The Internet is a global public network of interconnected computer networks that utilize a standard set of communication and configuration protocols. It consists of many private, public, business, school, and government networks. Within each of the different networks are numerous host devices such as workstations, servers, cellular phones, portable computer devices, to name a few examples. These host devices are able to connect to devices within their own network or to other devices within different networks through communication devices such as hubs, switches, routers, and firewalls, to list a few examples.
Due to growing problems associated with security threats to networks that exploit the Internet, network providers monitor for network threats while monitoring traffic flow. For example, networks and network devices are increasingly affected by the damages caused by Denial of Service (“DoS”) attacks. A DoS attack is defined as an action aimed at a computer network or system by an offensive external device that prevents any part of the network from functioning in accordance with its intended purpose. This attack may cause a loss of service to the users of the network and its network devices. For example, the loss of network services may be achieved by flooding the system to prevent normal response to legitimate requests. The flooding may consume all of the available bandwidth of the targeted network, or it may exhaust the computational resources of the targeted system.
Other network security threats include Trojan horse attacks that may be embedded in harmless software, viruses that can reproduce themselves and attach to executable files, worms that can spread via stored collections of e-mail addresses, and logic bombs that can remain dormant until triggered by an event (e.g., a date, user action, random trigger, etc.).
Network monitoring produces large amounts of information about network threats and traffic flow. For example, thousands of network threat events related to different types of violations can be detected in a one-hour period. Correlations may exist between characteristics of the different threats and characteristics of traffic flow. Administrators supervising a network can observe data output by the network monitors and make decisions about operation of the network based on their observations. However, due to the vast amount of data related to characteristics of network threats and traffic flow, the administrators' ability to make correlations and informed decisions can be limited.
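The kind of correlation described above, between hourly counts of one threat type and hourly traffic volume, can be illustrated with an added example that is not part of this disclosure: the threat events, traffic samples, timestamps and event-type labels below are constructed sample data, and the bucketing and Pearson coefficient are a generic method chosen here, not the tool the disclosure proposes.

```python
from collections import defaultdict
from datetime import datetime
from math import sqrt

# Constructed sample data (not from the disclosure): threat events as
# (ISO timestamp, event type) and traffic samples as (ISO timestamp, bytes).
THREAT_EVENTS = [
    ("2024-03-01T09:05:00", "dos"), ("2024-03-01T09:10:00", "dos"),
    ("2024-03-01T09:40:00", "worm"), ("2024-03-01T10:15:00", "dos"),
    ("2024-03-01T11:02:00", "trojan"), ("2024-03-01T11:30:00", "dos"),
    ("2024-03-01T11:31:00", "dos"), ("2024-03-01T11:45:00", "dos"),
]
FLOW_SAMPLES = [
    ("2024-03-01T09:00:00", 800_000), ("2024-03-01T09:30:00", 900_000),
    ("2024-03-01T10:00:00", 1_200_000), ("2024-03-01T10:30:00", 1_100_000),
    ("2024-03-01T11:00:00", 4_500_000), ("2024-03-01T11:30:00", 5_200_000),
]

def hour_key(ts):
    """Truncate an ISO timestamp to its hour bucket, e.g. 2024-03-01T09."""
    return datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")

def per_hour(records, weight):
    """Sum weight(record) into hourly buckets; weight returns 0 to skip."""
    totals = defaultdict(int)
    for rec in records:
        totals[hour_key(rec[0])] += weight(rec)
    return totals

def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var = sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)
    return cov / sqrt(var) if var else 0.0

def correlate(events, samples, event_type):
    """Align hourly counts of one threat type with hourly traffic volume.
    Returns (hours, threat_counts, traffic_bytes, correlation)."""
    threats = per_hour(events, lambda e: 1 if e[1] == event_type else 0)
    traffic = per_hour(samples, lambda s: s[1])
    hours = sorted(set(threats) | set(traffic))
    xs = [threats.get(h, 0) for h in hours]
    ys = [traffic.get(h, 0) for h in hours]
    return hours, xs, ys, pearson(xs, ys)

if __name__ == "__main__":
    for kind in ("dos", "worm", "trojan"):
        hours, xs, ys, r = correlate(THREAT_EVENTS, FLOW_SAMPLES, kind)
        print(f"{kind:7s} r={r:+.2f} counts={xs} bytes={ys}")
```

On the constructed data the DoS event count tracks the hourly byte volume closely (r of roughly 0.83), while the single worm event does not, which is the kind of relationship an administrator would otherwise have to spot by eye across thousands of events.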
Such conventional methods and systems have generally been considered satisfactory for their intended purpose. However, there is still a need in the art for improved tools that present information conducive to recognition of relationships and associations between characteristics of suspicious network traffic as well as network traffic flow. The present disclosure provides a solution for these problems.