1. Field of the Invention
The present invention relates to network security technology and, more particularly, to an apparatus and method for detecting a network attack situation in real time by efficiently processing alarms that indicate intrusion detection.
2. Description of the Related Art
Network attack situation detection refers to analyzing the interrelation among a plurality of alarms indicating intrusion detection, which are raised at a plurality of locations in a network, and inferring an attack situation from that analysis. For example, if a plurality of alarms are raised about a single host, it can be presumed that the host is being attacked. Since network attack situation detection reflects the current attack situation of the network, real-time analysis is particularly important.
However, analyzing alarms in a network in real time through a conventional database query has limitations. For example, when alarm "A" is raised, determining through such a query how many times the same alarm has been repeatedly raised during a predetermined interval requires comparing alarm "A" with a great number of other alarms. If such comparisons are made for every alarm, the performance of an apparatus for detecting network attack situations is severely degraded.
In particular, since network sizes are increasing and a tremendous number of alarms are raised because of high false-positive rates, the apparatus must process a large amount of data to analyze alarms indicating intrusion detection.
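As an added illustration (not part of the patent text), the following Python contrasts the per-alarm comparison described above with an incremental sliding-window count over constructed sample alarms; the window length, host threshold and alarm records are assumed values.

```python
from collections import defaultdict, deque
WINDOW = 60          # predetermined interval in seconds (assumed value)
HOST_THRESHOLD = 3   # alarms against one host before an attack is presumed (assumed)

# Constructed sample alarms: (time in seconds, alarm signature, target host)
ALARMS = [
    (0, "SQLI", "10.0.0.5"),
    (10, "SQLI", "10.0.0.5"),
    (20, "XSS", "10.0.0.7"),
    (30, "SQLI", "10.0.0.5"),
    (100, "SQLI", "10.0.0.5"),       # the first three SQLI alarms have aged out
    (110, "SSH_BRUTE", "10.0.0.5"),
]

def naive_repeat_counts(alarms, window=WINDOW):
    """The approach the Background describes: for each alarm, compare it with
    every earlier alarm to count repeats in the window (O(n^2) overall)."""
    counts = []
    for i, (t, sig, _) in enumerate(alarms):
        counts.append(sum(1 for t2, sig2, _ in alarms[:i]
                          if sig2 == sig and t - t2 <= window))
    return counts

def windowed_repeat_counts(alarms, window=WINDOW):
    """Same answer with one deque of timestamps per signature; each timestamp is
    appended once and evicted once, so the total work is O(n)."""
    recent = defaultdict(deque)
    counts = []
    for t, sig, _ in alarms:
        q = recent[sig]
        while q and t - q[0] > window:   # evict alarms older than the window
            q.popleft()
        counts.append(len(q))
        q.append(t)
    return counts

def hosts_under_attack(alarms, window=WINDOW, threshold=HOST_THRESHOLD):
    """Presume a host is under attack once >= threshold alarms of any signature
    target it within the window; return the set of such hosts."""
    recent = defaultdict(deque)
    flagged = set()
    for t, _, host in alarms:
        q = recent[host]
        while q and t - q[0] > window:
            q.popleft()
        q.append(t)
        if len(q) >= threshold:
            flagged.add(host)
    return flagged
```

Both counting functions return the same per-alarm repeat counts for the sample data; only the incremental version keeps the per-alarm cost independent of how many alarms have already been stored.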