DE102023211239A1 - Apparatus and computer-implemented method for detecting at least one program that causes an anomaly in a computer system - Google Patents

Abstract

Apparatus and computer-implemented method for detecting at least one program that causes an anomaly in a computer system, wherein an occurrence of at least one anomaly in the computer system is detected (302), wherein a history of an execution state or installation state is determined (304) for programs from a set of programs (204) that are executable on the computer system, wherein a correlation between the occurrence and the history is determined (306) for at least one program from the set of programs, wherein the at least one program that causes the at least one anomaly is selected from the set of programs depending on the correlation (308).

Description

State of the art

The invention relates to a device and a computer-implemented method for detecting at least one program that causes an anomaly in a computer system.

The reliability of the computer system is compromised by anomalies. Therefore, identifying the root causes of these anomalies is of utmost importance.

Disclosure of the invention

A computer-implemented method for detecting at least one program that causes an anomaly in a computer system provides for the detection of an occurrence of at least one anomaly in the computer system, wherein a history of an execution state or installation state is determined for programs from a set of programs that can be executed on the computer system, wherein a correlation between the occurrence and the history is determined for at least one program from the set of programs, wherein the at least one program that causes the at least one anomaly is selected from the set of programs depending on the correlation. The method helps to narrow down possible causes of observed anomalies on the computer system in the field and thus facilitates root cause elimination.

The occurrence of the at least one anomaly includes, for example, one or more occurrence times of the at least one anomaly. The method is equally applicable to a sporadically occurring anomaly as to a repeatedly occurring anomaly.

The execution state of the respective program is determined, for example, depending on the start and/or end of the respective program's execution. The events "start" and "end" of the respective program's execution correlate with the occurrence insofar as the occurrence of an anomaly caused by the respective program is less likely before the start and after the end of the respective program's execution than during the respective program's execution.

The execution state of a given program, for example, is determined by its runtime. The runtime of a given program correlates with its occurrence in that the likelihood of an anomaly caused by the given program increases with the length of its runtime.

The installation status of a program is determined, for example, based on the presence or absence of the program on the computer system or the program's version number. Both the presence or absence of a specific program or a specific version number of a specific program can cause an anomaly. An anomaly caused by this specific program is thus detected.

It may be provided that multiple programs causing the anomaly are determined based on a correlation between the execution state histories of the multiple programs. A combination of programs causing the anomaly is thereby detected.

For several programs from the set, for example, a respective degree of correlation between the occurrence and the course of the execution state or the installation state of the respective program is determined, whereby the program with the greatest degree of correlation is selected as the program that causes the at least one anomaly, or whereby the programs whose degree of correlation is greater than a threshold value are selected as the programs that cause the anomaly. For example, an anomaly occurring shortly after a change in the execution state or the installation state of a specific program or several specific programs indicates the specific program or the several specific programs as the cause. This program or these programs are determined by the degree of correlation.

For example, a subset of programs is determined from the set of programs whose execution on the computer system detects at least one anomaly, the correlation for the programs from the subset is determined, and the at least one program causing the anomaly is selected from the subset. This reduces the computational effort and enables the method to be used on computers with fewer computing resources than if the correlation for the programs from the set were determined.

For example, the correlation is determined depending on a ratio between a particularly average distance between occurrence times of the anomaly and a period between a Change in the execution state or installation state and, in particular, a first time of occurrence after the change.

For example, the correlation is determined depending on a ratio between a particular average number of anomalies during an execution of a program and a number of executions of the program in a period between a change in the installation state and a particular first occurrence time after the change.

It can be provided that the occurrence of the at least one anomaly is detected in multiple computer systems, wherein the correlation between the occurrence and the course on the multiple computer systems is determined, wherein the at least one program that causes the at least one anomaly is selected from the set of programs depending on the correlation. Through the central evaluation, in particular for multiple computer systems, a causer can be assigned, even if a correlation on each individual computer system does not allow a clear assignment to a single causer.

To treat the anomaly, it can be provided that the at least one program causing the anomaly is output, or in particular is output, switched off or replaced on the computer system on which the at least one program causes the anomaly.

