JP2008227931A - Ip address visualizing apparatus, program, and recording medium - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an IP address visualizing apparatus, program, and recording medium for easily recognizing a relation between transmitting-side and receiving-side IP addresses. <P>SOLUTION: A display control processing section 31, an axis display processing section 33 and a display image generating section 36 carry out processing for displaying, on an image display section 37, a first axis to display thereon address values of blocks constituting a first IP address and a second axis to display thereon address values of blocks constituting a second IP address. Furthermore, the display control processing section 31, a line display control section 34 and the display image generating section 36 carry out processing for displaying, on the image display section 37, a first line connecting points on the first axis corresponding to the address values of the blocks constituting the first IP address and a second line connecting points on the second axis corresponding to the address values of the blocks constituting the second IP address. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to an IP address visualization device that visualizes an IP address related to communication executed on a network. The present invention also relates to a program for causing a computer to function as the IP address visualization device, and a recording medium on which the program is recorded.

  With various computer viruses and attacks appearing, attacks that change the attack signature included in packets and files have emerged in order to escape detection by Intrusion Detection System (IDS) and Anti Virus (AV). As a technique for finding such an attack, a technique has been proposed in which the relationship between IP addresses on both the transmitting side and the receiving side related to communication at the time of the attack is visualized to grasp an abnormality (for example, see Non-Patent Documents 1 to 4).

In Non-Patent Documents 1 to 3, two-dimensional notation of the IP address is realized. In general, the IPv4 protocol can express approximately 4.3 × 10 ⁹ IP addresses, and it is difficult to visualize all of Source IP (sender IP address) and Destination IP (receiver IP address) at the same time. . In the IPv4 protocol, the IP address is expressed as, for example, 192.168.0.1 (32 bits), and is composed of four blocks of address values of 8 bits each. In Non-Patent Documents 1 to 3, using this, Source IP and Destination IP are divided into 4 blocks, and the communication values observed on the graph with the address values of specific 2 blocks on the vertical and horizontal axes Such address values are plotted.

Non-Patent Document 4 introduces a tool called EtherApe. This tool does not distinguish between Source IP and Destination IP, but arranges the observed IP addresses in a circle and connects the pair of IP addresses on the sender and receiver sides related to the executed communication with a line. is there.
Fumiko Matsu, Yoshiaki Hori, Kenji Rikitake, Shunsuke Baba, Kazuya Suzuki, Koji Nakao, “Examination of user interface for network incident analysis system construction and operation”, Symposium on Cryptography and Information Security (SCIS2006), 2B3-3, January 2006 Hideki Koike, Kazuhiro Ohno, Yoshiyoshi Koizumi, “Proposal and Implementation of Visualization Method for Wide Area Network Monitoring”, Japan Society for Software Science and Technology, 21st Conference, 6A-3, 2004 Masaki Ishiguro, Koji Ito, Yozo Toda, Hironobu Suzuki, Kenichiro Akai, Ichiro Murase, “Characteristic analysis of distribution of malicious packets by port observation on the Internet”, Computer Security Symposium (CSS2005) Juan Toledo, Riccardo Ghetta, “Ether Ape, a graphical network monitor”, [online], [March 5, 2007 search], Internet, <URL: http://etherape.sourceforge.net/>

  However, in Non-Patent Documents 1 to 3, only two block address values can be expressed in one graph. Therefore, in order for the network administrator to grasp the relationship between Source IP and Destination IP, a plurality of displayed graphs are used. Must be referenced at the same time. For this reason, it is difficult to grasp the relationship between the IP addresses on the transmission side and the reception side.

It is also difficult to grasp the abnormality of communication from the graph. Furthermore, since it is difficult to grasp the regularity of abnormal communication, it is also difficult to create a filtering rule (set in a network device such as a router for the purpose of attack protection). In the IPv6 protocol, the number of IP addresses that can be expressed further increases to about 3.4 × 10 ³⁸ , so it is more difficult to visualize the relationship between the IP addresses on both the sending and receiving sides in a situation where many communications are mixed. Become.

  In Non-Patent Document 4, it is easier to grasp the relationship between the IP addresses on the transmitting side and the receiving side than in Non-Patent Documents 1 to 3, but communication errors occur when a large number of IP addresses are observed. It is difficult to grasp the characteristics and to create a filtering rule.

  The present invention has been made in view of the above-described problems, and provides an IP address visualization device, a program, and a recording medium that make it easy to grasp the relationship between the IP addresses on the transmission side and the reception side. Is the first purpose. A second object of the present invention is to provide an IP address visualization device, a program, and a recording medium that make it easy to grasp the abnormality of communication and to create a filtering rule.

  The present invention has been made to solve the above problems, and shows a relationship between display means for displaying information (corresponding to the image display unit 37 in FIG. 1) and transmission / reception related to communication executed on the network. Storage means (corresponding to the communication information storage unit 11 in FIG. 1) for storing the first IP address and the second IP address in association with each communication, and the address value of the block constituting the first IP address are displayed. The first axis (corresponding to the axes 4a, 4b, 4c, 4d in FIG. 2) and the second axis (addresses 4e, 4f in FIG. 2) for displaying the address values of the blocks constituting the second IP address , 4g, 4h) corresponding to the display processing means (corresponding to the display processing control section 31, the axis display processing section 33, and the display image generation section 36 in FIG. 1) for executing the processing for displaying on the display means, Each block that makes up one IP address The first line connecting the points on the first axis corresponding to the address value (corresponding to the lines 5a, 5b and 5c in FIG. 2) and the address value of each block constituting the second IP address Line display processing means (display shown in FIG. 1) for executing processing for causing the display means to display a second line (corresponding to lines 5e, 5f, 5g in FIG. 2) connecting the corresponding points on the second axis. The IP address visualization device includes a processing control unit 31, a line display processing unit 34, and a display image generation unit 36).

  The IP address visualization device of the present invention includes an abnormality detection means (corresponding to the communication analysis unit 21 in FIG. 1) for detecting abnormal communication based on communication characteristic information indicating characteristics of communication executed on the network. Extracting means for extracting the IP address related to the abnormal communication detected by the abnormality detecting means from the first IP address and the second IP address stored in the storage means (in FIG. 1) The axis display processing means and the line display processing means use the IP address extracted by the extraction means for processing.

