KR101987031B1 - Method for providing visualization of information for network management and apparatus using the same - Google Patents

Abstract

In the present disclosure, disclosed are a method for providing visualization of information for network control and a computing device using the same. More particularly, in the method of the present invention, the computing device provides visualized information on a predetermined user interface for controlling a network when at least one of a packet and a log is obtained from at least one node belonging to the network, wherein the user interface comprises: a first area displaying at least a part of information of an event detected from at least one of the packet and the log; a second area displaying a topology of the network; and a third area displaying network analysis information that is a result of analyzing the network.

Description

[0001] METHOD FOR PROVIDING VISUALIZATION OF INFORMATION FOR NETWORK MANAGEMENT AND APPARATUS USING THE SAME [0002]

Disclosed herein is a method for providing visualization of information for network management and a computing device using the same. Specifically, in accordance with the method according to the present invention, when at least one of a packet and a log is obtained from at least one node belonging to a network, the computing device provides visualized information for control of the network on a predetermined user interface Wherein the user interface comprises: a first area for displaying at least a portion of information of an event to be detected from at least one of the packet and the log; A second area for indicating a topology of the network; And a third area for displaying network analysis information as a result of analyzing the network.

BACKGROUND ART [0002] With the development of network and wireless communication technologies such as the Internet, the use of wired and wireless communication continues to increase.

However, in recent years, a variety of malicious traffic attacks such as a malicious traffic attack such as a denial of service (DoS) attack and a structured query language (SQL) injection attack frequently occur on a wire / wireless communication network Problems are emerging. Attacks that attack malicious nodes (or devices) connected to the network and cause them to run out of resources for their intended purpose, intentionally exploiting security loopholes in applications (application programs) Such as an attack to unauthorized manipulation of a database by causing the attack to be executed by an attacker or a victim of the attack, Or the function of the Internet site or service may be interrupted or interrupted temporarily or indefinitely. Therefore, it is necessary to prepare for detection of such malicious behavior.

In the conventional packet or log collection and analysis system, various user interfaces are provided in order to detect and respond to such specific attack or abnormal event. In such a collection and analysis system, it is important to quickly detect the event and notify the user (real-time property), but trade-off occurs because it is also important to accurately detect and notify (accuracy).

In this document, threats and compliance information from detected events are comprehensively displayed, and information on interlocking equipment, protection assets, and end-point equipment in the organization that is the target of control and protection is visualized through 3D network topology A method for assisting real time control and precise control of various kinds of events by providing them to users, and a device using the method.

10-1695278 B

The present invention aims at assisting a user in analyzing multiple threats and comprehensive security management by displaying three-dimensional globe-type visualization, network topology visualization, detailed traffic analysis information, and detailed information of an associated asset by means of event analysis .

The characteristic configuration of the present invention for achieving the object of the present invention as described above and realizing the characteristic effects of the present invention described below is as follows.

According to an aspect of the invention, there is provided a method of providing visualization of information for network management, wherein at least one of a packet and a log is obtained from at least one node in the network, Wherein the device provides visualized information for control of the network on a predetermined user interface or other device associated with the computing device to provide the visualized information on the user interface, A first area for displaying at least a portion of information of an event to be detected from at least one of the packet and the log; A second area for indicating a topology of the network; And a third area for displaying network analysis information as a result of analyzing the network.

According to another aspect of the present invention, there is also provided a computer program comprising instructions implemented to perform the method according to the present invention.

According to another aspect of the present invention there is provided a computing device for providing visualization of information for network management, the computing device comprising: a communication unit for obtaining at least one of a packet and a log from at least one node belonging to the network; And when at least one of the packet and the log is acquired, providing visualized information for the control of the network on a predetermined user interface, or allowing other devices connected through the communication unit to display the visualized information on the user interface Wherein the user interface comprises: a first region for displaying at least a portion of information of an event to be detected from at least one of the packet and the log; A second area for indicating a topology of the network; And a third area for displaying network analysis information as a result of analyzing the network.

According to the exemplary embodiment of the present disclosure, there is an advantage that not only can the detected threat information be provided to the user in real time, but also can assist the user to acquire the related information accurately.

Therefore, detection accuracy and real-time property are improved.

BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention to those skilled in the art Other drawings can be obtained based on these figures without the need for effort to the novel invention.
1 is a conceptual diagram schematically illustrating an exemplary configuration of a computing device that performs a method of providing visualization of information for network control (hereinafter referred to as "network management information visualization method") according to an embodiment of the present invention .
2 is a conceptual diagram illustrating a hardware and software architecture of a computing device performing a network management information visualization method according to an embodiment of the present invention.
3 is a flowchart illustrating a method of visualizing network management information according to an exemplary embodiment of the present invention.
FIG. 4A is a conceptual diagram illustrating a user interface provided in the network control information visualization method according to an exemplary embodiment of the present invention. FIGS. 4B to 4E illustrate a first to fourth regions of the UI shown in FIG. More specifically, FIG.
FIG. 5A is a conceptual view illustrating a state in which the user interface is changed in response to a user's manipulation of the user interface illustrated in FIG. 4A, FIGS. 5B and 5C are diagrams illustrating the elements of the user interface shown in FIG. These are the drawings.

The following detailed description of the invention refers to the accompanying drawings, which illustrate, by way of example, specific embodiments in which the invention may be practiced in order to clarify the objects, technical solutions and advantages of the invention. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS In the following description of the present invention with reference to the accompanying drawings, the same components are denoted by the same reference numerals regardless of the reference numerals, and a duplicate description thereof will be omitted.

Specific structural or functional descriptions of embodiments are set forth for illustrative purposes only, and may be embodied with various changes and modifications. Accordingly, the embodiments are not intended to be limited to the particular forms disclosed, and the scope of the present disclosure includes changes, equivalents, or alternatives included in the technical idea.

The terms first or second, etc. may be used to describe various elements, but such terms should be interpreted solely for the purpose of distinguishing one element from another. For example, the first component may be referred to as a second component, and similarly, the second component may also be referred to as a first component.

It is to be understood that when an element is referred to as being "connected" to another element, it may be directly connected or connected to the other element, although other elements may be present in between.

The singular expressions include plural expressions unless the context clearly dictates otherwise. In this specification, the terms "comprises" or "having", etc. are intended to designate the presence of stated features, integers, steps, operations, components, parts or combinations thereof, , &Quot; an ", " an ", " an "

Unless otherwise defined, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with the meaning of the context in the relevant art and, unless explicitly defined herein, are to be interpreted as ideal or overly formal Do not.

Throughout the description and claims of this disclosure, an 'address' refers to an IP address, a MAC address, or the like.

An IP address is a special number that a device in a computer network uses to recognize and communicate with each other. Whether the device connected to the network is a router or a general server, all machines must have this special number. A message can be sent on behalf of the sender and delivered to the intended destination towards the recipient. An IP address is abbreviated as IP.

The MAC address is a unique identifier assigned to the network interface for communication at the data link layer of the network segment. MAC addresses are used as network addresses in most IEEE 802 network technologies, including Ethernet and Wi-Fi. Logically, the MAC address is used in the lower layer of the OSI N model called the Medium Access Control Protocol. A more detailed description of addresses including IP addresses, MAC addresses, etc. will be omitted in order to avoid obscuring the gist of the present invention.

Moreover, the present invention encompasses all possible combinations of embodiments shown herein. It should be understood that the various embodiments of the present invention are different, but need not be mutually exclusive. For example, certain features, structures, and characteristics described herein may be implemented in other embodiments without departing from the spirit and scope of the invention in connection with one embodiment. It should also be understood that the position or arrangement of individual components within each disclosed embodiment may be varied without departing from the spirit and scope of the present invention. The following detailed description is, therefore, not to be taken in a limiting sense, and the scope of the present invention is to be limited only by the appended claims, along with the full scope of equivalents to which such claims are entitled, if properly explained. In the drawings, like reference numerals refer to the same or similar functions throughout the several views.

Unless otherwise indicated herein or clearly contradicted by context, items referred to in the singular are intended to encompass a plurality unless otherwise specified in the context. In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings, so that those skilled in the art can easily carry out the present invention.

1 is a conceptual diagram schematically illustrating an exemplary configuration of a computing device that performs a network management information visualization method according to an embodiment of the present invention.

