WO2006077666A1

WO2006077666A1 - Observation data display device, observation data display method, observation data display program, and computer-readable recording medium containing the program

Info

Publication number: WO2006077666A1
Application number: PCT/JP2005/011997
Authority: WO
Inventors: Hiroki Takakura; Takayuki Itoh; Atsushi Sawada; Koji Koyamada
Original assignee: Kyoto University
Priority date: 2004-12-28
Filing date: 2005-06-29
Publication date: 2006-07-27
Also published as: JPWO2006077666A1

Abstract

Observation values obtained from a plenty of observation objects are 3-dimensionally displayed. An observation data display device displays observation values obtained by observing an observation object. The observation data display device includes: a data acquisition unit for acquiring a pair of observation object identifier for identifying an observation object and an observation value obtained by observing the observation object; a reference position arrangement unit for arranging a reference position for displaying the observation value of the observation object in the two-dimensional plane according to the observation object identifier; a height calculation unit for calculating a height based on the observation value for each of the observation values; and a three-dimensional display unit causing the display device to display the image expressed by the height calculated by the height calculation unit in the reference position where the observation value is arranged by the reference position arrangement unit. This enables three-dimensional display of observation values obtained by a plenty of monitoring objects.

Description

Specification

Observation data display device, observation data display method, observation data display program, and computer-readable recording medium recording the same

Technical field

[0001] The present invention relates to an observation data display device and an observation data display method for displaying observed data.

The present invention relates to an observation data display program and a computer-readable recording medium on which the observation data display program is recorded. Background art

[0002] In recent years, IDS has increased due to the increased damage caused by unauthorized access to the Internet and viruses.

(Intrusion Detection System) is actively researched and commercialized. Many of these IDS products detect fraud (incidents) without omission, assuming that certain safety measures have been taken for the monitored network. A number of methods for expressing the statistical tendency of incidents through information visualization have been announced.

[0003] As one of the conventional methods for representing incidents, Document 1 proposes a method of “visible log” t. In this method, the screen is divided horizontally, the number of incidents by time for the entire incident is displayed in a bar graph on the left side, and the breakdown of incidents at a specific time specified by the user is displayed on the right side. This method is characterized in that it can simultaneously express the overall trend and local trend of incidents.

[0004] Also, the power that differs in data structure from IDS In Reference 2, the coordinate system called Parallel Coordinate has the attribute type on the horizontal axis and the attribute value on the vertical axis for the access log file of one web server. A method for placing individual accesses in a system has been proposed. This method supports the understanding of the detailed nature of unauthorized access by expressing the correlation of unauthorized access attribute values.

[0005] In addition to the above-mentioned documents, various studies have been conducted (References 3 to 9). In addition, each group has launched unauthorized access detection systems, and these systems are also equipped with interfaces that express the statistical tendency of incidents.

[0006] However, the conventional technology described above is a three-dimensional display of the observation values obtained for a large number of monitoring target forces. If you can't do it, you have problems. The problems of the conventional technology will be described in detail below.

[0007] An unauthorized access detection system in a large-scale organization such as a university is operated in an environment in which thousands or more tens of thousands of monitoring targets (computers) issue 1,000 or more alarms per second. To use it, it is necessary to be able to handle a large number of monitoring targets. Also, 99% of alarms are false alarms, and true unauthorized access cannot be detected unless the false alarms are removed. Therefore, it is necessary to be able to intuitively recognize the contents of the alarm by displaying the incident information three-dimensionally.

[0008] However, for example, the techniques described in Documents 1 and 2 arrange data elements such as accesses and computers in a one-dimensional manner on a screen, and therefore, for large-scale data such as thousands and tens of thousands. Can only express very general trends. Also, it is difficult to understand such spatial correlations, saying, “This organization is aimed intensively!”.

[0009] In addition, in the system RNA developed by SourceFire, Inc. in the United States, the computer connection relationship is displayed in a three-dimensional space. As a result of actual evaluation by a large-scale organization, the number of computers exceeding 3,00 As a result, the display could not follow the large number of data, and the visibility dropped significantly.

[0010] As described above, in the conventional technology, the number of alarm changes along the time axis is graphed and the overall attack transition is displayed, or the relevance of a specific monitoring target or alarm is estimated. There is a proposal to select and display alarms, but there is no one that can display all monitored objects at the same time and grasp the individual situation. In addition, a system that displays alarms in a three-dimensional graph has also been proposed, but important information is hidden by misinformation that accounts for the majority. The reason is that these methods generally assume an environment with less than 100 monitoring targets and an alarm count of about 100 per hour.

(Reference 1) Takada, Koike, Appearance log: Log information browser using information visualization and text mining, Journal of Information Processing Society of Japan, 41, 12, pp. 3265-3275, 2002.

2) Axeisson Visualization for Intrusion Detection Hooking the Worm, Eur opean Symposium on Researcn in Computer Security 2003, pp. 309-325, 2003. Techniqu e for Visualizing Large Hierarchies, J. Visual Languages and Computing, 7, 1, 33—55, 1996.

(Reference 4) Carriere J., et al., Research Report: Interacting with Huge Hierarchies Be yond Cone Trees, IEEE Information Visualization '95, pp. 74-81, 1995.

(Reference 5) Koike H., Fractal Views: A Fractal-Based Method for Controlling Information Display, ACM Trans, on Information Systems, 13, 3, pp. 305-323, 1995.

(Reference 6) Johnson B., et al., Tree-Maps: A Space Filling Approach to the Visualizat ion of Hierarchical Information Space, IEEE Visualization '91, pp. 275-282, 1991. (Reference 7) The Information Cube: Using Transparency in 3D Information Visualizatio n, Third Annual Workshop on Information Technologies & Systems, pp. 125-132, 19 93.

(Reference 8) Sprenger T. C, et al, H- BLOB: A Hierarchical Visual Clustering Method Using Implicit Surfaces, IEEE Visualization 2000, pp. 61-68, 2000.

(Reference 9) Yamaguchi, Ito, Ikebata, Tominaga, Hierarchical Data Visualization Technique “Data Jewel Box” and Visualization of Websites, IEICE Transactions, Vol. 32, No. 4, pp. 407-417 , 2003.

Disclosure of the invention

The present invention has been made in view of the above problems, and an object thereof is to realize an observation data display device and an observation data display method capable of three-dimensionally displaying observation values obtained from a large number of monitoring targets. There is to do.

[0012] An observation data display device according to the present invention is an observation data display device that displays an observation value obtained by observing an observation target, and in order to solve the above-mentioned problem, the observation target identification for specifying the observation target is performed. Based on the observation target identification information, a data acquisition unit that acquires a set of information and observation values obtained by observing the observation target, and a reference position for displaying the observation value of the observation target in a two-dimensional plane The reference position placement section to be placed, the observation value plotting section that plots the observation value of the observation target as the height from the reference position placed by the reference position placement section, and the data generated by the above observation value plotting section And a three-dimensional display unit for three-dimensionally displaying the observation value on the display device.

[0013] According to the above configuration, the reference position arranging unit arranges the observation values in the two-dimensional plane. Many monitoring targets can be observed. In addition, the observation value plot section plots the observation value as the height of the reference position force, and the 3D display section displays it in 3D, so it is possible to display the observation values obtained from many monitoring targets in 3D It becomes.

[0014] The observation data display method according to the present invention is an observation data display method by an observation data display device that displays observation values obtained by observing an observation object. A data acquisition step for acquiring a set of observation target identification information for identifying the observation target and an observation value obtained by observing the observation target, and for displaying the observation value of the observation target based on the observation target identification information. A reference position placement step for placing the reference position in a two-dimensional plane; an observation value plotting step for plotting the observation value of the observation target as a height from the reference position placed by the reference position placement step; A three-dimensional display step for three-dimensionally displaying the observation value on the display device based on the data generated by the observation value plot step.

[0015] According to the above configuration, in the reference position arranging step, the observation values are arranged in the two-dimensional plane, so that a large number of monitoring objects can be observed. In the three-dimensional display step, the observation value plot step displays the three-dimensional display based on the data obtained by plotting the observation value as the height from the reference position. Dimensional display is possible.

[0016] Another observation data display device according to the present invention is an observation data display device that displays observation values obtained by observing an observation target. In order to solve the above problems, The data acquisition unit that acquires a set of the observation object identification information for identifying the observation object and the observation value obtained by observing the observation object, and the reference position for displaying the observation value of the observation object are A reference position placement unit arranged in a two-dimensional plane based on object identification information, a height calculation unit for calculating a height corresponding to the observation value for each observation value, and the observation value are obtained by the reference position placement unit. And a three-dimensional display unit that displays on the display device an image expressed by the height calculated by the height calculation unit at the arranged reference position.

[0017] Another observation data display method according to the present invention is an observation data display method for displaying an observation value obtained by observing an observation target, and for observing the observation target for identifying the observation target. Data acquisition that acquires a set of information and observation values obtained by observing the observation target A reference position placement step for placing a reference position for displaying the observation value of the observation target in a two-dimensional plane based on the observation target identification information, and observing the height according to the observation value The height calculation step calculated for each value and the observed value at the reference position arranged by the reference position arrangement unit, an image expressed by the height calculated by the height calculation unit is displayed on the display device. 3D display step to be displayed, and including!

[0018] According to the above configuration, since the reference position arranging unit arranges the observation values in the two-dimensional plane, the observation values obtained by observing a large number of monitoring targets can be displayed on a display device or the like. In addition, the height calculation unit calculates the observation value as the height of the reference position force, and displays the observation value in three dimensions according to the height, so that the observation values obtained with a large number of monitoring target forces can be displayed efficiently. Is possible.