  In the IP address visualization device according to the present invention, the line display processing unit may further include any one of adjacent ones when displaying a plurality of the first IP addresses having the same address value of at least the highest block. The display form of the first line connecting the points on the first axis corresponding to the address value of the adjacent block is controlled according to the frequency of the IP address having the same address value of the two blocks. It is characterized by that.

  In the IP address visualization device according to the present invention, the line display processing unit may further display any one of the adjacent second IP addresses when displaying a plurality of the second IP addresses having the same address value of at least the highest block. The display form of the second line connecting the points on the second axis corresponding to the address value of the adjacent block is controlled according to the frequency of the IP address having the same address value of the two blocks. It is characterized by that.

  In the IP address visualization device according to the present invention, the axis display processing means may further display any one of the blocks when displaying a plurality of the first IP addresses having the same address value in at least the highest block. When the address value is the same for any IP address, the display of the first axis corresponding to the lower block of the block is omitted.

  In the IP address visualization device according to the present invention, the axis display processing means may further display any one of the blocks when displaying a plurality of the second IP addresses having the same address value in at least the highest block. When the address value is the same for any IP address, the display of the second axis corresponding to the lower block of the block is omitted.

  The IP address visualization device of the present invention further includes input means (corresponding to the input unit 32 in FIG. 1) for a user to input an IP address search condition, and the axis display processing means and the line display processing. The means is characterized in that an IP address satisfying the search condition is used for processing from the first IP address and the second IP address extracted by the extracting means.

  In the IP address visualization device according to the present invention, the line display processing unit further includes the first IP address and the second IP address related to a plurality of communications including the first communication and the second communication. When the IP address on the transmitting side related to the first communication and the IP address on the receiving side related to the second communication are the same when displayed, the IP address that was the same is set to the first IP address. The processing is executed by fixing to one of the IP address and the second IP address.

  In the IP address visualization device of the present invention, the storage unit further stores the first IP address and the second IP address in association with time information for each communication, and the line display processing unit further includes The display timing of the first line and the second line displayed by the display means is controlled based on the time information.

  In the IP address visualization device according to the present invention, the storage means may further include a first port number and a second port number relating to communication executed on a network for each communication, the first IP address and the second port number. And storing the second IP address in association with a second IP address, wherein the extracting means further detects the abnormality detected by the abnormality detecting means out of the first port number and the second port number stored in the storing means. A port number related to abnormal communication is extracted, and the axis display processing means further determines a third axis (corresponding to the axis 4i in FIG. 13) for displaying the first port number, and the second port number. A process of displaying a fourth axis to be displayed (corresponding to axis 4j in FIG. 13) on the display means is executed, and the line display processing means further includes an address of any block constituting the first IP address. Before the value A third point connecting the point on the first axis (corresponding to the point 1301 in FIG. 13) and the point on the third axis corresponding to the first port number (corresponding to the point 1300 in FIG. 13). A line and a point on the second axis corresponding to the address value of one of the blocks constituting the second IP address (corresponding to the point 1303 in FIG. 13), and corresponding to the second Port number A process of displaying a fourth line connecting the point on the fourth axis (corresponding to the point 1302 in FIG. 13) on the display means is executed.

  In the IP address visualization device according to the present invention, the line display processing unit further includes a first intersection where any one of the first axes and the first line intersects (corresponding to the point 202 in FIG. 2). And a second intersection point (corresponding to the point 203 in FIG. 2) where any of the second axes and the second line intersect, and a line with an arrow indicating the communication direction ( The display means is displayed so as to display (corresponding to line 5d in FIG. 2).

  Further, the present invention is a program for causing a computer to function as the above IP address visualization device.

  The present invention is a computer-readable recording medium on which the above program is recorded.

  In the above description, the description in parentheses is for the purpose of associating the embodiment of the present invention described later with the components of the present invention for convenience, and the contents of the present invention are not limited by this description. Absent.

  According to the present invention, the transmission side and the reception side are displayed by displaying the respective IP addresses of the transmission side and the reception side by the axis for displaying the address value for each block and the line connecting the points on each axis. The effect that it becomes easy to grasp the relationship of the IP address of is obtained. In addition, according to the present invention, it is possible to obtain an effect that it is easy to grasp the abnormality of communication and create a filtering rule by displaying an IP address related to abnormal communication.

  Hereinafter, an embodiment of the present invention will be described with reference to the drawings. The main purpose of visualizing the relationship between IP addresses on both the sending and receiving sides involved in communication is detection of abnormal communication and creation of filtering rules. In order to detect abnormal communication, a visualization method that can express the concentration and diffusion of communication is required. In particular, a technique for visualizing the concentration of communication due to DDos (Distributed Denial of Service) attacks or the spread of communication due to the spread of virus infection as the degree of IP address bias (distribution) is desired. For creating filtering rules, it is desirable to visualize IP addresses and TCP / UDP protocol port numbers that appear frequently.

  As will be described later with reference to FIG. 2 and the like, in this embodiment, an axis for displaying the address value is displayed for each block constituting the IP address, and points on the axis corresponding to the address value of each block are displayed. A technique is used to visualize IP addresses by connecting lines with lines. Also, for the port number, the axis for displaying the port number is displayed, and the point on the axis corresponding to the port number and the point on the display axis of the IP address are connected by a line to visualize the port number. The method is used. The IP address will be described using an IPv4 address in the present embodiment, but the same applies to an IPv6 address. In the following, when the IPv4 address is ABCD, the block having the address value A is the first block (the most significant block), the block having the address value B is the second block, the block having the address value C is the third block, A block having the address value D is expressed as a fourth block (least significant block).

  FIG. 1 shows the configuration of an IP address visualization device according to the present embodiment. The IP address visualization apparatus shown in FIG. 1 includes a communication information management unit 1, an abnormality detection unit 2, and a display processing unit 3. The communication information management unit 1 manages communication information (such as an IP address and a port number) acquired by monitoring communication executed on the network. The abnormality detection unit 2 detects abnormal communication based on the communication information managed by the communication information management unit 1. The display processing unit 3 extracts an IP address and a port number related to abnormal communication detected by the abnormality detection unit 2 and executes a process of displaying (visualizing) the IP address and the port number.

