
EP 0850441:
METHOD OF MONITORING A COMPUTER SYSTEM

Data Sheet

EC Classification:
G06F1/00N5A2T
IPC Classification:
G06F1/00 ; G08B13/22 ; G08B25/00
Priority Number(s):
SE19950003047 19950905
Application Number:
WO1996SE01103 19960905
Requested Patent:
EP0850441 (WO9709667), B1
Applicant(s):
DANIELSSON DANIEL (SE); BJOERCK BERTIL (SE)
Inventor(s):
DANIELSSON DANIEL (SE); BJOERCK BERTIL (SE)
Publication date:
1997-03-13
Patent Number:
WO9709667
Invention:
METHOD OF MONITORING A COMPUTER SYSTEM

Description

   METHOD OF MONITORING A COMPUTER SYSTEM
   Technical field
   The present invention relates to a method of monitoring a computer
   system, comprising a plurality of client computers, at least one
   server computer, and a wirebased or wireless network, by means of
   which every unit in the system is operatively connected to at least one
   other unit in the system.
   Description of the prior art
   Some decades ago the term computer network almost entirely referred to
   a mainframe or mini computer type of system. Such computer systems
   were, and still are, in principle based upon a central mainframe or
   mini computer, which is connected to a plurality of user terminals in
   a network structure. In such a system the central computer provides
   all processing power or "intelligence" to the system, while the user
   terminals are mainly provided as means for user communication, i.e.
   monitor and keyboard.
   The central computer handles all software program execution, at the
   same time controlling peripheral units, such as printers and tape
   stations, as well as handling external communications, such as
   telephone-based modem connections.
   The central computer accepts commands from the users by regularly and
   sequentially addressing the various terminals, and in response thereof
   the central computer executes certain pieces of software code and
   supplies resulting information back to the users. To be able to serve
   even a large number of connected users without any excessively long
   response times, such a central mainframe or mini computer comprises
   high-performance components, which are expensive as well as space
   demanding.
   During the last decade or so another scenario has developed. Thanks to
   the progress within the field of electronics it has become possible to
   miniaturise and integrate computer components, and this has resulted
   in an almost exponential increase in computer performance, while the
   relative cost per unit of performance steadily has been reduced. This
   in turn has made it possible to decentralise the computer processing
   by providing the user terminals with hardware and software equipment
   required for execution of computer programs. As a consequence the user
   terminals may be assigned some of the tasks previously assigned to the
   central computer, thereby allowing the latter to be made simpler as
   well as at a lower cost. An additional advantage of such decentralised
   computer processing is the substantially improved opportunities of
   user friendly interfaces.
   The user terminals referred to above are nowadays usually referred to
   as client computers, or merely "clients". The most common types of
   client computers are IBM PC-compatible personal computers, personal
   computers of the Macintosh-series, or Unix-type workstations. The
   central computer
   referred to above today usually corresponds to a so called server
   computer, or just "server". The task of a server computer is to
   provide service to a plurality of connected client computers in some
   way. Common server tasks are storing data and program files of common
   interest to at least some of the client computers, handling printouts
   from the client computers, maintaining a sufficient level of data
   security and integrity within the system by requiring passwords from
   the users, managing safety backups of data and program files, etc.
   In modern computer systems the network is usually physically
   represented by a plurality of coaxial or twisted pair electric cables,
   by means of which the various units in the system are interconnected.
   The client computers, usually appearing at large numbers and normally
   belonging to any of the client computer types described above, are
   connected to the physical network by means of for instance network
   cards or communication ports. The client computers may for instance be
   provided with operating systems such as MS-DOS and/or Windows, OS/2
   or Unix. Some client operating systems are
   able to handle a direct network access. Other systems, such as MS-DOS
   and Windows, must be provided with additional software modules, such
   as Novell Netware, for network access. Furthermore, one or several
   server computers are connected to the network. A server computer is
   usually realized by some type of powerful micro computer
   administrating the network by means of any network operating system
   available on the market, among which Novell Netware, Windows NT,
   Unix, LAN Manager and AppleTalk are the most
   common. Even mainframe and mini computers of the kinds described above
   may be connected to the network and function as server computers
   through an appropriate software interface.
   A very important aspect in network systems is data security.
   Traditionally a high level of data security is regarded to be
   fulfilled, if the system in question is provided with carefully
   selected routines for safety backup copying of data and program files
   to external storage media (such as magnetic tapes), as well as
   routines for authorization control when accessing the network (login
   control with respect to passwords, authority levels with respect to
   the authorities given to individual users, etc). Recently, a third
   kind of security problems has emerged, namely theft or attempted theft
   of computers and peripherals comprised in the network.
   As long as the computer systems were traditional mainframe and mini
   computer systems, respectively, the theft risk was low or even
   negligible. Certainly, it did happen on rare occasions that
   unauthorized people accessed the computer centrals and stole parts of
   the computer equipment, but due to the very low demand for such stolen
   and cubic-meter sized central computers, and since the user terminals
   were substantially useless to third persons, such theft activities
   were hardly prosperous. Today the situation is completely different.
   As even our homes are being computerized with normal PC-compatible or
   Macintosh type personal computers, there is a substantially higher
   demand for stolen computer equipment. Most client computers are today
   well-equipped personal computers with monitors, and may in principle
   be used directly even outside a network.
   Furthermore, it has become more and more common that the persons
   carrying out the burglaries and thefts are provided with expert
   knowledge on the economic values of the components comprised in the
   computers. Hence, a burglar of today is often aware of the fact that
   components such as internal memory circuits, hard disks, CD-ROM
   players, motherboards, etc, are to be regarded as valuable, since not
   only may they be easily disassembled and carried away, but they are
   also attractive on the market of stolen property. Consequently, it is
   nowadays common that the burglar will not, as before, steal and carry
   away complete computers, but instead remove the computer housing or
   the like and to some extent consider the values of the individual
   components in the computers so as to steal only such components, which
   are found to be of interest.
   It may easily be perceived that the problems above are a threat to
   data security. Besides the strictly economical cost of replacing
   stolen computers or computer components, the victim is in addition
   subjected to the inconvenience, as well as the economical loss
   inherent thereof, that the attacked computers - and in worse cases the
   entire system - are useless, until the stolen equipment has been
   replaced. If the stolen equipment comprises permanent storage means
   such as hard disks, etc, there is also a risk of having
   business-sensitive data stored thereon disappearing from the company.
   Another negative consequence of a computer theft as described above is
   the tendency of certain criminal individuals of returning to the crime
   scene after some time, in order to carry out a new round of burglary,
   since the stolen equipment will then probably have been replaced by
   new and even more attractive equipment.
   Previously known attempts of preventing theft of computers and
   peripherals have been directed to installation of a conventional and
   separately arranged anti-theft system, for instance a surveillance
   system with infrared or acoustic intruder detection means, sometimes
   combined with burglary sensors attached to windows and doors. Such a
   conventional anti-theft system has the disadvantage of requiring an
   extensive wiring and detector installation. In addition, by experience
   among criminal individuals methods have been developed of avoiding
   conventional surveillance equipment, for instance by making a survey
   of the various detector locations in the premises on beforehand and
   then only carrying out the burglary in such zones, which are out of
   reach of the detectors. Furthermore, some alarm systems may be
   deactivated by interrupting the supply of power to a central unit
   comprised in the alarm system.
   Summary of the invention
   According to the invention there is provided a method of monitoring a
   computer system, comprising a plurality of client computers, at least
   one server computer, and a wirebased or wireless network, by means of
   which each unit in the system is operatively connected to at least one
   other unit in the system. The fundamental idea of the present
   invention is to make use of the already existing network to
   continuously check that all computers and peripherals connected to the
   network are still present in an original state. Should the contact
   with any of the units in the system be lost, for instance due to an
   unauthorized removal of units in the system, or parts of these units,
   this event will be detected and an alarm signal will be generated in
   response thereto. As a consequence the monitoring may be more
   accurately performed as well as at a lower cost than with the
   conventional surveillance equipment described above, partly thanks to
   the eliminated need for any new wire installation and thanks to the
   fact that conventional methods of deactivating such conventional
   surveillance equipment are no longer applicable.
   The object of the invention is achieved by a method of monitoring a
   computer system with the features appearing from the appended patent
   claims.
   Brief description of the drawing
   Preferred applications of the method according to the invention will
   now be described in more detail in the following, reference being made
   to the accompanying drawing, on which FIG 1 schematically illustrates
   an exemplary computer system, in which the method according to the
   invention is applied.
   Description of preferred applications
   In FIG 1 there is shown an example of how the invention may be applied
   in a modern computer system. The computer system 10 of FIG 1 comprises
   a wire-based network 11, to which a plurality of client stations 12,
   13, 14 as well as a server computer 15 are connected. Additionally
   common types of peripherals, such as printers and modems, may be
   connected to the network 11. Furthermore, in FIG 1 it is indicated
   that even other kinds of peripherals, such as telefax and copying
   machines 16, 17, may be directly connected to the network. There is
   already today a clear tendency at certain companies to connect such
   equipment to the network, and it must be regarded as likely, that the
   computer networks of the future will comprise a variety of such
   equipment.
   Preferably the network 11 is physically comprised of an electric
   wiring of coaxial cable or twisted-pair cable type, but also other
   alternatives are possible; wirebased as well as wireless. Low-level
   communication is occurring on the network in accordance with any
   established standard, such as the network protocols Ethernet or Token
   Ring, both of which are members of the IEEE 802 family. High-level
   communication is occurring according to a standard suitable for the
   low-level protocol chosen, for instance Novell SPX/IPX or the Unix's
   TCP/IP protocol. For accessing the network the
   connected units are provided with appropriate interface means, such as
   a network card corresponding to the network protocols chosen.
   According to the invention each network unit, that is to be monitored,
   is provided with a surveillance module with the following features.
   The surveillance module is capable of continuously monitoring its host
   unit, i.e. the computer, printer, copying machine, etc, to which the
   surveillance module belongs, so as to detect any change in
   configuration or other status. The surveillance module may for
   instance be arranged to detect when the housing of the host unit is
   opened, when components comprised in the host unit are removed, when
   the supply of power to the host unit is interrupted, or whenever the
   host unit loses contact with the network.
   According to another preferred application the surveillance module may
   instead be arranged to collect status information about the host unit
   at given moments in time, i.e. with no particular focus on a change in
   status.
   Furthermore, the surveillance module is arranged to supply the
   detected or collected information described above through the network
   11 to an alarm unit comprised in the computer system. Preferably, this
   communication occurs according to any network protocol already used in
   the computer system, thereby avoiding conflicts with other hardware
   and software within the system.
   The simplest way of realizing the surveillance module is to provide
   the existing network card with a sensor, which is arranged to detect
   whenever the host unit is opened. It is of greatest importance that
   the surveillance module - in this case the sensor - is operational,
   even when the rest of the host unit is powerless, for instance due to
   a deliberate interruption of the power supply in connection with an
   attempted burglary. Hence, the surveillance module is preferably
   provided with its own power source, for instance a longlife battery.
   Such batteries are already today used in a variety of applications,
   and hence they are not described in more detail here.
   Whenever the sensor detects that the host unit has been opened or that
   the ordinary power supply has been interrupted, the sensor will report
   this condition through the network to the afore-mentioned alarm unit,
   which will be described further below.
   In a more advanced application the surveillance module is arranged to
   collect information according to the above about the configuration of
   the host computer, i.e. the number and size of internal memory
   circuits, the presence of secondary storage such as a hard disk or a
   CD-ROM player, the presence of a graphic card and a monitor connected to
   the host unit, etc. According to this application the host computer
   will be supplemented by certain hardware and/or software, so that the
   surveillance module may be in a continuous contact with the different
   parts or components in the host computer. This concept, which may be
   referred to as "Safety Channel", will hence mean that certain selected
   components in a host computer will be in constant operative connection
   with a surveillance module in the host computer. In accordance with
   the more simple application described above the "Safety Channel"
   application will be supplemented by a battery or another type of
   uninterruptable power source. The surveillance module itself may for
   instance be realized as an electronic circuit on the network circuit
   board, as an independent expansion card or as a software module alone,
   which may be integrated on a low-level basis in the operating system
   of the host computer or which as an alternative may be executed as a
   memory resident program module.
   The alarm unit referred to above is operatively connected to the
   network 11 and is adapted to receive information from the surveillance
   module of each respective monitored network unit. The alarm unit -
   which may be realized as a software module in the server computer 15,
   as a software module in any of the client computers 12, 13, 14
   comprised in the computer system 10, or as a separate unit connected
   to the network - will continuously check the incoming information so
   as to detect an unauthorized manipulation of equipment within the
   computer system 10, for instance an attempted theft.
   In such applications where the surveillance modules according to the
   above themselves will detect a change in the equipment within their
   respective host unit, the alarm unit simply has to generate an
   external alarm signal, whenever any surveillance module has reported
   such a change.
   If, however, the surveillance modules are arranged to report the
   momentary status for the equipment, the alarm unit will be provided
   with a conventional electronic memory, in which the expected status
   for each monitored network unit is stored. The expected status may for
   instance be information about internal memory or hard disk size, the
   number of peripherals connected, such as CD-ROM player and monitor,
   etc. Whenever the reported status deviates from the expected status
   stored in the electronic memory, an external alarm signal will be
   generated.
   Furthermore, the alarm unit may be arranged to regularly and
   sequentially poll the monitored units itself and command them to
   supply their respective status information according to the above.
   Also this polling activity occurs according to the same network
   protocol, which is normally used in the computer system.
   The external alarm signal is preferably an alarm to a security
   company, the police or the security managers at the company, for
   instance by having the alarm signal activate a communication program
   run on any client computer 12, 13, 14 or server computer 15 within the
   computer system 10, wherein the program will call the desired party by
   means of a modem. In order to further increase the security separate
   cellular telephones or radio transmitters 18a, 18b may be connected to
   the computer system 10, wherein the alarm may take place wirelessly to
   the receiving cellular telephone or radio receiver.
   Even the server computer 15 comprised in the computer system may be
   provided with a surveillance module according to the above and take
   part among the monitored units, if the alarm unit is realized as an
   individual unit separated from the server computer, which in
   accordance with the surveillance modules described above is provided
   with an uninterruptable power supply by means of a battery or the
   like.
   According to a more advanced application the alarm unit - be it
   realized as a software module in a computer or as a separate unit -
   may be programmed in such a way, that different alarm conditions are
   used. For instance, an interruption of the normal power supply of the
   computer system may be allowed without giving an alarm, provided that
   the interruption is not followed by any reports on other kinds of
   disturbances, thereby avoiding that a false alarm is given for
   instance during thunderstorms. In addition the alarm unit may be
   programmed to supply more detailed alarm information, when external
   alarm is given, for instance by reporting the kind of change that has
   taken place in the computer system, or which pieces of equipment that
   have been affected.
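
   The alarm-unit logic described above, sketched as an added example
   that is not part of the patent text: it stores an expected status per
   unit, raises an alarm when a report deviates by more than a threshold
   or when a polled unit stops answering, and tolerates a mains
   interruption that is not followed by another disturbance. Unit names,
   status field names, the poll limit and the threshold are constructed
   assumptions; the patent does not define a report format.

```python
from dataclasses import dataclass

MISSED_POLLS_LIMIT = 3  # assumed: unanswered polls tolerated before alarm
DIFF_THRESHOLD = 0      # assumed: "predetermined amount" = number of changed fields

# Constructed inventory: expected status per monitored unit.
INVENTORY = {
    "client12": {"housing_closed": True, "ram_mb": 16,
                 "hard_disk_mb": 540, "cdrom": True, "monitor": True},
    "telefax16": {"housing_closed": True},
}


@dataclass
class Unit:
    expected: dict            # expected status held in the alarm unit's memory
    missed_polls: int = 0
    power_lost: bool = False  # mains interruption reported, not alarmed by itself


class AlarmUnit:
    def __init__(self, inventory, threshold=DIFF_THRESHOLD):
        self.units = {name: Unit(dict(status)) for name, status in inventory.items()}
        self.threshold = threshold

    def on_report(self, name, reported):
        """Compare one reported status with the expected one; return alarms."""
        unit = self.units[name]
        unit.missed_polls = 0
        # A power interruption alone is tolerated (e.g. a thunderstorm); it is
        # only remembered so that a following disturbance can mention it.
        unit.power_lost = not reported.get("mains_power", True)
        changes = {
            key: (want, reported.get(key))
            for key, want in unit.expected.items()
            if reported.get(key) != want
        }
        if len(changes) <= self.threshold:
            return []
        # Detailed alarm information: which unit, and what kind of change.
        return [{"unit": name, "kind": "status_change",
                 "changes": changes, "after_power_loss": unit.power_lost}]

    def on_poll_timeout(self, name):
        """A polled unit did not answer; repeated loss of contact is an alarm."""
        unit = self.units[name]
        unit.missed_polls += 1
        if unit.missed_polls < MISSED_POLLS_LIMIT:
            return []
        return [{"unit": name, "kind": "contact_lost",
                 "missed_polls": unit.missed_polls}]


def demo():
    """Replay a constructed sequence of reports and poll timeouts."""
    alarm = AlarmUnit(INVENTORY)
    ok = dict(INVENTORY["client12"], mains_power=True)
    events = []
    events += alarm.on_report("client12", ok)                           # normal
    events += alarm.on_report("client12", dict(ok, mains_power=False))  # power only
    events += alarm.on_report(
        "client12",
        dict(ok, mains_power=False, housing_closed=False, ram_mb=8),
    )                                                # housing opened, memory removed
    for _ in range(MISSED_POLLS_LIMIT):
        events += alarm.on_poll_timeout("telefax16")  # unit vanished from network
    return events


if __name__ == "__main__":
    for event in demo():
        print(event)
```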
   It is also possible to practice the method of monitoring according to
   the invention in combination with already existing conventional
   surveillance equipment, such as intruder detectors 19 or entrance
   control units 20. Such conventional units are then provided with
   modified surveillance modules 21, 22, which are arranged to receive an
   alarm signal from the detectors 19 and the units 20, respectively, and
   forward these through the network 11 to the alarm unit described
   above.
   Additionally, the network 11 may be galvanically separated by means of
   network section units 23. Every section of the network 11 is then
   preferably provided with its own alarm unit, said alarm units being
   able to monitor each other to cause an alarm, should any other alarm
   unit or section of the network be made inoperational. Alternatively,
   the entire network 11, or portions thereof, may consist of a
   wire-based optical or a wireless communication link, respectively, of
   previously known design.
   The description above for the preferred applications of the method
   according to the invention are only to be taken as examples. Other
   applications may deviate from what has been described above within the
   scope of the invention, as defined in the appended patent claims. In
   particular, the term server computer is to be interpreted in a broad
   sense; the server computer 15 may be constituted by a pure printer and
   application server (a so called network server) in a "real" server
   network, but alternatively, it may be represented by any given client
   computer 12, 13, 14 in a "peer-to-peer" network, in which the
   different client computers mutually share their own resources as well
   as printers and hard disks, and consequently act as client computers
   as well as server computers.
     _________________________________________________________________
   
   Data supplied from the esp@cenet database - l2

Claims


   1. A method of monitoring a computer system (10), comprising a
   plurality of client computers (12, 13, 14), at least one server
   computer (15), and a wirebased or wireless network (11), by means of
   which each unit in the system is operatively connected to at least one
   other unit in the system, characterized by the steps of
   continuously collecting information about at least some of the client
   computers (12, 13, 14) in each respective client computer;
   supplying the collected client computer information to an alarm unit
   comprised in the system (10) with the network (11) acting as
   information carrier and in accordance with the same network
   protocol(s) that is/are normally used in the computer system (10);
   comparing in the alarm unit the client computer information received
   with previously received client computer information; and
   generating an alarm signal by means of the alarm unit, if the
   difference between the client computer information received and the
   previously received client computer information is larger than a
   predetermined amount of information.
   2. A method according to claim 1, characterized in that
   said client computer information comprises information about the
   operative connection between the client computer (12, 13, 14) and the
   rest of the computer system (10).
   3. A method according to claim 1, characterized in that
   said client computer information comprises information about
   components in the client computer (12, 13, 14), such as internal
   memory, hard disk, CD-ROM player, etc.
   4. A method according to any preceding claim, characterized
   in that said network (11) at least partly is constituted by a set of
   electrical wires of coaxial cable or twisted-pair cable type.
   5. A method according to any preceding claim, characterized
   in that said network (11) is at least partly constituted by an
   optical fibre cable.
   6. A method according to any preceding claim, characterized
   in that said network protocol(s) is/are in accordance with any of
   the network standards IEEE 802.3, IEEE 802.4 or IEEE 802.5.
   7. A method according to any preceding claim, wherein the computer
   system (10) further comprises peripheral equipment (16, 17),
   characterized by the additional steps of
   continuously collecting information also in said peripheral equipment
   (16, 17) about the equipment itself as well as components comprised
   therein;
   supplying the collected peripheral equipment information to an alarm
   unit comprised in the computer system with the network acting as
   information carrier;
   comparing peripheral equipment information received in the alarm unit
   with previously received peripheral equipment information; and
   generating an alarm signal by means of the alarm unit, if the difference
   between the peripheral equipment information received and the
   previously received peripheral equipment information is larger than a
   predetermined amount of information.
   8. A method according to claim 7, characterized in that
   said peripheral equipment (16, 17) at least partly comprises telefax
   equipment (16).
   9. A method according to claim 7, characterized in that
   said peripheral equipment (16, 17) at least partly consists of a
   copying machine (17).
   10. A method according to claim 7, characterized in that
   said peripheral equipment at least partly is constituted by
   conventional surveillance equipment (19, 20).
   11. A method according to any preceding claim, characterized
   in that all monitored units (12, 13, 14; 16, 17) are provided with
   their own power source, said power source being operational also when
   the rest of the computer system (10) is powerless.
   12. A method according to any preceding claim, characterized
   by the additional step of
   when said alarm signal is generated by the alarm unit, establishing a
   telephone-based contact with at least one subscriber, who is located
   outside the premises, in which the computer system (10) is situated.
   13. A method according to any preceding claim, characterized
   in that the alarm unit is constituted by a computer program executed
   or run in said server computer (15) or in any of the client computers.