1, a computing device 100 according to an embodiment of the present invention includes a communication unit 110 and a processor 120. The communication unit 110 communicates with an external computing device (not shown) Communication is possible.

In particular, the computing device 100 may be any type of computing device, including, but not limited to, devices that may include elements of conventional computer hardware (e.g., a computer, a processor, memory, storage, input devices and output devices, , Electronic communication devices such as switches, electronic-information storage systems such as network-attached storage (NAS) and storage area networks (SAN), and computer software (i.e., ≪ RTI ID = 0.0 > and / or < / RTI > functions to achieve desired system performance. The storage may include storage devices such as a hard disk, a universal serial bus (USB) memory, as well as storage devices based on a network connection such as a cloud server.

The communication unit 110 of the computing device can transmit and receive a request and a response to and from other computing devices that are interlocked. For example, the request and the response are transmitted by the same transmission control protocol (TCP) But not limited to, a user datagram protocol (UDP) datagram, for example.

Specifically, the communication unit 110 may be implemented in the form of a communication module including a communication interface. For example, the communication interface may be a wireless LAN (WLAN), a wireless fidelity (WIFI) Direct, a digital living network alliance (DLNA), a wireless broadband (Wibro), a world interoperability for microwave access (Wimax), a high speed downlink packet access And a short range communication interface such as Bluetooth (TM), radio frequency identification (RFID), infrared data association (IrDA), ultra-wideband (UWB), ZigBee and near field communication can do. In addition, the communication interface may represent any interface (e.g., a wired interface) capable of communicating with the outside.

For example, the communication unit 110 can acquire logs, packets, and the like from an external device through the appropriate communication interface. In addition, in a broad sense, the communication unit 110 may include or be associated with a keyboard, a mouse, an external input device, a printing device, a display, and other external output devices for receiving commands or instructions.

The processor 120 of the computing device may also be a micro processing unit (MPU), a central processing unit (CPU), a graphics processing unit (GPU), a neural processing unit (NPU) or a tensor processing unit ), A data bus, and the like. It may further include a software configuration of an operating system and an application that performs a specific purpose.

2 is a conceptual diagram illustrating a hardware and software architecture of a computing device performing a network management information visualization method according to an embodiment of the present invention.

2, the computing device 100 may implement the log / packet acquisition module 210. The log /

The log / packet acquisition module 210 may obtain at least one of a packet and a log from at least one node belonging to the network. For example, it includes a security threat detection system 305 for detecting an attack on information communication equipment such as a server, a database device, etc., for example, an intrusion detection system (IDS), an intrusion prevention system ), A web application firewall (WAF), and the like.

At least one of the acquired log and the packet includes items such as an HTTP header, a source IP, a destination IP, a payload, a port, and the like. Once delivered, the detection module 220 may determine a malicious activity event, an aggressive behavior event, or a suspicious behavior event based on these items. This is largely due to a compliance event (e.g., a PC or server connection during off hours, a large printout or copy of a large file, etc.) that refers to a suspicious event, such as breaching an organization regulation, (E.g., IPS, F / W, DRM, etc.), but the present invention is not limited thereto.

The detected events detected by the detection module 220 are delivered to the user interface module 230 and the user interface module 230 provides a predetermined user interface 400 on an output device, To the user.

Here, the user includes a user of the computing device or the server 100 that performs the method according to the present invention, a user who is in charge of the management and security of the network, the administrator, the supervisor, etc. In addition, It is to be understood that any subject may be included in any subject in need thereof. When the user is a human, the computing device 100 may provide visualized information to a user via a user interface displayed on a predetermined output device, e.g., a display.

This network management information visualization method will be described later in more detail.

2 may be implemented by, for example, the communication unit 110 or the processor 120 included in the computing device 100, or the interworking of the communication unit 110 and the processor 120 Will be understood by those of ordinary skill in the art and will be described in more detail below with respect to its functions and effects.

Now, a method of visualizing network control information according to the present invention will be described in detail with reference to FIGS. 3 to 5C. FIG.

3 is a flowchart illustrating a method of visualizing network management information according to an exemplary embodiment of the present invention.