  In the communication information management unit 1, the communication monitoring unit 10 acquires a packet transmitted on the network and extracts communication information from the packet. The communication information storage unit 11 stores the communication information extracted by the communication monitoring unit 10. The communication information is information necessary for grasping the relationship between the transmission side and the reception side related to execution of communication. The communication information is also information indicating the characteristics of the communication executed on the network, and abnormal communication can be detected based on the communication information. The communication information of this embodiment includes time (Start Time, End Time), communication protocol (ICMP, TCP, UDP), IP address (Source IP, Destination IP), Port number (TCP port, UDP on the transmission side / reception side) Port) and a communication ID assigned for each communication within the IP address visualization device (different for each communication session).

  In the abnormality detection unit 2, the analysis target information acquisition unit 20 reads out communication information from the communication information storage unit 11 and extracts specific parameters in order to acquire information to be subjected to analysis processing for detecting abnormal communication. To do. The communication analysis unit 21 executes processing for detecting abnormal communication based on the parameters of the communication information read from the communication information storage unit 11 by the analysis target information acquisition unit 20. When the abnormal communication is detected by the process based on the above method, the communication analysis unit 21 notifies the communication information extraction unit 30 of the display processing unit 3 of the communication ID related to the abnormal communication.

  As a communication abnormality detection method, for example, the methods described in JP-A-2004-318552, JP-A-2005-128947, and JP-A-2005-151289 can be applied to this embodiment. is there.

  Japanese Patent Laid-Open No. 2004-318552 discloses past statistical distributions to the extent that the frequency per unit time increases rapidly for parameters such as Attack Signature, Source / Destination IP, and Destination Port included in the log output from IDS. The method used and evaluated is described. With this method, it is possible to extract an abnormal event to be noticed from among a large number of events included in the log by paying attention to the change amount of the attack frequency.

  In Japanese Patent Laid-Open No. 2005-128947, the degree of spread (dispersity) of Source / Destination IP and Destination Port is calculated as information entropy, and an abnormality is detected by the method described in Japanese Patent Laid-Open No. 2004-318552. The method is described. With this method, it is possible to easily calculate the degree of concentration of communication due to the spread of virus infections and DDos (Distributed Denial of Service) attacks.

  Japanese Patent Laid-Open No. 2005-151289 describes a method for detecting an abnormality by paying attention to the periodicity of the detection frequency of parameters such as Attack Signature, Source / Destination IP, and Destination Port. By this method, it is possible to detect a slowly increasing attack and an attack that tends to be hidden with low frequency, which cannot be detected by the method described in the above-mentioned JP-A-2004-318552.

  In the display processing unit 3, the communication information extraction unit 30 reads out communication information satisfying a predetermined condition notified from the communication analysis unit 21 and the input unit 32 from the communication information storage unit 11 of the communication information management unit 1. Extracts the communication information necessary for displaying the address and port number. The display processing control unit 31 controls processing related to display of an IP address and a port number. The input unit 32 includes a mouse and a keyboard operated by the user, and outputs a signal indicating a result of information input by the user to the communication information extraction unit 30 and the display processing control unit 31. The user inputs information to the input unit 32 to specify the display conditions for the IP address and port number (whether or not the port number is displayed, single communication / multiple communication specification conditions, communication time specification conditions, etc.). It is possible.

  The communication information extraction unit 30 of the present embodiment can extract communication information related to abnormal communication, and can also extract communication information that satisfies the conditions specified by the user regardless of whether there is an abnormality. is there. When the setting for extracting the communication information related to the abnormal communication is made, the communication information extracting unit 30 stores the communication information to which the communication ID notified from the communication analyzing unit 21 of the abnormality detecting unit 2 is given as the communication information. Read from unit 11. If the condition specified by the user is satisfied regardless of whether there is an abnormality, the communication information extraction unit 30 reads the communication information from the communication information storage unit 11 based on the information input to the input unit 32. For example, when the user designates a time range (Start Time, End Time), the communication information extraction unit 30 reads communication information related to communication performed at a time within the range from the communication information storage unit 11.

  The axis display processing unit 33 executes processing for displaying an address value axis for displaying an address value for each block constituting an IP address and a port number axis for displaying a port number. The line display processing unit 34 executes a process for displaying a line connecting the address value axis and the port number axis. The character display processing unit 35 executes processing for displaying characters (including numbers) indicating the IP address, the port number value, and the like.

  The display image generation unit 36 receives information indicating the display position of the address display axis and the port number display axis from the axis display processing unit 33 and receives information indicating the display position of the line from the line display processing unit 34. The information indicating the display position of the character is received from the character display processing unit 35, a display image is generated based on each information, and is output to the image display unit 37. The image display unit 37 displays a display image. As a result, a graph visualizing the IP address and the port number is displayed on the screen of the image display unit 37.

  Next, the IP address visualization method in this embodiment will be described. FIG. 2 shows a basic graph displaying IP addresses. This graph visualizes an IP address related to a single communication (one-to-one communication). The left side of the graph shows Source IP, and the right side shows Destination IP. The axes 4a, 4b, 4c, and 4d correspond to the blocks that make up the Source IP, and the axes 4e, 4f, 4g, and 4h correspond to the blocks that make up the Destination IP. The upper end of each axis corresponds to the address value 000 represented by 8 bits, and the lower end of each axis corresponds to the address value 255. The address value of each block is displayed on each axis.

  The axes 4a and 4b are connected by a line 5a, the axes 4b and 4c are connected by a line 5b, the axes 4c and 4d are connected by a line 5c, the axes 4d and 4e are connected by a line 5d, and the axes 4e and 4f are lines 5e, shafts 4f and 4g are connected by a line 5f, and shafts 4g and 4h are connected by a line 5g. Each line connects a point on each axis at a position corresponding to the address value of each block. For example, the line 5a connects the point 200 on the axis 4a corresponding to the address value of the first block of Source IP and the point 201 on the axis 4b corresponding to the address value of the second block.

  A line 5d connects a point 202 on the axis 4d corresponding to the address value of the fourth block of Source IP and a point 203 on the axis 4e corresponding to the address value of the first block of Destination IP. An arrow pointing in the direction from point to point 203 is attached. This direction indicates the communication direction, and the communication direction is easily understood visually by the line 5d. As another method for making the communication direction easier to understand visually, the line may be drawn slowly from left to right.

