1. Field
This invention relates in general to computer network security. Specifically, this invention relates to methods and systems for mapping network attacks.
2. General Background and Related Art
A goal of network security is to ensure safe and reliable network operations. Various network security components, such as firewalls, are designed to prevent illegal intrusions. These components often monitor network activities and record various types of information relating to these activities. For example, firewalls may keep a log file that lists all accesses to the computer systems protected by the firewalls. For each access, the ID of the user who made the access, the time of the access, the location of the access, and the manner in which the access took place (remotely or locally) may be recorded. Log files generated by network security components are typically voluminous.
To detect a security breach such as an attack by a hacker, one needs to understand the information embedded in log files. However, interpretation of log files, which contain information indicating the severity and extent of network problems, may require significant technical expertise. Attempts have been made to transform raw log data into understandable forms. For example, color-coded histograms may be generated from raw log files to provide graphical views of the information embedded therein. Yet, interpretation of histograms also requires substantial technical knowledge.
Log files generated by network security monitoring tools may contain vendor-specific types of information presented in distinct forms. This increases the burden on network system administrators and other users. For example, the log file for a particular type of firewall, generated by vendor A's security monitoring system, may be very different from the log file for a server computer, generated by vendor B's security monitoring system. The two log files may include different types of information in different vendor-specific formats.
The Intrusion Detection Message Exchange Format (IDMEF) has recently been proposed to define data formats and exchange procedures for sharing information between different network security tools. However, this format retains the low-level data semantics of log files generated by vendor-specific network security tools. Significant effort and technical expertise are required to analyze and understand IDMEF log files.
Therefore, what is needed is a system and method to effectively convey different types of log data to users.