1. Field of the Invention
Embodiments of the present invention generally relate to network monitoring and, more particularly, to a method and apparatus for analyzing source internet protocol (IP) activity in a network.
2. Description of the Related Art
Networks are typically monitored for abnormal activities that may suggest some type of malicious attack is underway. When an event takes place, an alarm is generated and a review of the activity leading to the event begins. One type of activity that is reviewed is Internet Protocol (IP) activity emanating from a host computer. Each computer is identified by its Source IP Address (SIP). A review of SIP activity also includes actions taken by various network elements in the network in response to requests from the host identified with the SIP. Conventionally, SIP activity is reviewed manually by a network security analyst. The network security analyst typically chooses to manually execute queries to explain the abnormal SIP activity, such as port sweeping and scanning. However, such manual processing of log data is time consuming. By the time a network security analyst detects abnormal activity, the security of the network may be compromised, resulting in the loss or exposure of sensitive information and the loss of the ability of the network to function. Accordingly, there exists a need in the art for an improved method and apparatus for analyzing SIP activity in a network.