  FIG. 3 shows a graph for additionally displaying the port number in characters. In FIG. 3, the TCP port number on the transmitting side is displayed in characters near the axis 4a, and the TCP Port number on the receiving side is displayed in characters near the axis 4h. Further, characters (000, 255) serving as a scale of the block address value are displayed near the upper end and the lower end of the axis 4a.

  The procedure for displaying the graphs shown in FIGS. 2 and 3 will be described below with reference to FIG. The display processing control unit 31 receives the communication information extracted by the communication information extraction unit 30 from the communication information extraction unit 30. When visualizing an IP address related to a single communication, the display processing control unit 31 displays the Source IP, Destination IP, and, if necessary, the Port number included in the single communication information, the axis display processing unit 33, the line The display processing unit 34 and the character display processing unit 35 are notified (step S100).

  The axis display processing unit 33 calculates the display position of each axis and outputs the information to the display image generation unit 36. The line display processing unit 34 calculates the display position of each line and outputs the information to the display image generation unit 36. The character display processing unit 35 calculates the display position of each character and outputs the information together with the character information to the display image generation unit 36 (step S110). The display image generation unit 36 generates a display image based on the information output from each display processing unit, and outputs the display image to the image display unit 37 (step S120). The image display unit 37 generates a display image (step S130).

  Next, a method for visualizing IP addresses related to a plurality of communications will be described. FIG. 5 shows a graph displaying IP addresses related to two types of communication. Communication with Source IP 192.168.0.20 and Destination IP 192.26.48.201 (hereinafter referred to as Communication A) and Communication with Source IP 31.41.128.110 and Destination IP 211.225.190.22 (hereinafter referred to as Communication B) )) Is displayed. Further, in order to clearly indicate the address value of each axis, the address value is displayed in characters on the right side of each axis.

  FIG. 6 shows a graph visualizing the communication frequency. The line indicating communication B is thicker than that in FIG. The line display processing unit 34 controls the line thickness according to the communication frequency. Visualizing communication as shown in FIG. 5 makes it easy to grasp the degree of IP address bias (distribution). The communication frequency is notified from the display processing control unit 31 to the line display processing unit 34. The display processing control unit 31 acquires communication frequency information as follows.

  FIG. 7 shows a table used by the display processing control unit 31 to manage information related to communication. The table 700 is a table for managing information related to the communication A (Source IP: 192.168.0.20, Destination IP: 192.26.48.201), and the table 710 is a communication B (Source IP: 31.41.128.110, Destination IP: 211.225.190.22) is a table for managing information. Hereinafter, the structure of the table will be described using the table 700 as an example.

  The table 700 is composed of partial tables 701 to 706, a source IP 707, and a destination IP 708 indicating the correspondence and frequency of address values of adjacent blocks. The partial table 701 associates address values and frequencies of the first block and the second block of Source IP. The partial table 702 associates address values and frequencies of the second block and the third block of Source IP. The partial table 703 associates address values and frequencies of the third block and the fourth block of Source IP. Partial tables 704, 705, and 706 are similar partial tables for Destination IP. Although not shown, information is also added to the table 700 as appropriate for the port number.

  Hereinafter, the operation of the display processing control unit 31 will be described with reference to FIG. It is assumed that the above table has not yet been created before the start of the processing shown in FIG. The display processing control unit 31 refers to the communication information for one communication ID from the communication information extracted by the communication information extraction unit 30 (step S200). Subsequently, the display processing control unit 31 executes processing related to the above table (table creation or update processing) (step S210).

  In step S210, the display processing control unit 31 refers to the Source IP and Destination IP included in the communication information and determines whether a table storing IP addresses that match those IP addresses has already been created. When step S210 is executed for the first time after the processing shown in FIG. 8 is started, or when a table having an IP address that matches the IP address included in the communication information has not yet been created, the display processing control unit 31 creates a new one. A table is created, and the source IP, the destination IP, and the address value of each block are stored in the table, and the frequency is set to 1. When a table having an IP address that matches the IP address included in the communication information has already been created, the display processing control unit 31 updates the table by adding 1 to the frequency.

  Subsequent to step S210, the display processing control unit 31 determines whether or not all the communication information extracted by the communication information extraction unit 30 has been processed (step S220). If there is communication information that has not been processed, the process returns to step S200, and processing of communication information that has not been processed yet is executed. When all the communication information is processed, the display processing control unit 31 displays the source IP, the destination IP, the necessary port number, and the communication frequency as the axis display processing unit 33, the line display processing unit 34, the character display processing. The unit 35 is notified (step S230).

  In FIG. 6, a specific communication frequency value is not displayed, but a communication frequency value may be displayed. For example, the value of the communication frequency may always be displayed in the vicinity of a line connecting the axes, or the user moves the cursor on the screen by operating the mouse provided in the input unit 32, and the cursor moves over the line. The value of the communication frequency may be displayed in text when it overlaps with. In the above description, the line display processing unit 34 controls the line thickness according to the communication frequency. However, the line color may be controlled according to the communication frequency.

  Next, communication performed between one source IP and multiple destination IPs (one-to-many communication), communication performed between multiple source IPs and one destination IP (many-to-one communication), and A method for visualizing IP addresses related to communication (many-to-many communication) executed between a plurality of source IPs and a plurality of destination IPs will be described.

  FIG. 9 shows a graph displaying IP addresses related to one-to-many communication. The source IPs of the plurality of communications visualized in FIG. 9 are the same, but the destination IPs are different. More specifically, the address values of the first to third blocks of Destination IP are the same, but only the address values of the fourth block are different. For this reason, the shafts 4g and 4h are connected by a plurality of lines. The line connecting the shafts 4g and 4h is thinner than the line connecting the shafts 4a to 4g. In the case of many-to-one communication, a similar graph can be displayed only by reversing the concentration and diffusion of Source IP and Destination IP.

  FIG. 10 shows a graph displaying IP addresses related to many-to-many communication. In the plurality of communications visualized in FIG. 10, the source IP and the destination IP are not one type but a plurality of types. However, the address value of at least the first block of each IP address is the same. Since there are a plurality of address values in the fourth block of Source IP and Destination IP, axes 4d and 4h intersect with a plurality of lines. In order to clarify the IP address range as a filtering rule, on the right side of the axis 4d, 4h of the fourth block where the address value is spread, not all address values but only the address values at both ends of the spread range are shown. It is displayed.

