JP2008193302A - Communication log visualization apparatus, communication log visualization method and communication log visualization program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To find an installation location of communication equipment which performs suspicious communication. <P>SOLUTION: A communication tag visualization apparatus has: a log analysis part 11 for entering a communication log output from a network monitoring system 110, extracting and managing logic information showing an IP address or the like of the communication equipment and time information showing an amount of communication every prescribed period, and making location information for specifying a location of the communication equipment correspond to the logic information showing the communication equipment and managing them; and a visualization processing part 12 for reading each of the logic information, the time information and the location information and displaying them onto a logic information plane 210, a time information plane 220, and a location information plane 230 so that association of information displayed onto each information plane becomes clear. Thus, when a trace of illegal intrusion is found on the time information plane 220, it becomes possible to instantaneously check the location of the communication equipment on the location information plane 230, so that countermeasures can be quickly taken against the illegal intrusion. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a technique for displaying a communication log obtained by network monitoring.

  In recent years, the importance of network security monitoring has increased. In general, the log output by the network monitoring apparatus is very large, and it is difficult for the monitor to analyze manually.

On the other hand, a system that reduces the burden on the observer by visualizing logs has been proposed. For example, a technique described in Non-Patent Document 1 is known as a technique for analyzing communication trends (types of viruses that are prevalent) in a wide area network.
Y. Hideshima, H. Koike, "Starmine: A visualization system for cyber attacks", Asia Pacific Symposium on Information Visualization, 2006, p.131-138

  However, monitoring of the internal network has different aspects from wide area network monitoring and monitoring for each communication device. In monitoring the internal network, when unauthorized access occurs to a computer, it is important to respond quickly by going directly to the installation location of the computer, stopping the computer, or physically disconnecting from the network.

  However, many conventional security log visualization systems display only time information indicating time-series changes in traffic volume, or display only logical information such as IP addresses. There is a problem that it is impossible to instantly determine where the computer where the unauthorized access has occurred is located.

  The technique shown in Non-Patent Document 1 is for monitoring a wide area network, and it cannot be used to specify a specific installation location of an attacked communication device. I can't.

  The present invention has been made in view of the above, and an object of the present invention is to make it possible to know the installation position of a communication device performing suspicious communication when monitoring an internal network. .

  A communication log visualization device according to a first aspect of the present invention includes a communication log input unit that inputs a communication log output from a monitoring system that monitors a packet flowing on a network and monitors unauthorized intrusion, and a communication log input unit. A communication log analysis unit that receives a communication log and extracts logical information such as an IP address and time information from the communication log; a logical information management unit that receives and manages the logical information extracted by the communication log analysis unit; The time information management means for inputting the information about the time extracted by the communication log analysis means, totaling the communication volume for each predetermined period and managing it as time information in association with the logical information, the logical information and the logical information Location information management means for managing the location information of related communication devices in association with location information, and logical information, time information and location information necessary for display. Information management means, time information management means and position information management means respectively read out information acquisition means, the logical information read by the information acquisition means and time information are displayed in association with each other, and logical information and position information are displayed in association with each other Display means.

  In the present invention, a communication log analysis unit that inputs a communication log output by a monitoring system that monitors a network, extracts logical information such as an IP address, and information related to time such as a time when a packet is captured, A logical information management means for managing logical information; a time information management means for collecting communication volume for each predetermined period based on the extracted time-related information; Time information management means for managing the positional information for specifying the arrangement location in association with the logical information indicating the communication device, and reading out each information of the logical information, the time information and the positional information to obtain the logical information and the time information. In addition to displaying information in association with each other, and having display means for displaying the logical information and the positional information in association with each other, the time information in which evidence of unauthorized intrusion can be seen It is possible to identify quickly the location of the communication device corresponding to the logical information corresponding to make it possible to quickly perform the countermeasure against unauthorized intrusion.

  In the communication log visualization device, the display unit arranges the logical information, time information, and position information on planes that intersect each other in the virtual three-dimensional space, and displays a surface for displaying the logical information and a surface for displaying the time information. The time information corresponding to the logical information displayed on the line intersecting with is displayed.

  In the present invention, by placing each information in a virtual three-dimensional space, all information can be confirmed and judged instantly, and the viewpoint can be changed and displayed. Can be displayed more clearly.

  In the communication log visualization apparatus, the surface on which the time information is displayed is movable in parallel to the surface on which the logical information is displayed.

