KR20140078329A - Method and apparatus for defensing local network attacks - Google Patents
- Publication number: KR20140078329A
- Application number: KR1020120147589A
- Authority: KR (South Korea)
- Prior art keywords: network, attack, event, detection sensor, present
Classifications
- G—PHYSICS; G06—COMPUTING; CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING
  - G06F11/00—Error detection; Error correction; Monitoring
  - G06F11/30—Monitoring
  - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  - G06F21/55—Detecting local intrusion or implementing counter-measures
Abstract
The internal network target attack countermeasure device tracks and responds to the attack step by step based on ECDMAX (Exploit, C2, Download, Lateral Movement, External Network Attack, Exfiltration) in the behavior profile.
Description
The present invention relates to an apparatus and method for countering an internal network target attack.
Since 2009, the government and private sectors have spent tens of billions of won on DDoS defense systems. As a result, dedicated equipment has been installed in most government and private organizations to respond to DDoS attacks. However, there are many cases in which such equipment fails to defend against an attack even on well-equipped organizations. This is because current attack defense is centered on the defense functions of the equipment, which do not respond appropriately to evolving attacks, such as attacks using a new technique or a simple modification of an existing attack. Also, because of the structure in which large deviation occurs. In addition, demand for internal network security control is also increasing.
An object of the present invention is to provide an internal network target attack countermeasure apparatus and method.
The internal network target attack countermeasure apparatus according to an embodiment of the present invention tracks and responds to attacks step by step based on ECDMAX (Exploit, C2, Download, Lateral Movement, External Network Attack, Exfiltration) in the behavior profile.
According to the embodiment of the present invention, the attack profile can be tracked based on ECDMAX (Exploit, C2, Download, Lateral Movement, External Network Attack, Exfiltration). According to the embodiment of the present invention, it is possible to provide a tracking function and a related visualization function according to an attack progress state. In addition, according to the embodiment of the present invention, a tracking unit such as a service, a host, a network, an institution, and the like can be generated, and the degree of cooperation and the threat situation according to each attack step can be analyzed.
FIG. 1 is a view for explaining a threat analysis method of an internal network target attack countermeasure apparatus according to an embodiment of the present invention.
FIG. 2 is a view for explaining an attack tracking method of an internal network target attack countermeasure apparatus according to an embodiment of the present invention.
FIG. 3 is a configuration diagram of an internal network target attack countermeasure apparatus according to an embodiment of the present invention.
FIG. 4 is a diagram illustrating a detection policy of a counterpart apparatus according to an embodiment of the present invention.
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily carry out the present invention. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In order to clearly illustrate the present invention, parts not related to the description are omitted, and similar parts are denoted by like reference characters throughout the specification.
Throughout the specification, when an element is referred to as "comprising" another element, it means that it can include other elements as well, without excluding other elements unless specifically stated otherwise.
Next, an internal network target attack countermeasure apparatus and method will be described.
FIG. 1 is a view for explaining a threat analysis method of an internal network target attack countermeasure apparatus according to an embodiment of the present invention.
Referring to FIG. 1, the internal network target attack countermeasure device (hereinafter referred to as the "counterpart device") determines which events are threat analysis targets.
Each event is classified according to the information protection context it contains. Every event includes the host and service (port) information of the host that generated it. The counterpart device classifies events as trigger events, tracking events, or general events according to this information protection context. Trigger events and tracking events can be further classified into several event types according to the ECDMAX methodology. Here, ECDMAX stands for Exploit, C2, Download, Lateral Movement, External Network Attack, and Exfiltration.
The counterpart device tracks malicious activity based on these events; each event is shown in Table 1.
Trigger events include, for example:
- a particular host sends ICMP echo requests to its internal network more than 12 times in 2 seconds;
- a particular host within the internal network sends ICMP unreachable messages more than 3 times per second;
- traffic whose address is not included in the internal network address range is detected more than 10 times;
- a request is made for a service that does not exist on an internal network host;
- a request or response on an internal network host violates the internal security policy;
- incorrect authentication attempts against an internal network host occur more than three times a minute;
- an internal network host receives periodic data through continuous communication with an external host.
FIG. 2 is a view for explaining an attack tracking method of an internal network target attack countermeasure apparatus according to an embodiment of the present invention.
Referring to FIG. 2, the counterpart device generates a tracking object. The counterpart device generates a tracking object when a trigger event occurs and builds a behavior profile for the host that generated it. It then associates tracking events with each attack step according to ECDMAX (Exploit, C2, Download, Lateral Movement, External Network Attack, Exfiltration). The counterpart device can also expand general events and aggregate them into the corresponding units.
The counterpart device specifies the tracking unit. Tracking can be composed of six stages: Exploit, C2, Download, Lateral Movement, External Network Attack, and Exfiltration. The counterpart device distinguishes trigger events and tracking events by ECDMAX stage and adds tag information to each occurrence log. It can provide a tracking function and a related visualization function according to attack progress. It generates tracking units such as service, host, network, and institution, and analyzes the degree of connection and the threat situation at each attack step.
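The tracking procedure of FIG. 2 (a tracking object opened per host on a trigger event, later events tagged with their ECDMAX stage and attached to it, then aggregation by tracking unit) can be expressed as a small state machine. The following is an added example written for this page, not code from the patent; the `Event` field names, the `network`/`institution` attributes, the rule that tracking events for hosts without a tracking object are set aside, and the sample events are all assumptions.

```python
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Optional

# The six ECDMAX stages in attack order, as named on the page.
ECDMAX = ("Exploit", "C2", "Download", "Lateral Movement",
          "External Network Attack", "Exfiltration")
STAGE_INDEX = {name: i for i, name in enumerate(ECDMAX)}


@dataclass
class Event:
    """One sensor event. Field names and the kind/stage split are assumptions."""
    ts: float
    host: str             # host that generated the event
    service: int          # service (port) that generated the event
    kind: str             # "trigger", "tracking" or "general"
    stage: Optional[str]  # ECDMAX stage; None for general events
    network: str          # assumed tracking-unit attributes
    institution: str
    tags: list = field(default_factory=list)


@dataclass
class TrackingObject:
    """Behavior profile opened for a host by its first trigger event."""
    host: str
    created_at: float
    stages: dict = field(default_factory=lambda: defaultdict(list))
    general: list = field(default_factory=list)

    def furthest_stage(self) -> str:
        return max(self.stages, key=STAGE_INDEX.__getitem__)


def track(events):
    """Create tracking objects on trigger events, tag trigger/tracking events with
    their ECDMAX stage, and attach later events of tracked hosts. Tracking events
    for a host that has no tracking object are returned separately (assumption:
    the page only says objects are created on trigger events)."""
    objects, unassociated = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind in ("trigger", "tracking"):
            if ev.stage not in STAGE_INDEX:
                raise ValueError(f"unknown ECDMAX stage: {ev.stage!r}")
            if ev.kind == "trigger":
                obj = objects.setdefault(ev.host, TrackingObject(ev.host, ev.ts))
            else:
                obj = objects.get(ev.host)
                if obj is None:
                    unassociated.append(ev)
                    continue
            ev.tags.append(f"{ev.kind}:{ev.stage}")   # tag added to the occurrence log
            obj.stages[ev.stage].append(ev)
        elif ev.host in objects:                       # expansion of general events
            objects[ev.host].general.append(ev)
    return objects, unassociated


def aggregate(objects, unit):
    """Count tagged events per ECDMAX stage for each value of a tracking unit
    ("host", "service", "network" or "institution")."""
    if unit not in ("host", "service", "network", "institution"):
        raise ValueError(unit)
    counts = defaultdict(Counter)
    for obj in objects.values():
        for stage, evs in obj.stages.items():
            for ev in evs:
                counts[getattr(ev, unit)][stage] += 1
    return {k: dict(v) for k, v in counts.items()}


def sample_events():
    """Constructed sample events, not data from the page."""
    return [
        Event(100.0, "10.0.0.5", 80, "trigger", "Exploit", "net-A", "org-1"),
        Event(160.0, "10.0.0.5", 443, "tracking", "C2", "net-A", "org-1"),
        Event(200.0, "10.0.0.5", 443, "tracking", "Download", "net-A", "org-1"),
        Event(230.0, "10.0.0.5", 53, "general", None, "net-A", "org-1"),
        Event(300.0, "10.0.1.20", 445, "tracking", "Lateral Movement", "net-B", "org-1"),
        Event(310.0, "10.0.1.20", 445, "trigger", "Lateral Movement", "net-B", "org-1"),
        Event(400.0, "10.0.0.5", 22, "tracking", "External Network Attack", "net-A", "org-1"),
    ]


if __name__ == "__main__":
    objs, dropped = track(sample_events())
    for host, obj in objs.items():
        print(host, "furthest stage:", obj.furthest_stage(),
              {s: len(v) for s, v in obj.stages.items()})
    print("by institution:", aggregate(objs, "institution"))
    print("unassociated tracking events:", len(dropped))
```

The `furthest_stage` value is what a visualization of "attack progress" would plot per host, and `aggregate` gives the per-unit view (here by institution or network) that the page describes for analysing the threat situation at each attack step.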
FIG. 3 is a configuration diagram of an internal network target attack countermeasure apparatus according to an embodiment of the present invention.
Referring to FIG. 3, the counterpart device includes a detection sensor system that detects attacks in each region and a central control device system that responds to attacks from the center in conjunction with the detection sensor system of each region.
The detection sensor may include a detection sensor module, a collection agent, a detection policy application module, and an asset information profile module.
The detection sensor collects network packets. It performs detection according to the security policy of the central control device and detects signs of network abnormality. The detection sensor can collect session-based content rather than packet-based content. It can forcibly divert policy-violating malicious traffic at the network level. Because the detection sensor is required to record all normal behavior, not only information protection events, it can record network activity information. Detection sensors can collect information across the network stack through comprehensive traffic analysis from Layer 2 to Layer 7, and can perform network protocol level analysis. Detection sensors are installed at multiple locations to collect information and transmit it to the central control device, which can check the status of each network detection sensor and control its operation.
The detection sensor can be configured with a passive response mode using a network tap and an active response mode using a network bridge.
The detection sensor can automatically recognize network services: by analyzing the communication traffic of internal assets that it has automatically recognized, it detects the services operated by each host, classified by network, without using a host probe.
The detection sensor can automatically recognize operating systems, identifying the operating system of the host that generated a packet by analyzing the characteristics of the communication packets within the network.
The detection sensor can recognize application information, such as the web browser in use, through analysis of the application traffic operating in the network, which enables protocol-level separation of content.
Detection sensors can detect protocol violations in real time, for example unauthorized protocol operation on port 80.
The detection sensor can detect policy violations, for example reporting a policy violation event when five failed SSH logins occur within 10 seconds.
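The trigger events listed under FIG. 1 and the SSH policy violation above are all threshold rules over a sliding time window (plus one rule that needs an asset inventory and one that looks for regular timing). The following is an added example written for this page, not the patent's own code: it implements those thresholds as stated on the page over constructed sample records. The record format, the `10.0.0.0/8` internal range, the rule names, the 60-second window on the non-internal-address rule (the page states no window), the beacon jitter tolerance, and the asset inventory are assumptions.

```python
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed internal address space


def is_internal(addr: str) -> bool:
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


@dataclass(frozen=True)
class Alert:
    rule: str
    key: str
    ts: float


class CountRule:
    """Fires when matching records sharing a key exceed (or, with at_least, reach)
    `threshold` inside a sliding `window` of seconds; re-arms once the count falls."""
    def __init__(self, name, match, key, threshold, window, at_least=False):
        self.name, self.match, self.key = name, match, key
        self.threshold, self.window, self.at_least = threshold, window, at_least
        self.windows, self.fired = defaultdict(deque), set()

    def feed(self, rec) -> Optional[Alert]:
        if not self.match(rec):
            return None
        k = self.key(rec)
        q = self.windows[k]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        hit = len(q) >= self.threshold if self.at_least else len(q) > self.threshold
        if not hit:
            self.fired.discard(k)
            return None
        if k in self.fired:                      # already alerted for this burst
            return None
        self.fired.add(k)
        return Alert(self.name, k, rec["ts"])


class PeriodicRule:
    """Flags a src->dst pair whose last `min_samples` records are spaced at a
    near-constant interval (spread of gaps <= `jitter` seconds); fires once per pair."""
    def __init__(self, name, match, min_samples, jitter):
        self.name, self.match, self.min_samples, self.jitter = name, match, min_samples, jitter
        self.times, self.fired = defaultdict(deque), set()

    def feed(self, rec) -> Optional[Alert]:
        if not self.match(rec):
            return None
        k = f"{rec['src']}->{rec['dst']}"
        q = self.times[k]
        q.append(rec["ts"])
        if len(q) > self.min_samples:
            q.popleft()
        if len(q) < self.min_samples or k in self.fired:
            return None
        gaps = [b - a for a, b in zip(q, list(q)[1:])]
        if max(gaps) - min(gaps) > self.jitter:
            return None
        self.fired.add(k)
        return Alert(self.name, k, rec["ts"])


class AssetRule:
    """Flags a TCP/UDP request to a known internal host for a service that the
    asset inventory does not list for it."""
    def __init__(self, name, inventory):
        self.name, self.inventory = name, inventory

    def feed(self, rec) -> Optional[Alert]:
        services = self.inventory.get(rec["dst"])
        if services is None or rec["proto"] not in ("tcp", "udp") or (rec["proto"], rec["port"]) in services:
            return None
        return Alert(self.name, f"{rec['dst']}:{rec['proto']}/{rec['port']}", rec["ts"])


def build_rules(inventory):
    """Rules with the thresholds the page states; names and the 60 s window are assumed."""
    icmp = lambda t: (lambda r: r["proto"] == "icmp" and r["type"] == t
                      and is_internal(r["src"]) and is_internal(r["dst"]))
    return [
        CountRule("icmp_echo_sweep", icmp("echo"), lambda r: r["src"], 12, 2.0),
        CountRule("icmp_unreachable_burst", icmp("unreachable"), lambda r: r["src"], 3, 1.0),
        CountRule("non_internal_address", lambda r: not (is_internal(r["src"]) and is_internal(r["dst"])),
                  lambda r: r["src"] if not is_internal(r["src"]) else r["dst"], 10, 60.0),
        CountRule("auth_failure_rate", lambda r: r["type"] == "auth_fail", lambda r: r["dst"], 3, 60.0),
        CountRule("ssh_policy_violation", lambda r: r["type"] == "auth_fail" and r["port"] == 22,
                  lambda r: r["dst"], 5, 10.0, at_least=True),
        PeriodicRule("periodic_external", lambda r: r["type"] == "conn" and not is_internal(r["dst"]), 5, 2.0),
        AssetRule("unknown_service", inventory),
    ]


def run(records, rules):
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        alerts.extend(a for a in (rule.feed(rec) for rule in rules) if a)
    return alerts


INVENTORY = {"10.0.0.22": {("tcp", 22), ("tcp", 445)}}   # assumed asset inventory


def sample_records():
    """Constructed sample traffic records, not data from the page."""
    rec = lambda ts, src, dst, proto, port, typ: dict(ts=ts, src=src, dst=dst, proto=proto, port=port, type=typ)
    recs = [rec(0.1 * i, "10.0.0.5", f"10.0.0.{100 + i}", "icmp", None, "echo") for i in range(13)]
    recs += [rec(10.0 + i, "10.0.0.7", "10.0.0.22", "tcp", 22, "auth_fail") for i in range(5)]
    recs += [rec(20.0, "10.0.0.7", "10.0.0.22", "tcp", 3389, "conn")]
    recs += [rec(100.0 + 60 * i, "10.0.0.9", "203.0.113.10", "tcp", 443, "conn") for i in range(6)]
    recs += [rec(500.0 + i, "10.0.0.3", "10.0.0.1", "icmp", None, "echo") for i in range(3)]   # benign
    recs += [rec(600.0 + 0.1 * i, "10.0.0.30", "10.0.0.5", "icmp", None, "unreachable") for i in range(4)]
    return recs


if __name__ == "__main__":
    for a in run(sample_records(), build_rules(INVENTORY)):
        print(a)
```

On the constructed input the engine raises six alerts: the 13-packet echo sweep, the authentication-failure rate (at the fourth failure), the SSH policy violation (at the fifth failure within 10 s), the request for an unlisted service, the regularly spaced external connections, and the ICMP unreachable burst; the three benign echo requests and the single external connections stay below their thresholds.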
In the active response mode (bridge mode), the malicious traffic bypass function of the detection sensor can divert policy-violating traffic to a device such as an active honeypot, where its behavior can be observed.
The detection sensor can apply signatures created for an intrusion detection device, that is, signatures of the type generated by a general intrusion detection device.
The detection sensor can collect communication information between internal assets and aggregate the communication facts.
Detection sensors installed at multiple points can download policies from the central control device and apply them in real time, without transferring the policy manually or restarting the equipment.
Through a region-specific policy application and execution function, the detection sensor can selectively apply a local policy suited to each installation environment.
The detection sensor can collect logs including traffic information logs, application traffic information logs (DNS, HTTP, SSL), abnormal behavior information logs, and the like.
The detection module is implemented in the central control system, which responds to attacks from the center in conjunction with the detection sensor system of each region. It can detect violations of internal control through auditing of DNS queries and control of irregular protocols, and it can detect and block external access associated with intrusions or malicious activity. In addition, the counterpart device can detect and block information disclosure and exposure attempts through detection of connections to specific harmful domains and to blacklisted IP addresses.
The detection module's forcible DNS query redirection function can be configured to detect traffic that evades domain-based countermeasures. The detection module can detect protocol violations in key traffic such as HTTP, FTP, IRC, SMTP, SSH, and POP. It can detect the use of an external communication channel (backdoor) based on the kill chain model after a malicious code infection, and it can provide a domain- and IP-level response to traffic that accesses harmful domains.
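The DNS query audit, harmful-domain detection, blacklisted-IP detection and the domain/IP-level response described in the two paragraphs above can be shown as one pass over DNS logs of the kind the sensor collects. The following is an added example written for this page, not code from the patent. The log line layout, the approved resolvers, the harmful-domain and blacklist lists (documentation ranges and `.example` names), and the response actions are all constructed assumptions; a client that sends queries to a non-approved resolver is treated as evading the domain-based countermeasure.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed policy data, constructed for this example.
APPROVED_RESOLVERS = {"10.0.0.2", "10.0.0.3"}
HARMFUL_DOMAINS = {"bad.example", "c2.invalid"}
BLACKLIST_NETS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.200/32")]

# Constructed sample log; assumed layout: "<ts> <client> <dns-server> <qname> <qtype> <answer>"
SAMPLE_DNS_LOG = """\
2012-12-17T09:00:01 10.0.0.5 10.0.0.2 portal.good.example A 198.51.100.7
2012-12-17T09:00:02 10.0.0.5 10.0.0.2 update.bad.example A 203.0.113.44
2012-12-17T09:00:03 10.0.0.9 192.0.2.53 portal.good.example A 198.51.100.7
2012-12-17T09:00:04 10.0.0.7 10.0.0.2 mail.good.example A 203.0.113.9
2012-12-17T09:00:05 10.0.0.7 10.0.0.2 bad.example A NXDOMAIN
malformed entry
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    kind: str    # dns_policy_bypass | harmful_domain | blacklist_ip
    detail: str


def domain_listed(qname: str, listed) -> bool:
    """Exact or subdomain match against the harmful-domain list."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in listed)


def ip_listed(answer: str, nets) -> bool:
    """True when the answer is an address inside a blacklisted network."""
    try:
        ip = ip_address(answer)
    except ValueError:           # NXDOMAIN, CNAME targets and other non-address answers
        return False
    return any(ip in n for n in nets)


def audit(log_text: str):
    """Audit DNS log lines; returns (findings, number of lines skipped as malformed)."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            skipped += 1
            continue
        ts, client, server, qname, _qtype, answer = fields
        if server not in APPROVED_RESOLVERS:
            findings.append(Finding(ts, client, "dns_policy_bypass", server))
        if domain_listed(qname, HARMFUL_DOMAINS):
            findings.append(Finding(ts, client, "harmful_domain", qname.lower().rstrip(".")))
        if ip_listed(answer, BLACKLIST_NETS):
            findings.append(Finding(ts, client, "blacklist_ip", answer))
    return findings, skipped


def response(findings):
    """Domain-level and IP-level response actions derived from the findings (assumed names)."""
    actions = set()
    for f in findings:
        if f.kind == "harmful_domain":
            actions.add(("block_domain", f.detail))
        elif f.kind == "blacklist_ip":
            actions.add(("block_ip", f.detail))
        else:                    # client bypassing the approved resolvers
            actions.add(("redirect_dns", f.client))
    return actions


if __name__ == "__main__":
    found, bad = audit(SAMPLE_DNS_LOG)
    for f in found:
        print(f)
    print("skipped:", bad, "actions:", sorted(response(found)))
```

Note that the second sample line produces two findings (a harmful domain that also resolves into a blacklisted range), so both a domain-level and an IP-level action are emitted for it, and the malformed line is counted rather than silently dropped.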
FIG. 4 is a diagram illustrating a detection policy of a counterpart apparatus according to an embodiment of the present invention.
Referring to FIG. 4, the counterpart device defines all information generated in the network as events that can occur at each step. The counterpart device collects differentiated information through the Horizontal Meta Data Correlation Technique, and can establish a differentiated, context-based information collection system by linking to the accumulated cyber threat knowledge system through the large-capacity management module.
The counterpart device sets various security topologies for internal control, and can monitor the situation of each topology and respond to attacks on various types of networks.
As described above, according to the embodiment of the present invention, the attack profile can be tracked based on ECDMAX (Exploit, C2, Download, Lateral Movement, External Network Attack, Exfiltration). According to the embodiment of the present invention, it is possible to provide a tracking function and a related visualization function according to an attack progress state. In addition, according to the embodiment of the present invention, a tracking unit such as a service, a host, a network, an institution, and the like can be generated, and the degree of cooperation and the threat situation according to each attack step can be analyzed.
The embodiments of the present invention described above are not implemented only by the apparatus and method, but may be implemented through a program for realizing the function corresponding to the configuration of the embodiment of the present invention or a recording medium on which the program is recorded.
While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments; it belongs to the scope of rights.
Claims (1)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020120147589A KR20140078329A (en) | 2012-12-17 | 2012-12-17 | Method and apparatus for defensing local network attacks |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20140078329A true KR20140078329A (en) | 2014-06-25 |
Family
ID=51129965
Country Status (1)
Country | Link |
---|---|
KR (1) | KR20140078329A (en) |
Application status: 2012-12-17, KR KR1020120147589A patent/KR20140078329A/en, not_active (Application Discontinuation)
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105530243A (en) * | 2015-12-03 | 2016-04-27 | 中国南方电网有限责任公司信息中心 | Realizing method of network attack event quantitative hierarchical algorithm |
CN105530243B (en) * | 2015-12-03 | 2016-11-16 | 中国南方电网有限责任公司信息中心 | A kind of implementation method of assault quantitative classification algorithm |
KR102002560B1 (en) | 2019-01-09 | 2019-10-01 | 엘에스웨어(주) | Artificial intelligence based target account reconnaissance behavior detection apparatus |
KR102018348B1 (en) | 2019-03-06 | 2019-09-05 | 엘에스웨어(주) | User behavior analysis based target account exploit detection apparatus |
CN114363023A (en) * | 2021-12-23 | 2022-04-15 | 国家电网有限公司 | Method and system for implementing Web safety protection system and adjusting and optimizing strategy |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Pilli et al. | Network forensic frameworks: Survey and research challenges | |
US7197762B2 (en) | Method, computer readable medium, and node for a three-layered intrusion prevention system for detecting network exploits | |
US7493659B1 (en) | Network intrusion detection and analysis system and method | |
US7596807B2 (en) | Method and system for reducing scope of self-propagating attack code in network | |
US20050216956A1 (en) | Method and system for authentication event security policy generation | |
US20030188189A1 (en) | Multi-level and multi-platform intrusion detection and response system | |
US20030084319A1 (en) | Node, method and computer readable medium for inserting an intrusion prevention system into a network stack | |
Beg et al. | Feasibility of intrusion detection system with high performance computing: A survey | |
Krishnan et al. | An adaptive distributed intrusion detection system for cloud computing framework | |
Lin et al. | Implementation of an SDN-based security defense mechanism against DDoS attacks | |
KR20140078329A (en) | Method and apparatus for defensing local network attacks | |
KR20020072618A (en) | Network based intrusion detection system | |
CN117614717A (en) | Whole-flow handling system and method based on network security alarm event | |
Zaheer et al. | Intrusion detection and mitigation framework for SDN controlled IoTs network | |
Araújo et al. | EICIDS-elastic and internal cloud-based detection system | |
Chen et al. | Active event correlation in Bro IDS to detect multi-stage attacks | |
JP2006018527A (en) | Method, device and program for monitoring operation of computer network | |
JP2006050442A (en) | Traffic monitoring method and system | |
Kumar et al. | IPv6 network security using Snort | |
Fanfara et al. | Autonomous hybrid honeypot as the future of distributed computer systems security | |
Anand et al. | Network intrusion detection and prevention | |
Kumar et al. | Recent advances in intrusion detection systems: An analytical evaluation and comparative study | |
Rawat et al. | Securing WMN using hybrid honeypot system | |
Rizvi et al. | A review on intrusion detection system | |
KR20100041533A (en) | Network management method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | WITN | Withdrawal due to no request for examination | |