  FIG. 11 also shows a graph that displays IP addresses related to many-to-many communication. In the communication visualized in FIG. 11, the address value of the fourth block is spread for both the Source IP and Destination IP, but the communication frequency for each address value is biased. That is, the communication in which the address value of the fourth block of Source IP is 64 and the address value of the fourth block of Destination IP is 156 is more frequent than other communications. By visualizing communication as shown in FIGS. 9 to 11, it becomes easy to grasp the concentration and diffusion of communication.

  Hereinafter, a table used by the display processing control unit 31 for managing information related to communication when the communication is visualized as illustrated in FIGS. 9 to 11 will be described. Hereinafter, an example of visualizing the communication shown in FIG. 11 will be described with reference to FIG. In the table 1200 shown in FIG. 12, there are a plurality of partial tables showing the relationship between the address values of the third block and the fourth block and the frequency. Since there are a plurality of source IPs and destination IPs, a plurality of IP addresses are stored in the source IP 1210 and the destination IP 1220 of the table 1200.

  Hereinafter, processing contents of the display processing control unit 31 will be described using an example in which one piece of communication information (Source IP: 192.168.0.64, Destination IP: 192.26.48.156) is a processing target. In step S210 of FIG. 8, the display processing control unit 31 compares the address value of the first block of the Source IP with the address value of the first block of the Source IP 1210 of the table 1200 (or the address value of the first block of the partial table 1230). At the same time, the address value of the first block of the Destination IP included in the communication information is compared with the address value of the first block of the Destination IP 1220 of the table 1200 (or the address value of the first block of the partial table 1260).

  Since both address values match, the display processing control unit 31 recognizes that the table corresponding to the communication information to be processed is the table 1200. If any address value does not match, the same processing is performed for the other tables. Further, even if the same processing is performed for all the tables, if there is no table having the same address value, a new table needs to be created.

  Subsequently, the display processing control unit 31 compares the combination of the address values of the first block and the second block of the Source IP with the combination of the address values of the first block and the second block of the partial table 1230. Since both match, the display processing control unit 31 adds 1 to the frequency of the partial table 1230. If they do not match, it is necessary to add a new partial table.

  Subsequently, the display processing control unit 31 similarly compares the combination of the address values of the second block and the third block of the Source IP with the combination of the address values of the second block and the third block of the partial table 1240. Since both match, the display processing control unit 31 adds 1 to the frequency of the partial table 1240.

  Subsequently, the display processing control unit 31 combines the combination of the address values of the third block and the fourth block of the Source IP and the combination of the address values of the third block and the fourth block of the partial table 1250 relating to the third block and the fourth block. And compare. Since there are a plurality of partial tables 1250 related to the third block and the fourth block, the display processing control unit 31 executes comparison processing for each partial table. As a result, the display processing control unit 31 adds 1 to the frequency of the partial table 1251. Thereafter, 1 is added to the frequencies of the partial tables 1260, 1270, and 1281 in the same manner.

  In FIG. 11, the address values (64, 156) with high communication frequency are displayed without being omitted for the axes 4d, 4h. In order to determine whether or not to display without omitting the address value, processing based on the frequency distribution of address values of the same block (can be created from the table 1200 shown in FIG. 12) may be performed. . For example, the top N address values of the frequency distribution may be displayed without being omitted. Alternatively, a theoretical statistical distribution of frequencies may be created, and address values having a high frequency out of the 95% confidence interval may be displayed without being omitted.

  Next, a method for visualizing the port number along with the IP address will be described. FIG. 13 shows a graph displaying the IP address and the Port number. The axis 4i corresponds to the port number on the transmission side, and the axis 4j corresponds to the port number on the reception side. Further, a point 1300 on the axis 4i corresponding to the port number on the transmission side and a point 1301 on the axis 4a corresponding to the address value of the first block of Source IP are connected by a line 5h. Similarly, a point 1302 on the axis 4j and a point 1303 on the axis 4h are connected by a line 5i. In order to easily distinguish the IP address and the port number, the axes 4a to 4h and the axes 4i and 4j may be identified by colors.

  Next, a method for omitting display of axes corresponding to some blocks will be described. In the graph shown in FIG. 14, only the axis 4a is displayed for the Source IP, and only the axes 4e and 4h are displayed for the Destination IP. The reason why only the axis 4a is displayed regarding the source IP is that the source IPs related to all the communications are the same. In addition, only the axes 4e and 4h are displayed for the Destination IP because the address values from the first block to the third block of the Destination IP are the same in all communications, and only the address values of the fourth block are different. Because it was.

  On the axis 4a, the entire Source IP including address values from the second block to the fourth block corresponding to the omitted axis is displayed in characters. On the axis 4e, the address values from the first block to the third block including the address values of the second block and the third block corresponding to the omitted axis are displayed in characters. By omitting the display of the axes as shown in FIG. 14, it becomes easier to see the graph, and it becomes easier to grasp the concentration and diffusion of communication. In addition, when the axis display is omitted, the line passing through the point (points 1400 and 1401) at the center position of the axis corresponding to the upper block of the block in which the axis display is omitted is taken into consideration for easy viewing of the graph. Is drawn.

  The graph shown in FIG. 15 shows an example in which the display is omitted when the address value and the port number of the block of the IP address are spread. For example, the line connecting the axis 4i and the axis 4a for displaying the port number on the transmission side is omitted, and “xxx” is displayed on the axis 4i. “Xxx” means that display of values is omitted. In addition, the axes corresponding to the fourth block of Source IP and the fourth block of Destination IP in which address values are spread are omitted, and “xxx” is displayed on the axes 4c and 4g.

  As for the port number, even if the display is omitted, the axis remains. Regarding the IP address, the axis corresponding to the block whose display is omitted is integrated with the axis corresponding to the upper block. As shown in FIG. 15, by omitting the display of the axes related to the spread address values and port numbers, the graph becomes easier to see and the concentration of communication becomes easier to grasp.

  Whether to display the graph in the display format of FIG. 14 or FIG. 15 may be selected by the user as appropriate, or may be determined from the degree of dispersion of the address values and port numbers. When determining from the degree of dispersion of address values and port numbers, the information entropy value indicating the degree of information dispersion (variation) is calculated for the address values and port numbers. If the degree of dispersion is low, the display is not omitted. The display may be omitted when the degree of dispersion is high.