Brief Description of Drawings

FIG. 1 shows an embodiment of the present invention and is a diagram for explaining a basic technique used in an observation data display device.

FIG. 2, showing an embodiment of the present invention, is a diagram for explaining a basic technique used in an observation data display device.

FIG. 3, showing an embodiment of the present invention, is a diagram for explaining a basic technique used in an observation data display device.

FIG. 4 shows an embodiment of the present invention and is a diagram for explaining a basic technique used in an observation data display device.

FIG. 5, showing an embodiment of the present invention, is a diagram for explaining a basic technique used in an observation data display device.

FIG. 6, showing an embodiment of the present invention, is a diagram illustrating a processing process of a reference position arranging unit, which is a basic technique used in an observation data display device.

FIG. 7, showing an embodiment of the present invention, is a diagram showing an outline of a display result by an observation data display device.

FIG. 8, showing an embodiment of the present invention, is a diagram showing an example of a display result by an observation data display device. FIG. 9, showing an embodiment of the present invention, is a diagram showing an example of a display result by an observation data display device.

FIG. 10, showing an embodiment of the present invention, is a diagram showing an example of a display result by an observation data display device.

FIG. 11, showing an embodiment of the present invention, is a diagram showing an example of a display result by an observation data display device.

FIG. 12, showing an embodiment of the present invention, is a diagram showing an outline of a display result by an observation data display device.

FIG. 13, showing an embodiment of the present invention, is a diagram showing an example of a display result by an observation data display device.

FIG. 14, showing an embodiment of the present invention, is a diagram showing an example of a display result by an observation data display device.

FIG. 15, showing an embodiment of the present invention, is a diagram showing an example of a display result by an observation data display device.

FIG. 16, showing an embodiment of the present invention, is a diagram showing an example in which eight computers are stored in hierarchical data with reference to IP addresses.

FIG. 17, showing an embodiment of the present invention, is a block diagram showing a functional configuration of an observation data display apparatus 100 according to Embodiment 1.

FIG. 18, showing an embodiment of the present invention, is a block diagram showing a functional configuration of an observation data display apparatus 200 according to Embodiment 2.

FIG. 19, showing an embodiment of the present invention, is a block diagram showing a functional configuration of an observation data display device 300 according to Embodiment 3.

BEST MODE FOR CARRYING OUT THE INVENTION

[Basic technology]

First, an example of a reference position arrangement unit serving as a basic technique common to observation data display apparatuses according to the embodiments of the present invention will be described with reference to FIGS. For this basic technology, Ito and Oyamada's “Heiankyo View-Visualization Method for Arranging Hierarchical Data in a Grid” (Abstracts of the 9th Visualization Conference, Visualization Society of Japan, 2 (Issued in 003).

[0021] Hierarchical data visualization is one of the most actively researched fields of information visualization. Typical methods include the following methods.

[0022] (1) A method of expressing a tree structure. Hyperbolic Tree (Reference 3), Cone Tree (Reference 4), Fract al Views (Reference 5), etc.

[0023] (2) A method by recursive division of the screen space. Treemap (Reference 6).

(3) A method of constructing a nested hierarchical structure in a three-dimensional space and displaying it semitransparently. Informatio n Cube (Reference 7), H-BLOB (Reference 8), etc.

[0025] (4) A method of nesting a hierarchical structure in a two-dimensional space. "Data jewelry box" (Reference 9).

In each of the embodiments described later, an observation data display device using a hierarchical data screen layout method based on the policy of “representing as much information as possible in a screen space as small as possible in a grid-like form” I will provide a. The basic technique used in the observation data display device according to each embodiment of the present invention is configured on the premise of conditions similar to the conventional visualization method “data jewelry box” by the inventors themselves. However, since the algorithm is greatly different, the visualization result is also greatly different.

[0027] The basic technique used in the observation data display device according to each embodiment of the present invention expresses hierarchical data by a rectangular nested structure, and specifically, leaves constituting the hierarchical data. Nodes are represented by icons, and branch nodes are represented by nested rectangular frames.

FIG. 1 shows a screen layout algorithm of hierarchical data by the observation data display device.

In the following description of the basic technology, unless otherwise specified, each processing is performed by the reference position placement unit.

In the observation data display device according to each embodiment of the present invention, first, icons corresponding to leaf nodes belonging to the lowest hierarchy (in the case of FIG. 1, squares) are arranged without gaps. Next, in order to represent the branch nodes belonging to this upper layer, a rectangle that includes icons is generated. Furthermore, rectangles representing branch nodes in the upper hierarchy are arranged without gaps, and similarly, rectangles that encompass these are generated. Perform the above processing from the lowest hierarchy to the highest hierarchy. Repeat to determine the placement of the entire data. The above processing procedure is the same as that of the “data jewelry box” described above.

[0030] Next, an outline of an algorithm for arranging the rectangular groups constituting each layer on the screen will be described. In the observation data display device according to each embodiment of the present invention, first, leaf nodes in the hierarchical data are represented by square icons and arranged in a grid pattern. Next, the branch nodes that are the parents of these leaf nodes are represented by rectangles surrounding the leaf nodes. Next, a large amount of information is expressed in a limited screen space by efficiently arranging branch nodes represented by rectangles on the screen.

[0031] In the observation data display device according to each embodiment of the present invention, it is assumed that a group of rectangles representing branch nodes are sequentially arranged one by one in parallel to the horizontal axis and the vertical axis of the screen space. At this time, the rectangles are arranged in the screen space so that the following conditions 1 and 2 are satisfied.

[Condition 1] A rectangle is arranged at a position that does not interfere with the rectangle already arranged.

[Condition 2] Among the positions satisfying [Condition 1], a rectangular shape is disposed at a position where the amount of expansion of the arrangement area is minimum.

[0034] Figure 6 shows a pseudo code summarizing the algorithm.

Next, the details of the screen arrangement algorithm for the rectangular group will be described. In the observation data display device according to each embodiment of the present invention, in order to manage the screen arrangement status of the rectangular group, the screen area is divided into a grid using the extension lines of the already arranged rectangle sides. (See Figure 2). At this time, for each grid area created by this division processing, it is determined and recorded whether the area has already been arranged with a rectangle or has not yet been arranged. In the case of FIG. 2 (right), the grid area painted in gray is an area in which rectangles are arranged, and the painted grid area is an area in which rectangles are arranged.

It is assumed that the screen space is divided into p areas in the X-axis direction and q areas in the y-axis direction by the above dividing method. At this time, the X coordinate values of the line segments that divide the screen space are sorted in ascending order and are expressed as X to x, and the y coordinate values are sorted in ascending order ¾y to y. Observation data at this time

O p 0 q

When arranging each rectangle, the display device sequentially searches the lattice region divided into p X q pieces, and confirms whether or not the rectangle can be arranged inside.

[0037] In the observation data display device according to each embodiment of the present invention, the position of the rectangle is determined. For this purpose, a plurality of candidate positions are set while searching for a lattice area, and an optimum position is selected from them.

The search order of the lattice area is as follows. First, the grid area including the center point of the screen space is specified. When this grid area is sth from the left and tth from the top, this chapter describes it as [s, t]. In the proposed method, the lattice region [s, t] is first searched, and then the search order of the lattice region is defined in a spiral shape (see Fig. 3 (left)). For example, [ _S- l, tl] to [sl, t + l] are searched, then [sl, t + l] to [s + l, t + l] are searched, and the lattice is searched in this order.

[0038] The reason for using such a procedure is that there is a high possibility that the amount of enlargement of the arrangement area is smaller when the rectangle is arranged inside than the outside of the screen space. In other words, by searching in the order of the grid area force inside the screen space, it is possible to find a position that satisfies both [Condition 1] and [Condition 2] at an early stage and contribute to high-speed processing.

Subsequently, the observation data display device attempts to arrange a rectangle in each searched lattice region. At this time, whether or not [Condition 1] is satisfied is confirmed by the interference judgment with the rectangle already arranged. Also, check whether the force satisfies [Condition 2] by calculating the amount of enlargement of the layout area due to the rectangular layout.

[0040] The observation data display device tries to arrange a rectangle at one of the following four points for one lattice region. First, let the length and width of the rectangle be (w, h). Also, the X coordinate values of the four vertices of the [s, t] -th grid area are X and X, and the y coordinate values are y and y. In this specification, s s + 1 t t + 1

Describe the position of the rectangle whose x coordinates of the four vertices are x, X and y coordinates are y, y and [x, x, y, y] and ab c d a b e d. At this time, the reference position placement unit of the observation data display device tries to place rectangles at the following four candidate positions so that one vertex of the rectangle and one vertex of the grid area overlap (see Fig. 3 (right)).

[0041] Candidate l: [x, (x + w), y, (y + h)]

s s t t

Candidate 2: [(x -w), x, y, (y + h)]

s + 1 s + 1 t t

Candidate 3: [x, (x + w), (y -h), y]

s s t + 1 t + 1

ネ 4: [(χ -w), x, (y -h), y]

s + 1 s + 1 t + 1 t + 1

Setting candidate positions as described above increases the possibility that one side of a rectangle is located on the same line as the side of an adjacent rectangle. This is the factor that shows the result of the rectangular arrangement "in a grid pattern" It is.

[0042] One of the candidate positions derived as described above is expressed as [χ, X, y, y]. Then a b e d

The observation data display device uses the following a b e d for the four values of X, X, y, y and the coordinate values of the grid edges

Relationship

X, X

i a i + 1 j b j + 1

y, y≤y ≤y

k c k + l 1 d 1 + 1

Identifies integer values i, j, k, 1 for which Subsequently, for the total (k−i + 1) X (l−j + l) lattice regions [i, k] to [j, l], the interference with the already arranged rectangles is determined. . If there is no interference, the position is determined to satisfy [Condition 1] (see Figure 4 (left)).