3, the method for visualizing network management information according to the present invention includes the steps of: first, a log / packet acquisition module 210 implemented by a computing device 100, for example, a server, from at least one node belonging to a network (S100) of acquiring at least one of a packet, a log, and a log or supporting another device (not shown) interlocked with the computing device 100 to acquire at least one of the packet and the log.

The method for visualizing the network control information according to the present invention is characterized in that the user interface module 230 implemented by the computing device 100 displays visualized information for controlling the network through a predetermined user interface , 400) or supporting the other device to provide the visualized information on the user interface (S200). Wherein information for control of the network, in particular event information, can be detected by the detection module 220 implemented by the computing device 100 based on at least one of the packet and the log, or assist the other device to detect have.

FIG. 4A is a conceptual diagram illustrating a user interface provided in the network control information visualization method according to an exemplary embodiment of the present invention.

Referring to FIG. 4A, the user interface 400 includes a first area 410 for displaying at least a part of information of a detected event from at least one of the packet and the log, a topology And a third area 430 for displaying network analysis information as a result of analyzing the network. According to an embodiment, the user interface 400 may further comprise a fourth area for displaying on the map a geographical location of at least one of a source address and a destination address of one or more specific events of the detected events have.

4B to 4E are views showing the first to fourth regions 410 to 440 of the UI shown in FIG. 4A in more detail.

Referring to FIG. 4B, an event classification is provided in the first area 410 as a graphical object according to an event classification. The event classification includes, for example, an overseas SSH connection, a harmful IP connection, But it should be understood by those of ordinary skill in the art that there may be, but are not limited to, the following compliance events, harmful IP access, unidentified IP access, abnormal contact attempts, threat events such as unauthorized access to external authorized IPs, It is possible to use various system classification schemes related to an event such as a large classification (for example, compliance, threat) and a small classification belonging to each major classification (for example, harmful IP access, etc.) as shown in FIG. 4B. For the convenience of the user, the name of each event category may be displayed together with the graphic object of each event category.

Referring to FIG. 4C, a topology of an exemplary network in the second area 420 is illustrated as a three-dimensional model, and the user interface module 230 of the computing device 100 includes a three- It can provide rotation, zooming and zooming functions for the model. Wherein the network topology may include nodes and at least one line segment connecting the nodes.

Preferably, the network topology may include protected assets that are subject to control.

Referring to FIG. 4D, an example in which network analysis information is displayed in the third area 430 includes network analysis information including at least one of traffic analysis information of a specific node (or asset) and asset information of the specific node May be included. The traffic analysis information includes maximum traffic information for each device, maximum traffic information for each source address, maximum traffic information for each destination address, maximum traffic information for each port, ) Of the maximum traffic information.

Here, the maximum traffic information may be composed of one or more items in order of rank. For example, in FIG. 4d, a maximum of five items (top 5) are illustrated. As illustrated in FIG. 4D, the traffic analysis information may be displayed differentially according to an incoming direction (denoted IN in FIG. 4D) and an outgoing direction (denoted OUT in FIG. 4D).

Referring to FIG. 4E, a map for displaying a geographical location is shown in a fourth area 440, wherein the map may be provided in the form of a two-dimensional map or a three-dimensional globe (3d globe) as illustrated. This is for indicating the geographical location of at least one of the source address and the destination address of one or more specific events of the detected events.

3, the method for visualizing network control information according to an exemplary embodiment of the present invention is a method for visualizing network control information according to an embodiment of the present invention. The user interface module 230, through the communication unit 110 of the computing device 100, (S300) of detecting the selection operation of the selection device or supporting the other device to detect the selection operation.

FIG. 5A is a conceptual view illustrating a state in which the user interface is changed in response to a user's manipulation of the user interface illustrated in FIG. 4A, FIGS. 5B and 5C are diagrams illustrating the elements of the user interface shown in FIG. These are the drawings.

5A, a user interface module 230 implemented by the computing device 100, in response to a user's operation on a graphic object according to an event classification in the first area 410, The event information belonging to the event category can be displayed as the event list 416. FIG. 5B is an enlarged view of the event list 416 shown in FIG. 5A. In this case, the selection operation may be for a specific event displayed in the event list 416. [

Here, the event information may include at least one of an event occurrence time, an event name, an event detection condition, an event classification, an event class, and an event occurrence count. The event detection condition may include an event detection reference field, an event detection reference time, etc. Illustratively, the event detection reference field may include a cause of detection as a corresponding event among fields extracted from at least one of a packet and a log And the event detection reference time refers to a time period during which at least one of a packet and a log satisfying the event detection condition is repeatedly detected as an event.