  14 and 15, when displaying a plurality of IP addresses having at least the same address value of the first block, which IP address is the address value of any of the first to third blocks. In the case of the same, the display of the axis corresponding to the lower block of the block is omitted. In order to perform such display, the display processing control unit 31 executes processing for determining whether or not to omit axis display.

  When visualizing communication as illustrated in FIG. 14, the display processing control unit 31 executes a determination process for determining whether or not to omit the display of the axis as follows. FIG. 16 shows a table for managing information related to the communication shown in FIG. The format of the table 1600 shown in FIG. 16 is almost the same as the table 700 shown in FIG. 7 and the table 1200 shown in FIG. 12, but the source port 1610 (transmission side) and the destination port 1620 (reception side) are added to the table. Has been.

  The display processing control unit 31 determines whether or not to omit the axis display based on the number of partial tables indicating the correspondence relationship between the address values of adjacent blocks. In the table 1600 of FIG. 16, there is one partial table 1630, 1640 indicating the relationship between the nth block and the (n−1) th block (n = 2, 3, 4) with respect to the source IP. The control unit 31 determines that the address value of the block is not diffused and the axis display can be omitted.

  Further, since there is only one partial table 1650 indicating the correspondence between the second block and the third block with respect to the Destination IP, the display processing control unit 31 does not diffuse the block address value and displays the axis. It is determined that it can be omitted. Furthermore, since there are a plurality of partial tables 1660 indicating the correspondence between the third block and the fourth block, the display processing control unit 31 has the address value of the fourth block spread, and the axis corresponding to the fourth block. Is determined not to be omitted.

  Also in the case of visualizing communication as shown in FIG. 15, the display processing control unit 31 determines whether or not to omit the axis display based on the number of partial tables indicating the correspondence relationship between the address values of adjacent blocks. Determine whether. However, if there are a plurality of partial tables and the address value of the block is spread, it is determined that the display of the axis corresponding to the block is omitted, the partial table is one, and the address value of the block is If it is not diffused, it is determined that the display of the axis corresponding to the block is not omitted.

  Next, a method for searching and visualizing an IP address or a port number that matches a desired search condition will be described. In the graph shown in FIG. 17, a pull-down menu (hereinafter referred to as a menu) for the user to specify a search condition is displayed. A menu 1700 is used to select a communication protocol. A menu 1710 is used to select a port number (Source Port). When the user selects a desired port number from the menu 1710, a graph relating to the port number is displayed.

  The menu 1720 is for selecting an address value of a block of IP addresses. When the user selects a desired address value from the menu 1720, a graph regarding the address value is displayed. When search conditions are specified in a plurality of menus, IP addresses and port numbers are searched using the search conditions specified in each menu as AND conditions. When the IP address or port number related to DDos attacks or virus infections can be identified, etc., the user can specify the search conditions as described above to extract and visualize only the relevant communication. Can do.

  When the user inputs information indicating a search condition for an address value or a port number to the input unit 32 (for example, when the user operates the above menu with a mouse or the like provided in the input unit 32), the display processing control unit 31 displays the input unit 32. On the basis of the information input in, processing is performed for the IP address and port number that satisfy the search condition specified by the user.

  The graph shown in FIG. 18 displays information on the top N items regarding the address value of the block represented by each axis and the frequency of the port number. The number “5” is selected in the menu 1800, which indicates that only the top five most frequently occurring address values of the first block corresponding to the axis 4a are displayed. Similarly, frequency search conditions are also selected in the menus 1810, 1820, and 1830, and IP addresses and port numbers are searched using these search conditions as AND conditions. As a result, only frequent communications are visualized, so that the status of frequent communications can be grasped.

  The graph shown in FIG. 19 displays information on a high frequency content rate regarding the address value of the block and the frequency of the port number represented by each axis. The number “10%” is selected in the menu 1900. This is an address having a frequency that is 10% or more of the total frequency of the address values for the address value of the first block corresponding to the axis 4a. Indicates that only the value is displayed. Similarly, search conditions relating to frequency are also selected in the menus 1910, 1920, and 1930, and IP addresses and port numbers are searched using these search conditions as AND conditions. As a result, only frequent communications are visualized, so that the status of frequent communications can be grasped.

  Next, a method for visualizing an IP address related to bidirectional communication will be described. In the graph shown in FIG. 2 and the like, communication from the left (Source IP) to the right (Destination IP) is visualized. In the case of the TCP protocol, this communication direction means, for example, the direction in which a SYN packet indicating the start of communication flows. In the FTP service of the UDP protocol or the TCP protocol, there is communication in which the communication direction is frequently switched. Even when the communication direction is switched, it is possible to easily express the connection state of communication by displaying bidirectional communication integrally with a set of lines.

  Hereinafter, a technique for visualizing an IP address related to bidirectional communication will be described using a DDos attack as an example. FIG. 20 shows a state of communication related to the DDos attack. First, communication for intrusion from the terminal of the intruder 2000 to the noticed terminal 2010 is performed, and the noticed terminal 2010 that has entered enters the platform and accesses the terminal of the attack commander 2020 in order to receive an attack instruction. Subsequently, based on the attack instruction received from the terminal of the attack commander 2020, the target terminal 2010 performs a DDos attack on the plurality of terminals 2030.

The IP address related to this DDos attack communication is visualized as follows. The DDos attack consists of the following three steps.
Step1. The intruder exploits the vulnerability of the device of interest and succeeds in the intrusion, and embeds the virus code for the platform on the device of interest.
Step2. In order to receive an attack command for embedding an infected code in a plurality of terminals, the target terminal connects to the terminal of the attack commander.
Step3. According to the command, the target terminal attacks the other terminal.

  FIG. 21A shows the state of communication in Step 1, and FIG. 21B shows a graph displaying IP addresses related to communication. The left side of the graph shows the intruder's terminal (IP address: 60.0.84.57), and the right side of the graph shows the terminal of interest (IP address: 192.26.48.201).

  FIG. 22A shows a state of communication up to Step 2, and FIG. 22B shows a graph displaying IP addresses related to communication. In order to receive an attack command, the terminal of interest is shown connecting to the terminal of the attack commander (IP address: 80.151.182.10). In FIG. 2 and the like, the left side of the graph indicates the transmitting side, and the right side of the graph indicates the receiving side. However, in FIG. 22B, the IP address of the terminal of interest that transmitted and received is fixedly displayed on the right side of the graph. The The arrow indicating the communication direction indicates the start direction of the first communication (in the case of the TCP protocol, the transmission direction of the SYN packet), and the reply packet to the transmission packet is visualized by the same line.

