Sampling methods currently used for collecting and analyzing security events on a network include a systematic sampling method, which extracts security events at regular intervals; a random sampling method, which extracts security events at random; and a stratified random sampling method, which divides the security events into homogeneous layers and extracts randomly from each layer.
In association with this, Korean Patent Application No. 10-2005-032363, entitled “Apparatus for Collecting Internet Protocol Packets, Which Has Sampling and Signature Retrieving Functions and a Method Therefore, Particularly Capable of Reducing a Lot of Computing Resources Required for Collecting Traffic on High-Speed Internet Lines, and Effectively Constructing a Monitoring System Capable of Conducting More Exact Real-Time Analysis,” implements the sampling function and the signature searching function in hardware and supports periodic sampling, random sampling, and hash-based sampling to improve sampling performance. However, the problem remains that the content characteristics of the security events are distorted between before and after sampling.
Generally, the contents of a security event include a source Internet protocol (IP) address, a destination IP address, a source port, a destination port, and a protocol. The distribution of the information included in the contents of the security events is an important characteristic for determining the security state of a network.
Also, cyber attacks currently performed on a network use a method of fixing both the source port and the destination port, a method of fixing the source port while randomly varying the destination port, or a method of randomly varying both the source port and the destination port. Accordingly, the distribution of the relation between source port and destination port plays an important role in analyzing and visualizing the state of a cyber attack.
Because conventional sampling methods sample security events without using the content characteristic information of the events, the content characteristics of the security events after sampling differ from those before sampling. That is, when sampling is performed without regard to the contents of the security events, information on the distribution of the relation between source port and destination port is damaged, which deteriorates the performance of a network visualization and analysis apparatus.
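As an added illustration that is not part of the application, the following Python simulation shows how content-blind systematic sampling can destroy the source/destination port relation distribution described above, while stratifying on that content characteristic preserves it. The event stream, IP addresses, ports and the three attacker behaviours are constructed for the example.

```python
import random
from collections import Counter, defaultdict

# Constructed stream of (src_ip, src_port, dst_port) events; IPs and ports are illustrative only.
def build_events(n=4000, seed=1):
    rng = random.Random(seed)
    events = []
    for i in range(n):
        if i % 4 == 0:    # attacker A: fixed source port and fixed destination port
            events.append(("10.0.0.1", 4444, 445))
        elif i % 4 == 1:  # attacker B: fixed source port, randomly varying destination port
            events.append(("10.0.0.2", 31337, rng.randint(1, 65535)))
        else:             # attacker C: both source and destination port vary randomly
            events.append(("10.0.0.3", rng.randint(1024, 65535), rng.randint(1, 65535)))
    return events

def relation_of(events):
    """Label each source IP by whether its source/destination ports stay fixed or vary."""
    src, dst = defaultdict(set), defaultdict(set)
    for s, sp, dp in events:
        src[s].add(sp)
        dst[s].add(dp)
    labels = {}
    for s in src:
        fixed_src, fixed_dst = len(src[s]) == 1, len(dst[s]) == 1
        labels[s] = ("fixed/fixed" if fixed_src and fixed_dst
                     else "fixed/random" if fixed_src else "random/random")
    return labels

def distribution(events):
    """Share of events per port-relation class, computed only from the events given."""
    labels = relation_of(events)
    counts = Counter(labels[e[0]] for e in events)
    return {k: v / len(events) for k, v in counts.items()}

def systematic(events, k, offset=0):
    """Conventional systematic sampling: every k-th event, ignoring content."""
    return events[offset::k]

def stratified_by_content(events, k, seed=1):
    """Content-aware sampling: stratify by port-relation class, keep 1/k of each stratum."""
    rng = random.Random(seed)
    labels, strata = relation_of(events), defaultdict(list)
    for e in events:
        strata[labels[e[0]]].append(e)
    return [e for s in strata.values() for e in rng.sample(s, len(s) // k)]

def distortion(p, q):
    """Total variation distance between two class distributions (0 means preserved)."""
    return 0.5 * sum(abs(p.get(c, 0.0) - q.get(c, 0.0)) for c in set(p) | set(q))
```

With the constructed stream, `distribution(systematic(build_events(), 4))` reports only the fixed/fixed class (distortion 0.75 from the full stream, because the sampling interval aliases with attacker A's period), while `stratified_by_content` reproduces all three shares exactly (distortion 0).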