3, the method for visualizing network control information according to this embodiment is characterized in that, after step S300, the computing device 100 performs processes corresponding to the selection operation, (S400: S400a to S400c).

Wherein the processes corresponding to the selection operation include the steps of: (i) visualizing, in the second region, the data flow of associated assets that are assets associated with the particular event among the protected assets that are the objects of the control; and (ii) Traffic analysis information and asset information of the associated asset in the third region as the network analysis information.

Each of the segments corresponding to the data flow between the associated assets associated with the specific event in the second region 420 may be displayed visually distinguishable from other segments such as a color or a pattern (dashed, dotted, A broken line, a one-dot chain line, etc.) may be used or an animation effect such as blinking may be used. Of course, those skilled in the art will understand that the method of visually distinguishing and displaying is not limited to this.

5C, asset information is visualized as network analysis information together with traffic analysis information in a third area 430. The asset information may include an address of an associated asset, an asset type, affiliation, a user name, and the like But is not limited thereto.

As a modification of the above embodiment, referring to FIG. 5A, processes corresponding to the selection operation are added to (iii) a geographical location of at least one of a source address and a destination address extracted from a packet or log of the specific event 4 < / RTI > area 440. The process of FIG.

In this variant, an indication on the map of the geographical location corresponding to the source address can be visually distinguished from the indication on the map of the geographical location corresponding to the destination address, It helps the user to intuitively understand where to go and where to go.

Preferably, a point corresponding to the source address and a destination point corresponding to the destination address on the map may be displayed to be connected to each other by a straight line or a curve.

Although the components shown in FIGS. 2 through 5C are illustrated as being implemented in one computing device for convenience of explanation, it is understood that the server 100 performing the method of the present invention may be configured such that a plurality of devices are interlocked with each other Will be. It will thus be appreciated that each of the steps of the inventive method described above may be performed by one computing device directly or by supporting the one computing device to perform another computing device associated with the one computing device.

Thus, the present invention visualizes the detection threat information by the event analysis and displays the detailed traffic analysis information and the detailed information of the related asset together with the detailed information of all the above-mentioned embodiments, so that the user can perform a comprehensive and comprehensive security management analysis It is possible to carry out the present invention.

Advantages of the techniques described herein as the above embodiments are that it provides a user interface that assists the user in intuitively understanding the event status and assists in making a quick and accurate determination through the user interface, Such as security professionals, who are in an imminent and busy environment where they need to accurately analyze and respond even though they are exposed to the Internet.

Based on the description of various embodiments of the present disclosure, one of ordinary skill in the art will appreciate that the method and / or processes of the present invention and the steps thereof may be implemented in hardware, software, It is to be clearly understood that the present invention can be realized in any combination. The hardware may include special features or components of a general purpose computer and / or a dedicated computing device or a specific computing device or a particular computing device. Such processes may include one or more processors, e.g., microprocessors, controllers, such as microcontrollers, embedded microcontrollers, microcomputers, arithmetic logic units (ALUs), digital signal processors, For example, a programmable digital signal processor or other programmable device. Additionally or alternatively, the processes may be implemented in an application specific integrated circuit (ASIC), a programmable gate array, such as a field programmable gate array (FPGA), a programmable logic unit (PLU) Any other device capable of executing and responding to Programmable Array Logic (PAL) or other instructions, any other device or combination of devices that can be configured to process electronic signals. The processing device may execute an operating system (OS) and one or more software applications running on the operating system. The processing device may also access, store, manipulate, process, and generate data in response to execution of the software. For ease of understanding, the processing apparatus may be described as being used singly, but those skilled in the art will recognize that the processing apparatus may have a plurality of processing elements and / As shown in FIG. For example, the processing apparatus may comprise a plurality of processors or one processor and one controller. Other processing configurations are also possible, such as a parallel processor.