  When the source IP related to one communication and the destination IP related to the other communication are the same between the two types of communication, the display processing control unit 31 sets the same IP address as the right side of the graph. Each display processing unit is controlled so as to be visualized by fixing only to one of the left side. For example, when the graph shown in FIG. 22B is displayed, the display processing control unit 31 fixes the IP address of the terminal of interest as the IP address to be displayed on the axes 4e to 4h, and performs line and character display processing. Control.

  FIG. 23A shows a state of communication up to Step 3, and FIG. 23B shows a graph displaying IP addresses related to communication. A state in which the terminal of interest attacks a plurality of terminals is shown. The graphs shown in FIGS. 21B, 22B, and 23B are sequentially displayed as moving images. This makes it possible to grasp the flow of the attack.

  When visualizing communication as described above, the display processing control unit 31 executes the following processing. FIG. 24 shows a table for managing information related to the communication. In the tables 2400, 2410, and 2420 shown in FIG. 24, times 2401, 2411, and 2421 are added as compared with the above-described table. The table creation method is as described above, and the time included in the communication information is stored in the times 2401, 2141, and 2421 of each table. When a plurality of pieces of communication information are stored in the table, a plurality of times are stored in the table.

  The display processing control unit 31 identifies a series of communication flows based on times 2401, 2141, and 2421. In addition, based on the times 2401, 2141, and 421, the display timing of communication in moving image display is controlled. The display processing control unit 31 first notifies the information of the table 2400 to the axis display processing unit 33, the line display processing unit 34, and the character display processing unit 35 in order to visualize the information of the table 2400. Each display processing unit executes processing necessary for displaying each information, and outputs information indicating the processing result to the display image generating unit 36. The display image generation unit 36 generates a display image based on the information output from each display processing unit and outputs the display image to the image display unit 37. The image display unit 37 generates a display image. As a result, the graph shown in FIG. 21B is displayed.

  Subsequently, the display processing control unit 31 notifies the axis display processing unit 33, the line display processing unit 34, and the character display processing unit 35 of the information of the table 2410 in order to visualize the information of the table 2410. Each display processing unit executes processing necessary for displaying each information included in the table 2410 together with the table 2400, and outputs information indicating the processing result to the display image generation unit 36. The display image generation unit 36 generates a display image based on the information output from each display processing unit and outputs the display image to the image display unit 37. The image display unit 37 generates a display image. As a result, the graph shown in FIG. 22B is displayed.

  Subsequently, the display processing control unit 31 notifies the axis display processing unit 33, the line display processing unit 34, and the character display processing unit 35 of the information of the table 2420 in order to visualize the information of the table 2420. Each display processing unit executes processing necessary for displaying each information included in the table 2420 together with the tables 2400 and 2410, and outputs information indicating the processing result to the display image generation unit 36. The display image generation unit 36 generates a display image based on the information output from each display processing unit and outputs the display image to the image display unit 37. The image display unit 37 generates a display image. As a result, the graph shown in FIG. 23B is displayed.

  In FIG. 21 (b), FIG. 22 (b), and FIG. 23 (b), the line related to the newly visualized communication is displayed as a real image, and the line related to communication performed before that is used as an afterimage. It may be displayed. For example, a line displayed as a real image may be displayed brightly and a line displayed as an afterimage may be displayed darkly. It is also possible to change the speed of the moving image display, and it is possible to display at a normal display speed (for example, 30 frames / second), or display with fast forward or slow forward.

  As described above, according to the present embodiment, by displaying the IP addresses of the transmitting side and the receiving side with the axis for displaying the address value for each block and the line connecting the points on each axis, It becomes easy to grasp the relationship between the IP address of the transmission side and the reception side only by looking at one graph. Furthermore, the communication direction can be easily understood by connecting the axes of the transmission side and the reception side with a line with an arrow indicating the communication direction. In addition, by visualizing the port number, it becomes easy to understand the abnormality related to the port number and create a filtering rule.

  Further, by displaying the IP address related to the abnormal communication extracted by the communication analysis unit 21 and the communication information extraction unit 30 operating in cooperation, it is easy to grasp the abnormality of the communication. Furthermore, since it becomes easy to grasp the regularity of abnormal communication, it becomes easy to create a filtering rule.

  Also, by controlling the display mode (thickness and color) of the line according to the communication frequency, it becomes easy to understand the concentration and diffusion of communication, so it is possible to grasp the abnormalities of communication and create filtering rules Becomes easier. Furthermore, omitting the display of the axes as shown in FIG. 14 and FIG. 15 makes it easier to see the graph, making it easier to grasp the abnormalities of communication and create filtering rules.

  In addition, as shown in FIGS. 17 to 19, by displaying the IP address and the port number satisfying the search condition, it becomes possible to more clearly grasp the behavior of the communication that is desired to be noticed or frequently communicated. .

  As shown in FIGS. 21 to 23, when visualizing a plurality of communications in which the same IP address appears on both the transmission side and the reception side, the IP address is fixed and displayed on the right or left side of the graph. By executing the process, it becomes easier to grasp the status of a plurality of communications in which the communication directions are switched. Furthermore, by controlling the display timing of the IP address and the Port number based on the communication time and displaying the moving image, it becomes possible to grasp a series of communication flows related to the attack.

  As described above, the embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the above-described embodiments, and includes design changes and the like without departing from the gist of the present invention. . For example, a program for realizing the operation and function of the IP address visualization device according to the above-described embodiment is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read by the computer and executed. May be.

  Here, the “computer” includes a homepage providing environment (or display environment) if the WWW system is used. The “computer-readable recording medium” refers to a storage device such as a portable medium such as a flexible disk, a magneto-optical disk, a ROM, and a CD-ROM, and a hard disk built in the computer. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The program described above may be transmitted from a computer storing the program in a storage device or the like to another computer via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting a program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. Further, the above-described program may be for realizing a part of the above-described function. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer, what is called a difference file (difference program) may be sufficient.

