In most of the prior art network abnormal condition detection technologies using traffic, a network (or system) address, a protocol, a port number, and the number of packets, and the like are used to analyze the state of the corresponding item. As another method, data is represented in a coordinate plane or a geometrical figure depending on a certain rule to display abnormal conditions. For example, in a two-dimensional (2D) coordinate system, an X-axis is set as an address (or port) of a source, and an Y-axis is set as an address (or port) of a destination to display the correlation between the source and destination of traffic or represent the occurrence frequency, thereby predicting and detecting an abnormal condition.
In this method, a displayed network state image or graph is used to represent only whether abnormal traffic occurs (that is, multiple normal servers and network attacks are included). Since it is difficult to accurately classify and represent a normal server providing a network service and traffic causing an attack, it is difficult to provide countermeasures for abnormal conditions. As a result, it takes a lot of time for the administrator to find harmful traffic causing the abnormal conditions and to provide countermeasures for the abnormal conditions, causing great damage.
In addition, when multiple attacks, rather than a single attack, are simultaneously made, or a new attack other than the existing attacks occurs, it becomes much more difficult to detect and display the attacks.