A device for detecting at least one program causing an anomaly in a computer system comprises at least one processor and at least one memory, wherein the memory comprises instructions executable by the at least one processor, upon execution of which instructions by the processor the device carries out the method, wherein the at least one processor is designed to execute the instructions.

A computer program comprises instructions executable by a computer, which, when executed by the computer, cause the computer to carry out the method.

• 1 eine schematische Darstellung einer Vorrichtung zur Erkennung wenigstens eines Programms, das eine Anomalie in einem Rechnersystem verursacht,
• 2 eine schematische Darstellung des Rechnersystems,
• 3 ein Flussdiagramm mit Schritten eines Verfahrens zur Erkennung des wenigstens einen Programms,
• 4 ein erstes Beispiel für eine Korrelation,
• 5 ein zweites Beispiel für die Korrelation,
• 6 ein drittes Beispiel für die Korrelation,
• 7 ein fünftes Beispiel für die Korrelation.

Further advantageous embodiments can be found in the following description and the drawing. The drawing shows:

• 1 a schematic representation of a device for detecting at least one program that causes an anomaly in a computer system,
• 2 a schematic representation of the computer system,
• 3 a flowchart with steps of a method for detecting the at least one program,
• 4 a first example of a correlation,
• 5 a second example of the correlation,
• 6 a third example of the correlation,
• 7 a fifth example of correlation.

In 1 a device 100 for detecting at least one program that causes an anomaly in a computer system is schematically shown.

The device 100 comprises at least one processor 102 and at least one memory 104. The at least one memory 104 is designed to store instructions executable by the at least one processor 102, upon execution of which instructions by the at least one processor 102, the device 100 executes a method for recognizing the at least one program.

In 2 An exemplary computer system 200 is schematically illustrated. In the example, the computer system 200 includes an execution environment 202. The execution environment 202 is configured to execute programs from a set of programs 204. The computer system 200 can be configured to execute the execution environment 202 directly on a hardware computing unit or in a virtual hardware environment.

The computing system 200 may be a vehicle control computer, a mobile phone, or an internet router. The computing system 200 may include a monitoring device for monitoring the programs and anomalies. The monitoring device may be located external to the computing system 200.

In the example, the execution environment 202 comprises an operating system and hardware or software components for influencing an execution state or installation state for one or more programs from the set of programs 204.

Influencing the installation state includes, for example, installing or uninstalling a program on the computer system 200. Influencing the installation state includes, for example, updating a program installed on the computer system 200 to a more recent version of the program.

The influence of the execution state includes, for example, a start or an end or an interruption of the execution of a program on the computing system 200.

A program refers, for example, to an application or a software component. In this example, a program includes program code.

The execution environment 202 provides services or functions for executing programs from the set of programs 204.

An application is, for example, a program designed to provide a functionality expected by computer system 200. For this purpose, the application may access, for example, services or functions of execution environment 202 or another application or multiple other applications. An application may comprise one or more software components.

The presence or absence or execution state of a software component is individually observable in the computer system 200. One software component is distinguishable from another software component.

The execution state indicates, for example, whether a program is "active," i.e., is being executed on computer system 200, or "inactive," i.e., is not being executed on computer system 200. For example, a program has the execution state "active" if the program is running in a running, non-long-term suspended process of execution environment 202. The program code of the program does not need to be directly being executed by a processor of computer system 200. For example, a program has the execution state "inactive" if no process or a long-term suspended process is provided for the program in execution environment 202.

For example, a software component has an "active" execution state if the software component is part of a running, non-long-term suspended process of the execution environment 202. The program code of the software component does not need to be directly executed by a processor of the computer system 200.

A software component is, for example, a program that includes a single function or method of a class in the sense of object-oriented programming.

A software component is, for example, a program that includes the class or a collection of classes.

A software component may include an executable file or a collection of executable files. A software component may include a standalone executable program file, such as machine code, or a shell script.

A software component may include a static or dynamic library file or a collection of static or dynamic library files.

A software component may include a non-standalone executable program library, such as a DLL or a shared object.

A software component may include a configuration file or a collection of configuration files.

The execution environment 202 forms the basis for executing the programs from the set 204.