[0043] When the rectangular force screen space placed at this position does not protrude, it is determined that the position satisfies [Condition 2], and the proposed method interrupts the search for the lattice region and moves to that position. Decide to place a rectangle. When the screen space is extended, the amount of expansion of the screen space is calculated. At this time,

(a) If there is no other position that satisfies only [Condition 1], and

(b) If the amount of enlargement of the screen space is minimal compared to other positions that satisfy only [Condition 1], this position is set as a “temporary position” and recorded together with the amount of enlargement of the screen space. If the “position that does not extend beyond the screen space” has a strong power to see until the grid area search process is completed, a rectangle is placed at this “temporary position”.

[0044] After the position of the rectangle is determined by the above processing, the lattice area is divided by a line segment extending the side of the rectangle (see Fig. 4 (right)).

FIG. 5 shows a display example of hierarchical data by the observation data display device. The data used for this display includes 1067 leaf nodes and 67 branch nodes. The calculation time required for the screen layout calculation was about 0.1 seconds.

[0046] As described above, the observation data display device according to each embodiment of the present invention uses the basic technology (reference position arrangement unit) that can arrange information constituting hierarchical data on a screen in a grid pattern. Yes.

[Embodiment 1] Next, an observation data display apparatus according to an embodiment of the present invention will be described with reference to FIGS. The outline of the observation data display apparatus according to this embodiment is as follows.

[0048] With the spread of damage from Internet incidents and viruses, research on IDS (Intrusion Detection System) has been active in recent years, and its commercialization is also progressing. Many of these IDS products detect fraud (incidents) without omission, assuming that certain safety measures have been taken for the monitored network. However, when the IDS product was actually operated in a particularly large and highly open network, the following problems occurred (“Sawada, Takakura, Okabe, Open University”). IDS log monitoring support system for large-scale networks, IPSJ Transactions, Vol. 44, No. 8, pp. 1861-1871, 2003 ”).

(1) In an email notification system that sends one alert for each incident, the amount of alert emails is not only huge, but it is also difficult to understand the correlation and statistical trends.

(2) Recent incidents tend to be complicated, and there are many cases in which a series of incidents are composed of multiple signatures (incident types and patterns). Is not enough.

(3) Due to the large number of incidents, it is not easy to operate a database for post-analysis of incidents.

(4) The conventional exploratory browsing system using a GUI makes it difficult to search for important incidents, is difficult for busy administrators, and is not suitable for knowledge sharing among many administrators. There is a problem such as being unsuitable for the work.

[0049] There are several means for solving these problems and realizing a highly secure network operation. For example, there is research that supports post-incident analysis of incidents using an integrated management database that accumulates incidents detected by IDS (“Otani, Kuwata, Kosako, Inoue, analysis and intention analysis of incident detection information using an integrated database) Decision support system, 13th Data High Value Workshop, A1-6, 2002. ”). In addition, high accuracy using analytical methods such as text mailing and periodic analysis! , Look at incident analysis There is a research to point out ("Enomoto, Izumi, Tamura, Fukunaga, Network 'Server Operation Monitoring Support System, Journal of System Control Information Society, Vol. 15, No. 6, pp. 279-287, 2002.").

[0050] Several methods have been proposed to assist in understanding statistical trends in IDS through information visualization. Takada et al.'S “Visibility Log” method described in Reference 1 divides the screen horizontally, displays the total number of IDS by hour on the left side, and displays a bar graph on the right side. Displays a breakdown of IDS at a specified time. Although the data structure is different from IDS, in Reference 2, for the access log file of the web server, each coordinate system called Parallel Coordinate is arranged with the attribute type on the horizontal axis and the attribute value on the vertical axis. Axelsson has proposed a way to place access. However, since these methods arrange data elements such as access computers on a one-dimensional screen, only a very general tendency can be expressed for large-scale data such as thousands or tens of thousands. There are many cases. Also, it is difficult to understand such spatial correlations as “This organization is targeted intensively!”. For this reason, it is desirable to apply a visualization method in which data elements are arranged in a two-dimensional screen rather than a one-dimensional manner, and large-scale information is looked down on.

[0051] In this embodiment, an observation data display apparatus for the purpose of expressing all of the damage and damage caused by IDS of thousands and tens of thousands of computers constituting a large-scale network on one screen will be described. The observation data display device of this embodiment displays distribution maps of thousands and tens of thousands of computers using the basic technology (reference position placement unit) described above for large-scale hierarchical data, and its statistics. The whole picture is displayed on one screen. According to the observation data display device of this embodiment, it is considered that the tendency of a large number of incidents can be grasped in a short time.

[0052] As described above in [Basic Technology], the observation data display device according to the present embodiment is a device that can visualize large-scale hierarchical data. FIG. 5 shows an example of arrangement of reference positions for displaying hierarchical data by the observation data display apparatus according to the present embodiment. In the observation data display device according to the present embodiment, leaf nodes constituting hierarchical data are represented by icons, branch nodes are represented by rectangular frames, and the hierarchical structure is represented by a nested structure of rectangular frames.

In the observation data display device according to the present embodiment, first, an icon representing a leaf node is displayed. Arrange them on the screen space without any gaps. Next, in order to represent the branch nodes belonging to this higher hierarchy, a rectangle that includes icons is generated. In addition, the rectangles representing the branch nodes in the upper hierarchy are arranged without gaps, and a rectangle that includes them is generated in the same way. By repeating the above processing from the lowest layer to the highest layer, the arrangement of the reference position of the entire data is determined. FIG. 1 shows a screen layout procedure of leaf nodes and branch nodes by the observation data display apparatus according to the present embodiment. This algorithm is the same as that described in the above section [Basic technology].

At this time, in the observation data display device, the rectangular groups representing leaf nodes and branch nodes are arranged on the screen so as to satisfy the following two conditions.

[Condition 1] Already placed! Do not interfere with the rectangle! Place the rectangle at the position.

[Condition 2] Of the positions satisfying [Condition 1], place a rectangle at the position where the amount of expansion of the layout area is the smallest.

[0055] By realizing a screen layout that satisfies this condition, the entire picture of large-scale hierarchical data can be expressed without being limited to a limited screen space.

[0056] The observation data display device according to the present embodiment, with respect to hierarchical data having thousands and tens of thousands of leaf nodes, also keeps the screen space as small as possible without overlapping each other on the screen. Leaf nodes can be represented in equal size. The purpose of this embodiment, for example

(a) For a large-scale network environment with thousands of tens of thousands of IP addresses, the entire statistical trend of incidents related to individual IP addresses is represented on a single screen! / ヽ

(b) I want to roughly understand the incident tendency of a group of computers belonging to the same organization (= a group of computers with the same upper and second digits of the IP address (the unit of digits is octets)) as an `` incident group ''

For this purpose, it can be said that the observation data display device according to the present embodiment is a very appropriate technology.

As an example, IDS data input to the observation data display device according to the present embodiment is the Cisco secure IDS 4320 (nttp: //www.Cisco.com/Japanese/warp/public/ 3 / jp / product / security / ids / index.html) The one based can be used. In this system, incidents are detected based on a typical pattern called signature. Of the data output to the log file for one detected incident detection, in the present embodiment, the following data is referred to as an example.

'Source IP address

• Recipient IP address

•time of occurrence

• Positive integer ID indicating the type of illegal

• Levels of importance (5 levels)

In the observation data display device according to the present embodiment, the IP addresses described in the transmission source and the reception destination are listed for a large number of incidents described in the log file, and the observation target classification unit 11 displays the IP addresses. Build a hierarchical structure by referring to the value of each note.

[0058] Next, for each IP address, the incident that is the transmission source and the incident that is the reception destination are aggregated. In other words, the number of unauthorized accesses and the number of unauthorized accesses are counted for each IP address. At this time, by adding conditions such as the range of occurrence time, the type and severity of incidents, only the incidents that satisfy the conditions are counted.

[0059] Subsequently, hierarchical data constituted by the IP addresses of the computers constituting the network is displayed on the observation data display device. At this time, the observation value plot unit gives the leaf nodes corresponding to each IP address to express the number of incidents that are the source and destination of each IP address. In addition, as shown in Fig. 7, the number of incidents can be superimposed (stacked) so that bar graphs are superimposed by expressing different numbers of incidents as senders and incidents as recipients. It is preferable to express Then, the three-dimensional display unit displays the observation value three-dimensionally on the display device based on the data generated by the observation value plot unit.

A configuration for realizing such an observation data display device will be described below.

FIG. 17 is a block diagram showing functional blocks of the observation data display apparatus 100 according to the present embodiment. As shown in Fig. 17, the observation data display device 100 includes a data acquisition unit 10, It has a target classification unit 11, a reference position placement unit 12, a height calculation unit 13, and a 3D display unit 14.

[0061] The data acquisition unit 10 includes an IP address (observation target identification information) for identifying a computer (observation target) in a computer network, the number of cases where the computer has made unauthorized access and the number of cases received (incident number, It is for acquiring a set with (observed value). For example, as described above, the data acquisition unit 10 extracts a set of the IP address and the number of incidents from the log file output for the incident. The data acquisition unit 10 also acquires the time of occurrence, positive integer ID indicating the type of fraud, level (5 levels) indicating importance, etc., and restricts incidents for log file power extraction based on these parameters. May be.

