From large business transaction to personal financial management, almost every aspect of our daily life depends on the secure operation of computer networks, e.g., the Internet.
Over the past decades, different techniques have been developed to enhance the security of a computer network against attacks. For example, multiple security sensors such as intrusion detection sensors (IDS) are deployed over the Internet or a local area network (LAN) to detect suspicious network activities.
FIG. 1 illustrates a computer network having a plurality of security sensors attached to routers, firewalls, switches and hosts, etc. Each security sensor is configured such that whenever it detects any suspicious network traffic going through the device it is attached to, the security sensor sends a security event to a network security monitor system. The network security monitor system is responsible for analyzing security events coming from different sources and discovering possible network attacks. After that, the system presents the result to a user of the system, e.g., a network administrator, in a readily understandable form. In response, the user takes appropriate actions to reduce the loss caused by the attacks to a minimum level. Under some circumstances, it may be appropriate for the system to automatically block detected attacks.
Generally speaking, the information embedded in an individual security event only reveals a small aspect of a large network attack plan. The accuracy of such limited information may also be contaminated by other network devices. For example, a network address translation (NAT) device is commonly employed for translating the addresses and ports of network packets destined to or originating from internal hosts and servers within a local area network (LAN) to resolve the problem of limited address space offered by 32-bit addresses. As a result, NAT devices often hide the true source and destination address of an IP packet, which makes the packet more difficult to be analyzed.
Further, a network attack is a dynamic phenomenon that evolves with time. With the development of network technology, more complicated and better disguised attacking strategies emerge to break the current network protection measures. In response, new detection measures have to be developed to discover and defeat these new strategies.
Therefore, it would be highly desirable to have a method and system that can not only analyze security events in a real time fashion, but also present the result in an intuitive form so that the user can easily understand the characteristics of any potential or on-going attacks. It would also be desirable that the user can use the method and system to develop new strategies to catch not only current, but also future network attacks.