Software components from static libraries are statically linked to a program file or library, for example, during its creation. The execution state of statically linked software components is not recognizable from outside the program file or library. They are therefore considered an integral part of the program file or library.

It may be provided that the computer system 200 comprises means for interprocess communication between programs from the set of programs 204.

It may be provided that the computer system 200 provides multiple execution environments 202. The computer system 200 includes, for example, means for managing the execution environments, in particular a container management system such as Docker, or a runtime environment or software platform such as AUTOSAR.

A single program or combination of programs provided on the computer system 200, or the absence of a program or combination of programs on the computer system 200, or incompatible versions of programs on the computer system may cause an anomaly.

• - Ungewöhnlicher Ressourcenverbrauch insbesondere bezüglich einer CPU, eines Speichers, oder eines Kommunikationsmediums des Rechnersystems 200,
• - Ein Zugriffsversuch oder gehäufte Zugriffsversuche auf eine gesperrte Ressource, Daten oder Dienste des Rechnersystem 200,
• - ein fehlschlagender Versuch einer Authentifizierung gegenüber dem Rechnersystem 200,
• - ein unerwünschtes Beenden einer Software-Komponente,
• - ein unerwünschter Neustart der Ausführungsumgebung 202 oder des Rechnersystems 200,
• - ein unerwünschtes oder auffälliges Verhalten bei einer Benutzung einer Schnittstelle zwischen zwei Programmen.

An anomaly is, for example, a faulty, undesirable or at least unusual behavior of the computer system 200 or one of its components such as:

• - Unusual resource consumption, particularly with regard to a CPU, a memory, or a communication medium of the computer system 200,
• - An attempt or repeated attempts to access a locked resource, data or service of the computer system 200,
• - a failed attempt at authentication against the computer system 200,
• - an unwanted termination of a software component,
• - an unwanted restart of the execution environment 202 or the computer system 200,
• - undesirable or unusual behavior when using an interface between two programs.

An anomaly can be a single event, i.e., one that occurs only once within a certain period of time. An anomaly can persist over a period of time. An anomaly can occur repeatedly over a certain period of time.

• Unerwartetes Ende eines Programms,
• Erhöhter Ressourcenverbrauch, z.B. erhöhte Speicherbelegung, eines Programms,
• Unerlaubter Zugriffsversuch auf eine vom Rechnersystem 200 bereitgestellte Ressource durch ein Programm,
• Wiederholtes Abonnieren eines vom Rechnersystem 200 oder einem anderen Programm bereitgestellten Dienstes durch ein Programm ohne zwischenzeitliche Kündigung des Abos,
• Senden eines undefinierten Datums durch ein Programm an einen vom Rechnersystem 200 oder einem anderen Programm bereitgestellten Dienst, Empfangen eines undefinierten Datums durch ein Programm von einem vom Rechnersystem 200 oder einem anderen Programm bereitgestellten Dienst.

Other examples of an anomaly are:

• Unexpected end of a program,
• Increased resource consumption, e.g. increased memory usage, of a program,
• Unauthorized attempt to access a resource provided by the computer system 200 by a program,
• Repeated subscription by a program to a service provided by the computer system 200 or another program without interim cancellation of the subscription,
• Sending an undefined date by a program to a service provided by the computer system 200 or another program, receiving an undefined date by a program from a service provided by the computer system 200 or another program.

In 3 a flowchart with steps of a method for detecting the at least one program is shown.

The method includes a step 302.

In step 302, an occurrence of at least one anomaly in the computer system 200 is detected. The occurrence includes, for example, one occurrence time of an anomaly or multiple occurrence times of the same anomaly or different anomalies.

In this example, the anomaly is determined independently of conditions that are relevant only within individual or a few software components. In this example, the anomaly is determined independently of knowledge about the internal structure of the respective software component.

In the example, the anomaly is determined independently of detailed or extensive logging data of the software components or their structure and layout.

In the example, the anomaly is detected by means of an automated observation of the running computer system 200, in which data about the execution states or installation states or the occurrence of the at least one anomaly is recorded.

It may be provided that the data is stored in a local persistent data storage, e.g., hard disk, flash memory, or in a central database. The local storage is used, for example, to prevent data loss in the event of a connection interruption or restart of the computer system 200.

