Conventionally, the abnormal condition of network traffic has been visualized and monitored by analyzing the variation of related features such as an address, a protocol, a port number, a packet number, or expressing related data of network condition as a coordinate plane or a geometry diagram according to a predetermined rule. Therefore, it is difficult to accurately discriminate or visualize a network condition made by a specific abnormal event or a specific type of attack. It is more difficult to detect an abnormal network condition created by new type of network attack. Furthermore, if a plurality of network attacks are in progress, some of them may be concealed by the others.
Also, conventionally visualized network condition images or graphs may show only an abnormal condition in network traffic, but does not accurately show a type of attack. Therefore, it is difficult to suggest a confront method for the detected network attack, and a manager may take a longer time to find harmful traffic causing the abnormal event and to deal with the detected abnormal event.