As is well known, because many computers and computing systems are connected to each other through various networks such as the Internet, they can be exposed to attacks or intrusions conducted through a network or information system. Protecting computers and computing systems from such attacks or intrusions has therefore grown in importance.
Such attacks or intrusions include computer viruses, computer worms, system component changes, denial-of-service attacks, and, additionally, misuse of legitimate computer system properties.
To prevent such network attacks, academia and security companies provide firewalls, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and network security methods using virtual private network (VPN) technology.
Generally, there are two methods of recognizing the security state of a network: a method based on traffic patterns occurring in the network, and a method using security events generated by security systems installed on the network.
However, in the method based on traffic patterns, the stability of the network is considered to be affected when the amount of a traffic pattern exceeds a predetermined value. Accordingly, this method is limited in analyzing an abnormal state by recognizing correlations between the properties of the generated traffic.
In the method based on security events generated by security systems, the security state of the network has conventionally been expressed in the form of a line using Source IP, Source Port, Destination IP, Destination Port, and Protocol, so the security events of the whole network have been expressed from the viewpoint of IPs.
IP-based security visualization can provide detailed information for each IP, but it has a fundamental problem: it is difficult to recognize the state of each location of the organization to be controlled, the state of each security system, the state of each destination being attacked, and so on. In addition, when a security manager takes measures in response to the security state, the response cannot be carried out effectively because the security manager has to deal with each IP.