The software may comprise a computer program, code, instructions, or a combination of one or more of the foregoing, and may be configured to configure the processing device to operate as desired, or to process it collectively or independently Device can be commanded. Software and / or data may be stored on any type of machine, component, physical device, virtual equipment, computer storage media, or device, such as a computer readable recording medium, , Or may be permanently or temporarily embodied in a transmitted signal wave. The software may be distributed over a networked computer system and stored or executed in a distributed manner. The software and data may be stored on one or more machine-readable recording media.

Moreover, the objects of the technical solution of the present invention or portions contributing to the prior art can be implemented in the form of program instructions that can be executed through various computer components and recorded in a machine-readable medium. The machine-readable medium may include program instructions, data files, data structures, and the like, alone or in combination. Program instructions to be recorded on a machine-readable recording medium may be those specially designed and constructed for the embodiments or may be known and available to those of ordinary skill in the computer software arts. Examples of the machine-readable recording medium include magnetic media such as hard disks, floppy disks and magnetic tape, optical media such as CD-ROMs, DVDs, and Blu-ray, optical disks such as floptical disks Magneto-optical media such as ROMs, random access memories (RAMs), flash memory, and the like, and hardware devices specifically configured to store and execute program instructions. Examples of program instructions include, but are not limited to, any of the above devices, as well as a heterogeneous combination of processors, processor architectures or combinations of different hardware and software, Which may be constructed using a structured programming language such as C, an object-oriented programming language such as C ++ or an advanced or low-level programming language (assembly language, hardware description languages and database programming languages and techniques) This includes not only bytecode, but also high-level language code that can be executed by a computer using an interpreter or the like.

Thus, in one aspect of the present invention, when the methods and combinations described above are performed by one or more computing devices, combinations of the methods and methods may be implemented as executable code that performs each of the steps. In another aspect, the method may be implemented as systems for performing the steps, and the methods may be distributed in various ways throughout the devices, or all functions may be integrated into one dedicated, stand-alone device, or other hardware. In yet another aspect, the means for performing the steps associated with the processes described above may include any of the hardware and / or software described above. All such sequential combinations and combinations are intended to be within the scope of this disclosure.

For example, the hardware devices described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa. The hardware device may include a processor, such as an MPU, CPU, GPU, TPU, coupled to a memory, such as ROM / RAM, for storing program instructions and configured to execute instructions stored in the memory, And a communication unit capable of receiving and sending data. In addition, the hardware device may include a keyboard, a mouse, and other external input devices for receiving commands generated by the developers.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, Those skilled in the art will appreciate that various modifications and changes may be made thereto without departing from the scope of the present invention.

Therefore, the spirit of the present invention should not be construed as being limited to the above-described embodiment, and all of the equivalents or equivalents of the claims, as well as the claims attached hereto, As well as the other. For example, it is to be understood that the techniques described may be performed in a different order than the described methods, and / or that components of the described systems, structures, devices, circuits, Lt; / RTI > or equivalents, even if it is replaced or replaced.

Such equally or equivalently modified embodiments will include logically equivalent methods which can yield, for example, the same results as those of the method according to the present invention, The scope is not to be limited by the foregoing examples, but should be understood in the broadest sense permissible by law.

Claims (10)

