The present invention relates to an apparatus and method of dividing and displaying an IP address, and more particularly, to an apparatus and method of dividing and displaying an IP address capable of analyzing the type of network attack and the details of the attack. This work was supported by the IT R&D program of MIC/IITA [2007-S-022-01, The Development of Smart Monitoring and Tracing System against Cyber-attack in All-IP Network].
In recent years, with an increase in the use of networks, illegal access to the network has increased. Therefore, a network security technique for detecting a network error, such as illegal attack, and preventing the attack has become important.
In the related art, in order to detect a network error (that is, abnormal conditions of the network caused by the attack), the ratio of any one of the traffic information items of the network, such as a network (or system) address, a protocol, a port number, and the number of packets, is used to analyze the state of the corresponding item. As another method, data transmitted through the network is represented in a coordinate plane or a geometrical figure to display abnormal conditions in the form of the entire network.
However, these methods according to the related art have difficulty accurately classifying and representing the network conditions corresponding to a specific error or a specific attack, which makes it difficult to detect a network error caused by a new attack. In addition, when a plurality of attacks is made rather than a single attack, the less frequent attacks are overlooked in many cases.
Further, a network state image or a graph represents only whether abnormal traffic occurs. That is, since the type of attack is not accurately represented, it is difficult to provide countermeasures for abnormal conditions. As a result, it takes a lot of time for the administrator to find harmful traffic causing the abnormal conditions and to provide countermeasures for the abnormal conditions.
The invention is designed to solve the above problems, and an object of the invention is to provide an apparatus and method of dividing and displaying an IP address that displays a combination of important attributes of security events to allow a user to intuitively recognize abnormal and harmful traffic that lowers the performance of a network and to easily determine security conditions in real time.
In order to achieve the object, an embodiment of the invention provides an apparatus for dividing and displaying an IP address. The apparatus includes: an event characteristic grouping unit that combines characteristic information items of collected security events to generate an event group; and a division display unit that divides an IP address of the event group on the basis of an Internet address scheme, and displays the divided portions in a coordinate system.
The event characteristic grouping unit may include: a security event collecting unit that collects the security events; and an event grouping unit that aligns traffic for each protocol on the basis of the characteristic information items of the security events received from the security event collecting unit, and combines the characteristic information items of the security events for each protocol to generate the event group.
The event grouping unit may select one or two elements from the characteristic information items of the security events for each protocol and combine the selected elements.
The characteristic information items of the security events for each protocol may include a source IP address, a destination IP address, a destination port, and a source port.
The division display unit may display the IP address of the event group in a parallel coordinate system having two or more parallel axes. In this case, the division display unit may divide the IP address of the event group into two or more sub-network values, and display the divided two or more sub-network values in the shapes of points on the corresponding parallel axes.
The division display unit may display the IP address of the event group in a circular coordinate system having two or more circular axes. In this case, the division display unit may divide the IP address of the event group into two or more sub-network values, and display the divided two or more sub-network values in the shapes of points on the corresponding circular axes.
The division display unit may display the IP address of the event group in a parallel coordinate system having two or more parallel axes and in a circular coordinate system having two or more circular axes. In this case, the division display unit may divide the IP address of the event group into two or more sub-network values, and display the divided two or more sub-network values in the shapes of points on the corresponding circular axes and parallel axes.
The division display unit may connect the displayed points.
The division display unit may display, in a coordinate system, the distribution of the IP addresses that do not participate in the combination, for each event group whose event count exceeds a threshold value.
Another embodiment of the invention provides a method of dividing and displaying an IP address. The method includes: an event group generating step of allowing an event characteristic grouping unit to combine characteristic information items of collected security events to generate an event group; and a division display step of allowing a division display unit to divide an IP address of the event group generated in the event group generating step, on the basis of an Internet address scheme, and to display the divided portions in a coordinate system. The event group generating step may include: a first step of collecting the security events; and a second step of aligning traffic for each protocol on the basis of the characteristic information items of the collected security events, and combining the characteristic information items of the security events for each protocol to generate the event group.
The second step may select one or two elements from the characteristic information items of the security events for each protocol and combine the selected elements.
The characteristic information items of the security events for each protocol may include a source IP address, a destination IP address, a destination port, and a source port.
The division display step may display the IP address of the event group in a parallel coordinate system having two or more parallel axes. In this case, the division display step may divide the IP address of the event group into two or more sub-network values, and display the divided two or more sub-network values in the shapes of points on the corresponding parallel axes.
The division display step may display the IP address of the event group in a circular coordinate system having two or more circular axes. In this case, the division display step may divide the IP address of the event group into two or more sub-network values, and display the divided two or more sub-network values in the shapes of points on the corresponding circular axes.
The division display step may display the IP address of the event group in a parallel coordinate system having two or more parallel axes and in a circular coordinate system having two or more circular axes. In this case, the division display step may divide the IP address of the event group into two or more sub-network values, and display the divided two or more sub-network values in the shapes of points on the corresponding circular axes and parallel axes.
The division display step may connect the displayed points.
The division display step may display, in a coordinate system, the distribution of the IP addresses that do not participate in the combination, for each event group whose event count exceeds a threshold value.
According to the above-described embodiments of the invention, it is possible to easily determine and detect abnormal traffic or attacks that lower the performance of a network by displaying the distribution of source and destination IP addresses of an event group in a parallel coordinate system and/or a circular coordinate system, according to the result of a combination of main attributes of security events (particularly, events related to traffic).
It is possible to rapidly provide countermeasures for abnormal conditions without the interruption of an administrator, by automating these processes with a program.
Further, it is possible to allow the administrator to rapidly recognize a network error and to provide countermeasures for the network error by providing a parallel coordinate chart and a circular coordinate chart of IP addresses that are capable of providing easy viewing of abnormal conditions, and abnormal traffic information or harmful traffic causing the abnormal conditions. It is possible to easily detect the current traffic address and destination host conditions. In particularly, it is possible to easily monitor, for example, the access states of the main servers, which provide services, to the host, a scanning attack, and an Internet-worm attack.
Hereinafter, an apparatus and method of dividing and displaying an IP address according to an exemplary embodiment of the invention will be described with reference to the accompanying drawings.
The event characteristic grouping unit 10 includes a security event collecting unit 12 and an event grouping unit 14.
The security event collecting unit 12 collects security events transmitted from network security apparatuses (not shown), such as a firewall, an intrusion detection system, and a router.
The event grouping unit 14 aligns traffic for each protocol on the basis of the characteristic information of the security events collected by the security event collecting unit 12, and generates event groups on the basis of the characteristic information of the security events for each protocol. The event grouping unit 14 stores the event groups in the event information storage unit 40. In
In order to generate the event groups, the event grouping unit 14 selects one or two elements from the characteristic information of the security events for each protocol, that is, the source IP address, the destination IP address, the destination port, and the source port, and combines the selected elements. As the result of the combination, the event grouping unit 14 extracts a group of events “(source IP address), (destination IP address), (destination port), (source port), (source IP address, destination IP address), (source IP address, destination port), (source IP address, source port), (destination IP address, destination port), (destination IP address, source port), and (destination port, source port)”. Of course, the event grouping unit may select three elements and combine the selected elements.
For example, assuming that the source IP address is combined with the source port, the security events having the same source IP address and the same source port are grouped. An event group (that is, a group of events) generated by combining these elements contains events with a plurality of destination ports and a plurality of destination IP addresses, which do not participate in the combination. That is, when two elements are combined, the event group carries the distribution of the other two elements that do not participate in the combination. The event information storage unit 40 stores the information of the event group as well as the security events for each protocol.
The division display unit 20 divides the source IP address or the destination IP address that does not participate in the combination in each of the event groups received from the event grouping unit 14, on the basis of an IP address scheme, and displays the divided portions in a parallel coordinate system and a circular coordinate system. In the division display of the IP address in the coordinate systems, it is preferable that the division display unit 20 divide only the IP addresses of the event groups whose count exceeds a specific threshold value (set value) and display the divided portions in the parallel coordinate system and the circular coordinate system. The division display unit 20 counts the number of events in each event group provided from the event grouping unit 14; the specific threshold value is a predetermined count. For example, when the events to be analyzed are 5 minutes of NetFlow records from a 155 Mbit/s network, the specific threshold value may be set to "50". The specific threshold value (set value) depends on the user and the network environment. Displaying only the distribution of the source and destination IP addresses of the event groups that exceed the threshold value, after the main attributes of the traffic-related events for each protocol have been combined, makes it easy to determine whether errors and abnormal traffic occur.
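The grouping and threshold steps above, written out as an added example in Python. This is not code from the patent or its implementation; the flow records are constructed for illustration, the threshold of 5 is chosen to suit that small sample (the description's own figure is 50 for 5 minutes of NetFlow on a 155M link), and the function names are ours. It shows the ten one- and two-element attribute combinations, per-protocol grouping on a chosen combination, the count threshold, and the distribution of the fields that did not take part in the combination, which is what the division display unit later plots.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample of flow-style security events (not data from the patent).
# Each record: (protocol, src_ip, dst_ip, dst_port, src_port)
EVENTS = [
    # one source reaching many destinations on the same service port
    ("tcp", "10.1.1.5", "192.168.3.40", 445, 51234),
    ("tcp", "10.1.1.5", "172.16.200.9", 445, 51234),
    ("tcp", "10.1.1.5", "10.77.5.1", 445, 51234),
    ("tcp", "10.1.1.5", "203.0.113.130", 445, 51234),
    ("tcp", "10.1.1.5", "198.51.100.77", 445, 51234),
    ("tcp", "10.1.1.5", "192.0.2.250", 445, 51234),
    ("tcp", "10.1.1.5", "10.200.15.3", 445, 51234),
    # ordinary client traffic
    ("tcp", "10.1.1.7", "10.1.1.20", 80, 40001),
    ("tcp", "10.1.1.7", "10.1.1.20", 80, 40002),
    ("udp", "10.1.1.8", "10.1.1.1", 53, 33000),
]

# The four characteristic information items of a security event.
FIELDS = ("src_ip", "dst_ip", "dst_port", "src_port")
FIELD_INDEX = {"src_ip": 1, "dst_ip": 2, "dst_port": 3, "src_port": 4}

# Assumed threshold for this small sample; the real value is an operator setting.
THRESHOLD = 5


def attribute_combinations(max_elements=2):
    """One- and two-element combinations of the fields: ten groupings
    when max_elements is 2, fourteen if three-element groups are allowed."""
    combos = []
    for r in range(1, max_elements + 1):
        combos.extend(combinations(FIELDS, r))
    return combos


def group_events(events, key_fields):
    """Align events per protocol, then collect those sharing the same values
    of key_fields. Whole records are kept so the distribution of the fields
    outside the combination remains available."""
    groups = defaultdict(list)
    for ev in events:
        key = tuple(ev[FIELD_INDEX[f]] for f in key_fields)
        groups[(ev[0], key)].append(ev)
    return dict(groups)


def groups_over_threshold(groups, threshold=THRESHOLD):
    """Only groups whose event count exceeds the set value are displayed."""
    return {k: v for k, v in groups.items() if len(v) > threshold}


def distribution(group, field):
    """value -> count for a field that did not participate in the combination."""
    return Counter(ev[FIELD_INDEX[field]] for ev in group)


def summarize(events, key_fields, threshold=THRESHOLD):
    """For each group over the threshold: its count and the distribution of
    every field not used in the combination."""
    others = [f for f in FIELDS if f not in key_fields]
    out = {}
    selected = groups_over_threshold(group_events(events, key_fields), threshold)
    for key, group in selected.items():
        out[key] = {"count": len(group)}
        for f in others:
            out[key][f] = distribution(group, f)
    return out


if __name__ == "__main__":
    for key, info in summarize(EVENTS, ("src_ip", "src_port")).items():
        print(key, "count:", info["count"],
              "distinct dst_ip:", len(info["dst_ip"]),
              "dst_port:", dict(info["dst_port"]))
```

With the sample above, grouping on (source IP address, source port) leaves a single group over the threshold, 10.1.1.5:51234 with seven events, and its non-participating distribution is seven distinct destination addresses all on port 445; grouping on (destination IP address, destination port) selects nothing, because no destination receives more than two events.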
The division display unit 20 includes a parallel coordinate division display unit 22 and a circular coordinate division display unit 24.
The parallel coordinate division display unit 22 receives an event group (that is, a group of events) from the event grouping unit 14. The parallel coordinate division display unit 22 divides the source IP address or the destination IP address that does not participate in the combination in each of the received event groups, on the basis of an IP address scheme, and displays the divided portions in the parallel coordinate system.
The circular coordinate division display unit 24 receives an event group (that is, a group of events) from the event grouping unit 14. The circular coordinate division display unit 24 divides the source IP address or the destination IP address that does not participate in the combination in each of the received event groups, on the basis of an IP address scheme, and displays the divided portions in the circular coordinate system.
The division display unit 20 may receive security events and event groups from an external apparatus other than the event grouping unit 14.
When receiving a signal indicating that events have been completely grouped, not information on the event group, from the event grouping unit 14, the parallel coordinate division display unit 22 and the circular coordinate division display unit 24 may divide the IP address and display the divided portions in the parallel coordinate system and the circular coordinate system, on the basis of information stored in the event information storage unit 40.
The error determining unit 30 determines whether a network error occurs on the basis of information displayed by the division display unit 20. In addition, the error determining unit 30 detects abnormal traffic or harmful traffic causing the network error and reports the result of the detection. The error determining unit 30 includes a parallel coordinate error determining unit 32 and a circular coordinate error determining unit 34.
The parallel coordinate error determining unit 32 detects a network error on the parallel coordinates displayed by the parallel coordinate division display unit 22, and classifies the detected network error. The parallel coordinate error determining unit 32 detects abnormal traffic or harmful traffic causing the classified network error, and reports the result of the detection to an administrator or an operator.
The circular coordinate error determining unit 34 detects a network error on the circular coordinates displayed by the circular coordinate division display unit 24, and classifies the detected network error. The circular coordinate error determining unit 34 detects abnormal traffic or harmful traffic causing the classified network error, and reports the result of the detection to the administrator or the operator.
The parallel coordinate error determining unit 32 and the circular coordinate error determining unit 34 may report the result of the detection in various forms, such as the output of a print-out from a printer, the generation of an alarm sound from a buzzer, the output of a voice message from a speaker, and the display of characters and figures on a monitor.
Those skilled in the art can easily understand the operation of the error determining unit 30 determining the network error and the type of errors and detecting harmful traffic or abnormal traffic on the basis of information displayed by the division display unit 20.
In a parallel coordinate chart 200, reference numeral 201 denotes a title indicating the attribute of an IP address (for example, a source IP address or a destination IP address). Reference numeral 202 denotes an IP address represented by an Internet address scheme. The IP address 202 generally has a length of 32 bits, and includes four attribute fields “a.b.c.d” (each of which is composed of 8 bits). The IP address 202 is divided into four 8-bit sub-network values. The divided sub-network values (one sub-network value is composed of one attribute field) are represented on each parallel axis on the X-axis in the forms of identifiers (that is, a, b, c, and d). Reference numeral 203 denotes the number of events (cnt) that increases whenever the event composed of “a.b.c.d” is generated. The event number 203 is represented as the last parallel axis on the X-axis.
The numerical values "0", "26", "50", "100", "150", "200", and "250" marked on the Y-axis make the range of the IP address 202 easier to read. The value of "a" ("26"), the first attribute field of the IP address 202, is marked on the Y-axis for the same reason. The values of "b", "c", and "d" ("100", "150", and "50"), the other attribute fields of the IP address 202, are represented as points 206 where the parallel axes intersect the Y-axis. The points 206 may be drawn as triangles or rectangles. Of course, the event number 203 is also represented as a point.
In order to improve the identification performance, the parallel coordinate division display unit 22 links the points 206 and the event number 203 on the parallel coordinate chart 200 to draw a line graph.
In a circular coordinate chart 300, reference numeral 301 denotes a title indicating the attribute of an IP address (for example, a source IP address or a destination IP address). Reference numeral 302 denotes a circular axis that divides the attribute field of the IP address. That is, the IP address generally has a length of 32 bits, and includes four attribute fields “a.b.c.d” (each of which is composed of 8 bits). The IP address is divided into four 8-bit sub-network values. The divided sub-network values are represented on the corresponding circular axes. The circular axes include four circular axes. In
In this embodiment, the parallel coordinate division display unit 22 and the circular coordinate division display unit 24 divide the IP address and display the divided portions, but the IP address may be replaced with a port range. For example, the parallel axes and the circular axes may be changed to the port ranges defined by IANA (Internet Assigned Numbers Authority), that is, the well-known port range of 0 to 1023, the registered port range of 1024 to 49151, and the dynamic and/or private port range of 49152 to 65535.
Further, in this embodiment of the invention, since it is assumed that the address scheme of the IP address is "a.b.c.d", four parallel axes and four circular axes are used. If the address scheme of the IP address is changed, the number of parallel axes and circular axes is changed to match the new scheme (for example, an address written as eight 16-bit fields would use eight axes).
As can be seen from a photograph 410 of a parallel coordinate chart and a photograph 420 of the circular coordinate chart, the Internet-worm attack is uniformly distributed over the entire range of the IP address. For example, assuming that the IP address is represented by the address scheme “a.b.c.d”, the values of “b, c, and d” are distributed in a range of 0 to 255.
The error determining unit 30 can determine that the Internet-worm attack is being made, on the basis of this structure, and detect abnormal traffic or harmful traffic causing a network error.
As can be seen from a photograph 510 of the parallel coordinate chart and a photograph 520 of the circular coordinate chart, the host scanning attack is continuously distributed in a predetermined range of the IP address. For example, assuming that the IP address is represented by the address scheme “a.b.c.d”, the value of “d” is distributed in a range of 37 to 75. The error determining unit 30 can determine that the host scanning attack is being made, on the basis of this structure, and detect abnormal traffic or harmful traffic causing a network error.
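The division of an address into its four sub-network values, the rows plotted on the parallel coordinate chart, a point placement for the circular chart, and the two distributions described above (worm traffic spread over the whole range of b, c and d; a host scan filling a contiguous range of d) as an added example in Python. This is not the patent's error determining unit: the address lists are constructed, the circular layout (one concentric circle per axis, value mapped to an angle) is our assumption since the description does not fix one, and the classifier cut-offs (a span of at least 128 on each of b, c, d for the worm pattern; at least 8 consecutive d values under a fixed a.b.c for the scan pattern) are illustrative values of our choosing.

```python
import ipaddress
import math
from collections import Counter

# Constructed destination-address lists (not the patent's photographs).
WORM_LIKE = ["10.3.200.17", "10.250.9.140", "10.77.133.2",
             "10.140.250.255", "10.8.60.90", "10.199.171.33"]
SCAN_LIKE = [f"192.168.10.{d}" for d in range(37, 76)]   # d runs 37..75
BENIGN = ["10.1.1.20", "10.1.1.20", "10.1.1.21"]


def split_ipv4(ip):
    """Divide a dotted-quad address into its four 8-bit sub-network values a, b, c, d."""
    return tuple(ipaddress.IPv4Address(ip).packed)


def parallel_coordinate_rows(ips):
    """One row per distinct address: (a, b, c, d, cnt), i.e. the values placed
    on the four address axes and on the trailing event-count axis."""
    counts = Counter(ips)
    return sorted(split_ipv4(ip) + (n,) for ip, n in counts.items())


def circular_coordinate_points(row, radii=(1.0, 2.0, 3.0, 4.0)):
    """Assumed layout for the circular chart: axis i is a circle of radius
    radii[i], and a sub-network value v sits at angle v/256 * 2*pi on it."""
    pts = []
    for v, r in zip(row[:4], radii):
        ang = 2 * math.pi * v / 256
        pts.append((r * math.cos(ang), r * math.sin(ang)))
    return pts


def axis_profile(rows):
    """Span and number of distinct values on each of the four address axes."""
    prof = []
    for i in range(4):
        vals = {r[i] for r in rows}
        prof.append({"distinct": len(vals), "min": min(vals), "max": max(vals)})
    return prof


def classify(rows, wide_span=128, min_scan_hosts=8):
    """Rule-of-thumb reading of the two chart shapes described in the text.
    The cut-offs are assumptions; the patent states none."""
    p = axis_profile(rows)
    # Worm pattern: b, c and d each spread across (most of) 0..255.
    if all(p[i]["max"] - p[i]["min"] >= wide_span for i in (1, 2, 3)):
        return "internet-worm"
    # Scan pattern: a, b, c fixed while d fills a contiguous range.
    if all(p[i]["distinct"] == 1 for i in (0, 1, 2)):
        d = p[3]
        if d["distinct"] >= min_scan_hosts and d["distinct"] == d["max"] - d["min"] + 1:
            return "host-scan"
    return "unclassified"


if __name__ == "__main__":
    for name, ips in (("worm-like", WORM_LIKE), ("scan-like", SCAN_LIKE), ("benign", BENIGN)):
        rows = parallel_coordinate_rows(ips)
        print(name, classify(rows), axis_profile(rows)[3])
```

Running the block labels the first list as an Internet-worm pattern, the second (39 consecutive hosts 192.168.10.37 to 192.168.10.75) as a host scan, and the third as unclassified. In practice the rows would come from the non-participating destination addresses of an event group that passed the count threshold, so the classifier never sees single connections.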
First, the security event collecting unit 12 collects security events transmitted from a network security apparatus (not shown), such as a firewall, an intrusion detection system, or a router (S10). The collected security events are transmitted to the event grouping unit 14.
The event grouping unit 14 aligns traffic for each protocol on the basis of the characteristic information of the received security events, selects one or two elements from the characteristic information of the security events for each protocol, and combines the selected elements. A group of events is extracted by this combination of elements (S12). For example, assuming that the source IP address and the source port are combined, the security events having the same source IP address and source port are grouped. As a result, an event group (that is, a group of events) generated by the event grouping unit 14 contains events with a plurality of destination ports and a plurality of destination IP addresses that do not participate in the combination. That is, when two elements are combined, the event group carries the distribution of the other elements that do not participate in the combination.
Then, the parallel coordinate division display unit 22 of the division display unit 20 divides the source IP address or the destination IP address that does not participate in the combination in each of the event groups received from the event grouping unit 14, on the basis of an IP address scheme, and displays the divided portions in the parallel coordinate system shown in
The error determining unit 30 determines whether a network error occurs (S16), and determines the type of error (S18), on the basis of the content displayed by the division display unit 20. Then, the error determining unit 30 detects the type of abnormal traffic or harmful traffic causing the determined error, and reports the result of the detection (S20).
While the invention has been described in connection with what is presently considered to be practical exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.
Number | Date | Country | Kind |
---|---|---|---|
10-2007-0133083 | Dec 2007 | KR | national |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/KR08/05175 | 9/3/2008 | WO | 00 | 6/17/2010 |