It is a block diagram which shows the structure of the IP address visualization apparatus by one Embodiment of this invention. It is a reference diagram showing a graph of IP address in one embodiment of the present invention. It is a reference diagram showing a graph of IP address in one embodiment of the present invention. It is a flowchart which shows the visualization procedure of the IP address in one Embodiment of this invention. It is a reference diagram showing a graph of IP address in one embodiment of the present invention. It is a reference diagram showing a graph of IP address in one embodiment of the present invention. In one Embodiment of this invention, it is a reference figure which shows the content of the table which a display process control part uses for a process. It is a flowchart which shows the operation | movement procedure of the display process control part in one Embodiment of this invention. It is a reference diagram showing a graph of IP address in one embodiment of the present invention. It is a reference diagram showing a graph of IP address in one embodiment of the present invention. It is a reference diagram showing a graph of IP address in one embodiment of the present invention. In one Embodiment of this invention, it is a reference figure which shows the content of the table which a display process control part uses for a process. It is a reference figure which shows the graph of the IP address and Port number in one Embodiment of this invention. It is a reference figure which shows the graph of the IP address and Port number in one Embodiment of this invention. It is a reference figure which shows the graph of the IP address and Port number in one Embodiment of this invention. In one Embodiment of this invention, it is a reference figure which shows the content of the table which a display process control part uses for a process. It is a reference figure which shows the graph of the IP address and Port number in one Embodiment of this invention. It is a reference figure which shows the graph of the IP address and Port number in one Embodiment of this invention. It is a reference figure which shows the graph of the IP address and Port number in one Embodiment of this invention. It is a reference figure which shows the mode of communication concerning a DDos attack. It is a reference figure which shows the state of the communication which concerns on DDos attack, and the graph of an IP address and a Port number. It is a reference figure which shows the state of the communication which concerns on DDos attack, and the graph of an IP address and a Port number. It is a reference figure which shows the state of the communication which concerns on DDos attack, and the graph of an IP address and a Port number. In one Embodiment of this invention, it is a reference figure which shows the content of the table which a display process control part uses for a process.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... Communication information management part, 2 ... Abnormality detection part, 3 ... Display processing part, 10 ... Communication monitoring part, 11 ... Communication information storage part, 20 ... Acquisition of analysis object information Part, 21 ... communication analysis part, 30 ... communication information extraction part, 31 ... display processing control part, 32 ... input part, 33 ... axis display processing part, 34 ... line display Processing unit, 35... Character display processing unit, 36... Display image generation unit, 37.

Claims (13)

Display means for displaying information;
Storage means for storing a first IP address and a second IP address indicating a transmission / reception relationship relating to communication executed on a network in association with each communication;
Processing for causing the display means to display a first axis for displaying an address value of a block constituting the first IP address and a second axis for displaying an address value of a block constituting the second IP address Axis display processing means for executing
Corresponding to the first line connecting the points on the first axis corresponding to the address value of each block constituting the first IP address, and the address value of each block constituting the second IP address Line display processing means for executing processing for displaying the second line connecting the points on the second axis on the display means;
An IP address visualization device characterized by comprising: An abnormality detection means for detecting abnormal communication based on communication characteristic information indicating characteristics of communication executed on the network;
An extraction means for extracting an IP address related to the abnormal communication detected by the abnormality detection means out of the first IP address and the second IP address stored in the storage means;
The IP address visualization device according to claim 1, wherein the axis display processing unit and the line display processing unit use the IP address extracted by the extraction unit for processing.   The line display processing means further displays an IP address having the same address value of any two adjacent blocks when displaying a plurality of the first IP addresses having the same address value of at least the highest block. The IP display mode according to claim 2, wherein the display form of the first line connecting points on the first axis corresponding to the address value of the adjacent block is controlled according to the frequency of the IP. Address visualization device.   The line display processing means further displays an IP address having the same address value of any two adjacent blocks when displaying a plurality of the second IP addresses having the same address value of at least the highest block. The display form of the second line connecting the points on the second axis corresponding to the address value of the adjacent block is controlled according to the frequency of the second block. IP address visualization device described in 1.   The axis display processing means further displays the plurality of first IP addresses having the same address value of at least the highest block, and when the address value of any block is the same for any IP address 5. The IP address visualization apparatus according to claim 2, wherein display of the first axis corresponding to a block below the block is omitted.   The axis display processing means further displays a plurality of the second IP addresses having the same address value of at least the highest block, and when the address value of any block is the same for any IP address 5. The IP address visualization apparatus according to claim 2, wherein display of the second axis corresponding to a block below the block is omitted. It further comprises an input means for the user to enter IP address search conditions,
The axis display processing means and the line display processing means use an IP address satisfying the search condition from the first IP address and the second IP address extracted by the extraction means for processing. The IP address visualization device according to any one of claims 2 to 6, wherein:   The line display processing unit further relates to the first communication when displaying the first IP address and the second IP address related to a plurality of communications including the first communication and the second communication. When the IP address on the transmission side and the IP address on the reception side related to the second communication are the same, the same IP address is set as one of the first IP address and the second IP address. The IP address visualization apparatus according to claim 2, wherein the process is executed while being fixed to the IP address. The storage means further stores the first IP address and the second IP address in association with time information for each communication,
The line display processing means further controls display timing of the first line and the second line displayed by the display means based on the time information. The IP address visualization device according to any one of the above. The storage means further stores a first port number and a second port number related to communication executed on the network in association with the first IP address and the second IP address for each communication,
The extraction means further extracts a port number related to the abnormal communication detected by the abnormality detection means from the first port number and the second port number stored in the storage means,
The axis display processing means further executes a process of causing the display means to display a third axis for displaying the first Port number and a fourth axis for displaying the second Port number,
The line display processing means further includes a point on the first axis corresponding to an address value of any block constituting the first IP address, and the third port corresponding to the first port number. Corresponding to the second port number and the third line connecting the point on the axis and the point on the second axis corresponding to the address value of any block constituting the second IP address The IP address visualization apparatus according to any one of claims 2 to 9, wherein a process of displaying a fourth line connecting the point on the fourth axis on the display unit is executed. .   The line display processing means further includes a first intersection point where any one of the first axes and the first line intersects, and a second point where any one of the second axes and the second line intersects. The IP address according to any one of claims 2 to 10, wherein a process for displaying a line with an arrow indicating a communication direction on the display means is performed. Visualization device.   The program for functioning a computer as an IP address visualization apparatus in any one of Claims 1-11.   A computer-readable recording medium on which the program according to claim 12 is recorded.

Images