The observation target classification unit 11 is for classifying computers (observation targets) into hierarchical clusters based on IP addresses (observation target identification information)! An IP address has a hierarchical structure. For example, the IPv4 standard consists of four octets. Here, the first (ie, first) octet indicates the position in the highest hierarchy, and the position in the lower hierarchy as it approaches the end. The observation target classifying unit 11 treats each computer as a leaf node. Then, the computers corresponding to the leaf nodes are clustered so as to correspond to the topology of the computer network defined by the IP address. For example, a hierarchy is set for each octet, and a cluster of the number of octet types (that is, 256) is created in each hierarchy, and the octet of the IP address of the computer matches the octet of the IP address of the cluster. You may classify | categorize according to it. In addition, the method of classifying into a cluster is not limited to this. For example, the clusters created by the above method may be integrated based on some rule in each hierarchy! /. In the present embodiment, the perspective relationship between the nodes in the same cluster may be ignored.

The reference position arrangement unit 12 is for determining a reference position for displaying the number of incidents (observed values) of the computer (leaf node) by height. Here, the reference position placement unit 12 determines the reference position of each computer based on the clusters classified by the observation target classification unit 11. In addition, the determination method of the reference position is as described in the basic technology, Each computer is treated as a leaf node, and the hierarchical cluster to which the computer belongs is treated as a branch node. Here, the reference position is expressed by the X and Y coordinates in the XY plane coordinate system.

[0064] In order to express the number of incidents acquired for each computer by the data acquisition unit 10 as the height of the bar graph shown in FIG. 7, the height calculation unit 13 is based on the number of incidents for each computer having each IP address. Calculate the height. In the present embodiment, as the number of incidents, both the number of unauthorized accesses and the number of unauthorized accesses are displayed separately, so that the height calculation unit 13 determines the first number based on the number of unauthorized accesses. Calculate the height and calculate the second height based on the number of unauthorized accesses. Here, the calculated first height and second height are the heights corresponding to the number of unauthorized access, the number of unauthorized access, and the number of unauthorized access, respectively.

[0065] The three-dimensional display unit 14 is configured such that the number of incidents of each computer is the reference position arranged by the reference position arranging unit 12 and the first and second heights calculated by the height calculating unit 13. Create image data expressed in 3D. For example, the 3D display unit 14 sets the XYZ space coordinate system as a modeling coordinate system, and the X and Y coordinates determined by the reference position placement unit 12 and the Z coordinate 0 are set to the reference position of the computer. And Then, each of the three-dimensional bar graphs extended by the first and second heights calculated by the height calculation unit 13 in the + Z direction from the reference position is created. Here, the bar graph having the first height and the bar graph having the second height are created by being stacked. That is, two bar graphs are connected in the Z-axis direction.

[0066] The three-dimensional display unit 14 creates the bar graph for all the computers. When bar graphs are created for all computers, the created 3D model is displayed in a planar display area, and the created 3D model is converted from a modeling coordinate system to a screen coordinate system. Do. As a result, it is possible to create image data in which the number of illegal accesses as shown in FIG. 7 is expressed as a three-dimensional height.

In this embodiment, the observation data display device that displays the statistical tendency of incidents on a large-scale network on one screen has been described. This device is considered to have the following advantages. • The statistical trend of incidents for a large-scale network with a large number of computers such as thousands and tens of thousands can be displayed on a single screen.

'Suitable for understanding incident trends that correlate with locations in computer space.

In addition, the following functions may be further added to the observation data display device.

• A function that highlights highly malicious incidents, the magnitude of damage, and incidents in cooperation with data mining and database technologies.

• An information visualization function that effectively displays the information presented by the observation data device according to this embodiment on the screen.

• An information visualization function suitable for analyzing the trend of incidents over a long period of one week or one month, not as short as 5-10 minutes.

[Embodiment 2]

Next, an observation data display apparatus according to another embodiment of the present invention will be described with reference to FIGS. The outline of the observation data display apparatus according to this embodiment is as follows.

[0070] In recent years, IDS has increased due to the increase in damage caused by unauthorized access to the Internet and viruses.

(Intrusion Detection System) is actively researched and commercialized. Many of these IDS products detect fraud (incidents) without omission, assuming that certain safety measures have been taken for the monitored network. However, when we actually operated IDS products in a large-scale and highly open network, the following problems occurred (Sawada, Takakura, Okabe, “Open-type large”). IDS log monitoring support system for large-scale networks ”, IPSJ Transactions, Vol. 44, No. 8, pp. 1861 -1871, 2003.) o

• Not only is the volume of alert emails enormous, it is also difficult to understand their correlation and statistical trends.

'There are many cases where a series of incidents are composed of multiple signatures (incident types and patterns), which is not enough to grasp the whole picture.

• Due to the large number of incidents, it is not easy to operate a database for post-analysis of incidents. • The conventional exploratory browsing system using GUI has many operational problems.

[0071] In order to solve these problems and realize highly secure network operation, research using an integrated management database (Otani, Kuwata, Kosako, Inoue, “Incident detection information using integrated database” Analysis and decision support system ”, 13th Data Expensive Workshop, A1-6, 2002.) and research using analytical methods such as text mining and periodicity analysis (Enomoto, Izumi, Tamura, Fukunaga, "Network 'server operation monitoring support system", Transactions of the Institute of Systems, Control and Information Engineers, Vol. 15, No. 6, pp. 279-287, 2002.) has been reported.

[0072] Several methods that support the understanding of statistical trends in unauthorized access through information visualization have been reported (References 1 and 2). These methods are suitable for understanding temporal changes and attributes of unauthorized access, but understand local trends for large networks with thousands of computers, such as thousands and tens of thousands. It is difficult. For example, in order to understand the spatial correlation such as “this organization is focused on”, it is desirable to apply a visualization method that allows you to look down on a large computer network space.

[0073] As described above, the present inventors display distribution maps of thousands and tens of thousands of computers using the above-mentioned basic technology for large-scale hierarchical data, and statistically analyze the distribution maps. An observation data display device that displays the entire trend on one screen is provided. With this device, the distribution of a large number of incidents on the computer network space can be grasped in a short time.

In the present embodiment, as a modification of the first embodiment, an observation data display device having a function of further emphasizing the characteristic tendency of incidents on the IDS visualization screen will be described. In the present embodiment, a function for performing the following processing is added to the IDS visualized by the observation data display device according to the first embodiment described above.

• Ability to highlight computers with characteristic statistical trends

• A function that displays incidents with a specific computer as the source or destination as a line segment between computers.

[0075] These features can help understand the following statistical trends for incidents:

• Regular errors that occur due to configuration mistakes and malfunctions, , Distinction from severe troubles affecting the network

• Spatial correlation of incidents originating from a specific computer with recipients. Or the spatial correlation of the incident with a specific computer as a recipient to the sender.

[0076] As described in [Basic Technology] above, the observation data display device according to the present embodiment is a device for visualizing large-scale hierarchical data. FIG. 5 shows a display example of hierarchical data by the observation data display device according to the present embodiment. In the observation data display device according to the present embodiment, leaf nodes constituting hierarchical data are represented by icons, branch nodes are represented by rectangular frames, and the hierarchical structure is represented by a nested structure of rectangular frames.

At this time, in the observation data display device according to the present embodiment, the rectangular groups representing leaf nodes and branch nodes are arranged on the screen so as to satisfy the following two conditions.

By realizing a screen layout that satisfies this condition, the entire picture of large-scale hierarchical data can be expressed without being limited in a limited screen space.

[0079] The observation data display device according to the present embodiment, with respect to hierarchical data having thousands and tens of thousands of leaf nodes, also keeps the screen space as small as possible without overlapping each other on the screen. Leaf nodes can be represented in equal size. The purpose of this report, for example

'For a large-scale network environment with thousands and tens of thousands of IP addresses, all aspects of the statistical trend of incidents related to individual IP addresses are displayed on a single screen.

• Schematic understanding of the incident tendency of computer groups belonging to the same organization (= computer groups with the same top two or three digits of IP address) as “incident groups” ヽ

[0080] Next, in order to make the relationship between the first embodiment and the present embodiment easier to understand, the IDS visualization method described in the first embodiment will be briefly described again. The IDS data used as input data by the observation data display device according to the present embodiment is the above-mentioned Cisco Secur of Cisco. e Based on IDS log data file output by IDS 4320. Of the data output to the log file for one detected incident detection, the observation data display apparatus according to this embodiment refers to the following data.

'Source IP address

• Recipient IP address

•time of occurrence

• Positive integer ID indicating the type of illegal

• Levels representing the risk level (5 levels).

[0081] In the observation data display device according to the present embodiment, the data acquisition unit first lists IP addresses described in the transmission source and reception destination for a large number of incidents described in the log file, and A hierarchical structure is constructed by referring to the value of each byte of the address.

Subsequently, the data acquisition unit totals the incidents that are the transmission source and the incidents that are the reception destination for each IP address. In other words, the number of unauthorized accesses and the number of unauthorized accesses are counted for each IP address. At this time, conditions such as the time of occurrence, the type and severity of incidents, etc. can be counted, and only incidents that satisfy the conditions can be calculated.

[0083] Subsequently, the hierarchical data configured by the IP address of the computer connected to the reference position arrangement component network is displayed on the observation data display device. At this time, the height calculator gives the leaf nodes corresponding to each IP address to express the number of incidents that are the source and destination of each IP address. In addition, as shown in Fig. 12, the number of incidents can be superimposed (stacked) so that bar graphs can be superimposed by expressing different numbers of incidents as senders and incidents as recipients. Is preferably expressed. Then, the 3D display unit displays the observation values on the display device in 3D based on the data generated by the height calculation unit.

[0084] Next, a new function expansion for the observation data display device of Embodiment 1 will be described. In the present embodiment, the following function expansion was attempted with respect to the observation data display device of the first embodiment.