  In the present invention, it is possible to quickly change the logical information to be displayed by making the surface on which the time information is displayed parallel to the surface on which the logical information is displayed.

  In the communication log visualization apparatus, the logical information includes a port number, and the display means displays the port number and time information corresponding to the port number.

  In the present invention, by displaying the port number and the time information corresponding to the port number, it is possible to know the target and type of unauthorized intrusion.

  The communication log visualization method according to the second aspect of the present invention includes a step of inputting a communication log output by a monitoring system that monitors a packet flowing on a network and monitors unauthorized intrusion by a communication log input unit; In the step of receiving the communication log input in the step of inputting the communication log by the analyzing unit, extracting the logical information such as the IP address and the time information from the communication log, and in the extracting step of the logical information management unit Input and manage the extracted logical information and input the information about the time extracted in the extracting step by the time information management means, total the traffic for each predetermined period and correspond to the logical information as time information Logical information and time information required for display by the information acquisition step and information acquisition means. Reading out the position information from the position information management means for managing the correspondence between the logical information and the position information for specifying the arrangement location of the communication device related to the logical information, and the display means. And displaying the logical information and time information read in association with each other in the reading step, and displaying the logical information and position information in association with each other.

  In the communication log visualization method, the displaying step arranges the logical information, the time information, and the position information on planes intersecting each other in the virtual three-dimensional space, and displays the surface for displaying the logical information and the time information. Time information corresponding to logical information displayed on a line intersecting with the surface is displayed.

  In the communication log visualization method, the time information display surface is movable in parallel to the logical information display surface.

  In the communication log visualization method, the logical information includes a port number, and the displaying step displays the port number and time information corresponding to the port number.

  A communication log visualization program according to a third aspect of the present invention includes a step of inputting a communication log output by a monitoring system that monitors a packet flowing on a network and monitors unauthorized intrusion by a communication log input unit; In the step of receiving the communication log input in the step of inputting the communication log by the analyzing unit, extracting the logical information such as the IP address and the time information from the communication log, and in the extracting step of the logical information management unit Input and manage the extracted logical information and input the information about the time extracted in the extracting step by the time information management means, total the traffic for each predetermined period and correspond to the logical information as time information Logical information required for display and time information by the information acquisition means. Reading information from the information management means and the time information management means, respectively, and reading out the position information from the position information management means for managing the logical information and the positional information for specifying the location of the communication device related to the logical information in association with each other; The logical means and time information read in the reading step by the display means are displayed in association with each other, and the computer is caused to execute the step of displaying the logical information and position information in association with each other.

  In the communication log visualization program, the displaying step arranges the logical information, the time information, and the position information on planes intersecting each other in the virtual three-dimensional space, and displays the surface for displaying the logical information and the time information. Time information corresponding to logical information displayed on a line intersecting with the surface is displayed.

  In the communication log visualization program, the surface on which the time information is displayed is movable in parallel to the surface on which the logical information is displayed.

  In the communication log visualization program, the logical information includes a port number, and the displaying step displays the port number and time information corresponding to the port number.

  According to the present invention, when monitoring an internal network, it is possible to know the installation position of a communication device performing suspicious communication.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  FIG. 1 is a block diagram showing a configuration of a communication log visualization system using a communication log visualization device 10 according to the present embodiment. As shown in the figure, the communication log visualization system includes a communication log visualization device 10 including a log analysis unit 11 and a visualization processing unit 12, a database 20, an input device 30, and a display 40. It is provided with various logs output from the network monitoring system 110 and the network exploration system 120, and communication log information is output in a form convenient for network management and monitoring. The communication log visualization device 10 can be configured by a computer including an arithmetic processing device, a storage device, a memory, and the like, and the processing of each unit is executed by a program. This program is stored in a storage device or the like provided in the communication log visualization device 10 and can be recorded on a recording medium or provided through a network.

  First, the log analysis unit 11 of the communication log visualization device 10 will be described. As shown in FIG. 1, the log analysis unit 11 includes a communication log input analysis unit 111, a search log input analysis unit 112, a time information management unit 113, a logical information management unit 114, and a location information management unit 115.