For the detection of anomalies, an anomaly detection device or different anomaly detection devices can be provided which monitor the computer system 300 for the occurrence of anomalies and detect anomalies.

In the example, step 302 is repeated until an anomaly is detected. If an anomaly is detected, step 304 is executed.

In step 304, a history of an execution state or installation state is determined for programs from the set of programs 204. In the example, the respective history is determined from the data.

The execution state of the respective program is determined, for example, depending on the start and/or end of the execution of the respective program.

The execution state of the respective program is determined, for example, depending on the runtime of the respective program.

The installation status for a program is determined, for example, by the presence or absence of the program on the Computer system 200 or a version number of the program.

The method includes a step 306.

In step 306, a correlation between the occurrence and the history is determined for at least one program from the set of programs 204.

In the example, for several programs from the set of programs 204, a respective degree of correlation between the occurrence and the course of the execution state or the installation state of the respective program is to be determined.

The method includes a step 308.

In step 308, the at least one program that causes the at least one anomaly is selected from the set of programs 204 depending on the correlation.

It may be provided that several programs causing the anomaly are determined depending on a correlation between the execution state histories of the several programs.

In one example, the program with the highest degree of correlation is selected as the program that causes at least one anomaly.

In one example, the programs whose degree of correlation is greater than a threshold are selected as the programs that cause the anomaly.

In certain cases, the correlation between the occurrence and the history for a single program directly attributes the anomaly to the triggering program because this program can be identified as the source of the anomaly, for example due to a correlation that is above a threshold.

In other cases, it is not possible to trace the cause back to the cause due to the correlation between the occurrence and the history for individual programs.

It may be provided, in particular if the traceback is not possible, to subsequently carry out step 302, e.g. in order to identify the cause or causes on the basis of several anomalies that occur over a period of time.

To detect a recurring anomaly, a detected anomaly is identified. For example, the anomaly is identified based on the type of anomaly, its source program, or, if the anomaly concerns a message exchanged between two programs, the destination of that message.

• Die Anomalie-Auswertung über mehrere Rechnersysteme 200 erfolgt durch eine Auswertung des Auftretens, insbesondere der Auftretenszeitpunkte, einer oder mehrerer Anomalien und der dabei jeweils vorhandenen Ausführungszustände der jeweiligen Rechnersysteme 200. Beispielsweise erfolgt die Anomalie-Auswertung über die Verläufe des Ausführungszustandes oder Installationszustandes für Programme aus der Menge von Programmen 204 je Rechnersystem 200.

Anomaly analysis across multiple computer systems 200, e.g. in a central system:

• The anomaly evaluation across multiple computer systems 200 is carried out by evaluating the occurrence, in particular the times of occurrence, of one or more anomalies and the respective execution states of the respective computer systems 200. For example, the anomaly evaluation is carried out via the courses of the execution state or installation state for programs from the set of programs 204 per computer system 200.

For example, in step 302, the occurrence of the at least one anomaly in multiple computer systems 200 is detected.

For example, in step 304, the history of the execution state or installation state for programs from the set of programs 204 per computer system 200 is determined. In the example, the respective history is determined from the data of the respective computer system 200.

For example, in step 306, the correlation between the occurrence and the history on the multiple computing systems 200 is determined.

For example, in step 308, the at least one program that causes the at least one anomaly is selected from the set of programs 204 depending on the correlation between the occurrence and the history on the multiple computing systems 200.

In the example, the computer systems 200 are the same computer systems or similar computer systems 200. Similar computer systems 200 comprise, for example, at least partially the same software or hardware.

The computer systems 200 are, for example, computer systems 200 used in vehicles of related model series of a vehicle manufacturer. The computer systems 200 are, for example, embedded software systems, in particular parts of a mass-produced electronic product.

For similar computer systems 200, for example, the selection of installed programs, ie software ware components, very similar. This suggests that a particular anomaly will occur in several of these similar computer systems 200. The larger amount of data—provided by the large number of these similar computer systems 200—can improve the correlation. This is especially true for anomalies that rarely occur in individual computer systems 200.

Detection is also improved when an anomaly is caused by a program, i.e., a software component, that is not installed on all but only on a subset of the similar computer systems. In this case, correlation is achieved, for example, by observing the anomaly only on the computer systems 200 with this additional program.