[0085] [Function extension 1] Function to highlight computers with characteristic statistical trends With this function, it is now possible to implement a plug-in function that performs the process of detecting computers with incident groups that satisfy certain rules. The highlight section highlights computers with characteristic statistical trends by displaying the computers detected by this plug-in function in dark colors. In this embodiment, a plug-in function that detects a computer that has continuously transmitted (or received) an incident n times or more in a very short time interval is implemented. In this specification, “the computer that sent the incident” and “the sender of the incident” refer to the computer that attempted unauthorized access, and “the computer that received the incident” and “the recipient of the incident”. "Means a computer that has been attempted to gain unauthorized access. This function is thought to have the effect of highlighting man-made and persistent attacks, severe troubles with large impacts, and so on.

[0086] [Function Extension 2] Function to display incidents with a specific computer as a sender or receiver as a line segment between computers

In this function, the observation target link display section displays incidents that are received from a specific computer (for example, specified by tapping the mouse on the screen) or an incident that is received from a specific computer. The transmission source computer is displayed as a line segment on the screen. With this function, whether the attack sources (or attack targets) of computers that receive (or originate) a characteristic attack are widely distributed or concentrated in a specific organization, 1 It is thought that it has the effect of understanding the power of specializing in computers.

Note that members having the same functions as those of the first embodiment described above are denoted by the same member numbers, and description thereof is omitted. FIG. 18 is a block diagram showing functional blocks of the observation data display apparatus 200 according to the present embodiment. As shown in FIG. 18, the observation data display device 200 includes a data acquisition unit 20, an observation target classification unit 11, a reference position arrangement unit 12, a height calculation unit 13, a three-dimensional display unit 14, and a highlight unit. 21 and an observation target connection display section 22.

[0088] The data acquisition unit 20 includes an IP address (observation target identification information) for identifying a computer (observation target) in a computer network, and the number of cases where the computer has made unauthorized access and the number of incidents (incident number, It is for acquiring a set with (observed value). Day For example, as described above, the data acquisition unit 20 extracts a pair of the IP address and the number of incidents from the log file output for the incident.

In the present embodiment, the data acquisition unit 20 also acquires information on the occurrence time of each incident.

The observation target classifying unit 11, the reference position arranging unit 12, the height calculating unit 13, and the three-dimensional display unit 14 are the same as those in the first embodiment described above.

The highlight unit 21 is for highlighting a specific observation value among the observation values displayed by the three-dimensional display unit 14. In this embodiment, the highlight unit 21 receives incidents n times or more at a predetermined time interval or less based on incident information (source IP address, destination IP address, occurrence time) acquired by the data acquisition unit 20. Extract computers that have been sent (or received) continuously, and highlight the number of incidents for the extracted computers. Here, examples of the highlighting method include increasing the brightness of the bar graph that represents the number of incidents for the detected computer.

Note that the highlight unit 21 may highlight the number of incidents by superimposing a bar graph with increased brightness on the image created by the three-dimensional display unit 14 on the display device 50, or When the 3D display unit 14 creates a bar graph, highlight the number of incidents by causing the 3D display unit 14 to create a bar graph with increased brightness.

[0092] The observation target connection display unit 22 is for presenting the reception destination of each incident transmitted by a specific computer or for indicating the transmission source of each incident received by a specific computer. . The former will be described in detail. The observation target connection display unit 22 displays an image in which a specific computer and a computer that has received an incident transmitted from the computer are connected by a line segment. The same applies to the latter, and will not be described below.

[0093] Based on the incident information acquired by the data acquisition unit 20 (the IP address of the transmission source and the IP address of the reception destination), the observation target connection display unit 22 becomes the transmission source of a specific computer (IP address). Incidents are extracted and the destination computer (IP address) is identified. Then, create an image that connects the source computer and the identified destination computer with line segments. . The specific computer is preferably selected by, for example, the user clicking a bar graph representing the number of incidents with a mouse or the like.

Note that the observation target connection display unit 22 may display the relationship between the transmission source and the reception destination by superimposing a line segment on the image created by the three-dimensional display unit 14 on the display device 50. Alternatively, when the 3D display unit 14 creates a bar graph, the relationship between the transmission source and the reception destination may be displayed by causing the 3D display unit 14 to create an image including a line segment.

In this embodiment, the observation data display device of Embodiment 1 is compared with

• Highlights of computers with statistical features

, Line segment display between computers sending and receiving incidents

Two enhancements were made. As a result, the following effects can be obtained.

• Distinguish between regular incidents that occur due to misconfigurations or malfunctions, and human-induced concentrated attack incidents or severe troubles that affect the network.

[0096] Further, the observation data display apparatus according to the present embodiment is further expanded by the following functions.

• Ability to improve the identification of highly malicious incidents, the magnitude of damage, and incidents through linkage with data mining and database technology

• Display function that makes the display of incidents with low maliciousness and damage inconspicuous

• Information visualization function that effectively expresses time-series changes in unauthorized access trends

[Embodiment 3]

An observation data display apparatus according to still another embodiment of the present invention will be described with reference to FIGS. The outline of the observation data display apparatus according to this embodiment is as follows.

[0098] IDS (Intrusion Detection System) has recently been used for the purpose of security maintenance management of computer networks. ) Technology research and development is progressing. However, the current IDS products still have problems such as the huge amount of log output information and the lack of analysis technology for complicated network attacks. In the present embodiment, as one means for improving this problem, a technology for supporting an overview understanding and detailed search of network intrusion detection data by applying an information visualization technology is provided. In this embodiment, a group of computers distributed in the computer network is hierarchized by IP address and displayed on the screen using the information visualization technology based on the basic technology described above. By mapping the statistics of intrusion detection data on this screen display, it is possible to observe several realistic network intrusion detection behaviors.

[0099] With the spread of damage caused by unauthorized access to the Internet and viruses, IDS

(Intrusion Detection System) is actively researched and commercialized. Many of these IDS products detect fraud (incidents) without omission, assuming that certain safety measures have been taken for the monitored network. However, when actually operating IDS products in a large-scale and highly open network, the following problems occurred (Sawada, Takakura, Okabe, “Open-type large”). IDS log monitoring support system for large-scale networks, ”IPSJ Transactions, 44, 8, pp. 1861-1871, 2 003).

'In an email notification system that sends one alert for each incident, the volume of alert emails is enormous and it is difficult to understand the correlation and statistical trends.

• Recent unauthorized access tends to be complicated, and there are many cases in which a series of unauthorized access consists of multiple signatures (incident types and patterns). It is not enough.

• Due to the large number of incidents, it is not easy to operate a database for post-analysis of incidents.

• The conventional exploratory browsing system using GUI makes it difficult to search for important incidents. It is difficult for busy administrators to handle, and is not suitable for sharing knowledge among many administrators. There are problems such as not suitable for.

[0100] The means to solve these problems and realize highly secure network operation is Some are possible. In the present embodiment, an observation data display device to which a technology called “information visualization” that presents information features by CG technology will be described. The observation data display device of this embodiment uses the basic technology described above for large-scale hierarchical data, and provides statistics on incidents spread over large networks with thousands or tens of thousands of computers. The whole picture is displayed on one screen. With the observation data display device according to this embodiment, it is considered that the problem of conventional G UI technology that can easily grasp the tendency of a large number of incidents can be improved.

[0101] Unauthorized access detection, warning, and analysis technologies have already been commercialized. Neither product has solved the above-mentioned problems. Several improvement methods have been proposed for this problem. For example, there is a study that supports post-incident analysis of incidents using an integrated management database that accumulates incidents detected by IDS (Otani, Kuwata, Kosako, Inoue, “Analysis of unauthorized access detection information using integrated database and Decision Support System ”, 13th Data Expensive Workshop, A1-6, 2002.) There is also research aiming at high-precision incident analysis using analytical methods such as text mining and periodicity analysis. (Enomoto, Izumi, Tamura, Fukunaga, “Network 'Server Operation and Monitoring Support System, Journal of System Control Information Society”, 15, 6, pp. 279-287, 2002.) ₀

[0102] A number of techniques for expressing statistical trends of incidents through information visualization have been published. Reference 1 proposes a technique called “appearance log”. In this method, the screen is divided horizontally, the number of incidents by time for the entire incident is displayed in a column on the left side, and the breakdown of incidents at a certain time specified by the user is displayed on the right side. This method is characterized in that it can simultaneously express the overall trend and local trend of incidents. Also, the power of the data structure differs from IDS. In Reference 2, the access log file of one web server is targeted, and the coordinate system called Parallel Coordinate is arranged with the attribute type on the horizontal axis and the attribute value on the vertical axis. Axelsson has proposed a method for allocating access. This method supports the understanding of the detailed nature of unauthorized access by expressing the correlation between the attribute values of unauthorized access.

[0103] Unlike the conventional method described above, the observation data display apparatus of this embodiment is intended for a large-scale network to which a large number of computers of thousands or tens of thousands are connected. The purpose is to visualize the distribution of incidents sent and received on a computer in the computer network space. The proposed method of this report is based on artificial factors lurking in a large amount of unauthorized access, such as

• Attack a large number of computers from one computer.

• Attack a single computer from a large number of computers.

• When an external force virus is placed on a computer belonging to a specific organization, the computer turns into an attacker and attacks others all at once.

• Attack a large number of computers belonging to a specific organization simultaneously from outside the organization.

Thus, it is considered to be suitable for visualizing human factors related to the spatial distribution of computers.

The observation data display apparatus according to the present embodiment is intended to represent the entire picture of large-scale hierarchical data on one screen. In the observation data display device according to the present embodiment, leaf nodes constituting hierarchical data are represented by icons, and branch nodes are represented by nested rectangular frames. Note that these functions are obtained by the reference position arrangement unit.