  The communication log input analysis unit 111 receives a communication log output from the network monitoring system 110, and extracts information on time indicating the time when the packet is inspected and logical information such as an IP address and a port number from the communication log. . Based on the information related to the extracted time, the communication amount for each predetermined period is totaled and stored in the time information management unit 113 as time information in association with logical information. The extracted logical information is stored in the logical information management unit 114. The logical information may include information useful for network monitoring such as a packet direction (outbound and inbound) and flags included in various protocols. The communication log may be input for a certain period of time in a lump, but an unauthorized intrusion can be detected earlier by inputting it whenever the network monitoring system 110 outputs.

  For the network monitoring system 110, for example, an intrusion detection system (IDS) such as Proventia (registered trademark) or snort is used. The intrusion detection system inspects packets flowing through the network, detects unauthorized intrusions and notifies the network administrator, and outputs a large amount of information such as packet supplement time, packet source, and destination as a communication log. To do.

  The search log input analysis unit 112 inputs a search log output from the network search system 120 and extracts logical information such as an IP address and a port number of a communication device that is actually operating. Logical information such as an IP address to which an actually operating communication device is connected and an available port is stored and managed in the logical information management unit 114. Since communication devices are rarely connected to all IP addresses assigned to the network, and are often invaded from vacant ports, communication devices operating using the network exploration system 120, Check available ports, running services, etc. This makes it possible to filter unnecessary items such as communication logs related to attacks against invalid IP addresses.

  For the network exploration system 120, for example, a port scan tool such as nmap is used. The port scan tool accesses a communication device such as a server through a network and searches for a security hole. With the port scan tool, it is possible to know the type of OS of the communication device, the available port number, the type of application software that is running, and the like.

  The database 20 stores an IP address and location information regarding the installation location of the communication device to which the IP address is assigned in association with each other, and the location information management unit 115 refers to the database 20 and stores information such as the IP address. Obtain location information corresponding to logical information. The location information management unit 115 may include the database 20.

  As described above, the log analysis unit 11 extracts time information and logical information from various logs output from the network monitoring system 110 and the network search system 120, and acquires position information from the database 20. The network monitoring system 110 is always in operation because the purpose is to monitor the network, but the network exploration system 120 is changed when the network configuration is changed, for example, once a week. It may be operated appropriately to update the logical information. The information indicating the relationship between the IP address and the position stored in the database 20 may be updated when the network configuration is changed.

  Next, the visualization processing unit 12 of the communication log visualization device 10 will be described. As illustrated in FIG. 1, the visualization processing unit 12 includes a data acquisition unit 121 and a display unit 122, and an input device 30 and a display 40 are connected to the visualization processing unit 12. For example, a pointing device such as a mouse or a keyboard is used as the input device 30 and can be operated intuitively via a GUI (Graphical User Interface), or can be quickly operated by directly inputting a command using the keyboard. . Hereinafter, processing of each unit will be described in detail.

  The data acquisition unit 121 reads the logical information to be displayed from the logical information management unit 114 of the log analysis unit 11, reads the time information corresponding to the read logical information from the time information management unit 113, and corresponds to the read logical information. The position information is read from the position information management unit 115. Further, the user inputs logical information to be displayed to the data acquisition unit 121 via the input device 30. Examples of the logical information to be input include an IP address, a network address, a port number, and a packet direction (outbound and inbound). In this way, by selecting the information to be displayed and filtering the information that is not necessary, it is possible to display the information that is desired to be noticed without being buried in other information.

  The display unit 122 displays in an integrated manner so that the relationship between the time information, the logical information, and the position information read by the data acquisition unit 121 can be understood. The time information and the logical information are displayed in association with each other, and the logical information and the position information are displayed in association with each other, so that the IP address of the communication device corresponding to the time information can be obtained from the evidence of unauthorized intrusion obtained from the time information. You can quickly find out the location information of the communication device from the IP address. Further, the user can change the display form via the input device 30.

  Next, the displayed screen will be described. FIG. 2 is a diagram illustrating a configuration of a screen output by the display unit 122. As shown in the figure, the displayed screen is arranged in a virtual three-dimensional space so that the logical information plane 210, the time information plane 220, and the position information plane 230 intersect each other vertically, A port information area 215 indicating information related to the port is provided. The user uses the connected input device 30 to instruct to change the viewpoint so that the information surface such as the time information surface 220 is viewed from the front, or to expand and display each information surface. Can do. Hereinafter, each information surface will be described in detail.