Due to the central evaluation for several computer systems 200 in particular, a causer can be assigned, even if a correlation on each individual computer system 200 does not allow a clear assignment to a single causer.

It may be provided that the at least one program causing the anomaly is output, deactivated or replaced on the computer system on which the at least one program causes the anomaly.

• Beispielsweise wird das Verfahren zur Eingrenzung einer Menge möglicher Verursacher ausgeführt, um Zeitpunkte eines Auftretens einer bestimmten Anomalie a1 mit protokollierten Ausführungszuständen zu korrelieren, mit dem Ziel möglichst wenige Software-Einheiten als Verursacher der Anomalie zu bestimmen.

Using the procedure to narrow down a set of possible polluters:

• For example, the procedure for narrowing down a set of possible causes is carried out in order to correlate times of occurrence of a certain anomaly a1 with logged execution states, with the aim of determining as few software units as possible as the cause of the anomaly.

The process is initiated, for example, by the first observation of an anomaly that is distinguishable from others. The process continues, for example, until the set of possible causes is sufficiently small or no longer changes over a certain observation period.

Example 1:

The correlation is used, for example, to identify the cause depending on the frequent observation of an anomaly in relation to the average activity duration of a program. A history of the execution state is shown in 4 for programs 401, 402, 403, 404 and a tenfold occurrence an anomaly 405 is shown schematically.

The phases of a frequent occurrence of anomaly 405 are aligned as closely as possible with the active phases of programs 401, 402, 403, and 404 through correlation. The start of an active phase is detected, for example, by a positive edge of the respective execution state. The end of an active phase is detected, for example, by a negative edge of the respective execution state.

In one example, an average interval between the times at which an anomaly occurs is related to the time periods between the start of a respective program and the first time of the subsequent occurrence of the anomaly.

In one example, an average interval between the times at which an anomaly occurs is related to the time periods between the time of the last occurrence of the anomaly and the subsequent end of a respective program.

If both of these time periods are similar to the mean distance, i.e., within a specified tolerance limit around the mean distance, the correlation is assessed as high, i.e., above the threshold. If at least one of the time periods is significantly larger than the mean distance, i.e., outside the specified tolerance limit around the mean distance, the correlation is assessed as lower, i.e., below the threshold.

It may be necessary to consider whether and to what extent an accumulation of the anomaly occurs within the activity period of the program.

In Example 1, the highest correlation between the occurrence and the course of the activity period is achieved for program 401. The correlations between the occurrence and the course of the activity period for programs 403 and 404, in contrast, are lower: for program 403 due to the low overlap of the active phase of program 403 with the occurrence of anomaly 405, and for program 404 due to the long phase of non-observation of anomaly 405 at the beginning and end of the active phase of program 404. The correlation between the occurrence and the course of the activity period for program 402 is the lowest because the active phase of program 402 begins longer than the active phases of the other programs before the occurrence of the first anomaly 405 and ends earlier than the active phases of the other programs and before the last occurrence of anomaly 405.

Example 2:

A history of the execution state is shown in 5 for the programs 401 and 403 and a sixteen-fold occurrence an anomaly 405 is shown schematically.

The correlation between the history and the activity period for program 403 is increased compared to Example 1 due to the greater frequency of occurrence of the anomaly compared to Example 1. This indicates that the anomaly is caused by a combination of programs 401 and 403.

Example 3:

A history of the execution state is shown in 6 for the programs 401 and 403 and a fifteenfold occurrence an anomaly 405 is shown schematically.

The simultaneous activity of multiple sources of anomaly 405 does not necessarily lead to an increased frequency of anomaly 405. The frequency may be limited by a shared resource that can only be used by one program at a time. This determines at least the shortest possible interval between two occurrences of anomaly 405. At maximum resource usage frequency, this would not lead to any change in the frequency of anomaly 405 if additional programs accessing the resource were activated. Rather, it would simply result in an extension of the runtime of the active program units.

The active phases of programs 401 and 403 do not, on their own, completely cover the occurrence of anomaly 405. Therefore, they are both considered to be a causative factor with a similar correlation to the occurrence of the anomaly.