FIG. 5 shows a visualization example of hierarchical data by the observation data display device according to the present embodiment. The observation data display device is equivalent to hierarchical data having thousands and tens of thousands of leaf nodes, and leaves all leaf nodes on a screen as large as possible without overlapping each other on the screen. It has an advantage over other hierarchical data visualization devices in that it can be expressed as

In the observation data display apparatus according to the present embodiment, the computer group is grouped by paying attention to the IP address of the computer connected to the network. First, group the computers with the same upper 1 byte (octet) of the IP address, then group the computers with the same upper 2 bytes, and then group the computers with the same upper 2 bytes. As a result, hierarchical data having four levels of hierarchy is constructed. FIG. 16 is a diagram showing an example in which eight computers are stored in hierarchical data with reference to IP addresses. By visualizing this with the basic technology described above, a distribution map of computers on the network is expressed.

[0107] By displaying each computer as an icon using the observation data display device according to the present embodiment, data relating to each computer can be represented on the screen without overlapping, and the IP Computer groups with the same high-order byte of the dress (in many cases, computer groups belonging to the same organization) can be recognized as a group on the screen. Such an expression is the purpose of this embodiment, for example,

'Thousands' tens of thousands of IP addresses for a large-scale network environment, all aspects of unauthorized access statistical trends related to individual IP addresses are displayed on a single screen ヽ

• Understand the unauthorized access tendency of computers belonging to the same organization (= computers with the same top 2 or 3 digits of IP address) as “illegal access groups” ヽ

It can be said that this technique is very suitable for such purposes.

[0108] Unauthorized access data, which is data input to the observation data display device of the present embodiment, is based on the IDS log data file output from Cisco's Cisco Secure IDS 4320 described above. This system detects unauthorized access based on a typical pattern called signature. The data acquisition unit performs the following processing. Of the data output to the log file for one detected unauthorized access detection, the observation data display apparatus according to this embodiment refers to the following data.

'Source IP address.

• Destination IP address.

'time of occurrence.

• A positive integer ID representing the type of fraud.

• Levels representing the risk level (5 levels).

In this embodiment, for a large number of unauthorized accesses described in the log file, the data acquisition unit first lists the IP addresses described in the transmission source and reception destination, and sets the value of each byte of the IP address. Build a hierarchical structure by referring to it.

[0110] Next, for each IP address, the data acquisition unit aggregates the number of unauthorized accesses that became the transmission source and the number of unauthorized accesses that became the reception destination. At this time, it is possible to allow the user to set conditions such as the range of occurrence time, the type and importance of fraudulent access, and to calculate the number of fraudulent cases that satisfy the condition.

[0111] Subsequently, the reference position arrangement unit displays the hierarchical data constituted by the IP address by the basic technique described above. At this time, the height is given to the leaf node corresponding to each IP address. This expresses the number of unauthorized accesses that became the source and destination of each IP address. As shown in Fig. 12, by assigning different colors to the number of unauthorized accesses that became the sender and the number of unauthorized accesses that became the recipient, it is possible to express the number of unauthorized accesses so as to bundle the bar graphs. preferable.

[0112] In order to enhance the effect of unauthorized access visualization, the observation data display device of this embodiment preferably has the following extended functions. These extended functions enable the above-mentioned literature (Sawada, Takakura, Okabe, “IDS log monitoring support system for open large-scale networks”, IPSJ Journal, 44, 8, pp. 1861-1871, 2003 The log monitoring support system policy proposed in) can be satisfied. Specifically, the following expanded functions (1) and (2) will enable detailed analysis of the entire statistical distribution of unauthorized access, as well as an overview. In addition, the following extended function (3) can reduce the manual operation by the administrator and provide a general browsing means using a Web browser.

[0113] (1) Unusual and illegal functions of unauthorized access

As the extended function (1), for example, the highlight section has a function of expressing a bar graph having an unauthorized access group having a numerically unique tendency in a particularly bright color. For example,

• Unauthorized access from the same source to a large number of recipients, • Unauthorized access from a large number of recipients at the same destination

IP address where the number of unauthorized access increases rapidly compared to the previous time zone

Highlighting can alert the network administrator.

[0114] (2) Visualization function focusing on specific IP address

As the extended function (2), for example, when a bar graph corresponding to a specific IP address is clicked on the screen, only the unauthorized access that uses that IP address as the source or destination is re-aggregated and displayed, and The observation target connection display unit 22 displays a line segment connecting the transmission destination and the reception destination. This function allows the network administrator to search for details of unauthorized access related to a specific computer. However, this function cannot be realized by the report function on the Web browser introduced in the extended function (3) below.

[0115] (3) —Report function at regular intervals As the extended function (3), the number of unauthorized accesses is tabulated and visualized at regular time intervals (eg every 5 minutes), and the results are stored in the JPEG image by the observation result storage unit. By automatically generating a Web page that can be used as a table of contents for the JPEG image group, the appearance tendency of unauthorized access can be observed only with a Web browser without using the user interface unique to this method.

[0116] A configuration for realizing such an observation data display device will be described below.

Note that members having the same functions as those in the first and second embodiments described above are denoted by the same component numbers, and description thereof is omitted. FIG. 19 is a block diagram showing functional blocks of the observation data display device 300 according to the present embodiment. As shown in FIG. 18, the observation data display device 300 includes a data acquisition unit 30, an observation target classification unit 11, a reference position arrangement unit 12, a height calculation unit 13, a 3D display unit 14, a highlight unit 21, and an observation unit. The target connection display unit 22, an observation result storage unit 31, and an observation data image database 32 are further provided.

[0117] The data acquisition unit 30 has an IP address (observation target identification information) for identifying a computer (observation target) in a computer network, the number of cases where the computer has made unauthorized access and the number of cases received (incident number, It is for acquiring a set with (observed value). For example, as described above, the data acquisition unit 30 extracts a set of the IP address and the number of incidents from the log file output for the incident.

The data acquisition unit 30 also acquires information on the occurrence time of each incident. In the present embodiment, the data acquisition unit 30 totals incidents at regular intervals (for example, every 5 minutes) based on the information on the occurrence time.

[0118] The observation target classification unit 11, the reference position arrangement unit 12, the height calculation unit 13, the three-dimensional display unit 14, the highlight unit 21, and the observation target connection display unit 22 are the same as in the first and second embodiments described above. Is

The observation result storage unit 31 stores an image to be displayed on the display device 50 by the three-dimensional display unit 14 in the observation data image database 32. As described above, since the data acquisition unit 30 aggregates incidents at regular intervals, images indicating observation results at regular intervals are accumulated in the observation data image database 32. In addition, when the observation data display device 300 includes the highlight section 21, the display is highlighted. It is preferred to save the image. Therefore, the observation result storage unit 31 stores an image in which the highlight effect by the highlight unit 21 is reflected on the image created by the three-dimensional display unit 14 in the observation data image database 32. The observation data image database 32 is realized by various storage devices such as RAM or HDD that can store image data.

[0120] In the present embodiment, the observation data display device has been described that displays the statistical tendency of unauthorized access to a large-scale network on one screen using the basic technology described above. The observation apparatus 100 according to the present embodiment is a computer whose observation target is connected to a computer network, and the observation target identification information is address information having a hierarchical structure in the computer network assigned to the computer. The reference position placement unit divides the address information into partial information for each layer, and groups the computers having the same partial information in the order of the partial information in the upper layer, so that the reference position of each computer is doubled. Each group is arranged in a two-dimensional plane.

[0121] The observation data display apparatus according to the present embodiment may be further added with the following extended functions.

(a) An information visualization function that can effectively warn of unauthorized access with high maliciousness and unauthorized access through linkage with data mining and database technology.

(b) An information visualization function suitable for analyzing the tendency of unauthorized access for a long period of one week or one month, not as short as 5 to 10 minutes.

(c) An information visualization function that effectively represents time-series changes in unauthorized access trends.

[0122] The observation data display device according to the present embodiment extends the basic technology described above to classify inspection objects and measurement values into a three-dimensional space based on IP addresses, and displays the number of alarms as a bar graph. In addition, we developed a function that displays the relevance of an attack target as a line segment and displays the time change as a movie, and a device that removes unnecessary alarms from the display. This makes it possible to identify phenomena occurring before and after unauthorized access, and after unauthorized access precursors (reconnaissance activity) and countermeasures against unauthorized access, which were difficult to identify with conventional detection systems. Even secondary damage (retaliatory attacks and attacks that try to avoid detection of a very small number) can be seen. In addition, the change of viewpoint that the visualization system should be equipped as standard. Furthermore, it is preferable to support enlargement / reduction display.

[0123] Further, the observation data display device according to each embodiment may further include a mechanism (interface) capable of performing a moving image display of the visualized information and a further classification 'filtering operation on the visualized information.

[0124] The observation data display device according to the present embodiment three-dimensionally displays the measurement values of about 10 to 100 million monitoring targets. Furthermore, while the majority of monitoring targets measure values close to zero as normal values, a very small number of targets have values of several thousand or more per second, and 99% of the force is measured as false detections. True outliers can be highlighted.

[0125] Finally, each function of the observation data display device, in particular, the data acquisition unit, the reference position arrangement unit, the observation value plot unit, the height calculation unit, the three-dimensional display unit, the highlight unit, the observation target connection display unit, The observation result storage unit may be configured by hardware logic, or may be realized by software using a CPU as shown below!

That is, the observation data display device expands the CPU (central processing unit) that executes the instructions of the control program that realizes each function, the ROM (read only memory) that stores the program, and the program. A random access memory (RAM), a storage device (recording medium) such as a memory for storing the above program and various data, and the like. An object of the present invention is a recording in which the program code (execution format program, intermediate code program, source program) of the control program of the observation data display device, which is software that realizes the above-described functions, is recorded in a computer-readable manner. This can also be achieved by supplying the medium to the observation data display device and reading and executing the program code recorded on the recording medium by the computer (or CPU or MPU).