CLAIMS 1. A method for providing visualization of information for network management,
If at least one of a packet and a log is obtained from at least one node in the network, the computing device may provide the visualized information for control of the network on a predetermined user interface, or cause the other device associated with the computing device And to provide the visualized information on the user interface,
Wherein the user interface comprises:
A first area for displaying at least a part of event information, which is information of an event detected from at least one of the packet and the log, for each event classification, the event classification including a compliance event indicating an event in which a violation of regulation in a predetermined organization is suspected, And a threat event indicating an event occurring in the apparatus in the organization, wherein the compliance event includes an oversea SSH connection, a harmful IP connection due to geographical conditions, an out-of-hours connection and a personal information outflow due to a temporal condition, Wherein the threat event includes at least one of a harmful IP access, an unidentified IP access, an abnormal contact attempt, and an external authorized IP abnormal access;
A second region for indicating a network topology that is a topology of the network, the network topology comprising at least one line segment connecting nodes and nodes belonging to the network; And
A third area for displaying network analysis information as a result of analyzing the network,
/ RTI >
In the first region,
Wherein the event information classification number of the event information is displayed as a graphical object according to an event classification, the name of the individual event classification and the number of the event classification corresponding to the individual event classification are displayed in the graphic object for each event classification,
The method comprises:
In response to a user's operation on the graphic object according to the event category, the computing device displays the event information belonging to an event classification corresponding to the graphic object for each event category as an event list
Further comprising:
The method comprises:
(a) supporting the computing device to detect a selection operation of a user for a specific event among the events or to allow the other device to detect the selection operation; And
(b) in response to the selection operation, causing the computing device to: (i) send a data flow associated with the particular event among associated assets that are assets associated with the particular event among the protected assets that are objects of control, A process of visualizing each of the segments corresponding to the data flow so as to be visually distinguished from other segment segments; And (ii) visualizing traffic analysis information of the associated asset and asset information of the associated asset in the third area as the network analysis information, or to cause the other device to perform the steps (i) and (ii) Steps to Support the Process
Further comprising the step of: delete The method according to claim 1,
In the second region,
Wherein the network topology is displayed as a three-dimensional model,
The method comprises:
Wherein the computing device is configured to provide rotation, magnification and reduction functions for the three-dimensional model through the user interface
Further comprising the step of: The method according to claim 1,
Wherein the user interface comprises:
A fourth region for displaying on the map a geographical location of at least one of a source address and a destination address of one or more specific events of the detected events;
Further comprising the step of: delete The method according to claim 1,
Wherein the user interface further comprises a fourth area for displaying on the map a geographical location of at least one of a source address and a destination address of the specific event,
The step (b)
(iii) a process of visualizing, in the fourth area, a geographical location related to at least one of a source address and a destination address extracted from the packet or log of the specific event, or to support the other device to perform The network management information visualization method. A computer program stored in a machine-readable medium having instructions stored thereon for causing a computing device to perform the method of any one of claims 1, 3, 4, and 6. CLAIMS What is claimed is: 1. A computing device that provides visualization of information for network management,
A communication unit for obtaining at least one of a packet and a log from at least one node belonging to the network; And
When at least one of the packet and the log is acquired, providing visualized information for the control of the network on a predetermined user interface, or allowing other devices connected through the communication unit to provide the visualized information on the user interface A processor that supports
, ≪ / RTI &
Wherein the user interface comprises:
A first area for displaying at least a part of event information, which is information of an event detected from at least one of the packet and the log, for each event classification, the event classification including a compliance event indicating an event in which a violation of regulation in a predetermined organization is suspected, And a threat event indicating an event occurring in the apparatus in the organization, wherein the compliance event includes an oversea SSH connection, a harmful IP connection due to geographical conditions, an out-of-hours connection and a personal information outflow due to a temporal condition, Wherein the threat event includes at least one of a harmful IP access, an unidentified IP access, an abnormal contact attempt, and an external authorized IP abnormal access;
A second region for indicating a network topology that is a topology of the network, the network topology comprising at least one line segment connecting nodes and nodes belonging to the network; And
A third area for displaying network analysis information as a result of analyzing the network,
/ RTI >
In the first region,
Wherein the event information classification number of the event information is displayed as a graphical object according to an event classification, the name of the individual event classification and the number of the event classification corresponding to the individual event classification are displayed in the graphic object for each event classification,
The processor comprising:
Further performing a process of detecting a user's selection operation of a specific event among the events or supporting the other device to detect the selection operation,
In response to the selection operation, causing the processor to: (i) visualize, in the second region, a data flow associated with the particular event between associated assets that are assets associated with the particular event among protected assets that are objects of control Each of the segments corresponding to the data flow is visually distinguished from the other segments; And (ii) visualizing traffic analysis information of the associated asset and asset information of the associated asset in the third area as the network analysis information, or to cause the other device to perform the steps (i) and (ii) And to perform the process. delete 9. The method of claim 8,
Wherein the user interface further comprises a fourth area for displaying on the map a geographical location of at least one of a source address and a destination address of the specific event,
The processor comprising:
Further performing or visualizing a geographical location of at least one of a source address and a destination address extracted from a packet or log of the specific event in the fourth area or supporting the other device to perform a network management information visualization Device.

Images