1. Technical Field
The present invention relates in general to the field of data processing, and, in particular, to an improved data processing system and method for responding to a malicious intrusion using a graphical representation of the intrusion's effect.
2. Description of the Related Art
Most modern enterprise networks include means for access by remote users, typically via the Internet. This access is designed to afford authorized users interaction with the network for purposes such as e-commerce, sharing content, and other electronic activities. Because these networks are designed to be easily accessible to authorized users, they are also prone to access by unauthorized users, specifically those with malicious intent for accessing the network. This malice is presenting in the form of an “intrusion” by the user. An intrusion is defined as a malicious electronic access of the network or a computer in the network. Examples of intrusions include viruses, unauthorized data mining (sometimes called “hacking of files”), and distributed denial of service (DDOS) attacks, in which a computer system is overloaded by the intrusion such that real work can no longer be performed.
An intrusion event is defined as the result (effect) of an intrusion. Examples of an intrusion event are data files being corrupted or illegally copied, system/computer crashes and system/computer slow-downs.
Countering intrusions is typically the job of a security administrator, an information technology specialist who monitors, with the aid of risk management software, a computer system for intrusions. While there are many known methods for detecting an intrusion and the intrusion event, managing responses to the intrusion is extremely complicated. That is, while detection of an event is well known and may be automatic, management and response actions are typically taken manually. Because of the complex nature of an intrusion, it is difficult for the security administrator to evaluate what type of intrusion is occurring, and how to respond appropriately.
Thus, there is a need for a method and system to assist the security administrator in responding to detected intrusions, preferably in an manner that is automatic or semi-automatic.