Example 4:

The method may provide for the occurrence of anomaly 405 to be correlated not only with the history of a single program, but also with the history of other programs. This is helpful when an anomaly 405 only occurs in the interaction of several programs.

In 7 An example is shown for programs 401, 402, and 403. Here, there is a moderate correlation between the occurrence of anomaly 405 and the active phases of programs 401 and 403. A very good correlation, however, is found with the period of joint activity, i.e., the active phases, of programs 401 and 403. The correlation with the active phases of joint activity of programs 401 and 402, or of programs 402 and 403, is zero when anomaly 405 occurs.

• Wird eine Anomalie nur selten in Bezug auf die durchschnittlichen aktiven Phasen der Programme beobachtet, kann die Korrelation alternativ mit dem folgenden Verfahren erfolgen.

Use of the procedure when an anomaly is observed sporadically:

• If an anomaly is observed only rarely with respect to the average active phases of the programs, the correlation can alternatively be performed using the following procedure.

In the first step, the activity states of the programs at the observation times at which an anomaly is detected are determined. The programs active at each observation time form the set of possible causative agents at that observation time.

A union set A of the active programs is now determined.

The union set A represents the maximum number of possible causative agents. The actual causative agents form an unknown subset of this set. This subset may be incomplete if the anomaly occurs only very sporadically.

To reduce the proportion of non-causative programs in the union A, the second step is to form the union N of active programs for which the anomaly was never observed. Active programs for which the anomaly occurred sporadically, i.e., was observed at least once, are not combined with the union N because at least one of these programs must be a causative agent of the anomaly.

In the case of a sporadic anomaly, the union set N may also contain actual causative agents because they were active while the anomaly was not observed. The motivation for this step is that this set is sufficiently small for a sufficiently long observation period.

In the third step, the members of the union set N are removed from the union set A, i.e., the difference set K = A \ N is formed. The difference set K now represents the set of the most probable causes.

It can be provided that the computer system 200 is observed at different times in which the computer system 200 is in different runtime states, ie in which different combinations of programs are in the active phase or not are in the active phase. The difference set K is determined, for example, depending on the observations and non-observations of the anomaly and the runtime states at the time points. The assumption is that this method provides a good approximation of the actual causative set, provided there is a sufficient number of observations or non-observations of the anomaly.

• Die Ursache einer Anomalie ist entweder bereits im Auslieferungszustand des Rechnersystems 200 enthalten oder wird durch eine Änderung des Installationszustands des überwachten Rechnersystems 200 eingebracht.

Correlation with changes in the installation status:

• The cause of an anomaly is either already contained in the delivery state of the computer system 200 or is introduced by a change in the installation state of the monitored computer system 200.

• - der Installation eines neuen Programms,
• - dem Ersetzen einer Version eines vorhandenen Programms durch eine neuere oder ältere Version.

The change can consist of, for example,

• - installing a new program,
• - replacing a version of an existing program with a newer or older version.

The occurrence of the anomaly is correlated with one or more of these changes.

It may be provided that the removal of a program is considered a change that removes a cause from the computer system 202, which would result in the absence or reduction of the frequency of an anomaly.

In the example, the programs determined depending on the correlation of their execution state with the occurrence of the anomaly are examined to determine how well the occurrence of the anomaly in question correlates with the installation or a version change of the respective program.

This correlation is calculated, for example, by comparing the average interval between the anomaly observation times to the time period between the change in the installation of the respective program and the first observation of the anomaly. The higher this value, i.e., the more "directly" the anomaly was first observed after the change in the installation, the higher the correlation.

The lower the respective value, the more likely the cause of the anomaly is not related to the change in the installation of the program, but the anomaly is triggered by a later event such as the exploitation of a security vulnerability or the attempt to do so.

Alternatively, the average number of observations of the anomaly during the active phases of the respective programs can be compared to the number of active phases of that program between the change in the installation and the first observation of the anomaly to determine the degree of correlation.

The set of possible culprits can be determined by passively monitoring the programs from the set of programs 204. It may be possible to remove programs from the set of programs 204, deactivate them, or install a newer or older version of the programs in order to reduce the set of possible culprits.