[0127] The recording medium includes, for example, a tape system such as a magnetic tape and a cassette tape, a magnetic disk such as a floppy disk Z hard disk, and an optical disk such as CD-ROMZMOZ MD / DVD / CD-R. Disk systems, IC cards (including memory cards) Z optical cards and other card systems, or mask ROMZEPROMZEEPROMZ flash ROM and other semiconductor memory systems can be used.

[0128] The observation data display device may be configured to be connectable to a communication network, and the program code may be supplied via the communication network. As this communication network, For example, the Internet, intranet, extranet, LAN, ISDN, VAN, CATV communication network, virtual private network, telephone line network, mobile communication network, satellite communication network, etc. can be used. is there. In addition, the transmission medium constituting the communication network is not particularly limited. For example, even with IEEE1394, USB, power line carrier, cable TV line, telephone line, ADSL line, etc., infrared rays such as IrDA and remote control, B1 It can also be used with radio such as uetooth (registered trademark), 802.11 radio, HDR, mobile phone network, satellite line, terrestrial digital network. The present invention can also be realized in the form of a computer data signal embedded in a carrier wave, in which the program code is embodied by electronic transmission.

[0129] As described above, the observation data display device of the present invention has a data acquisition unit that acquires a set of observation target identification information for specifying an observation target and an observation value obtained by observing the observation target. A reference position placement unit for placing a reference position for displaying the observation value of the observation target in the two-dimensional plane based on the observation target identification information, and a height corresponding to the observation value for each observation value. An image in which the height calculation unit to be calculated and the observed value are expressed by the height calculated by the height calculation unit at the reference position arranged by the reference position arrangement unit. And a three-dimensional display unit that displays the image on a display device. Therefore, as described above, it is possible to three-dimensionally display the observation values obtained from a large number of monitoring target forces.

[0130] In addition, the observation data display device further includes an observation target classification unit that classifies the observation target into a hierarchical cluster based on the observation target identification information, and the reference position arrangement unit includes the observation target classification unit. It is preferable to arrange the reference positions for displaying the observed values so as to have a nested structure in a two-dimensional plane based on the hierarchical cluster.

[0131] According to the above configuration, the reference position is arranged so as to have a nested structure based on the identification information for identifying the observation target. Therefore, when the observation value of each observation target is displayed, the observation target is grouped according to the identification information. For this reason, the user can easily grasp the relationship between the observation value and the observation target. For example, the number of unauthorized accesses as an observed value, and a computer connected to a computer network as an observation target If IP addresses are used as identification information, computers are grouped based on IP addresses (for example, for each segment), so users can easily understand how much unauthorized access exists on which network. can do.

[0132] In addition, it is preferable that the reference position arranging unit arranges the reference positions so that the reference positions of observation targets classified into the same cluster are gathered together.

[0133] Preferably, the observation target is a computer connected to a computer network, and the observation target identification information is address information having a hierarchical structure in the computer network assigned to the computer.

[0134] According to the above configuration, observation values obtained by observing a large number of computers connected to a computer network can be three-dimensionally displayed.

[0135] Further, it is preferable that the observed value is one or both of the number of attempts for unauthorized access and the number of attempts for unauthorized access.

[0136] According to the configuration described above, the number of unauthorized accesses obtained by observing a large number of computers connected to a computer network can be displayed in three dimensions.

[0137] In addition, the observation data display device described above shows a line segment indicating a correspondence relationship between a computer that has attempted unauthorized access and a computer that has attempted unauthorized access, as a reference position or a reference position of both computers. It is preferable to further include an observation target connection display unit for displaying the upper bar graph on the display device as both ends.

[0138] According to the above configuration, the relationship between a computer that has attempted unauthorized access and the computer that has been attempted unauthorized access can be clearly displayed.

[0139] The observation data display device further includes a storage unit that stores image data, and an observation result storage unit that stores image data of an image to be displayed on the display device by the three-dimensional display unit in the storage unit. I prefer to be prepared.

[0140] According to the above configuration, the image data indicating the observation result can be stored in the storage unit.

Therefore, it is possible to read out the image data later from the storage unit and view what the observed value of the observation object is as a three-dimensionally displayed image.

[0141] The observed value is one or both of the number of unauthorized access attempts and the number of unauthorized access attempts, and the data acquisition unit extracts the observed value at predetermined time intervals. Preferably, the observation result storage unit stores the image data of the image created for the observation value for each predetermined time in the storage unit.

[0142] According to the above configuration, the storage unit observes the number of unauthorized accesses per predetermined time and accumulates the displayed image data. Therefore, it is possible to identify the unauthorized access that occurred in relation to the unauthorized access before and after a certain unauthorized access, and the precursory phenomenon of unauthorized access related to each monitoring target that was difficult to grasp with the conventional detection system ( Reconnaissance activities) and secondary damage after countermeasures against unauthorized access (retaliatory attacks and attacks that attempted to avoid detection by a very small number) can be seen.

[0143] Further, the observation data display device is a computer in which the observation target is connected to a computer network, and the observation target identification information has a hierarchical structure in the computer network assigned to the computer. This is address information, and the reference position arrangement unit divides the address information into partial information for each layer, and groups computers having the same partial information in the order of partial information in the upper layer. The reference positions may be arranged in groups and arranged in a two-dimensional plane.

[0144] According to the above configuration, for example, computers on a network can be grouped based on address information having a hierarchical structure such as an IP address. Therefore, an observation data display device can be realized.

[0145] Further, in the observation data display device, the observed values are the number of unauthorized accesses that are transmitted from and received by the computer that is the object of observation, and the observed value plot unit is transmitted. The bar graph indicating the unauthorized access that is the original and the bar graph indicating the number of unauthorized accesses that are the reception destination may be overlapped and plotted at the reference position.

[0146] According to the above configuration, an observation data display device that can be suitably used for IDS (Intrusion Detection System) can be realized.

[0147] Further, the observation data display device displays a line segment indicating the correspondence relationship between the computer that has been the source of unauthorized access and the computer that has been the recipient of the unauthorized access. It may further include an observation target connection display unit for displaying each reference position of the user or a bar graph on the reference position as both ends.

[0148] According to the above configuration, the relationship between the unauthorized access source computer and the received destination computer is visually displayed, so that the unauthorized access source computer and / or the unauthorized access destination computer can be instantly identified. Can do.

In this case, the observation data display apparatus may be realized by a computer. In this case, the observation data display apparatus is realized by the computer by operating the computer as each unit. An observation data display program and a computer-readable recording medium on which the observation data display program is recorded also fall within the scope of the present invention.

[Example 1]

The force described with reference to FIGS. 8 to 11 for one example of the observation data display device described in the first embodiment is not limited to this.

[0151] A program for operating the observation data display device is implemented on Java (registered trademark) 1.4 and executed on IBM ThinkPad A31p (CPU 1.7GHz, RAM 756MB) and Microsoft Window s (registered trademark) 2000 did. The GUI was implemented using the Java (registered trademark) Swing library, and the 3D image generation function was implemented using the Java (registered trademark) AWT library.

[0152] The IDS log file used in the experiment was recorded over 6 hours in an existing network environment, with 61822 lines of incident records, and incidents detected over 3984 IP addresses. As a result of the measurement, it took 120 seconds to read the IDS log file, approximately 0.6 seconds in total for hierarchical data construction and view application, and 7.1 seconds on average to recount access counts and generate JPEG images.

[0153] In the image example presented below, for each IP address, the number of incidents that are the sender is displayed in blue, and the number of incidents that are the recipients is displayed in red. The leaf node corresponding to the IP address that was zero for both the destination and the receiver is displayed with a gray icon with a height of zero.

[0154] Fig. 8 shows the results of counting incidents for 5 minutes from a certain time, Fig. 9 shows the results of collecting data for 5 minutes immediately after that, Fig. 10 shows the results of counting for 5 minutes two hours later, and Fig. 11 shows the results of 2 5 minutes after time It is an example of visualizing the total results between each.

[0155] At the target time point in Fig. 8, there is a tendency that incident sources are set at many senders and that incidents are being tried at many recipients. At the target time in Fig. 9, it can be seen that the computer that successfully started the incident source is attacking intensively toward a specific recipient. At the time point shown in Fig. 9, the computer that was the source in Fig. 10 has already been dealt with, but a similar incident source is set on another computer to attack other recipients in a concentrated manner. You can see that In addition, Figure 11 shows that many computers in a specific domain are receiving incidents across the domain.

[Example 2]

The force described with reference to FIGS. 13 to 15 for one example of the observation data display apparatus described in the second embodiment is not limited to this.

[0157] A program for operating the observation data display device is implemented on Java (registered trademark) 1.4 and executed on IBM ThinkPad A31p (CPU 1.7GHz, RAM 756MB) and Microsoft Window s (registered trademark) 2000 did. The GUI was implemented using the Java (registered trademark) Swing library, and the 3D image generation function was implemented using the Java (registered trademark) AWT library.

[0158] The execution example shown below uses a one-hour IDS log file of an existing computer network. This log file contains 30306 incidents involving 1569 computers. It should be noted that part of the execution example cannot recognize the effect on paper printed in black and white!

[0159] Figure 13 shows the total number of incidents per hour. In the white circles, four computers with many incidents as recipients can be seen, but one of them has a dark bar graph color. This received incident is unlikely to be a persistent man-made attack or a severe problem with a large impact, so it is considered less dangerous than the other three. In this way, from Fig. 13, the power that can be seen by four computers that have been attacked in large numbers in one of the white circles. One of them recognizes that the bar graph color is dark, so the risk is lower than the other three. Can do.

