
System And Method For Detecting Anomalies In A System

Abstract: A system and a method for detecting anomalies in a system are disclosed. The system comprises a log analysis unit (102) configured to analyse logs in the system, a port scanning unit (104) configured to scan ports present in the system, a firewall status unit (106) configured to detect the status of the firewall, and an anomaly detection unit (108) configured to detect anomalies in the system based on the analysed logs, scanned ports and detected status of the firewall. [Figure 1]


Patent Information

Application #:
Filing Date: 24 September 2022
Publication Number: 41/2022
Publication Type: INA
Invention Field: COMPUTER SCIENCE
Status:
Email: dua.tapasya@ipconneqt.com
Parent Application:

Applicants

Cialfor Research Labs Pvt Ltd
ODC-4, 4th Floor, Panchshil Tech Park, Hinjewadi Phase 1, Pune– 411057, Maharashtra, India
Quantum University
Quantum University, Roorkee-247167, Uttarakhand, India

Inventors

1. Mr. Rahul Mishra
Cialfor Research Labs Pvt Ltd ODC-4, 4th Floor, Panchshil Tech Park, Hinjewadi Phase 1, Pune– 411057, Maharashtra, India
2. Ms. Sakshi Pandey
Cialfor Research Labs Pvt Ltd ODC-4, 4th Floor, Panchshil Tech Park, Hinjewadi Phase 1, Pune– 411057, Maharashtra, India
3. Dr. Satender Kumar
Quantum University, Roorkee-247167, Uttarakhand, India
4. Mr. Harshit Sharma
Quantum University, Roorkee-247167, Uttarakhand, India
5. Mr. Deepak Bhatt
Quantum University, Roorkee-247167, Uttarakhand, India
6. Mr. Monti Saini
Quantum University, Roorkee-247167, Uttarakhand, India
7. Ms. Reena Rauthan
Quantum University, Roorkee-247167, Uttarakhand, India
8. Mr. Pundreekaksha Sharma
Quantum University, Roorkee-247167, Uttarakhand, India

Specification

Description:

TECHNICAL FIELD
The present disclosure relates generally to forensic systems and more specifically to detecting anomalies in devices by identifying port scanning or any other information-gathering attempt made by another device.

BACKGROUND ART
[0001] Website analysis tools help optimize your website, improve your search rankings, and drive more traffic to your website. If you have an online strategy for your business, you need website analysis tools to ensure your web pages are highly visible to your target market. Why is website visibility and search engine optimization (SEO) important? Search engines, such as Google (which accounts for nearly two-thirds of all web searches in the U.S.) and Bing, use algorithms that analyze your website’s page content.

[0002] Search engines do not only look at keywords; they also judge the appropriateness and relevance of the content to the search terms submitted by the user. The approach taken by Google et al. through search algorithms such as Google PageRank (PR) helps searchers quickly find the information they want, find an appropriate solution, and become engaged with your business.

[0003] Techniques for detecting anomalies already exist. For example, reference can be made to US10042697B2, which discloses detecting anomalies in computing systems. Further, reference can be made to US9071535B2, which discloses detecting anomalies at datacenters.

OBJECTS OF THE INVENTION

[0004] The principal object of the present invention is to provide a system that detects anomalous activity in a device to which it is connected.

[0005] Another object of the present invention is to provide a plug-and-play device that does not require installation and serves as a strong log analysis tool.

[0006] Another object of the present invention is to provide techniques for determining the firewall settings of a system.

[0007] Another object of the present invention is to provide a technique for examining the recorded data to filter out port-scanning-related packets before displaying these suspicious actions in a simple and easy-to-read format.

[0008] Another object of the present invention is to provide a technique for reading the data on a regular basis and continuing to function until the system is forced to stop or the host system is turned off.

SUMMARY OF THE INVENTION

[0009] In one embodiment, a system for detecting anomalies in the system is disclosed. The system comprises a log analysis unit (102) configured to analyse logs in the system, a port scanning unit (104) configured to scan ports present in the system, a firewall status unit (106) configured to detect the status of the firewall, and an anomaly detection unit (108) configured to detect anomalies in the system based on the analysed logs, scanned ports and detected status of the firewall.

[0010] In another embodiment, a method for detecting anomalies in a system is disclosed. The method comprises analysing logs in the system, scanning ports present in the system, detecting the status of the firewall, and detecting anomalies in the system based on the analysed logs, scanned ports and detected status of the firewall.

BRIEF DESCRIPTION OF DRAWINGS

[0011] Figure 1 illustrates a system for detecting anomalies in the system, in accordance with one embodiment of the present invention.

[0012] Figure 2 illustrates a flowchart of a method for detecting anomalies in a system, in accordance with the present invention.

DETAILED DESCRIPTION OF THE INVENTION

[0013] While the present invention is described herein by way of example using embodiments and illustrative drawings, those skilled in the art will recognize that the invention is not limited to the embodiments of drawing or drawings described and are not intended to represent the scale of the various components. Further, some components that may form a part of the invention may not be illustrated in certain figures, for ease of illustration, and such omissions do not limit the embodiments outlined in any way. It should be understood that the drawings and the detailed description thereto are not intended to limit the invention to the particular form disclosed, but on the contrary, the invention is to cover all modifications, equivalents, and alternatives falling within the scope of the present invention as defined by the appended claim.
[0014] As used throughout this description, the word "may" is used in a permissive sense (i.e. meaning having the potential to), rather than the mandatory sense, (i.e. meaning must). Further, the words "a" or "an" mean "at least one” and the word “plurality” means “one or more” unless otherwise mentioned. Furthermore, the terminology and phraseology used herein are solely used for descriptive purposes and should not be construed as limiting in scope. Language such as "including," "comprising," "having," "containing," or "involving," and variations thereof, is intended to be broad and encompass the subject matter listed thereafter, equivalents, and additional subject matter not recited, and is not intended to exclude other additives, components, integers, or steps. Likewise, the term "comprising" is considered synonymous with the terms "including" or "containing" for applicable legal purposes. Any discussion of documents, acts, materials, devices, articles, and the like are included in the specification solely for the purpose of providing a context for the present invention. It is not suggested or represented that any or all these matters form part of the prior art base or were common general knowledge in the field relevant to the present invention.
[0015] In this disclosure, whenever a composition or an element or a group of elements is preceded with the transitional phrase “comprising”, it is understood that we also contemplate the same composition, element, or group of elements with the transitional phrases “consisting of”, “consisting”, “selected from the group consisting of”, “including”, or “is” preceding the recitation of the composition, element or group of elements, and vice versa.
[0016] The present invention is described hereinafter by various embodiments with reference to the accompanying drawing, wherein reference numerals used in the accompanying drawing correspond to the like elements throughout the description. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiment set forth herein. Rather, the embodiment is provided so that this disclosure will be thorough and complete and will fully convey the scope of the invention to those skilled in the art. In the following detailed description, numeric values and ranges are provided for various aspects of the implementations described. These values and ranges are to be treated as examples only and are not intended to limit the scope of the claims. In addition, several materials are identified as suitable for various facets of the implementations. These materials are to be treated as exemplary and are not intended to limit the scope of the invention.
[0017] Referring to FIG. 1, a system 100 for detecting anomalies is illustrated. The system 100 comprises a log analysis unit 102, a port scanning unit 104, a firewall status unit 106, an anomaly detection unit 108, a processor 110, an input unit 112 and a display unit 114. The system 100 may be any computing device, such as a computer, a laptop, a mobile phone or a tablet. Input may be received by the system 100 via the input unit 112. The processor 110 may be coupled to the other units and may control their operations.
[0018] The system 100 may be connected to a server 116 via a network 118. The server 116 may be a content server which may be used to present content to the users requesting for the content. In one embodiment, there may be a plurality of servers present at various locations. A request from the user may be routed to the server 116 via the plurality of servers. The server 116 in this case may store the locations of all the servers via which the request has been routed. Further, the server 116 may also include address of the computing device from where the request has been received.
[0019] The log analysis unit 102 is configured to analyze the logs of the system 100. These logs are time-stamped records of events relevant to the particular system 100. In one embodiment, the events relate to the operating system present in the system 100. In another embodiment, the events include software runs with their time stamps. In yet another embodiment, the logs also include messages exchanged between users: the messages themselves, the time at which they were sent, or the addresses of the devices between which they were exchanged.
[0020] The port scanning unit 104 is configured to scan the ports present in the system 100. It may probe the system 100, the server 116 and the network 118. A port of the system 100 is an endpoint at which data packets are sent and received. Running a port scan on the system 100, the server 116 and the network 118 reveals which ports are open and can receive, or are receiving, data packets.
[0021] The firewall status unit 106 determines whether the default firewall is enabled or disabled and, if it is disabled, enables it. It then locates the firewall log files and examines the recorded data to filter out packets related to port scanning. By analyzing the log files, the firewall status unit 106 may analyze and record the status of the firewall, which is either enabled or disabled. If the firewall is enabled, the firewall status unit 106 records the status as enabled. If the firewall is disabled, the firewall status unit 106 records the status as disabled and may change the status to enabled.
[0022] The anomaly detection unit 108 is configured to detect anomalies in the system 100. For example, it can analyze the results from the log analysis unit 102, the port scanning unit 104 and the firewall status unit 106; that is, anomalies can be detected by analyzing the logs of the system 100, the ports of the system 100, the network 118 and the server 116, and the firewall status. In one embodiment, a predetermined threshold is defined for each parameter that the anomaly detection unit 108 evaluates. When a parameter exceeds its predetermined threshold value, an anomaly is determined to have been detected. In one embodiment, the detected anomalies are presented to a user or administrator via the display unit 114.
[0023] In one embodiment, a plug-and-play device may be provided in the system 100. The plug-and-play device does not require installation and is a strong log analysis tool that may detect anomalous activity in the device to which it is connected. The device can determine whether the default firewall is enabled or disabled and, if it is disabled, enable it. The system then locates the firewall log files and examines the recorded data to filter out packets related to port scanning before displaying these suspicious actions in a simple and easy-to-read format. The system reads the data on a regular basis and continues to function until it is forced to stop or the host system is turned off.
[0024] In one embodiment, the system reads the pfirewall.log file to detect suspicious activity, including any port-scanning-related activity. The system 100 may protect the log file by restricting its permissions to administrators only. The system 100 may drop any packets it identifies as related to port scanning, thus preventing leakage of information. The system 100 works with any operating system and can detect anomalous activity on the intranet and on the Internet as well.
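As an added illustration of paragraphs [0022] and [0024] (example code, not the patent's own implementation): reading a pfirewall.log file, keeping only the dropped inbound packets, and flagging a source as a port scan once it has hit a predetermined threshold of distinct destination ports within a short window. It assumes the W3C-style column layout that Windows Firewall writes to pfirewall.log; the sample log lines, the threshold and the window are constructed.

```python
"""Port-scan detection over a Windows Firewall log (pfirewall.log).

Added example, not code from the patent. Assumes the layout Windows
Firewall writes to pfirewall.log: a "#Fields:" header naming the columns,
then one space-separated record per line. Threshold and window are
constructed stand-ins for the patent's "predetermined threshold".
"""
from collections import defaultdict
from datetime import datetime, timedelta

FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path")
_SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
# Constructed sample: 192.0.2.10 probes 12 ports in 12 seconds (all dropped),
# 192.0.2.40 has a single dropped packet, 192.0.2.30 is allowed traffic.
SAMPLE_LOG = "\n".join(
    ["#Version: 1.5", "#Software: Microsoft Windows Firewall", f"#Fields: {FIELDS}"]
    + [f"2022-09-24 10:15:{i:02d} DROP TCP 192.0.2.10 192.0.2.20 {51000 + i} {p} "
       "52 S 1 0 8192 - - - RECEIVE" for i, p in enumerate(_SCAN_PORTS)]
    + ["2022-09-24 10:15:20 DROP TCP 192.0.2.40 192.0.2.20 40001 3389 52 S 1 0 8192 - - - RECEIVE",
       "2022-09-24 10:15:21 ALLOW TCP 192.0.2.30 192.0.2.20 49152 443 0 - 0 0 0 - - - RECEIVE"]
)


def parse_pfirewall_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    names = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            names = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and names:
            values = line.split()
            if len(values) == len(names):          # skip truncated lines
                yield dict(zip(names, values))


def find_port_scans(records, threshold=10, window=timedelta(seconds=60)):
    """Flag sources whose dropped inbound packets reached >= threshold distinct
    destination ports inside a sliding window; returns {src_ip: max_ports}."""
    by_src = defaultdict(list)
    for r in records:
        if r["action"] == "DROP" and r["path"] == "RECEIVE":
            ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
            by_src[r["src-ip"]].append((ts, r["dst-port"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide window
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(ports))
    return flagged


if __name__ == "__main__":
    for src, n in find_port_scans(parse_pfirewall_log(SAMPLE_LOG)).items():
        print(f"possible port scan from {src}: {n} distinct ports probed")
```

On a live host the same functions would be fed the real file (by default under the Windows Firewall log directory); keeping that file readable only by administrators, as paragraph [0024] describes, prevents a local process from tampering with the evidence the detector relies on.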
[0025] Referring now to FIG. 2, a flowchart of a method for detecting anomalies in the system 100 is disclosed. At step 202, the method comprises analyzing logs in the system. At step 204, the method comprises scanning ports in the system, the server and the network. At step 206, the method comprises detecting the status of the firewall. At step 208, the method comprises detecting anomalies based on the logs, the port scanning and the firewall status.
[0026] The various actions, acts, blocks, steps, or the like in the flow diagram may be performed in the order presented, in a different order or simultaneously. Further, in some embodiments, some of the actions, acts, blocks, steps, or the like may be omitted, added, modified, skipped, or the like without departing from the scope of the invention.
[0027] Although particular embodiments of the invention have been described in detail for purposes of illustration, various modifications and enhancements may be made without departing from the spirit and scope of the invention.
Claims:

I/We Claim:
1. A system for detecting anomalies comprising:
a log analysis unit (102) configured to analyse log in the system;
a port scanning unit (104) configured to scan ports present in the system;
a firewall status unit (106) configured to detect status of firewall; and
an anomaly detection unit (108) configured to detect anomalies in the system based on the analysed logs, scanned ports and detected status of firewall.

2. The system as claimed in claim 1, wherein the system is connected to a server (116) via a network (118).

3. The system as claimed in claim 2, wherein the port scanning unit (104) is configured to scan ports at the server and the network.

4. The system as claimed in claim 1, wherein the firewall status indicates disabled or enabled.

5. The system as claimed in claim 4, wherein when the status of the firewall is disabled, the firewall status unit is configured to enable the firewall.

6. A method for detecting anomalies in a system, the method comprising:
analysing log in the system;
scanning ports present in the system;
detecting status of firewall; and
detecting anomalies in the system based on the analysed logs, scanned ports and detected status of firewall.

7. The method as claimed in claim 6, wherein the system is connected to a server (116) via a network (118).

8. The method as claimed in claim 7, further comprising scanning ports at the server and the network.

9. The method as claimed in claim 6, wherein the firewall status indicates disabled or enabled.

10. The method as claimed in claim 9, wherein when the status of the firewall is disabled, the firewall status unit is configured to enable the firewall.

Documents

Application Documents

# Name Date
1 202221054766-FER.pdf 2025-04-28
2 202221054766-FORM 18 [22-12-2023(online)].pdf 2023-12-22
3 202221054766-STATEMENT OF UNDERTAKING (FORM 3) [24-09-2022(online)].pdf 2022-09-24
4 202221054766-FORM-26 [04-10-2022(online)].pdf 2022-10-04
5 202221054766-REQUEST FOR EARLY PUBLICATION(FORM-9) [24-09-2022(online)].pdf 2022-09-24
6 202221054766-FORM-9 [24-09-2022(online)].pdf 2022-09-24
7 Abstract.jpg 2022-09-29
8 202221054766-FORM FOR SMALL ENTITY(FORM-28) [24-09-2022(online)].pdf 2022-09-24
9 202221054766-COMPLETE SPECIFICATION [24-09-2022(online)].pdf 2022-09-24
10 202221054766-FORM FOR SMALL ENTITY [24-09-2022(online)].pdf 2022-09-24
11 202221054766-DECLARATION OF INVENTORSHIP (FORM 5) [24-09-2022(online)].pdf 2022-09-24
12 202221054766-FORM 1 [24-09-2022(online)].pdf 2022-09-24
13 202221054766-DRAWINGS [24-09-2022(online)].pdf 2022-09-24
14 202221054766-FIGURE OF ABSTRACT [24-09-2022(online)].pdf 2022-09-24
15 202221054766-EVIDENCE FOR REGISTRATION UNDER SSI [24-09-2022(online)].pdf 2022-09-24
16 202221054766-EVIDENCE FOR REGISTRATION UNDER SSI(FORM-28) [24-09-2022(online)].pdf 2022-09-24
17 202221054766-OTHERS [28-10-2025(online)].pdf 2025-10-28
18 202221054766-FER_SER_REPLY [28-10-2025(online)].pdf 2025-10-28

Search Strategy

1 SearchHistory(41)E_18-10-2024.pdf