  FIG. 3 is a diagram for explaining the logical information plane 210 shown in FIG. In the logical information plane 210, an IP address space is expressed using an IP Matrix. In the present embodiment, the lower 16 bits of the IP address expressed in 32 bits are used, the third octet is taken on the vertical axis, the fourth octet is taken on the horizontal axis, and the IP address of the actually operating communication device. Is expressed as a point. By displaying only the communication devices that are actually operating, it is possible to pay attention to and monitor the communication devices that are likely to be attacked, and to detect early communication devices that are in a dangerous state. In addition, the color of the point drawn on the logical information surface 210 is changed according to the type of OS used for the communication device extracted from the search log of the network search system 120. Since attacks from the outside are often effective only against a specific OS, if the type of OS can be determined on the logical information plane 210, it is urgently necessary to cope with the attacked communication device. It is possible to quickly determine whether or not there is.

  4A and 4B are diagrams for explaining the port information area 215. FIG. In the port information area 215 shown in FIG. 4A, information on the attack destination port is displayed among the logical information managed by the logical information management unit 114, the port number is shown on the vertical axis, and the horizontal axis shows the port number. It shows the logarithm of the attack amount against each port. In addition, 25% from the bottom of the vertical axis indicates ports from 0 to 1024 called well known ports, and the remaining 75% indicates ports from 65535. Well known ports are often used for important services such as web, email, DNS, etc., and are subject to attack, so they should be monitored carefully, so they have more display area than other ports. This ensures that important information is not overlooked.

  FIG. 4B is a diagram for explaining a state when the port information area 215 is selected by a pointing device or the like. When the port information area 215 is selected, as shown on the right side of FIG. 4B, the portion corresponding to 1% above and below the selected portion is enlarged and displayed at 20%. Can be obtained in more detail. By specifying a port in the port information area 215, only information related to the specified port can be displayed on the screen, so the information displayed on the screen is carefully selected, so that unauthorized intrusion can be made easier. You can make a discovery.

  FIG. 5 is a diagram for explaining the time information surface 220. In the time information plane 220, the horizontal axis indicates time, and the vertical axis indicates the communication amount (attack amount) per predetermined time detected by the network monitoring system 110. The time series graph 223 displayed on the time information plane 220 is a graph showing the communication amount for the corresponding logical information in a time series, and the position indicated by the reference numeral 222 is the current communication amount and is shown on the left side of the figure. The past traffic volume is shown toward. In this embodiment, the amount of communication per hour is calculated and drawn as a time series graph.

  As shown in the figure, the time information plane 220 is arranged perpendicular to the logical information plane 210 in the virtual three-dimensional space, and the logical information existing on the line where the logical information plane 210 and the time information plane 220 intersect. The amount of communication with respect to is displayed as a time series graph 223. The time series graph 223 is drawn with the intersection of the current time indicated by the reference numeral 222 and the baseline 221 defined by the value of the third octet of the IP address as the origin, and the logical information plane 210 and the time information plane 220 are drawn. It is connected by a straight line with points indicating logical information existing on the intersecting lines. Since a plurality of time series graphs 223 are displayed on the time information surface 220, the time information plane 220 is drawn using different colors depending on the position of the base line 221 of each time series graph in order to easily distinguish them.

  The time information plane 220 can be slid in parallel with the horizontal axis of the logical information plane 210, and the time series of individual IP addresses for each fourth octet set on the horizontal axis of the logical information plane 210. A graph can be displayed. For example, in general, the value of the fourth octet of the router is often 1 or 254. Therefore, by setting the time information plane 220 so that the value of the fourth octet becomes 1 or 254, the traffic to the router is summarized. You can see. When the time information plane 220 is set so that the value of the fourth octet becomes 0, the total amount of traffic for each subnet designated by the value up to the third octet of the IP address is displayed. ing.

  When the vertical axis and the horizontal axis are interchanged with the vertical axis of the logical information plane 210 being the fourth octet and the horizontal axis being the third octet, the time information plane 220 is designated by a value up to the third octet of the IP address. A time series graph of each IP address included in the subnet is displayed, so that communication logs for communication devices included in the subnet can be displayed together.