[0160] Figure 14 shows a calculator in which the bar graph color is brighter among the four units shown as white circles in Figure 13. One of them is specified, and its destination is indicated by a yellow line. This result shows that there are a large number of computers that send unauthorized access to specific computers, but most of them are computers in the same organization in a broad sense. Also, if we focus on the incident of the computer that is the sender, we can see that many of these computers receive one or two incidents and send many incidents to the same computer. This fact suggests that a large number of sender computers may have turned to senders after receiving an incident. In this way, from Figure 14, the power of sending unauthorized access from a large number of computers to one computer. Most of the senders received 1 or 2 times of unauthorized access before transmission. Wow.

FIG. 15 shows an example in which another computer that has received a large number of incidents is designated. This calculator has received multiple computer power incidents in the same organization in a narrow sense. A closer examination revealed that this incident was detected as an incident, as it was an organizational necessity rather than a malicious attack, and the same computer was exceptionally accessed. . As shown in Fig. 15, unauthorized access is transmitted from multiple computers in the same organization to one computer.

[Example 3]

The force described with reference to FIGS. 8, 9, 10, 14 and 15 for one example of the observation data display apparatus described in the third embodiment is not limited to this.

[0163] In this example, we will present examples of visualization of a large number of incidents that actually occurred in a large-scale network, and explain what phenomena could be visually understood.

[0164] A program for operating the observation data display device is implemented on Java (registered trademark) 1.4 and executed on IBM ThinkPad A31p (CPU 1.7GHz, RAM 756MB) and Microsoft Window s (registered trademark) 2000 did. The GUI was implemented using the Java (registered trademark) Swing library, and the image generation function was implemented using the Java (registered trademark) AWT library. We have also developed a GUI that aggregates the number of unauthorized accesses by setting conditions such as the risk level and the time of occurrence.

[0165] An example of visualizing IDS data recorded in an existing network environment is shown below using Figs. In this example, the fraudulent source for each computer The number of accesses is displayed in blue, and the number of unauthorized accesses that have been received is displayed in red. Computers where both the destination and the receiving source are zero are indicated by a gray icon with a zero height. Note that some of the execution examples cannot be recognized on black and white printed paper.

[0166] Figs. 8 to 10 are examples of IDS having unauthorized access records of 61822 lines recorded over 6 hours and unauthorized access detected over 3984 IP addresses. As a result of the measurement, the observation data display device of the present example is 120 seconds for reading the IDS log file, about 0.6 seconds in total for building hierarchical data and applying views, and average for recounting the number of accesses and generating JPEG images. It took 7.1 seconds.

[0167] Figure 8 visualizes the results of unauthorized access for 5 minutes from a certain time, Figure 9 visualizes the results of aggregation for 5 minutes immediately after, and Figure 10 visualizes the results of aggregation for 5 minutes 2 hours later. An example. From these visualization results, the following unauthorized access groups could be observed.

[0168] At the target time point in Fig. 8, there is a tendency that a large number of transmission source computers seem to have tried unauthorized access to a large number of reception destination computers. At the target point in Fig. 9, it is likely that a computer that has successfully started the source of unauthorized access is attacking intensively toward a specific computer. At the target time in Fig. 10, although the computer that was the transmission source in Fig. 9 has already been dealt with, other computers have also been launched with unauthorized access sources, and another computer has been intensively attacked. I understand that. In Figures 8 to 10, the sender is a computer outside the network and the receiver is a computer in the network.

[0169] Figures 14 and 15 show an example in which another IDS data is visualized, a specific bar graph is clicked on the screen, and the IP address corresponding to the bar graph is the source or destination. This is an example in which access is expressed by a line segment.

[0170] In the example shown in Fig. 14, the power of one computer receiving a large number of computer powers also received unauthorized access. Most of the computer groups that sent the data received one or two times of unauthorized access. After that, it can be seen that a large number of unauthorized accesses are sent to the same computer. From this visualization result, it was determined that there was a possibility that the same computer may have been subjected to a concentrated attack as a result of a number of computers being hijacked in the same way, and this unauthorized access itself was a kind of misinformation. There was a certain power. [0171] In the example shown in FIG. 15, a single computer also receives unauthorized access by multiple computers belonging to the same organization. This result suggests the possibility of unauthorized access throughout the organization.

[0172] The present invention is not limited to the above-described embodiments and examples, and various modifications can be made within the scope shown in the claims, and technical means disclosed in different embodiments can be used. Embodiments obtained by appropriate combinations are also included in the technical scope of the present invention.

Industrial applicability

[0173] The observation data display device of the present invention can be applied to all environments in which abnormal values or singular values are generated in a very small portion of data generated at a pace of several thousand or more per second. Examples include unauthorized access detection systems in networks, analysis software for data generated in the ubiquitous computing environment, software for detecting stock price fluctuation abnormalities, and systems that highlight sudden changes in inpatient sensor data.

Claims

The scope of the claims

[1] An observation data display device that displays the observed values of the observation target,

A data acquisition unit for acquiring a set of observation target identification information for specifying an observation target and an observation value obtained by observing the observation target;

A reference position placement unit for placing a reference position in the two-dimensional plane for displaying an observation value of the observation target based on the observation target identification information;

An observation value plotting unit for plotting the observation value of the observation target as a height from the reference position arranged by the reference position arranging unit;

An observation data display device comprising: a three-dimensional display unit that three-dimensionally displays an observation value on a display device based on the data generated by the observation value plot unit.

[2] The observation target is a computer connected to a computer network,

The observation target identification information is address information having a hierarchical structure in the computer network assigned to the computer,

The reference position arranging unit divides the address information into partial information for each layer, and groups the computers having the same partial information in the order of partial information in the upper layer, thereby grouping the reference positions of the computers. 2. The observation data display device according to claim 1, wherein the observation data display devices are arranged in a two-dimensional plane.

[3] The above observed values are the number of unauthorized accesses that were sent from and received by the computer being observed, and

The observation value plot unit is configured to superimpose a bar graph indicating unauthorized access as a transmission source and a bar graph indicating the number of unauthorized accesses as a reception destination, and plots them at the reference position. 2. Observation data display device according to 2.

[4] A line segment indicating the correspondence between the computer that sent the unauthorized access and the computer that received the unauthorized access is shown as a bar graph above the reference location. The observation data display device according to claim 3, further comprising an observation target connection display unit that displays as both ends.

[5] An observation data display device that displays observation values obtained by observing the observation target, and is obtained by observing the observation target identification information for identifying the observation target and the observation target A data acquisition unit that acquires pairs with observation values;

A reference position placement unit for placing a reference position for displaying an observation value of the observation target in a two-dimensional plane based on the observation target identification information;

A height calculator for calculating the height according to the observed value for each observed value;

A three-dimensional display unit that displays on the display device an image represented by the height calculated by the height calculation unit at the reference position arranged by the reference position arrangement unit. An observation data display device characterized by that.

[6] An observation object classification unit for classifying observation objects into hierarchical clusters based on the above observation object identification information!

The reference position arranging unit arranges the reference position for displaying the observation value of the observation target so as to have a nested structure in a two-dimensional plane based on the hierarchical cluster. The observation data display device according to claim 5.

[7] The observation data display device according to [6], wherein the reference position arrangement unit arranges the reference positions so that the reference positions of the observation targets classified into the same cluster are gathered together. .

[8] The observation target is a computer connected to a computer network.

8. The observation data display device according to claim 5, wherein the observation target identification information is address information having a hierarchical structure in the computer network assigned to the computer.

9. The observation data display apparatus according to claim 8, wherein the observed value is one or both of the number of attempts for unauthorized access and the number of attempts for unauthorized access.

[10] Observation that displays on the display device the line segment indicating the correspondence between the computer that has attempted unauthorized access and the computer that has been attempted unauthorized access, using both the reference positions of both computers or the bar graph on the reference position as both ends 10. The observation data display device according to claim 9, further comprising a target connection display unit.

[11] a storage unit for storing image data;

11. An observation result storage unit for storing image data of an image to be displayed on a display device by a three-dimensional display unit in the storage unit. Observation data display device.

[12] The observed value is one or both of the number of attempts for unauthorized access and the number of attempts for unauthorized access.

The data acquisition unit extracts the observation value for each predetermined time, and the observation result storage unit stores the image data of the image created based on the observation value for the predetermined time in the storage unit. The observation data display device according to claim 11, wherein the observation data display device is stored in a storage device.

[13] An observation data display method by an observation data display device that displays observation values of observation targets,

A data acquisition step of acquiring a set of observation object identification information for identifying an observation object and an observation value obtained by observing the observation object;

A reference position placement step for placing a reference position in the two-dimensional plane for displaying the observation value of the observation object based on the observation object identification information;

An observation value plotting step for plotting the observation value of the observation target as a height from the reference position placed by the reference position placement step;

An observation data display method comprising: a three-dimensional display step of three-dimensionally displaying an observation value on a display device based on the data generated by the observation value plotting unit.

[14] An observation data display method for displaying observation values obtained by observing an observation target, which is a set of observation target identification information for identifying the observation target and an observation value obtained by observing the observation target. A data acquisition step for acquiring

A reference position arrangement step for arranging a reference position for displaying the observation value of the observation object in a two-dimensional plane based on the observation object identification information;

A height calculating step for calculating the height according to the observed value for each observed value;

A three-dimensional display step for causing the display device to display an image represented by the height calculated by the height calculation unit at the reference position arranged by the reference position arrangement unit. An observation data display method characterized by hitting with.

[15] An observation data display program for operating the observation data display device according to any one of claims 1 to 12, wherein the computer functions as each of the above-described units. Data display program.

A computer-readable recording medium on which the observation data display program according to claim 15 is recorded.