KR20170082934A - System for detecting abnormal behaviors allowing for personalized early use behavior occurrence probability deviation - Google Patents


Info

Publication number
KR20170082934A
Authority
KR
South Korea
Prior art keywords
behavior
abnormal
normal range
occurrence probability
profile
Prior art date
Application number
KR1020160002286A
Other languages
Korean (ko)
Inventor
김환국
김태은
조창민
나사랑
전지수
Original Assignee
한국인터넷진흥원
Application filed by 한국인터넷진흥원
Priority to KR1020160002286A
Publication of KR20170082934A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/2866 Architectures; Arrangements
    • H04L67/30 Profiles
    • H04L67/306 User profiles

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Technology Law (AREA)
  • Debugging And Monitoring (AREA)

Abstract

According to the present invention, when predetermined situation information is received from the situation information collection system in a BYOD (Bring Your Own Device) and smart work environment, the abnormality detection unit of the abnormal behavior detection system includes: a detection request classifying module for classifying a detection request message and transmitting the classified information to each analysis section of the abnormal behavior analysis module; an abnormal behavior analysis module for analyzing whether the user's use behavior is abnormal by performing a 'comparison of similarity of service page use order' and a 'use speed comparison' through an initial use behavior pattern analysis procedure; and an abnormal behavior detection module that generates a normal or abnormal result value once the analysis result is stored. The abnormal behavior analysis module includes an initial use behavior analyzing unit that calculates the occurrence probability (X) of the currently used initial page sequence, sets a normal range interval with respect to the average occurrence probability (N), and determines whether the current user's use behavior is abnormal by checking whether the occurrence probability X falls within that normal range.
Unlike existing network-based security devices that rely on network traffic analysis, the present invention provides a method for detecting abnormal behavior by patterning actions based on various action factors such as time, location and access network. The abnormal behavior detection system according to the present invention is intended to improve system security in the BYOD and smart work environment: after processing the status information into connection, use and agent situation information and into profile information, it detects abnormal connections of the terminal and their occurrence probability.

Description

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an abnormality detection system.

The present invention relates to a system for protecting internal resources in a BYOD and a smart work environment, and more particularly, to a system for detecting abnormal behavior in a BYOD and a smart work environment.

The spread of the Internet infrastructure and the development of mobile communication have brought about a change so great that it can be seen as a transformation of our society. In particular, mobile devices such as smartphones have become deeply embedded in our lives, well beyond being a means of communication. This trend has spread to the workplace and has introduced a new business environment called BYOD (Bring Your Own Device). BYOD is a concept that utilizes personal devices for business purposes: a personally owned mobile device such as a smartphone, laptop or tablet accesses internal IT resources such as the company's databases and applications. From the standpoint of the enterprise, BYOD promises faster, more efficient and more productive work through a more efficient business process. Moreover, since BYOD utilizes the personal device, there is no economic burden of paying for a separate business device. As a result, many companies are striving to introduce BYOD successfully, and users have already been using personal devices for their work before the companies are ready.

The new IT environment, the BYOD and smart work environment, has accelerated the formation of the wireless Internet environment, the popularization of smart devices such as tablet PCs and smartphones, the increased use of desktop virtualization and cloud services, and the emphasis on real-time communication and business continuity.

And, as the BYOD era arrives, the internal infrastructure of the enterprise is being transformed from a closed environment into an open one: anytime, anywhere access to the corporate infrastructure is allowed.

It is possible to access the corporate infrastructure through a wireless router (AP), switch, etc. inside the enterprise, and also from outside the company through a mobile communication network, public Wi-Fi and the like.

Such a change to an open environment has achieved business continuity and convenience, but a number of previously unexpected security threats can also occur. Above all, there is a high risk that internal data may be leaked as individual devices access the internal infrastructure of the enterprise. That is, internal data may be leaked through the loss or theft of a personal device, and corporate IT assets may be threatened when a personal device infected by malicious code accesses the internal intranet.

In order to solve these problems, KISA implemented an abnormal behavior detection system using personalized initial use behavior pattern analysis (Korean Patent Laid-Open No. 10-2015-0000990, hereinafter referred to as "prior art").

However, although the prior art determines whether the use behavior is normal according to the individual's behavioral deviation, it is limited in how it calculates the normal range, and its process for judging whether the user's behavior is abnormal is somewhat inadequate and ineffective. There is a need for an additional analysis algorithm that overcomes these problems and improves the performance of abnormal behavior detection.

Korean Patent Laid-Open No. 10-2015-0000990 (entitled "Abnormal behavior detection system using personalized initial use behavior pattern analysis")

SUMMARY OF THE INVENTION The present invention has been conceived to solve the above-described problems, and it is an object of the present invention to provide a device and a method for processing the status information of a BYOD and smart work environment, detecting an abnormal device connection, and detecting a real- The present invention provides an abnormality detection system that detects abnormal behavior based on the detected abnormal behavior.

Another object of the present invention is to provide an abnormal behavior detection system that compares the order and use rate of the pages used immediately after a user's connection with the pattern observed at past connections, through analysis of the initial use behavior pattern.

Additional features and advantages of the invention will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the invention. The objectives and other advantages of the present invention will be realized and attained by the structure particularly pointed out in the claims, as well as the following description and the annexed drawings.

Unlike existing network-based security devices that rely on network traffic analysis, the present invention provides a method for detecting abnormal behavior by patterning actions based on various action factors such as time, location and access network.

The abnormal behavior detection system according to the present invention is intended to improve system security in the BYOD and smart work environment: after processing the status information into connection, use and agent situation information and into profile information, it detects abnormal connections of the terminal and their occurrence probability.

The present invention relates to a method and apparatus for detecting unusual access/use behavior, including atypical data that can occur in a business scenario, that is, the type of equipment used, the connection time (e.g., working hours) and the usage time, as the user behavior pattern, whereby system security is improved in the BYOD and smart work environment.

BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is an illustration of a BYOD and smart work environment;
FIG. 2 is a block diagram of an abnormal behavior detection system according to the present invention;
FIG. 3 is a block diagram of an abnormal detection unit according to the present invention;
FIG. 4 is a flowchart illustrating an operation of a status information processing unit according to the present invention;
FIG. 5 is a block diagram of an initial use behavior analyzing unit according to the present invention;
FIG. 6 is a block diagram of an initial usage behavior analyzing unit according to the present invention;
FIG. 7A is a flowchart illustrating an operation of the abnormal detection unit according to the present invention;
FIG. 7B is a flowchart illustrating an initial usage behavior pattern analysis procedure according to the present invention;
FIG. 7C is a flow diagram illustrating a string similarity (LCS) comparison according to the present invention;
FIG. 8A is a diagram illustrating a processing table of current occurrence information for pattern analysis and detection of an initial use behavior;
FIG. 8B is a diagram illustrating a processing table of past behavior information for pattern analysis and detection of an initial use behavior;
FIG. 9 is a diagram illustrating an example of an operation of analyzing and detecting an initial usage behavior pattern according to the present invention;
FIG. 10 is an exemplary view showing a method of obtaining the average occurrence probability N of past page use procedures according to the present invention.

In order to accomplish the above object, the abnormality detection unit of the abnormal behavior detection system according to the present invention, which, when predetermined situation information is received from the situation information collection system in the BYOD (Bring Your Own Device) and smart work environment, detects an abnormal use behavior by comparing the user's use behavior pattern at the beginning of the connection with the past usage behavior pattern, comprises the following.

A detection request classification module for classifying the detection request message and transmitting the classified information to each analysis section of the abnormal behavior analysis module; an abnormal behavior analysis module for analyzing whether the user's use behavior is abnormal through an initial usage behavior pattern analysis process that compares the similarity of the service page usage order and compares the usage speed; and an abnormal behavior detection module for generating a normal or abnormal result value according to the result of the abnormal behavior analysis module. The abnormal behavior analysis module obtains the occurrence probability X of the currently used initial page sequence, sets a normal range interval with respect to the average occurrence probability N, and judges whether the use behavior of the current user is abnormal by checking whether X is within the normal range.

Preferably, the initial use behavior analyzing unit comprises: a page usage checking unit that checks the service page usage amount (N) of the current connection session and, if the checked usage amount N is smaller than a reference value, determines that the initial behavior is insufficient for analyzing abnormal behavior; a usage order detecting unit for obtaining the current initial service page usage order when the service page usage amount N is larger than the reference value; a connection pattern analyzing unit for inquiring the past initial service page usage orders having the same connection pattern and calculating the average utilization rate in the past; and a usage pattern analyzing unit for determining whether the user's initial use behavior pattern is within the normal range and, if it is, determining whether the user's usage behavior is abnormal by comparing the use behavior speed.

Preferably, the usage pattern analyzing unit includes: a past average occurrence probability calculating unit that obtains the average occurrence probability (N) related to the past initial page use orders with reference to the profile information in the storage unit; a normal range selection unit for determining a normal range for the average occurrence probability X such that the width between the maximum and minimum values is reduced, a normal result being output when X is within that range and an abnormal result when X is larger or smaller than it; a current average occurrence probability calculating unit that calculates the similarity between the current 'service page use order' and every past 'service page use order', averages the calculated similarity values, and thereby obtains the average occurrence probability X related to the current initial page use order; a utilization rate comparing unit for comparing the present initial utilization rate with the past initial utilization rate when the occurrence probability X is within the normal range; and a normal state determination unit that determines that the current user's use behavior is normal when the current usage state is that of a normal user.

According to another aspect of the present invention, there is provided an abnormal behavior detection method of an abnormal detection unit in an abnormal behavior detection system under a BYOD (Bring Your Own Device) and smart work environment, the abnormal detection unit detecting an abnormal usage behavior, when context information is received, by comparing the usage pattern of the user at the beginning of a connection with the past usage behavior pattern. The method comprises the following.

A step in which the detection request classification module classifies the detection request message and transmits the classified information to each analysis section of the abnormal behavior analysis module; a step in which the abnormal behavior analysis module analyzes whether the user's use behavior is abnormal by comparing the service page usage order and the utilization rate of the user; and a step in which the abnormal behavior detection module generates a normal or abnormal result value when the analysis result of the abnormal behavior analysis module is stored. In the analysis step, the abnormal behavior analysis module drives the initial use behavior analyzing unit to obtain the occurrence probability X related to the current initial page order, establishes a normal range with respect to the average occurrence probability N, and confirms whether the occurrence probability (X) is within the normal range, thereby performing the initial use behavior pattern analysis procedure to determine whether the behavior is abnormal.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings, so that those skilled in the art can easily carry out the present invention. In the drawings, like reference numerals refer to the same or similar functions throughout the several views.

The BYOD and smart work service can analyze the status information of a user accessing/using the company's internal service, judge in real time whether the user behavior is abnormal, and control the user's connection/use when necessary. The abnormal behavior detection system according to the present invention determines whether the user behavior is abnormal based on a previously stored normal profile, a previously set security policy, and the currently occurring behavior.

The status information refers to information related to connection, use, and termination of a user collected in the collection system and transmitted to the abnormal behavior detection system. The profile is an information set that identifies a user and quantifies a behavior of a user, and is information obtained by accumulating information on a user from the past and patterning the information. A series of behaviors for profile management such as profile creation, modification, deletion, and storage is called profiling.

FIG. 1 is an exemplary view showing a BYOD and smart work environment.

As shown in FIG. 1, the BYOD and smart work environment includes a situation information collection system 100, an abnormal behavior detection system 200, a control system 300, a personal use device 400, and a security system 500 (MDM server, NAC server, etc.).

The situation information collection system 100 collects status information related to authentication, connection, and connection termination from the personal use device 400 and the MDM agent device.

The collected situation information includes connection address information (e.g., id, affiliation, authority, current state, etc.), a connection pattern (authentication result, ...) and time information. Such situation information exists as both periodic transmission data and aperiodic (real-time) transmission data, but the situation information collection system 100 collects all of it as non-periodic transmission data.

As shown in FIG. 1, the abnormal behavior detection system 200 includes a status information receiving unit, a status information processing unit, and an abnormal behavior detection unit. It receives status information from the situation information collection system 100, performs abnormal behavior detection, and transmits the detected result to the control system 300 (dynamic access control middleware).

The abnormal behavior detection system 200 classifies the situation information received from the situation information collection system 100 by service connection session, processes the situation information as needed, and generates additional information such as a connection ID and a device ID. In addition, the accumulated data is patterned for each user ID to generate and update the profile. The processed information of the user's service connection and use is judged to be normal or abnormal based on the security policy and the user's normal profile, and the detection result of the system is transmitted to the control system 300 in real time.

The control system 300 receives the abnormal behavior information detected by the abnormal behavior detection system 200, controls the user through the GUI, or establishes and manages the security policy, and interlocks with the external security device. The control system 300 is connected to the abnormal behavior detection system 300 and an external security device (e.g., a genie, a waffle).

The personal use device 400 is a personal mobile device such as a smartphone, a laptop or a tablet, and can access IT resources inside the company such as the company's databases and applications.

The personal use device 400 generates status information related to authentication at the time of connection and termination of authentication in BYOD (Bring Your Own Device) and smart work environment. At this time, the situation information is as described above.

The security system 500 is located in a DMZ or a screened subnet and provides gateway functions for communication between the in-house network and the personal use device 400, such as authentication connections and direct push updates. A plurality of agents are connected to the security system 500 and generate the situation information described above.

FIG. 2 is a block diagram of an abnormal behavior detection system according to the present invention.

As shown in FIG. 2, the abnormal behavior detection system 200 according to the present invention includes a situation information receiving unit 210, a situation information processing unit 220, an abnormal detection unit 230, a profile management unit 250, an information analysis unit 260, and a storage unit 270.

The situation information receiving unit 210 receives various status information such as 'network connection', 'service use' and 'connection termination' from the physically separated status information collecting system 100 and passes it to the situation information processing unit 220 and the information analysis unit 260, respectively.

All received status information is transmitted to the status information processing unit 220, whereas only the situation information that the information analysis unit 260 can use, namely web service use request/response information, DB SQL batch request/response information and DB RPC request/response information, is conveyed to it. The information analysis unit 260 receives this usage information and analyzes the web site and DB utilization information.

As shown in FIG. 4, the status information processing unit 220 classifies the status information data received from the status information collecting system 100 according to type, processes it, and stores the processed status information data for each user's connection session.

The situation information processing unit 220 receives and processes the 'network connection', 'service use' and 'connection termination' status information received through the situation information receiving unit 210 and transmits it to the temporary storage of the storage unit 270. The temporary storage may be a DB, a file, memory, or the like.

The situation information processing unit 220 combines and processes the situation information on the basis of the connection ID, stores it in the temporary storage, and uses the processed information in the detection module. The connection ID is a combination of a connection address and a session ID.

If the status information related to the 'network connection' is received, the situation information processing unit 220 performs the process of adding or updating the connection information according to the authentication result and existence of the user connection information. The context information related to the 'network connection' includes general authentication success, general authentication failure, reinforced authentication, Agent installation authentication, and Agent access information.

When the situation information on 'service use' is received, the situation information processing unit 220 updates the service use information based on the same connection ID.

Then, when the status information on 'DB use' is received, the information is updated to the processed information. When the status information on the 'Agent variation' is received, the UAID is inquired and updated to the processing information of the user matching the corresponding information. When the status information on 'connection termination' is received, the process of terminating the current connection ID and the connection termination time are updated.

Thereafter, when all the context information is received, a detection request message is generated and transmitted to the abnormal detection unit 230.

Next, the abnormal detection unit 230 classifies the detection request message received from the status information processing unit 220 and compares the user's use behavior pattern at the initial connection with the past usage behavior pattern to determine whether the use behavior is abnormal. As shown in FIG. 3, it includes a detection request classification module 232, an abnormal behavior analysis module 234, and an abnormal behavior detection module 236. FIG. 3 is a block diagram of an abnormal detection unit according to the present invention.

Upon inputting various types of context information, the detection request classification module 232 classifies the detection request message and transmits the classified detection request message to the analysis sections 234a to 234g of the abnormal behavior analysis module 234 to be analyzed.

The abnormal behavior analysis module 234 is a module for analyzing various abnormal behaviors and includes normal profile based behavior analysis units 234a, 234b and 234c, a continuous behavior analysis unit 234d, an abnormal web usage analysis unit 234e, A policy analysis unit 234f, and a user tracking unit 234g. Each of the analysis units 234a to 234g of the abnormal behavior analysis module 234 performs different information analysis according to the type of the input context information.

The normal profile-based behavior analysis units 234a, 234b, and 234c compare the access period full usage behavior, the initial usage behavior, and the abnormal access behavior with the analysis values of the past normal profile information, and analyze the difference from the normal behavior.

The continuous action analyzer 234d analyzes whether the usage information continuously input in the current connection session repeatedly executes the same action.

The abnormal web usage analysis unit 234e compares the URI of the currently input usage information with the user's previous service utilization page, using the structure of the pre-analyzed service web site, to determine abnormal behavior.

The policy analyzing unit 234f determines whether or not the current service connection, the user processing information in use, and the profile are abnormal. The policy analysis unit 234f determines normal and abnormal by using the previously set security policy as a criterion.

The security policy set by the administrator is composed of a series of conditions (criteria) and the control results applied when the conditions are met. The security policy of the target system is set using the types of information used for constructing the user's processing information and profile information.

The user tracking unit 234g tracks the user associated with an abnormal behavior, using DB-query occurrence information created in advance, when an abnormal behavior is detected according to the policy set for the DB use situation information.

When the behavior analysis result is stored by the abnormal behavior analysis module 234, the abnormal behavior detection module 236 determines whether the behavior analysis value is abnormal, generates the detection information, and transmits it to the control system 240. If no abnormal behavior has been detected when the user's connection termination status information is input, a profile creation message is sent to the profile management unit 250, and the profile management unit 250 then creates a profile with the content normal/connection termination.

As shown in FIG. 6B, the profile management unit 250 creates, stores and manages profile information by profiling context information according to the user's various usage activities.

When the situation information receiver 210 receives various status information such as 'network connection', 'service use' and 'connection termination', the information analyzer 260 analyzes the status information, including analysis of DB use information and analysis of the initial use behavior normal range.

Next, the storage unit 270 stores the processed information and profile information into connection, use, and agent status information. The situation information collected by the situation information collection system 100 is processed into connection, use, and agent status information, and status information at the time of connection termination is processed into profile information and then stored in the storage unit 270.

The stored profile information includes a user profile, a terminal device profile, an access behavior profile, and a usage behavior profile. The terminal profile includes at least one of a device ID, type, OS, browser, device name, MAC, user ID, total authentication failure time, whether the agent is installed, whether the screen is locked, installed program information, automatic login setting, and the latest connection date and time. The connection behavior profile includes connection behavior pattern information, and the usage behavior profile includes the user's initial usage behavior pattern information.

The storage unit 270 maintains a significant number (e.g., 100 or more) of initial usage behavior profiles for each user so as to have a meaning as a pattern. The present invention is described on the assumption that the above-mentioned significant number is 100.

The present invention stores (and manages) 100 initial usage behavior profiles (or connection behavior profiles) per user in the storage unit 270; when the 101st new profile is added, the oldest profile (e.g., the first profile) is deleted so that 100 profiles are retained in the storage unit 270.

FIG. 4 is a flowchart illustrating an operation of the status information processing unit according to the present invention.

As shown in FIG. 4, the status information processing unit 220 according to the present invention classifies the status information according to its status information code, processes it, and stores the processed information in the temporary storage. The context information input through the context information receiver 210 is classified by type because each kind of information differs in form, and it is stored keyed on information that can identify the user, such as a connection ID, a user ID or a UAID.

In the case of the 'connection' status information, the status information processing unit 220 generates a new connection if the current connection information does not exist, and updates the existing connection information if there is existing connection information.

In the case of 'service utilization' status information, the service utilization information is updated by searching for the session being accessed based on the connection ID, and the related behavior analysis information is calculated.

In the case of 'DB use' situation information, the status information processing unit 220 keeps the information in the repository until it is used, and deletes entries older than a set time.

Also, in the case of the agent change / end information, the user having the corresponding UAID is searched to update the change information.

In the case of the 'end' status information, the connection of the corresponding connection ID is terminated and the processing information is updated.

FIG. 5 is a block diagram of the initial use behavior analyzing unit according to the present invention.

The normal profile-based behavior analysis units 234a, 234b, and 234c include an overall usage behavior analysis unit 234a, an initial usage behavior analysis unit 234b, and an abnormal connection behavior analysis unit 234c. The patterns of the use behavior, patterns of the initial use behavior, patterns of the abnormal access behavior are compared with the analysis values of the past normal profile information, and the difference from the normal behavior is analyzed.

Among the elements constituting the normal profile-based behavior analysis unit, the initial usage behavior analysis unit 234b performs a pattern analysis of the user's initial use behavior. As shown in FIG. 5, it includes a page usage checking unit 234b-10, a usage order detection unit 234b-20, a utilization rate calculator 234b-30, a connection pattern analyzer 234b-40, and a usage pattern analyzer 234b-50.

When status information on 'Web service use' is input to the abnormal activity detection system 200 and a detection request message is received from the status information processing unit 220, the page usage checking unit 234b-10 checks the service page usage amount (N) of the current connection session. In this process, the page usage checking unit 234b-10 groups the usage activities by service unit, as shown in FIG. 9A, and counts the number of each usage activity. FIG. 9 is a diagram illustrating the analysis and detection of an initial usage behavior pattern according to the present invention.

If the checked service page usage amount N is smaller than the reference value, the page usage checking unit 234b-10 determines that the initial behavior for analyzing the abnormal behavior is insufficient and finishes the analysis.

If the service page usage amount N is greater than the reference value (e.g., 3), the usage order detection unit 234b-20 determines that sufficient initial action has been performed for analyzing the abnormal behavior and obtains the order in which the service pages were used, so that the pattern can be analyzed.

Then, the utilization rate calculator 234b-30 calculates the utilization rate of the current initial service.

The connection pattern analyzing unit 234b-40 then inquires the past initial service page use order having the same connection pattern for analyzing the connection pattern of the initial use behavior, and calculates the past average utilization rate.

As shown in FIG. 6, the usage pattern analyzing unit 234b-50 includes a past average occurrence probability calculating unit 234b-51, a normal range selecting unit 234b-52, a similarity calculating unit 234b-53, a current average occurrence probability calculating unit 234b-54, a normal range determination unit 234b-55, a utilization rate comparison unit 234b-56, and a normal state determination unit 234b-57. It determines whether the usage pattern is within the normal range and, if it is, determines whether the user's usage is abnormal through a comparison of the use behavior speed. FIG. 6 is a block diagram of the initial use behavior analyzing unit according to the present invention.

The similarity calculating unit 234b-53 refers to the inquiry result of the connection pattern analyzing unit 234b-40 to calculate the degree of similarity between the current 'service page use order' and every past 'service page use order'.

The similarity calculating unit 234b-53 first generates a comparison matrix and initializes the values of each of its rows and columns. As shown in FIG. 7C, a similarity calculation is then performed that compares the current 'service page use order' with every past 'service page use order', and the calculated comparison values are stored in the comparison matrix.

The current average occurrence probability calculation unit 234b-54 calculates an average of the calculated similarity result values and obtains an average occurrence probability X related to the current initial page use order according to a predetermined formula.

The past average occurrence probability calculation unit 234b-51 refers to the profile information stored in the storage unit 270 and obtains the average occurrence probability N of the past initial page use orders, as shown in FIG. 10. FIG. 10 is a diagram illustrating an example of a method for obtaining the average occurrence probability N of past initial page use orders according to the present invention.

The past average occurrence probability calculation unit 234b-51 first obtains the occurrence probability of the initial page use order for each profile from the first profile (profile 1) to the 100th profile (profile 100). The occurrence probability of a given profile (profile I) is obtained by the following equation (1).

[Equation 1]

Occurrence probability of profile I = ((similarity of profile 1 + similarity of profile 2 + ... + similarity of profile 100) - similarity of profile I) / 99

(where I is an integer from 1 to 100, and the similarity of profile J denotes the similarity between the page use order of profile I and that of profile J)

That is, the occurrence probability of the first profile (profile 1) is obtained by adding the similarities of profile 1 to each of the second profile (profile 2) through the 100th profile (profile 100) and dividing the sum by the number of other profiles (99).

Likewise, the occurrence probability of the second profile (profile 2) is obtained by adding the similarities of profile 2 to all profiles other than itself (profile 1 and profile 3 to profile 100) and dividing the sum by 99.

The past average occurrence probability calculation unit 234b-51 obtains the occurrence probability of the initial page use order for every profile from the first profile (profile 1) to the 100th profile (profile 100) through equation (1).

Once the occurrence probabilities of the first profile (profile 1) to the 100th profile (profile 100) have been obtained, they are all added together and the sum is divided by the total number of profiles (100) to obtain the average occurrence probability (N) of the past initial page use orders.

The normal range selection unit 234b-52 selects a normal range of the average occurrence probability X by referring to the average occurrence probability N. The normal range selection unit 234b-52 determines a normal range of the average occurrence probability X such that the width of the maximum / minimum value decreases as the average occurrence probability value N becomes larger.

For example, when the average occurrence probability (N) is 90% or more and less than 100%, the normal range of the average occurrence probability (X) is set so that its maximum and minimum are N ± 3%. A user whose average occurrence probability (N) is 90% or more uses the initial service pages in almost the same pattern every time, so the width of the normal range can be set as narrow as about 3%.

Thus, if the average occurrence probability N is 92%, the normal range of the average occurrence probability X is 89% < X < 95%; if N is 96%, the normal range is 93% < X < 99%; and if N is 99%, the normal range is 96% < X < 100%, the upper limit being capped at 100%.

When the average occurrence probability N is 80% or more and less than 90%, the normal range selection unit 234b-52 sets the normal range of the average occurrence probability X such that the maximum and minimum are in the range of N ± 5% .

When the average occurrence probability (N) is 70% or more and less than 80%, the normal range is set to N ± 10%; when N is 60% or more and less than 70%, to N ± 20%; when N is 50% or more and less than 60%, to N ± 30%; when N is 40% or more and less than 50%, to N ± 40%; and when N is 30% or more and less than 40%, to N ± 50%.

Since a user with an average occurrence probability (N) of 30% or more and less than 40% uses the initial service pages in a pattern that is hardly the same from one connection to the next, the width of the normal range is widened to about 50% to accommodate that user's own variation.

By setting the normal range of the average occurrence probability (X) according to the average occurrence probability (N) in this way, the present invention overcomes the limitation of conventional methods (for example, methods that set only a single fixed reference value), which cannot estimate a normal range that reflects an individual's behavioral variation.

As described above, the normal range setting method of the present invention analyzes, for each user, the average similarity among that user's past profiles in order to determine how consistently the user visits the initial service pages in the same order or how randomly the user moves among them, and widens or narrows the normal range accordingly, so that the deviation of each individual user is taken into account.

The normal range determination unit 234b-55 outputs a normal or abnormal result value depending on whether the occurrence probability X falls within the normal range interval. It outputs a normal result value when the occurrence probability X is within the normal range interval defined by the normal range selection unit 234b-52, and an abnormal result value when the occurrence probability X is greater or smaller than the normal range.

When the normal range determination unit 234b-55 outputs a normal result value, that is, when the occurrence probability X is within the normal range, the utilization rate comparison unit 234b-56 compares the current initial utilization rate (use speed) with the past initial utilization rate and outputs the comparison result.

The normal state determination unit 234b-57 determines whether the user's use behavior is normal or abnormal according to the comparison result of the utilization rate comparison unit 234b-56. When the current initial use speed falls within the normal range of the past initial use speed, the normal state determination unit 234b-57 determines that the current user's use behavior is normal.

FIG. 7A is an operation flowchart of the abnormality detecting unit according to the present invention, and particularly relates to analysis of an initial use behavior pattern of a normal profile-based behavior analyzing unit constituting the abnormality detecting unit.

As shown in FIG. 3, the abnormal detection unit 230 includes a detection request classification module 232, an abnormal behavior analysis module 234, and an abnormal behavior detection module 236.

The abnormal behavior analysis module 234 analyzes various patterns of abnormal behavior and includes the normal profile-based behavior analysis units 234a, 234b, and 234c, a continuous behavior analysis unit 234d, an abnormal web use analysis unit 234e, a policy analysis unit 234f, and a user tracking unit 234g.

The normal profile-based behavior analysis units 234a, 234b, and 234c compare the pattern of the total usage behavior over the access period, the pattern of the initial use behavior, and the pattern of the abnormal access behavior with the analysis values of the past normal profile information. FIG. 8A is a diagram of the processing table of current occurrence information used for pattern analysis and detection of the initial use behavior, and FIG. 8B is a diagram of the profile used for pattern analysis and detection of the initial use behavior.

When the abnormal behavior detection system 200 receives situation information related to 'use of the web service' and the initial use behavior analyzing unit 234b receives the detection request message from the situation information processing unit 220, it first checks the service page usage amount (N) of the current connection session. (S10 to S20)

In step S20, if the service page usage amount N is larger than a reference value (e.g., 3), it is determined that sufficient initial action has been performed for the abnormal behavior analysis and the initial usage behavior pattern analysis is started.

The initial usage behavior analyzing unit 234b first calculates the current initial service page usage order and calculates the usage rate for analyzing the initial usage behavior pattern. (S30) Then, the past initial service page usage order having the same connection pattern is inquired (profile management unit 250), and the past average utilization rate is calculated. (S40)

Thereafter, as shown in FIG. 7B, 'comparison of similarity of service page usage order' and 'comparison of utilization rate' are performed through an initial usage behavior pattern analysis procedure to determine whether or not it is an abnormal behavior. (S50) FIG. 7B is a flowchart illustrating an initial usage behavior pattern analysis procedure according to the present invention.

As shown in FIG. 7C, the initial use behavior analyzer 234b generates a comparison matrix between the current 'initial service page use order' data obtained in step S30 and the past 'initial service page use order' data retrieved in step S40, and initializes the value of every row and column of the comparison matrix to '0'. (S52a) FIG. 7C is a flowchart showing the LCS (longest common subsequence) comparison of the present invention.

Thereafter, as shown in FIG. 7C, the similarity between the current and a past 'service page use order' is calculated by LCS comparison and stored in the comparison matrix (S52b, S52c), and this similarity calculation procedure (S52a to S52c) is repeated until the similarity has been calculated against every past action. (S52d)

Then the average of all similarity values thus obtained is calculated as in the following equation (2). (S54) This average is the occurrence probability (X) of the initial page order used at present.

[Equation 2]

Occurrence probability (X) = sum of similarity values / number of inquired past profiles

As shown in FIG. 9B, the initial use behavior analyzing unit 234b then checks whether the occurrence probability X of equation (2) is included in the normal range section defined by the normal range selecting section 234b-52. (S56)

The initial use behavior analyzing unit 234b outputs a normal result value when the occurrence probability X is within the normal range interval, and an abnormal result value when the occurrence probability X is larger or smaller than the normal range.

If the occurrence probability X is included in the normal range interval, the initial use behavior analyzing unit 234b further compares the current initial use speed with the past initial use speed, as shown in the corresponding figure. (S58)

Then, in accordance with the comparison result (S58), it is finally determined whether or not the current user's use behavior is an abnormal behavior. (S59)

If the current initial utilization rate belongs to the normal range of the initial utilization rate of the past (for example, within Z%), the initial usage behavior analysis unit 234b determines that the current user's usage activity is a normal activity.

On the other hand, if the occurrence probability X is not included in the normal range interval, or if the current initial use speed deviates from the normal range (e.g., Z%) of the past initial use speed, the initial usage behavior analysis unit 234b determines that the current user's use behavior is an abnormal behavior.

Once the determination on the current user's use behavior has been made, the abnormal behavior detection module 236 generates normal or abnormal detection result information and transmits it to the control system 240.

If the result of the determination (S60) is normal (normal behavior), the abnormal behavior detection module 236 generates a normal behavior detection result and updates the processing information (e.g., the initial use service). (S70 to S80)

If the result of the determination (S60) is abnormal (abnormal behavior), the abnormal behavior detection module 236 generates an abnormal behavior detection result and transmits the generated detection result to the control system 240. (S90, S95)
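The procedure of steps S10 to S59 above, together with equations (1) and (2) and the normal-range bands of the usage pattern analyzing unit 234b-50 described earlier, as one runnable Python example. This is an added illustration written for this page, not code from the patent or from the applicant. The patent fixes only the structure, so the following are assumptions made here: LCS similarity is normalised by the longer of the two page orders and expressed in percent; the normal range is treated as inclusive and clamped to [0, 100]; the speed tolerance Z% is set to 30; the profile window, the page-count reference value and all sample sessions are constructed; the equations are written for any window size rather than only for 100 profiles (the text's divisors 99 and 100 are the window-of-100 case); and a user whose N falls below 30%, for which the text defines no band, receives no page-order verdict.

```python
"""Initial-use-behaviour check modelled on KR20170082934A (added example, not the patent's code)."""
from collections import deque
from statistics import mean

PROFILE_WINDOW = 100        # profiles kept per user; the text uses 100 (parameter here)
MIN_PAGES = 3               # reference value: fewer pages => "insufficient" initial behaviour
SPEED_TOLERANCE_PCT = 30.0  # the text's unspecified "Z%" (assumed value)

# Half-width of the normal range per band of N (lower bound inclusive, upper bound exclusive),
# taken from the description and claims.  The text defines no band below 30 %.
RANGE_BANDS = ((90, 100, 3), (80, 90, 5), (70, 80, 10), (60, 70, 20),
               (50, 60, 30), (40, 50, 40), (30, 40, 50))


def lcs_length(a, b):
    """Longest common subsequence length: the FIG. 7C comparison matrix, every cell starting at 0."""
    m = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i, x in enumerate(a, 1):
        for j, y in enumerate(b, 1):
            m[i][j] = m[i - 1][j - 1] + 1 if x == y else max(m[i - 1][j], m[i][j - 1])
    return m[-1][-1]


def similarity(a, b):
    """Similarity of two page-use orders in percent; normalising by the longer order is assumed."""
    longest = max(len(a), len(b))
    return 100.0 * lcs_length(a, b) / longest if longest else 0.0


def current_occurrence_probability(current, past):
    """Equation (2): X = sum of similarities / number of past profiles inquired."""
    return mean(similarity(current, p) for p in past)


def past_occurrence_probability(past):
    """Equation (1) for every profile I (mean similarity to the other profiles), then averaged to N.
    Written for any window size; the text's constants 99 and 100 are the window-of-100 case."""
    per_profile = [mean(similarity(p, q) for j, q in enumerate(past) if j != i)
                   for i, p in enumerate(past)]
    return mean(per_profile)


def normal_range(n):
    """Band lookup for N: the width shrinks as N grows.  Bounds are clamped to [0, 100]."""
    for lo, hi, half in RANGE_BANDS:
        if lo <= n < hi:
            return max(0.0, n - half), min(100.0, n + half)
    return None


def analyse_initial_use(current_pages, current_speed, past_profiles, past_speeds):
    """Steps S10-S59: page count check, X against the normal range, then the speed comparison."""
    if len(current_pages) < MIN_PAGES or len(past_profiles) < 2:
        return {"verdict": "insufficient"}
    x = current_occurrence_probability(current_pages, past_profiles)
    n = past_occurrence_probability(past_profiles)
    rng = normal_range(n)
    result = {"X": x, "N": n, "range": rng}
    if rng is None:
        result["verdict"] = "no_pattern"        # N below 30 %: the text defines no band
    elif not (rng[0] <= x <= rng[1]):
        result["verdict"] = "abnormal_order"    # X larger *or* smaller than the range
    else:
        past_speed = mean(past_speeds)
        deviation_pct = abs(current_speed - past_speed) / past_speed * 100.0
        result["verdict"] = "normal" if deviation_pct <= SPEED_TOLERANCE_PCT else "abnormal_speed"
    return result


class ProfileStore:
    """Per-user ring buffer (storage unit 270): storing profile 101 evicts the oldest one."""

    def __init__(self, window=PROFILE_WINDOW):
        self.orders = deque(maxlen=window)
        self.speeds = deque(maxlen=window)

    def record(self, pages, speed):
        self.orders.append(list(pages))
        self.speeds.append(speed)


# Constructed sample data: six stored initial page orders for one user, with speed in pages/minute.
L, D, I, C, R = "login", "dashboard", "inbox", "calendar", "reports"
STORE = ProfileStore()
for order, speed in (([L, D, I, C, R], 4.5), ([L, D, I, C, R], 5.0), ([L, D, I, C, R], 5.5),
                     ([L, D, C, I, R], 4.0), ([L, D, I, R], 6.0), ([L, I, D, C, R], 5.0)):
    STORE.record(order, speed)


def demo():
    """A usual order at the usual pace, the same order at bot-like pace, and an unfamiliar path."""
    return (
        analyse_initial_use([L, D, I, R], 5.0, STORE.orders, STORE.speeds),
        analyse_initial_use([L, D, I, R], 40.0, STORE.orders, STORE.speeds),
        analyse_initial_use(["admin", "export_users", "delete_logs"], 5.0, STORE.orders, STORE.speeds),
    )


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running the module prints the three verdicts from demo(): normal, abnormal_speed and abnormal_order. Note that, exactly as the text specifies, X above the upper bound is also reported abnormal: with the six stored profiles above, N is about 82.7 and the band is N ± 5, so a session that repeats the most frequent order exactly scores X = 90 and is flagged as abnormal_order, while the slightly shorter login, dashboard, inbox, reports order at the user's usual pace is normal. A deployment would decide whether that upper-bound behaviour (useful against scripted replays, harsh on consistent users) is wanted.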

The abnormal behavior detection system 200 according to the present invention can be implemented in a computer-readable recording medium using software, hardware, or a combination thereof.

According to a hardware implementation, the abnormal behavior detection system 200 described herein may be implemented using at least one of Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), processors, controllers, micro-controllers, microprocessors, and electrical units for performing functions. In some cases, the embodiments described herein may be implemented by the abnormal behavior detection system 200 itself.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood by those skilled in the art that various changes and modifications may be made therein without departing from the spirit and scope of the invention as defined by the appended claims, and that the embodiments may be combined selectively or in whole. Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims.

As described above, according to the present invention, unlike existing network-based security equipment that relies on network traffic analysis, user actions are patterned based on various behavior factors such as time, location, and access network, and abnormal behavior is detected from deviations in those patterns.

The abnormal behavior detection system according to the present invention improves system security in BYOD and smart work environments. After processing the status information into connection, use, and agent situation information and profile information, it detects abnormal behavior by comparing the occurrence probability of the current initial use behavior with the past occurrence probability for the same user and terminal.

The present invention detects unusual access/use behavior by using as the user behavior pattern atypical data that can occur in a business scenario, that is, the type of equipment used, the connection time (e.g., within or outside working hours), and the usage time, thereby improving system security in BYOD and smart work environments.

100: situation information collection system 200: abnormal behavior detection system
210: situation information receiving unit 220: situation information processing unit
230: abnormal detection unit 232: detection request classification module
234: abnormal behavior analysis module 234a: total usage behavior analysis unit
234b: initial use behavior analysis unit 234c: abnormal connection behavior analysis unit
234d: continuous action analysis unit 234e: abnormal web use analysis unit
234f: policy analysis unit 234g: user tracking unit
234b-10: page usage checking unit 234b-20: usage order detection unit
234b-30: utilization rate calculation unit 234b-40: connection pattern analysis unit
234b-50: usage pattern analyzing unit 234b-51: past average occurrence probability calculating unit
234b-52: normal range selection unit 234b-53: similarity calculating unit
234b-54: current average occurrence probability calculation unit 234b-55: normal range determination unit
234b-56: usage speed comparison unit 234b-57: normal state determining unit
236: abnormal behavior detection module 250: profile management unit
260: information analysis unit 270: storage unit
300: control system 400: personal use device
500: security system

Claims (12)

1. An abnormal detection unit (230) of an abnormal behavior detection system which, in a BYOD (Bring Your Own Device) and smart work environment, compares the usage behavior pattern of a user at the beginning of a connection with the user's past usage behavior pattern to detect abnormal usage behavior when predetermined situation information is received from a situation information collection system, the abnormal detection unit comprising:
a detection request classification module (232) for classifying a detection request message and delivering the classified information to each analysis section of an abnormal behavior analysis module (234);
an abnormal behavior analysis module (234) for analyzing whether the user's use behavior is abnormal by performing 'comparison of similarity of service page use order' and 'use speed comparison' through an initial use behavior pattern analysis procedure; and
an abnormal behavior detection module (236) for generating a normal or abnormal result value when the analysis result of the abnormal behavior analysis module (234) is stored, and transmitting the result to a control system (240),
wherein the abnormal behavior analysis module (234) comprises an initial usage behavior analyzer (234b) that obtains the occurrence probability X of the currently used initial page order, sets a normal range interval for each average occurrence probability N, and determines whether the current user's usage is abnormal by checking whether the occurrence probability X is within the normal range.
2. The abnormal detection unit according to claim 1, wherein the initial use behavior analysis unit (234b) comprises:
a page usage checking unit (234b-10) for checking the service page usage amount N of the current connection session and, if the checked usage amount N is smaller than a reference value, determining that the initial action for analyzing the abnormal behavior is not sufficient and terminating the analysis;
a usage order detecting unit (234b-20) for obtaining the current initial service page usage order when the service page usage amount N is larger than the reference value;
a utilization rate calculator (234b-30) for calculating the utilization rate of the current initial service;
a connection pattern analyzing unit (234b-40) for inquiring the past initial service page use order having the same connection pattern and calculating the past average utilization speed; and
a usage pattern analyzer (234b-50) for determining whether the user's initial use behavior pattern is within the normal range and, in the case of a normal range, determining whether the user's use behavior is abnormal through comparison of the use behavior speed.
3. The abnormal detection unit according to claim 2, wherein the usage pattern analyzing unit (234b-50) comprises:
a past average occurrence probability calculation unit (234b-51) that obtains the average occurrence probability N of the past initial page use orders by referring to the profile information of the storage unit (270);
a normal range selection unit (234b-52) for determining the normal range of the average occurrence probability X such that the width between its maximum and minimum becomes smaller as the average occurrence probability N becomes larger;
a similarity calculating unit (234b-53) for calculating the similarity between the current 'service page use order' and every past 'service page use order';
a current average occurrence probability calculation unit (234b-54) for calculating the average occurrence probability X of the current initial page use order as the average of the calculated similarity values;
a normal range determination unit (234b-55) that outputs a normal result value when the occurrence probability X is within the normal range set by the normal range selection unit (234b-52), and an abnormal result value when the occurrence probability X is larger or smaller than the normal range;
a utilization rate comparing unit (234b-56) for comparing the current initial utilization rate with the past initial utilization rate when the occurrence probability X is within the normal range; and
a normal state determining unit (234b-57) for determining that the current user's use behavior is a normal behavior when the current initial use speed belongs to the normal range of the past initial use speed.
4. The abnormal detection unit according to claim 3, wherein the past average occurrence probability calculation unit (234b-51) obtains the occurrence probability of the initial page use order for each of the first profile (profile 1) to the 100th profile (profile 100), and obtains the average occurrence probability (N) of the past initial page use orders by adding all of the obtained profile occurrence probabilities and dividing the sum by the total number of profiles (100).
5. The abnormal detection unit according to claim 4, wherein the past average occurrence probability calculation unit (234b-51) obtains the occurrence probability of the initial page use order for each of the first profile (profile 1) to the 100th profile (profile 100) according to the following equation:
Occurrence probability of profile I = ((similarity of profile 1 + similarity of profile 2 + ... + similarity of profile 100) - similarity of profile I) / 99
(where I is an integer from 1 to 100).
6. The abnormal detection unit according to claim 3, wherein the normal range selection unit (234b-52):
sets the normal range so that the maximum and minimum are N ± 3 when the average occurrence probability (N) is 90 or more and less than 100;
sets the normal range to N ± 5 when N is 80 or more and less than 90;
sets the normal range to N ± 10 when N is 70 or more and less than 80;
sets the normal range to N ± 20 when N is 60 or more and less than 70;
sets the normal range to N ± 30 when N is 50 or more and less than 60;
sets the normal range to N ± 40 when N is 40 or more and less than 50; and
sets the normal range to N ± 50 when N is 30 or more and less than 40.
7. A method for detecting abnormal behavior in an abnormal detection unit (230) of an abnormal behavior detection system which, in a BYOD (Bring Your Own Device) and smart work environment, compares the usage behavior pattern of a user at the beginning of a connection with the user's past usage behavior pattern when predetermined situation information is received from a situation information collection system, the method comprising:
classifying, by a detection request classification module (232), a detection request message and delivering the classified information to the analysis sections of an abnormal behavior analysis module (234);
analyzing, by the abnormal behavior analysis module (234), whether the user's use behavior is abnormal by performing 'comparison of similarity of service page use order' and 'use speed comparison' through an initial use behavior pattern analysis procedure; and
generating, by an abnormal behavior detection module (236), a normal or abnormal result value when the analysis result of the abnormal behavior analysis module is stored, and transmitting it to a control system (240),
wherein the abnormal behavior analysis module (234) drives an initial use behavior analysis unit (234b) to obtain the occurrence probability X of the current initial page order, sets a normal range interval for each average occurrence probability N, and performs the initial usage behavior pattern analysis procedure to determine whether the use behavior of the current user is abnormal by checking whether the occurrence probability X is within the normal range.
8. The method according to claim 7, wherein the initial usage behavior pattern analysis procedure comprises:
checking, by a page usage checking unit (234b-10), the service page usage amount N of the current connection session and, if the checked usage amount N is smaller than a reference value, determining that the initial action for analyzing the abnormal behavior is not sufficient and terminating the analysis;
obtaining, by a usage order detection unit (234b-20), the current initial service page use order when the service page usage amount N is larger than the reference value;
calculating, by a utilization rate calculation unit (234b-30), the utilization rate of the current initial service;
retrieving, by a connection pattern analyzing unit (234b-40), the past initial service page use order having the same connection pattern and calculating the past average use speed; and
determining, by a usage pattern analyzing unit (234b-50), whether the user's initial use behavior pattern is within the normal range and, in the case of a normal range, determining whether the user's use behavior is abnormal through comparison of the use behavior speed.
9. The method according to claim 8, wherein the step of determining whether the user's use behavior is abnormal comprises:
calculating, by a past average occurrence probability calculation unit (234b-51), the average occurrence probability N of the past initial page use orders by referring to the profile information of the storage unit (270);
determining, by a normal range selection unit (234b-52), the normal range of the average occurrence probability X such that the width between its maximum and minimum becomes smaller as the average occurrence probability N increases;
calculating, by a similarity calculating unit (234b-53), the similarity between the current 'service page use order' and every past 'service page use order';
calculating, by a current average occurrence probability calculation unit (234b-54), the average occurrence probability X of the current initial page use order as the average of the calculated similarity values;
outputting, by a normal range determination unit (234b-55), a normal result value when the occurrence probability X is within the normal range defined by the normal range selection unit (234b-52), and an abnormal result value when the occurrence probability X is larger or smaller than the normal range;
comparing the current initial use speed with the past initial use speed when the occurrence probability X is within the normal range; and
determining that the current user's use behavior is a normal behavior when the current initial use speed belongs to the normal range of the past initial use speed.
The method of claim 9, wherein the step of obtaining the average occurrence probability (N)
Obtaining probabilities of occurrence of the initial page use order from the first profile (profile 1) to the 100th profile (profile 100)
Calculating an average occurrence probability (N) related to a past initial page use order by adding all of the obtained profile occurrence probabilities and dividing the sum by the total number of profiles (100). Behavior detection method.
In the tenth, the probability of occurrence from the profile 1 to the profile 100 is
Wherein the abnormal behavior detecting unit detects the abnormal behavior of the abnormal detecting unit.
Profile I = ((similarity of profile 1 + similarity of profile 2 +
+ Similarity of profile 100) - similarity of profile I) / 99
(Where I is an integer from 1 to 100)
The method according to claim 9, wherein the step of determining the normal range for the occurrence probability (X) comprises:
Determining the normal range so that its maximum and minimum lie within N ± 3 when the average occurrence probability (N) is 90 or more and less than 100;
Determining the normal range so as to have a range of N ± 5;
Determining the normal range so as to have a range of N ± 10 when N is 70 or more and less than 80;
Determining the normal range so as to have a range of N ± 20 when N is 60 or more and less than 70;
Determining the normal range so as to have a range of N ± 30 when N is 50 or more and less than 60;
Determining the normal range so as to have a range of N ± 40 when N is 40 or more and less than 50; and
Determining the normal range so as to have a range of N ± 50 when N is 30 or more and less than 40.
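The per-profile occurrence probability formula and the tiered normal-range rule from the claims above, worked through as an added Python example. This is not code from the patent or from its assignee 한국인터넷진흥원. It assumes that profile similarities and occurrence probabilities are percentages on a 0 to 100 scale (which the N tiers from 30 to 100 imply), generalizes the 100-profile formula to any number of profiles n by dividing by n - 1, and fills the one tier whose condition is garbled in the extracted claim text (N ± 5) with the interval 80 ≤ N < 90 as an assumption inferred from the adjacent 10-point tiers. For an N outside every tier the claims define (below 30, or 100 and above) the check reports "undetermined" instead of silently passing the behaviour.

```python
"""Tiered normal-range check for an occurrence probability.

Added example; not code from the patent or its assignee. Assumes that profile
similarities and occurrence probabilities are percentages on a 0..100 scale,
which is what the N tiers (30 .. 100) in the claims imply.
"""
from typing import List, Optional, Tuple

# Tiers from the claims: (lower bound inclusive, upper bound exclusive, half-width w)
# giving a normal range of N - w .. N + w for an average occurrence probability N.
TIERS: List[Tuple[float, float, float]] = [
    (90, 100, 3),
    (80, 90, 5),   # ASSUMPTION: the condition for the N +/- 5 tier is garbled in the
                   # extracted claim text; 80 <= N < 90 is inferred from the adjacent tiers
    (70, 80, 10),
    (60, 70, 20),
    (50, 60, 30),
    (40, 50, 40),
    (30, 40, 50),
]


def occurrence_probability(similarities: List[float], i: int) -> float:
    """Occurrence probability of profile i (0-based), as in the claims:
    the sum of all profile similarities minus profile i's own similarity,
    divided by the number of *other* profiles (99 for 100 profiles)."""
    n = len(similarities)
    if n < 2:
        raise ValueError("at least two profiles are needed")
    return (sum(similarities) - similarities[i]) / (n - 1)


def average_occurrence_probability(similarities: List[float]) -> float:
    """N: the mean of the per-profile occurrence probabilities."""
    probs = [occurrence_probability(similarities, i) for i in range(len(similarities))]
    return sum(probs) / len(probs)


def normal_range(n_avg: float) -> Optional[Tuple[float, float]]:
    """Return (minimum, maximum) of the normal range for N, or None when N lies
    outside every tier the claims define (below 30, or 100 and above)."""
    for lower, upper, width in TIERS:
        if lower <= n_avg < upper:
            return (n_avg - width, n_avg + width)
    return None


def classify(x: float, n_avg: float) -> str:
    """First-stage decision: 'normal' if the current occurrence probability X is
    inside the normal range around N, 'abnormal' if it is above or below it,
    and 'undetermined' when no tier applies (so nothing is silently passed)."""
    rng = normal_range(n_avg)
    if rng is None:
        return "undetermined"
    low, high = rng
    return "normal" if low <= x <= high else "abnormal"


if __name__ == "__main__":
    # Constructed sample: similarity value of each of five past profiles, in percent
    # (what the similarity is measured against is not specified in the claims).
    past = [92, 88, 95, 90, 85]
    n_avg = average_occurrence_probability(past)
    print("N =", n_avg, "normal range =", normal_range(n_avg))
    for x in (91, 95, 80):
        print("X =", x, "->", classify(x, n_avg))
```

Averaging (S - s_I) / (n - 1) over all I gives S / n, so N is algebraically just the mean similarity across the profiles; it is the per-profile values that vary. The second-stage comparison of the present initial usage rate against the past one is not modelled here, because the claims do not state how that range is derived.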
KR1020160002286A 2016-01-07 2016-01-07 System for detecting abnomal behaviors allowing for personalized early use behavior occurrence probability deviation KR20170082934A (en)

Publications (1)

Publication Number Publication Date
KR20170082934A true KR20170082934A (en) 2017-07-17

Family

ID=59442930

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E601 Decision to refuse application