  FIG. 6 is a diagram showing a map displayed on the position information surface 230 displayed together with the logical information surface 210 and the time information surface 220. The point indicating the IP address displayed on the logical information surface 210 and the point on the map displayed on the position information surface 230 are connected by a line, and where the communication device having the IP address indicated on the logical information surface 210 is actually located. It is clearly displayed whether it exists. Since the line connecting the IP address and the point on the map is drawn using a color corresponding to the color on which the time series graph is drawn on the time information plane 220, there is a trace of unauthorized intrusion discovered on the time information plane 220. It is possible to instantaneously determine the location of a communication device having an IP address having a time series graph. Since there is generally no regularity between the IP address space and the position on the map, the IP address and the location of the communication device to which the IP address is assigned are stored in the database 20 in association with each other.

  Next, an example in which an unauthorized intrusion is detected using the communication log visualization system will be described. FIG. 7 is a display screen when a suspicious IRC (Internet Relay Chat) communication that seems to be a botnet is detected. For the sake of explanation, a part of the screen is enlarged and displayed. A botnet is a network composed of communication devices that allow a program called a bot to enter a computer and perform unauthorized remote operation from the outside. The bot connects to the IRC server to receive an external command and waits for an attacker's command.

  In FIG. 7, a command string indicated by reference numeral 610 is input so that only outbound (outward) communication is displayed at the 6667 port. As a result, it can be seen that a warning is issued when accessing the 6667th port from several IP addresses. Further, as indicated by reference numeral 225, the two communication devices show almost the same change in communication amount. By selecting the time series graph displayed on the time information plane 220, the point on the logical information plane 210 indicating the IP address corresponding to the time series graph and the installation location of the communication device having the IP address are shown. Since the points on the position information surface 230 are connected and displayed, the network administrator can quickly identify the installation location of the communication device suspected of unauthorized intrusion and can contact the administrator of the communication device. , You can head to the location of the communication equipment.

  As described above, according to the present embodiment, the communication log output from the network monitoring system 110 is input, the logical information indicating the IP address of the communication device, etc., and the time information indicating the communication amount for each predetermined period. And a log analysis unit 11 that manages positional information for specifying the location of the communication device in association with logical information indicating the communication device, and each of the logical information, time information, and positional information. By having the visualization processing unit 12 that reads out information and displays the information on each of the logical information plane 210, the time information plane 220, and the position information plane 230 so that the relation of the information displayed on each information plane can be understood. When a trace of unauthorized intrusion is found on the information surface 220, the location of the communication device can be instantly confirmed on the position information surface 230. Countermeasures can be performed quickly to.

  According to the present embodiment, the logical information surface 210, the time information surface 220, and the position information surface 230 are arranged in a virtual three-dimensional space so that the surfaces intersect each other vertically, thereby making it easy to grasp the whole. Further, since each information plane is arranged in the virtual three-dimensional space, the viewpoint can be changed, and the information can be known in more detail by changing the viewpoint. Further, by making the time information plane 220 movable in parallel to the logical information plane 210, the time series graph 223 of each communication device corresponding to the intersection line between the time information plane 220 and the logical information plane 210 is displayed on the time information plane 220. Can be displayed.

  According to the present embodiment, by displaying the communication amount for each port in the port information area 215, it is possible to estimate the type of unauthorized intrusion. Also, by designating the port in the port information area 215 and displaying only the information of the designated port, the information displayed on the screen is carefully selected, so that unauthorized intrusion can be detected more easily. it can.

  According to the present embodiment, a search log of the network search system 120 is input, and logical information (IP address, port number, etc.) of a communication device that is actually operating is acquired, so that an IP address that is not operating Unnecessary communication logs such as communication logs indicating attacks on the network can be filtered, so that unauthorized intrusion can be found more easily.

It is a block diagram which shows the structure of the communication log visualization system in one embodiment. It is explanatory drawing which shows the example of the display screen of the communication log visualization system of FIG. It is the schematic for demonstrating the logical information surface of the display screen of FIG. It is the schematic for demonstrating the port information area | region of the display screen of FIG. It is the schematic for demonstrating the time information surface of the display screen of FIG. It is the schematic for demonstrating the position information surface of the display screen of FIG. It is explanatory drawing which shows the display screen when an unauthorized intrusion is discovered by this communication log visualization system.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 ... Communication log visualization apparatus 11 ... Log analysis part 12 ... Visualization process part 110 ... Network monitoring system 111 ... Communication log input analysis part 112 ... Exploration log input analysis part 113 ... Time information management part 114 ... Logical information management part 115 Position information management unit 120 Network exploration system 121 Data acquisition unit 122 Display unit 20 Database 30 Input device 40 Display 210 Logical information surface 215 Port information area 220 Time information surface 230 Position information surface