In the example, the observation period is chosen such that after the reduction of the possible causes, a period is observed that is at least as long as the observation period before the reduction.

The described approach requires only minimal computing resources, such as memory for log data. This allows a longer period of time to be retained with the same computing resources. This improves correlation due to the larger history. The described approach does not require any specialized knowledge of the observed software components. This is particularly advantageous when the software components come from different sources, e.g., from different manufacturers.

The method can be executed in the execution environment 202 or outsourced. For example, the computing system 202 can be observed and the correlation can be performed or evaluated from another execution environment, for example, from a "housekeeping" domain. The observation of the computing system 202 and the correlation can be performed or evaluated to a centrally located system in a computer cloud.

If the reduction was achieved by a version change of certain programs, this state is definitively established in the computer system 200 if the anomaly does not occur.

If the reduction was achieved by deactivating certain programs, a user can decide, for example, whether their permanent deactivation is acceptable or whether a version change should be carried out.

Claims (14)

Computer-implemented method for detecting at least one program that causes an anomaly in a computer system (200), characterized in that an occurrence of at least one anomaly in the computer system (200) is detected (302), wherein a history of an execution state or installation state for programs from a set of programs (204) that can be executed on the computer system (200) is determined (304), wherein for at least one program from the set of programs (204) a correlation between the occurrence and the history is determined (306), wherein the at least one program that causes the at least one anomaly is selected from the set of programs (204) depending on the correlation (308). Procedure according to Claim 1 , characterized in that the occurrence of the at least one anomaly comprises one or more occurrence times of the at least one anomaly. Method according to one of the preceding claims, characterized in that the execution state of the respective program is determined depending on a start and/or an end of the execution of the respective program (304). Method according to one of the preceding claims, characterized in that the execution state of the respective program is determined depending on a runtime of the respective program (304). Method according to one of the preceding claims, characterized in that the installation state for a program is determined depending on the presence or absence of the program on the computer system or a version number of the program (304). Method according to one of the preceding claims, characterized in that a plurality of programs causing the anomaly are determined (308) depending on a correlation between the courses of the execution state of the plurality of programs. Method according to one of the preceding claims, characterized in that for several programs from the set a respective degree of correlation between the occurrence and the course of the execution state or the installation state of the respective program is determined (306), wherein the program with the greatest degree of correlation is selected (308) as the program that causes the at least one anomaly or wherein the programs whose degree of correlation is greater than a threshold value are selected (308) as the programs that cause the anomaly. Method according to one of the preceding claims, characterized in that a subset of programs is determined from the set of programs, during the execution of which on the computer system at least one anomaly is detected, wherein the correlation for the programs from the subset is determined and the at least one program which causes the anomaly is selected from the subset. Method according to one of the preceding claims, characterized in that the correlation is determined as a function of a ratio between a particularly average distance between times of occurrence of the anomaly and a period of time between a change in the execution state or installation state and a particularly first time of occurrence after the change. Method according to one of the preceding claims, characterized in that the correlation is determined as a function of a ratio between a particularly average number of anomalies during an execution of a program and a number of executions of the program in a period between a change in the installation state and a particularly first time of occurrence after the change. Method according to one of the preceding claims, characterized in that the occurrence of the at least one anomaly is detected (302) in a plurality of computer systems (200), wherein the correlation between the occurrence and the course on the plurality of computer systems (200) is determined (306), wherein the at least one program that causes the at least one anomaly is selected (308) from the set of programs (204) depending on the correlation. Method according to one of the preceding claims, characterized in that the at least one program which causes the anomaly is output, or in particular is output, switched off or replaced on the computer system on which the at least one program causes the anomaly. Device (100) for detecting at least one program causing an anomaly in a computer system (200), characterized in that the device (100) comprises at least one processor (102) and at least one memory (104), wherein the at least one memory (104) comprises instructions executable by the at least one processor (102), upon execution of which by the processor (102) the device implements the method according to one of the Claims 1 until 12 wherein the at least one processor (102) is configured to execute the instructions. Computer program, characterized in that the computer program comprises computer-executable instructions, the execution of which by the computer causes the computer to carry out the method according to one of the Claims 1 until 12 executes.

Images