Definition 6: A labeled log graph G2 is subgraph isomorphic to a labeled subgraph G1, denoted by G2 G1.
Definition 7: Virtual Log graph assumes the use of the Frequency Graph mining algorithm. G is frequent iff supG > . The frequent subgraph threshold is set to , where 0 1, and a graph database GD is used to find all frequent subgraphs in GD. To obtain the frequency of a subgraph G2, we count the number of graphs in GD that contain this subgraph. During the frequent subgraph search step, the expansion of subgraphs may cause similar subgraphs to grow in different ways. Canonical order techniques are therefore used to evaluate log graph consistency among similar graphs.
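As an added illustration of Definitions 6 and 7 (this is not code from the paper or from GVLMA), the following Python models a labeled log graph as node labels plus labeled undirected edges, tests subgraph isomorphism by brute force, computes the support of a candidate pattern over a small constructed graph database GD, applies the frequency threshold, and derives a canonical code so that the same pattern grown along two different expansion paths is recognised as one graph. The graph database, event labels and the "precedes" edge label are constructed for the example.

```python
from itertools import permutations

# Each labelled log graph is a pair (node_labels, edges): node_labels maps a
# node id to its event label, and edges is a set of (u, v, edge_label) triples
# for undirected edges, stored with u < v so every edge has one representation.
def make_graph(node_labels, edges):
    norm = {(min(u, v), max(u, v), lbl) for u, v, lbl in edges}
    return (dict(node_labels), norm)

def is_subgraph_isomorphic(g2, g1):
    """Definition 6: G2 is subgraph isomorphic to G1 iff an injective,
    label-preserving node map sends every edge of G2 onto an equally
    labelled edge of G1. Brute force over node maps; fine for small graphs."""
    labels2, edges2 = g2
    labels1, edges1 = g1
    nodes2 = list(labels2)
    for image in permutations(labels1, len(nodes2)):
        f = dict(zip(nodes2, image))
        if any(labels2[n] != labels1[f[n]] for n in nodes2):
            continue
        if all((min(f[u], f[v]), max(f[u], f[v]), lbl) in edges1
               for u, v, lbl in edges2):
            return True
    return False

def support(g, graph_db):
    """sup(G): fraction of graphs in the database GD that contain G."""
    return sum(is_subgraph_isomorphic(g, h) for h in graph_db) / len(graph_db)

def is_frequent(g, graph_db, sigma):
    """Definition 7: G is frequent iff sup(G) > sigma, with 0 <= sigma <= 1."""
    if not 0.0 <= sigma <= 1.0:
        raise ValueError("threshold must lie in [0, 1]")
    return support(g, graph_db) > sigma

def canonical_code(g):
    """Canonical order: the lexicographically smallest (node labels, edges)
    listing over all relabellings of the nodes to 0..n-1, so candidates grown
    along different expansion paths compare equal iff they are the same
    labelled graph."""
    labels, edges = g
    nodes = list(labels)
    best = None
    for order in permutations(range(len(nodes))):
        pos = dict(zip(nodes, order))
        ordered_labels = tuple(labels[n] for n in sorted(nodes, key=pos.get))
        code = (ordered_labels, tuple(sorted(
            (min(pos[u], pos[v]), max(pos[u], pos[v]), lbl) for u, v, lbl in edges)))
        if best is None or code < best:
            best = code
    return best

# Constructed graph database: one log graph per polled time point; nodes are
# event classes and an edge records that one event preceded the other.
GD = [
    make_graph({1: "disk_fail", 2: "buffer_write_fail", 3: "av_shutdown"},
               [(1, 2, "precedes"), (2, 3, "precedes")]),
    make_graph({1: "disk_fail", 2: "buffer_write_fail"}, [(1, 2, "precedes")]),
    make_graph({1: "login", 2: "av_shutdown"}, [(1, 2, "precedes")]),
]

# Candidate pattern grown from the disk_fail node ...
PATTERN = make_graph({"a": "disk_fail", "b": "buffer_write_fail"},
                     [("a", "b", "precedes")])
# ... and the same pattern grown from the buffer_write_fail node instead.
PATTERN_OTHER_PATH = make_graph({"x": "buffer_write_fail", "y": "disk_fail"},
                                [("y", "x", "precedes")])

if __name__ == "__main__":
    print("support:", support(PATTERN, GD))
    print("frequent at sigma=0.5:", is_frequent(PATTERN, GD, 0.5))
    print("same canonical code:",
          canonical_code(PATTERN) == canonical_code(PATTERN_OTHER_PATH))
```

The brute-force isomorphism test and the permutation-based canonical code are exponential in the number of nodes; they are adequate for the few-node patterns of a frequency-table signature but a real miner would substitute a DFS-code style canonical form.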
In the next section we demonstrate how we have developed a software prototype
called a virtual machine log auditor that synchronizes these log formalisms within the
actual working environment.
4 Experimental Results
In order to evaluate the effectiveness of our approach we have implemented a prototype tool called the “Global Virtual Machine Log Auditor (GVLMA).” We have applied GVLMA within the context of a University-wide deployment for monitoring its private VCentre cloud. GVLMA is a software application, running on a Windows 7 operating system, that maps the VMware essx3i host. The coordinated mapping task involves making a read and copy of the source log on the VM kernel host. GVLMA polls the VCentre disk through a secure FTP session (the SENDER shell script) to the VCentre production storage area network (SAN). It should be noted at this point that the SENDER script actually performs a semantic mapping of the log source schema on the kernel. We also deploy a LOADER script which initiates an Oracle 11g stored procedure; this allows for transformation mapping between the source and target schema, where the target schema is the log auditor's database.
We use JASPER reporting (i.e. Java's web-based GUI reports) to show the outcome of the semantic translation. In the test environment, GVLMA also runs on Windows 7, using our own VCentre essx 3i test host. The production source SAN has 1 Terabyte of disk storage whereas our test SAN has 100GB of disk storage. The production VCentre cloud runs fifteen (15) virtual machine server instances connected to the local VM host.
The mapped log events are polled over different time points to determine a suitable VM log footprint of consistent transactions run by this host. In Figure 1 below we show a snapshot of these time points for the System Log Events as of 9/11/10. The frequency table shows that between the time interval 9:51 a.m. to 16:36 p.m. a consistent signature of failed disk starts. These results corroborate a chain of basic evidence suggesting that the security administrator should have swapped out these disks on the production SAN and performed further forensic analysis on them at the instant of the noted failure.
The summary evaluation of these failed disk events also led to obvious application instance errors on the SAN, for example failed buffer writes of the application logs, antivirus shutdown on the host, etc.
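The time-point analysis described above, as an added example that is not part of the paper or of GVLMA: a small Python routine that parses mapped System Log Events from a constructed pipe-delimited target schema (the field layout, host name and messages are assumptions, not GVLMA's real schema), builds a per-time-point frequency table of the kind shown in Figure 1, extracts the interval over which a disk-failure signature keeps recurring, and lists the application-level errors that fall inside that window. The sample lines are constructed to match the 9:51 to 16:36 window reported in the text.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of mapped System Log Events for one VM host on 9/11/10,
# in a stand-in pipe-delimited target schema: timestamp|host|event class|message
SAMPLE_EVENTS = """\
2010-09-11 09:51:02|esx-host-1|DISK_FAIL|scsi0:2 I/O error on LUN 7
2010-09-11 09:51:05|esx-host-1|APP_ERROR|buffer write failed for application log
2010-09-11 10:30:11|esx-host-1|INFO|vmotion completed
2010-09-11 11:15:40|esx-host-1|DISK_FAIL|scsi0:2 I/O error on LUN 7
2010-09-11 13:02:19|esx-host-1|DISK_FAIL|scsi0:2 I/O error on LUN 7
2010-09-11 13:02:30|esx-host-1|APP_ERROR|antivirus service stopped unexpectedly
2010-09-11 16:36:48|esx-host-1|DISK_FAIL|scsi0:2 I/O error on LUN 7
2010-09-11 17:10:03|esx-host-1|INFO|nightly snapshot started
"""

def parse_events(text):
    """Parse mapped log lines into dicts; malformed lines are skipped and counted
    rather than aborting the whole poll."""
    events, skipped = [], 0
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            skipped += 1
            continue
        ts, host, cls, msg = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        except ValueError:
            skipped += 1
            continue
        events.append({"ts": when, "host": host, "cls": cls, "msg": msg})
    return events, skipped

def frequency_table(events, bucket_minutes=60):
    """Counts of each event class per time point (bucket_minutes must divide 60),
    the same shape as the Figure 1 snapshot."""
    table = defaultdict(Counter)
    for e in events:
        ts = e["ts"]
        bucket = ts.replace(minute=(ts.minute // bucket_minutes) * bucket_minutes,
                            second=0, microsecond=0)
        table[bucket][e["cls"]] += 1
    return dict(table)

def failure_signature(events, cls="DISK_FAIL", min_occurrences=3):
    """Interval over which `cls` keeps recurring, as (first, last, count), or None
    when it occurs fewer than min_occurrences times (a one-off, not a signature)."""
    hits = sorted(e["ts"] for e in events if e["cls"] == cls)
    if len(hits) < min_occurrences:
        return None
    return hits[0], hits[-1], len(hits)

def correlated_errors(events, window, cls="APP_ERROR"):
    """Application-level errors logged inside the failure window."""
    first, last, _ = window
    return [e["msg"] for e in events
            if e["cls"] == cls and first <= e["ts"] <= last]

if __name__ == "__main__":
    evts, _ = parse_events(SAMPLE_EVENTS)
    for point, counts in sorted(frequency_table(evts).items()):
        print(point.strftime("%H:%M"), dict(counts))
    sig = failure_signature(evts)
    if sig:
        first, last, n = sig
        print(f"DISK_FAIL recurred {n} times from {first:%H:%M} to {last:%H:%M}")
        print("correlated application errors:", correlated_errors(evts, sig))
```

The minimum-occurrence threshold is what separates a persistent signature from a single transient error; on real polled data it should be chosen from the polling interval and the host's baseline error rate rather than fixed at three.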