Claims (12)

A communication log input means for inputting a communication log output by a monitoring system that inspects packets flowing on the network and monitors unauthorized intrusion;
A communication log analyzing unit that receives the communication log from the communication log input unit and extracts logical information such as an IP address and time information from the communication log;
Logical information management means for inputting and managing the logical information extracted by the communication log analysis means;
Time information management means for inputting the information about the time extracted by the communication log analysis means, totaling the communication volume for each predetermined period, and managing the time information as associated with the logical information;
Positional information management means for managing the logical information in association with positional information for specifying a location of a communication device related to the logical information;
Information acquisition means for reading logical information, time information and position information necessary for display from the logical information management means, the time information management means and the position information management means,
Displaying the logical information read by the information acquisition means and the time information in association with each other, and displaying the logical information and the position information in association with each other.
A communication log visualization device characterized by comprising:   The display means arranges the logical information, the time information, and the position information on planes intersecting each other in a virtual three-dimensional space, and includes a surface for displaying the logical information and a surface for displaying the time information. 2. The communication log visualization apparatus according to claim 1, wherein time information corresponding to logical information displayed on the intersecting lines is displayed.   The communication log visualization device according to claim 2, wherein the surface on which the time information is displayed is movable in parallel with the surface on which the logical information is displayed. The logical information includes a port number,
The communication log visualization apparatus according to claim 1, wherein the display unit displays a port number and the time information corresponding to the port number. A step of inputting a communication log output by a monitoring system that inspects packets flowing on the network and monitors unauthorized intrusion by means of a communication log input means;
Receiving the communication log input in the step of inputting the communication log by the communication log analysis means, and extracting logical information such as an IP address and time information from the communication log;
Inputting and managing the logical information extracted in the extracting step by logical information management means;
A step of inputting information related to the time extracted in the extracting step by a time information management means, totaling a communication amount for each predetermined period, and managing it in association with the logical information as time information;
Positions for reading the logical information and time information necessary for display by the information acquisition means from the logical information management means and the time information management means, respectively, and for specifying the location of the communication equipment related to the logical information and the logical information Reading the position information from position information management means for managing information in association with each other;
Displaying the logical information read in the reading step and the time information in association with each other by the display means, and displaying the logical information and the positional information in association with each other;
A communication log visualization method characterized by comprising:   The displaying step arranges the logic information, the time information, and the position information on planes intersecting each other in a virtual three-dimensional space, and displays a surface for displaying the logic information and a surface for displaying the time information. 6. The communication log visualization method according to claim 5, wherein time information corresponding to logical information displayed on a line intersecting with each other is displayed.   The communication log visualization method according to claim 6, wherein the surface on which the time information is displayed is movable in parallel with the surface on which the logical information is displayed.   8. The logical information according to claim 5, wherein the logical information includes a port number, and the displaying step displays the port number and the time information corresponding to the port number. Communication log visualization method. A step of inputting a communication log output by a monitoring system that inspects packets flowing on the network and monitors unauthorized intrusion by means of a communication log input means;
Receiving the communication log input in the step of inputting the communication log by the communication log analysis means, and extracting logical information such as an IP address and time information from the communication log;
Inputting and managing the logical information extracted in the extracting step by logical information management means;
A step of inputting information related to the time extracted in the extracting step by a time information management means, totaling a communication amount for each predetermined period, and managing it in association with the logical information as time information;
Positions for reading the logical information and time information necessary for display by the information acquisition means from the logical information management means and the time information management means, respectively, and for specifying the location of the communication equipment related to the logical information and the logical information Reading the position information from position information management means for managing information in association with each other;
Displaying the logical information read in the reading step and the time information in association with each other by the display means, and displaying the logical information and the positional information in association with each other;
A communication log visualization program characterized by causing a computer to execute.   The displaying step arranges the logic information, the time information, and the position information on planes intersecting each other in a virtual three-dimensional space, and displays a surface for displaying the logic information and a surface for displaying the time information. 10. The communication log visualization program according to claim 9, wherein time information corresponding to logical information displayed on a line intersecting with each other is displayed.   The communication log visualization program according to claim 10, wherein the surface on which the time information is displayed is movable in parallel with the surface on which the logical information is displayed.   12. The logical information according to claim 9, wherein the logical information includes a port number, and the displaying step displays the port number and the time information corresponding to the port number. Communication log visualization program.