal is generated. This example corresponds to the second scenario described above, in which event logs for all of the devices in a plurality of devices are checked, and nominees in the event logs may be detected.
Examples disclosed herein also relate to a machine-readable medium.
As noted above in various examples herein, the devices may comprise printers. In other examples, the devices may comprise any other type of device for which an event log is generated. Each of the devices may, in some examples, comprise a device selected from a group comprising: a printer, a scanner, a photocopier, and a sensing device. In some examples, the plurality of devices and/or the group of devices may include devices of different types, such as printers and scanners. In some examples, the devices may be located in an office environment. In other examples, such as where the devices comprise sensing devices, the devices may be located in an industrial environment, such as a manufacturing facility. For example, the sensing devices may comprise motion detectors or sensors associated with machinery or manufacturing equipment. Events may occur in respect of the sensing devices, and those events may be recorded in an event log in respect of each device.
Examples disclosed herein provide a mechanism by which event logs of devices are grouped according to a common attribute may be used to predict an event or events that might be expected to have occurred in respect of another device in the same group. By basing the prediction on event log entries of devices that share the same common attribute, a more accurate prediction may be made, as it may be expected that similar events may have occurred in respect of all of the devices that share the same attribute. Thus, where there exists a gap in an event log for a device, it is possible to predict the events that should have appeared within the event log, and the event log may be updated with the predicted events. Moreover, the methods disclosed herein may be used to continuously check event logs of devices within a group, and any anomalous event log entries appearing in one of the event logs may be detected, thereby enabling a security breach (e.g. an unauthorised or malicious modification of an event log) to be quickly detected.
Examples in the present disclosure can be provided as methods, systems or machine readable instructions, such as any combination of software, hardware, firmware or the like. Such machine readable instructions may be included on a computer readable storage medium (including but is not limited to disc storage, CD-ROM, optical storage, etc.) having computer readable program codes therein or thereon.
The present disclosure is described with reference to flow charts and/or block diagrams of the method, devices and systems according to examples of the present disclosure. Although the flow diagrams described above show a specific order of execution, the order of execution may differ from that which is depicted. Blocks described in relation to one flow chart may be combined with those of another flow chart. It shall be understood that each flow and/or block in the flow charts and/or block diagrams, as well as combinations of the flows and/or diagrams in the flow charts and/or block diagrams can be realized by machine readable instructions.
The machine readable instructions may, for example, be executed by a general purpose computer, a special purpose computer, an embedded processor or processors of other programmable data processing devices to realize the functions described in the description and diagrams. In particular, a processor or processing apparatus may execute the machine readable instructions. Thus functional modules of the apparatus and devices may be implemented by a processor executing machine readable instructions stored in a memory, or a processor operating in accordance with instructions embedded in logic circuitry. The term ‘processor’ is to be interpreted broadly to include a CPU, processing unit, ASIC, logic unit, or programmable gate array etc. The methods and functional modules may all be performed by a single processor or divided amongst several processors.
Such machine readable instructions may also be stored in a computer readable storage that can guide the computer or other programmable data processing devices to operate in a specific mode.
Such machine readable instructions may also be loaded onto a computer or other programmable data processing devices, so that the computer or other programmable data processing devices perform a series of operations to produce computer-implemented processing, thus the instructions executed on the computer or other programmable devices realize functions specified by flow(s) in the flow charts and/or block(s) in the block diagrams.
Further, the teachings herein may be implemented in the form of a computer software product, the computer software product being stored in a storage medium and comprising a plurality of instructions for making a computer device implement the methods recited in the examples of the present disclosure.
While the method, apparatus and related aspects have been described with reference to certain examples, various modifications, changes, omissions, and substitutions can be made without departing from the spirit of the present disclosure. It is intended, therefore, that the method, apparatus and related aspects be limited only by the scope of the following claims and their equivalents. It should be noted that the above-mentioned examples illustrate rather than limit what is described herein, and that those skilled in the art will be able to design many alternative implementations without departing from the scope of the appended claims. Features described in relation to one example may be combined with features of another example.
The word “comprising” does not exclude the presence of elements other than those listed in a claim, “a” or “an” does not exclude a plurality, and a single processor or other unit may fulfil the functions of several units recited in the claims.
The features of any dependent claim may be combined with the features of any of the independent claims or other dependent claims.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/US2019/067797 | 12/20/2019 | WO |