KR20190010956A - intelligence type security log analysis method - Google Patents

Info

Publication number
KR20190010956A
Authority
KR
South Korea
Prior art keywords
history
log
data
information
security
Prior art date
Application number
KR1020170093249A
Other languages
Korean (ko)
Other versions
KR102033169B1 (en)
Inventor
함병철
Original Assignee
주식회사 시큐리티인사이드
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 주식회사 시큐리티인사이드 filed Critical 주식회사 시큐리티인사이드
Priority to KR1020170093249A priority Critical patent/KR102033169B1/en
Publication of KR20190010956A publication Critical patent/KR20190010956A/en
Application granted granted Critical
Publication of KR102033169B1 publication Critical patent/KR102033169B1/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 20/00 Machine learning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/02 Standardisation; Integration
    • H04L 41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/16 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence

Abstract

The present invention relates to an intelligent security log analysis method that analyzes user behavior with machine learning techniques in order to analyze security logs with artificial intelligence, detects anomalous signs in advance on the basis of the analyzed data, and allows an effective response within a short time. The analysis target is divided into a system log, a network log, a content log, an application log, and other items. The system log comprises the system logs of Unix, Linux and Windows, the system and application logs of Web/WAS servers, and, for the DBMS, the system log, system access history, command usage history, DB connection history, query and result history, and query execution and blocking history. The network log comprises the allow history, detection history and blocking history of firewalls, IPS, IDS, web firewalls and WIPS, the traffic status per attacking/target IP, attack events, the harmful-site blocking history for URL filtering, the traffic and detection history of anti-DDoS equipment, the traffic of routers and switches, the sensor and node information, blocking policy and target information, and authentication and patch management for network access control, and the system log, user authentication history and traffic of the VPN.
The content log comprises the user authentication history, document usage history and document encryption/decryption history for DRM/DLP, the media access history including USB, the media read/write history and the media allow/block history for media security, the output and fax transmission history for output and fax security, the presence of personal information for personal-information detection, and business data held on mobile devices for mobile security. The application log comprises the web access history, the error and debug logs and the container log of web applications, the malicious-code blocking and detection history and the real-time monitoring execution and scan history for virus/APT/web-shell blocking, the user authentication history for OTP, biometric authentication, PKI and SSO, the vulnerability check history for web and network vulnerability checking, and the PC login, authentication history, software status and WSUS status for Active Directory. The other items are personnel information, organization information, groupware, business systems such as ERP, the gateway for physical security, visitor registration, information on retirees and prospective retirees for personnel management, information on partner personnel, integrated account and authority information, and KISA, CERT, money security and security services for external threat information. Defining these as the analysis target is step A1. A data collection device for collecting data from the analysis target defined in step A1 is then installed, network communication (TCP/UDP) and a database (DB) connection are established to the data collection device, and the data collection device collects the data by applying syslog and the Simple Network Management Protocol (SNMP) and a protocol such as the Lightweight Directory Access Protocol (LDAP); this is step B1.

Description

Intelligence type security log analysis method

The present invention relates to an intelligent security log analysis method, and more particularly to an intelligent security log analysis method that analyzes user behavior with a machine learning technique in order to analyze security logs with artificial intelligence, detects anomalous signs in advance on the basis of the analyzed data, and responds effectively within a short time.

According to publication No. KR20100003099A (2010-01-07), "the present invention relates to an enterprise network analysis system and method thereof, and more particularly to an enterprise network analysis system and method that provide a multidimensional comprehensive analysis report, based on multidimensional analyses such as multi-homing and ISP stability analysis, customer value analysis and security threat analysis, according to the various customers (enterprises, network service providers). The present invention provides an enterprise network analysis system comprising a traffic/security data collection device that collects the security log from each intrusion prevention system installed on the enterprise's dedicated Internet line side and collects traffic from the device; a BGP DB that stores information obtained by analyzing BGP (Border Gateway Protocol) data on the Internet leased line; a network analyzer that analyzes the enterprise's Internet leased line on the basis of the information collected by the traffic/security data collection device, the information stored in the BGP DB and the segmentation information about the customer (network service provider, enterprise); and an enterprise network DB that stores the information analyzed by the enterprise network analysis device."

Publication No. KR20100003099A (2010-01-07)

However, the conventional security log analysis has the following problems.

First, because the analysis work is performed manually, it is difficult to respond immediately.

Second, in the past the data flowing into and out of the network amounted to only a few megabytes to several hundred megabytes, so it could be handled relatively easily with the conventional technology. Recently, however, the data flowing into and out of the network has reached several terabytes, and manual analysis work has reached its limit.

Third, conventionally the log analysis object is defined so that only cases matching a pattern analyzed in the past are handled; when a case does not match an analyzed pattern, there is no practical countermeasure until a new response method is derived.

Disclosure of Invention, Technical Problem: Accordingly, the present invention has been made to solve the above problems, and it is an object of the present invention to provide an intelligent security log analysis method that analyzes user behavior using a machine learning technique for analyzing security logs with artificial intelligence and detects abnormal symptoms on the basis of the analyzed data.

The present invention for achieving the above object has the following features.

The analysis target is divided into a system log, a network log, a content log, an application log, and other items. The system log defines as analysis targets the system logs of Unix, Linux and Windows, the system and application logs of Web/WAS servers, and, for the DBMS, the system log, system access history, command usage history, DB connection history, query and result history, and query execution and blocking history. The network log defines as analysis targets the allow history, detection history and blocking history of firewalls, IPS, IDS, web firewalls and WIPS, the traffic status per attacking/target IP, attack events, the harmful-site blocking history for URL filtering, the sensor and node information, blocking policy and target information, and authentication and patch management for network access control, the traffic status and detection/blocking history of anti-DDoS equipment, the traffic and system log of routers and switches, and the user authentication history, traffic and system log of the VPN. The content log defines as analysis targets the user authentication history, document usage history and document encryption/decryption history for DRM/DLP, the media access history including USB, the media read/write history and the media allow/block history for media security, the output and fax transmission history for output and fax security, the presence of personal information for personal-information detection, and the prevention of storing business data on mobile devices for mobile security. The application log defines as analysis targets the web access history, the error and debug logs and the container log of web applications, the malicious-code blocking and detection history and the real-time monitoring execution and scan history for virus/APT/web-shell blocking, the user authentication history for OTP, biometric authentication, PKI and SSO, the vulnerability check history for web and network vulnerability checking, and the PC login, authentication history, software status and WSUS status for Active Directory.
The other items define as analysis targets business information such as personnel information, organization information, groupware and ERP, the gateway for physical security, visitor registration, information on retirees and prospective retirees, information on partner personnel, integrated account and authority information, and KISA, CERT, money security and security services for external threat information. Together these definitions form step A1. In step B1, a data collection device for collecting data from the analysis target defined in step A1 is installed, network communication (TCP/UDP) and a database (DB) connection are established to the data collection device, and the data collection device collects the data by applying syslog and the Simple Network Management Protocol (SNMP) and a protocol such as the Lightweight Directory Access Protocol (LDAP).

In an embodiment, after step B1, an internal server for preprocessing is provided for the data collected by the data collection device, and a step C1 is performed in which the internal server carries out a filtering process that filters out in advance the data not used in the analysis so as to prevent unnecessary use of resources, a parsing process that analyzes the grammatical composition or syntax of each sentence, a normalization process that transforms the data according to fixed rules so that it is easy to use, an encryption and compression process that applies the encryption method recommended by government agencies (KIMO and KISA) and encrypts the data for security, and a storage and transmission process that transmits the compressed data to an external cluster in order to reduce bandwidth.

In the embodiment, after step C1, an external cluster is provided that connects a plurality of computers over a network so that the user can use them as a single high-performance large computer system. A step D1 is performed in which the external cluster analyzes the preprocessed data by a storage/decompression process that expands capacity for parallel distributed processing, an indexing process that builds indexes to enable high-speed memory-based retrieval, a machine learning process that performs deep learning based on open source, a data visualization process that visualizes multidimensional data based on open source, a user behavior analysis process that analyzes the execution behavior of each user, and an abnormal symptom detection process for responding to security incidents such as leakage of internal information.

In the embodiment, after step D1, a step E1 of managing the analyzed data is performed. For policy/scenario, correlated analysis scenarios between the collected data are provided, analysis of the cause and effect of an occurrence is supported through the collected data, and proactive response is supported by reflecting external security information. For the dashboard, the real-time status of important indicators is grasped, and the administrator's perception of multidimensional data is improved through data visualization. For event/query analysis, high-speed retrieval of large-volume data is supported, per-user behavior is searched, internal threats are responded to, and employees and partner employees are continuously monitored through the HR/organization information history. For call processing, when abnormal behavior is detected, a call procedure for the user is supported in order to prevent insider threats and to handle them afterwards. For reporting, a tool for creating reports in the format desired by the administrator is supported.

The advantageous effects of the present invention are as follows. Conventional analysis work was performed manually and therefore could not respond immediately; by drastically improving that work, the efficiency of the analysis is maximized. By automating the analysis work and applying artificial intelligence to it at terabyte scale, faster and more effective analysis than in the past becomes possible.

FIG. 1 is a flowchart illustrating an intelligent security log analysis method according to the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.

FIG. 1 is a flowchart illustrating an intelligent security log analysis method according to the present invention. The intelligent security log analysis method according to the present invention includes a step A1 of defining the objects of the data to be collected, a step B1 of collecting the defined data, a step C1 of preprocessing the collected data, a step D1 of analyzing the preprocessed data, and a step E1 of subsequently managing the analyzed data.

Each of these steps is described in detail below.

The analysis target is divided into the system log A2, the network log A3, the content log A4, the application log A5, and the other matters A6.

The system log A2 defines as analysis targets the system logs of Unix, Linux and Windows, the system and application logs of Web/WAS servers, and, for the DBMS, the system log, system access history, command usage history, DB connection history, query and result history, and query execution and blocking history.

The network log A3 defines as analysis targets the allow history/detection history/blocking history of firewalls, IPS, IDS, web firewalls and WIPS, the traffic status per attacking/target IP, attack events, the harmful-site blocking history for URL filtering, the traffic and detection history of anti-DDoS equipment, the traffic of routers and switches, the sensor and node information, blocking policy and target information, and authentication and patch management for network access control, and the user authentication history, traffic and system log of the VPN.

The content log A4 defines as analysis targets the user authentication history, document usage history and document encryption/decryption history for DRM/DLP, the media access history including USB, the media read/write history and the media allow/block history for media security, the output and fax transmission history for output and fax security, the presence of personal information for personal-information detection, and whether business data is stored on mobile devices for mobile security.

The application log A5 defines as analysis targets the web access history, the error and debug logs and the container log of web applications, the malicious-code blocking and detection history and the real-time monitoring execution and scan history for virus/APT/web-shell blocking, the user authentication history for OTP, biometric authentication, PKI and SSO, the history of vulnerability check results for web and network vulnerability checking, and the PC login, authentication history, software status and WSUS status for Active Directory.

The other items A6 define as analysis targets personnel information, organization information, groupware, business systems such as ERP, the gateway for physical security, visitor registration, information on retirees and prospective retirees for personnel management, information on partner personnel, integrated account and authority information, and KISA, CERT, security sources and security vendor services for external threat information. Defining these targets constitutes step A1.

In step B1, a data collection device (agent) for collecting data from the analysis target defined in step A1 is installed (B2), network communication (TCP/UDP) is connected to the data collection device (B3), a database (DB) connection is established (B4), and the data collection device collects the data by applying syslog and SNMP (B5) and a protocol such as the Lightweight Directory Access Protocol (LDAP) (B6) to the system management server.

After step B1, a step C1 is performed in which an internal server for preprocessing is provided for the data collected by the data collection device, and the internal server carries out:

a filtering process (C2) that filters out in advance the data not used for analysis, to prevent unnecessary use of resources; a parsing process (C3) that analyzes the grammatical composition or syntax of each sentence; a normalization process (C4) that modifies the data according to fixed rules to make it easy to use; an encryption and compression process (C5) that applies the encryption recommended by government agencies (Kwanbo and KISA) and encrypts the data for security; and a storage and transmission process (C6) that transmits the compressed data to an external cluster in order to reduce bandwidth.

After step C1,

an external cluster that provides the function of connecting a plurality of computers over a network so that the user can use them as a single high-performance large computer system

performs a step D1 of analyzing the preprocessed data by a storage/decompression process that expands capacity when required for parallel distributed processing, an indexing process (D2) that builds indexes to enable high-speed memory-based retrieval, a machine learning process (D3) that performs deep learning based on open source, a data visualization process (D6) that visualizes multidimensional data based on open source, a user behavior analysis process (D4) that analyzes per-user actions, and an abnormal symptom detection process (D5).

After step D1, a step E1 of managing the analyzed data is performed as follows.

For policy/scenario, correlated analysis scenarios between the collected data are provided, analysis of the cause and effect of an occurrence is supported through the collected data, and proactive response is supported by reflecting external security information (E2).

For the dashboard, the real-time status of important indicators is grasped, and the administrator's perception of multidimensional data is enhanced through data visualization (E3).

For event/query analysis, high-speed retrieval of large data is supported through indexing, per-user behavior is searched, internal threats are responded to proactively, and personnel are continuously monitored through the personnel/organization information history (E4).

For call processing, when abnormal behavior is detected, a call procedure for the user is supported in order to prevent insider threats and to handle them afterwards (E5).

For reporting, a tool for creating reports in the format desired by the administrator is supported (E6).
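The preprocessing of step C1 (filtering, parsing, normalization) and the per-user behavior analysis and abnormal symptom detection of step D1 described above, as an added illustrative example in Python. This is not code from the patent or its applicant: the log lines, hosts, user names, the cron noise-filter rule, the learning/analysis window split and the "new action or unusual hour" rule are all constructed assumptions chosen to show the idea.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed syslog-style lines: SSH logins and shell command history (A2 system access /
# command usage history) plus DB query history from a hypothetical "dbaudit" daemon.
BASELINE_LOGS = [  # learning window used to build each user's profile
    "Jul 17 09:01:10 srv01 sshd[1001]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "Jul 17 09:02:00 srv01 bash[1002]: user=alice cmd=ls -la /srv/reports",
    "Jul 17 09:03:00 srv01 bash[1003]: user=alice cmd=cat report.txt",
    "Jul 17 10:10:00 db01 dbaudit[2001]: user=alice query=SELECT name FROM customers LIMIT 10",
    "Jul 18 14:00:00 srv01 sshd[1005]: Accepted publickey for bob from 10.0.0.7 port 40210 ssh2",
    "Jul 18 14:01:00 srv01 bash[1006]: user=bob cmd=ls /srv/reports",
]
OBSERVED_LOGS = [  # window under analysis
    "Jul 24 09:15:00 srv01 sshd[1101]: Accepted password for alice from 10.0.0.5 port 51300 ssh2",
    "Jul 24 09:16:00 srv01 bash[1102]: user=alice cmd=cat report.txt",
    "Jul 24 23:40:00 srv01 sshd[1103]: Accepted publickey for bob from 10.0.0.7 port 40300 ssh2",
    "Jul 24 23:41:00 db01 dbaudit[2102]: user=bob query=SELECT * FROM customers",
    "Jul 24 23:42:00 srv01 bash[1104]: user=bob cmd=scp customers.csv ext.example:/tmp",
    "Jul 24 09:20:00 srv01 bash[1105]: user=carol cmd=id",
    "Jul 24 09:05:00 srv01 cron[1106]: (root) CMD (run-parts /etc/cron.hourly)",
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[\w\-]+)\[\d+\]: (?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
NOISE_PREFIXES = ("(root) CMD",)  # C2 filter rule (assumed): routine cron noise is dropped
LOG_YEAR = 2017                    # classic syslog lines carry no year

@dataclass
class Event:  # the common schema every source is normalized onto (C4)
    ts: datetime
    host: str
    source: str
    user: str
    action: str  # "login" | "cmd" | "query"
    detail: str  # source IP, command line or query text

def parse_kv(msg):
    """'k=v k2=v with spaces' -> dict; values must not themselves contain '='."""
    fields, key = {}, None
    for tok in msg.split(" "):
        if "=" in tok and tok.split("=", 1)[0].isidentifier():
            key, val = tok.split("=", 1)
            fields[key] = val
        elif key is not None:
            fields[key] += " " + tok
    return fields

def normalize(line):
    """C2-C4: drop noise, parse the syslog envelope, map onto Event; None if dropped."""
    m = SYSLOG_RE.match(line)
    if not m or m["msg"].startswith(NOISE_PREFIXES):
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    login = LOGIN_RE.search(m["msg"])
    if login:
        return Event(ts, m["host"], m["prog"], login["user"], "login", login["ip"])
    kv = parse_kv(m["msg"])
    for action in ("cmd", "query"):
        if "user" in kv and action in kv:
            return Event(ts, m["host"], m["prog"], kv["user"], action, kv[action])
    return None

def preprocess(lines):
    return [e for e in map(normalize, lines) if e is not None]

def action_key(e):
    # logins are keyed on the source address, commands/queries on their first word
    return (e.action, e.detail.split()[0].lower())

def build_baseline(events):
    """D4 user behavior analysis: per-user set of actions and active hours of day."""
    profile = defaultdict(lambda: {"actions": set(), "hours": set()})
    for e in events:
        profile[e.user]["actions"].add(action_key(e))
        profile[e.user]["hours"].add(e.ts.hour)
    return dict(profile)

def detect_anomalies(profile, events):
    """D5 abnormal symptom detection: (event, reasons) for events off the user's baseline."""
    alerts = []
    for e in events:
        p = profile.get(e.user)
        if p is None:
            reasons = ["unknown user"]
        else:
            reasons = []
            if action_key(e) not in p["actions"]:
                reasons.append(f"new action {action_key(e)[1]!r}")
            if e.ts.hour not in p["hours"]:
                reasons.append(f"unusual hour {e.ts.hour:02d}")
        if reasons:
            alerts.append((e, reasons))
    return alerts
```

Running `detect_anomalies(build_baseline(preprocess(BASELINE_LOGS)), preprocess(OBSERVED_LOGS))` leaves alice's daytime activity unflagged and raises alerts for bob's late-night login, new query and new `scp`, and for the unknown user carol, while the cron line is filtered before analysis.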

A2; System log
A3; Network log
A4; Content log
A5; Application log
A6; Other matters
B2; Installing the agent
B3; Network communication
B4; DB connection
B5; Syslog / SNMP
B6; LDAP
C2; Filtering
C3; Parsing
C4; Normalization
C5; Encryption / compression
C6; Storage / transmission
D2; Parallel distributed processing
D3; Machine learning
D4; User behavior analysis
D5; Real-time automatic analysis
D6; Data visualization
E2; Policy / scenario
E3; Dashboard
E4; Event / query analysis
E5; Call procedure
E6; Report processing

Claims (4)

1. An intelligent security log analysis method, comprising:
a step A1 of defining the analysis target, which is divided into a system log, a network log, a content log, an application log and other items, wherein
the system log defines as analysis targets the system logs of Unix, Linux and Windows, the system and application logs of Web/WAS servers, and the DBMS system log, system access history, history of commands used, DB connection history, query and result history, and query execution and blocking history;
the network log defines as analysis targets the allow history/detection history/blocking history of firewalls, IPS, IDS, web firewalls and WIPS, the traffic status per attacking/target IP, attack events, the harmful-site blocking history, the sensor and node information, blocking policy and target information, and authentication and patch management for network access control, the traffic status and detection/blocking history of anti-DDoS equipment, the traffic and system log of routers and switches, and the VPN user authentication history, traffic and system log;
the content log defines as analysis targets the user authentication history, document usage history and document encryption/decryption history for DRM/DLP, the media access history including USB, the media read/write history and the media allow/block history for media security, the output and fax transmission history for output and fax security, the presence of personal information for personal-information detection, and whether personal data is stored on mobile devices for mobile security;
the application log defines as analysis targets the web access history, the error and debug logs and the container log of web applications, the malicious-code blocking and detection history, the real-time monitoring execution history and scan history for virus/APT/web-shell blocking, the user authentication history for OTP, biometric authentication, PKI and SSO, the history of vulnerability check results for web and network vulnerability checking, and the PC login, authentication history, software status and WSUS status for Active Directory; and
the other items define as analysis targets personnel information, organizational information, groupware, business systems such as ERP, the gateway for physical security, visitor registration, information on retirees and prospective retirees for personnel management, information on partner personnel, integrated account and authority information, and KISA, CERT, money security and security vendor services for external threat information; and
a step B1 in which a data collection device for collecting data from the analysis target defined in step A1 is installed, network communication (TCP/UDP) and a database (DB) connection are established to the data collection device, and the data collection device collects the data by applying syslog and the Simple Network Management Protocol (SNMP) and a protocol such as the Lightweight Directory Access Protocol (LDAP).
2. The method according to claim 1, further comprising, after step B1, a step C1 in which an internal server for preprocessing is provided for the data collected by the data collection device and the internal server performs a filtering process that filters out the data not used for analysis to prevent unnecessary use of resources, a parsing process that parses the grammatical structure or syntax of each sentence, a normalization process that modifies the data according to fixed rules to make it easy to use, an encryption and compression process that applies the encryption recommended by government agencies (KISA and KISA) and encrypts the data for security, and a storage and transmission process that transmits the compressed data to an external cluster for bandwidth reduction.
3. The method according to claim 1, further comprising, after step C1, a step D1 in which an external cluster, which provides the function of connecting a plurality of computers over a network so that the user can use them as a single high-performance large computer system, analyzes the preprocessed data by a storage/decompression process that expands capacity when necessary for parallel distributed processing, an indexing process that builds indexes to enable high-speed memory-based retrieval, a machine learning process that performs deep learning based on open source, a data visualization process that visualizes multidimensional data based on open source, a user behavior analysis process that analyzes user-specific behavior, and an abnormal symptom detection process for preventing security incidents such as internal information leakage.
4. The method according to claim 1, further comprising, after step D1, a step E1 of managing the analyzed data, in which:
for policy/scenario, correlated analysis scenarios between the collected data are provided, analysis of the cause and effect of an occurrence is supported through the collected data, and proactive response is supported by reflecting external security information;
for the dashboard, the real-time status of important indicators is grasped, and the administrator's perception of multidimensional data is enhanced through data visualization;
for event/query analysis, high-speed retrieval of large data is supported through indexing, per-user behavior is searched, internal threats are responded to proactively, and personnel are continuously monitored through the personnel/organization information history;
for call processing, a call procedure for the user is supported when abnormal behavior is detected; and
for reporting, a tool for creating reports in the format desired by the administrator is supported.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020170093249A KR102033169B1 (en) 2017-07-24 2017-07-24 intelligence type security log analysis method

Publications (2)

Publication Number Publication Date
KR20190010956A true KR20190010956A (en) 2019-02-01
KR102033169B1 KR102033169B1 (en) 2019-10-16

Family

ID=65367902

Country Status (1)

Country Link
KR (1) KR102033169B1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102152338B1 (en) 2019-11-19 2020-09-07 충북대학교 산학협력단 System and method for converting rule between NIDPS engines
KR20220014086A (en) 2020-07-28 2022-02-04 한국전자통신연구원 Method and Apparatus for Intelligent Operation Management of Infrastructure
KR102524551B1 (en) 2020-11-26 2023-04-24 한국전력공사 System and Method for detecting security threats using log information
KR20220074638A (en) 2020-11-27 2022-06-03 광주과학기술원 A method and apparatus for determining sampling point and sampling rate for multiple traffic analyzers using reinforcement learning on software-defined networks

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20100003099A (en) 2008-06-30 2010-01-07 주식회사 케이티 The enterprise network analysis system and its method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"통합로그 관리 솔루션 LogCops" NileSoft 기술 설명서 (2014.)* *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20210057446A (en) 2019-11-12 2021-05-21 고려대학교 산학협력단 Method for assessment damage of malware attack, recording medium and device for performing the method
WO2021141326A1 (en) * 2020-01-06 2021-07-15 삼성전자주식회사 Electronic device and control method thereof
KR20220072697A (en) * 2020-11-25 2022-06-02 서울과학기술대학교 산학협력단 System for generating graph-based training data for cyber threat detection and method thereof
CN115442270A (en) * 2022-09-02 2022-12-06 南京信易达计算技术有限公司 Full-stack high-performance computing cluster monitoring system
CN116974973A (en) * 2023-08-09 2023-10-31 株洲车城机车配件股份有限公司 Intelligent dump protection method and system for locomotive video
CN116974973B (en) * 2023-08-09 2024-04-05 株洲车城机车配件股份有限公司 Intelligent dump protection method and system for locomotive video
CN117648689A (en) * 2024-01-29 2024-03-05 北京东方森太科技发展有限公司 Automatic response method for industrial control host safety event based on artificial intelligence
CN117648689B (en) * 2024-01-29 2024-04-12 北京东方森太科技发展有限公司 Automatic response method for industrial control host safety event based on artificial intelligence

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E701 Decision to grant or registration of patent right
GRNT Written decision to grant