KR20230073056A - Malicious event log automatic analysis device and method - Google Patents

Abstract

Disclosed is a method and apparatus for automatically analyzing a malicious event log, which is an endpoint threat event, by applying an artificial intelligence (AI)-based chatbot engine. The automatic analysis method processes logs by grouping by process for efficient analysis of event logs, generates sentences about process behavior through neuro-linguistic programming (NLP) techniques for AI analysis, and actually Convert malicious behaviors into data and use them as learning data for AI model learning, implement a transformer algorithm-based learning system to learn learning data, and analyze actual malicious behaviors to determine if the event is malicious based on BERT and LSTM algorithms. Event logs grouped through an automatic analyzer are checked in real time, and if the target of malicious activity has a certain degree of similarity, it is detected and automatically judged as a threat event.

Description

Malicious event log automatic analysis device and method {MALICIOUS EVENT LOG AUTOMATIC ANALYSIS DEVICE AND METHOD}

The present invention relates to a method for automatically analyzing malicious event logs, and more particularly, to a method for automatically analyzing malicious event logs, which are endpoint threat events, by applying an artificial intelligence (AI)-based chatbot engine, and It's about the device.

As the information and communication infrastructure continues to expand, various types of security threats using the information and communication (IT) infrastructure are rapidly increasing. Recently, these advanced persistent threats (Advanced Persistent Threats, hereinafter referred to as APTs) frequently cause major information leakage accidents within companies using malicious codes and weaken work concentration due to internal users' access to non-business sites, resulting in information leakage accidents. Countermeasures are desperately needed.

In order to respond to security threats that continue to cause damage, it is necessary to analyze a vast amount of malicious code and threat-related data. development is required.

On the other hand, overseas and domestic APT solution manufacturers related to existing malware detection and response technologies are presenting response solutions in various forms for each company to respond to new or variant malware, but respond in real time to security threats that are gradually becoming more massive and intelligent. It is not easy to do.

In response, endpoint detection & response (EDR) solution developers who are researching malware detection technology using machine learning actively utilize artificial intelligence (AI) technology to detect signature-based, rule-based It detects some cyber threats that are not detected by existing solutions such as

In addition, endpoint incident response solutions are being actively introduced to automatically detect and respond to signs of cyber attacks in real time through correlation analysis and machine learning by collecting information from endpoint devices.

In addition, various threat intelligence tools for distributed remote forensics are being developed as a preemptive response technology for malicious behavior in a business personal computer (PC). In addition, various static application security testing (SAST) tools that can test the security of software applications developed in various languages such as C/C++, Ruby, and Python are also being developed.

However, in order to effectively analyze and respond to the above-mentioned malicious codes or threat attacks, it is most desirable to directly analyze the malicious code inside the agent installed on the PC, terminal, server, etc., but such a type of solution has not yet been proposed. there is.

An object of the present invention is to provide an endpoint security solution capable of automatically analyzing and detecting threat events at an endpoint using a chatbot engine.

Another object of the present invention is to build an elastic search database management system (DBMS), which is a large-capacity database (database, DB) for building event log datasets, and to build a transformer for automatic analysis and detection of threat event logs. Establish a network and LSTM (long short-term memory) network-based learning system, and have an automated behavioral event analysis function that can effectively classify malicious behavioral events with a text classification function based on this, while endpoint event detection rules and It is to provide an automatic endpoint analysis device and method capable of performing malicious event detection in conjunction with each other.

Another object of the present invention is to provide an AI-based endpoint detection and response (EDR) solution to which a chatbot engine is applied.

Another object of the present invention is to build an AI database to store AI modules and event logs in an analysis server, install an agent on a user PC, analyze events on the user PC by rule matching in the agent, and analyze the analysis results. The analysis result is transmitted in conjunction with the AI database of the analysis server, grouping is performed using process ID and session information, and sentences are generated in the order of process actions in the order of progress and transmitted to the AI database to transmit data By constructing the set, it is intended to provide an endpoint automatic analysis device and method capable of automatically analyzing malicious event logs effectively.

Another object of the present invention is to automatically analyze threat processes based on artificial intelligence by collecting threat event data and event logs through the application of artificial intelligence technology, grouping by process identifier and session identifier, and grouping by process, and automatically analyzes threat processes based on artificial intelligence. An automatic endpoint analysis device and method capable of automatically determining a threat event based on a threat and providing an analysis result and a process tree of a transformer network to provide a detection basis are provided.

An automatic malicious event log analysis device according to an aspect of the present invention for solving the above technical problem is endpoint threat detection for automatic event analysis and detection using an artificial intelligence (AI) based chatbot engine. And an endpoint detection & response (EDR) device, including a processor and a memory, wherein the processor: processes the log into groupings by process for efficient analysis of event logs, and analyzes AI by at least one command stored in the memory. Sentences for process behavior are generated through NLP (Natural Language Processing) techniques for In order to implement a learning system based on learning and analyze actual malicious behavior, check grouped event logs in real time through an automatic analyzer for event maliciousness based on BERT (bidirectional encoder representations from transformers) and LSTM (long short-term memory) algorithms Thus, if the target of a malicious action has a certain degree of similarity or higher, it can be configured to detect and automatically judge it as a threat event.

In one embodiment, the deep learning-based chatbot engine for event log classification operates in a behavior sentence generation and labeling method for learning threat process behavior, and according to performance based on six encoder and decoder layers of the transformer architecture It is designed as an optimal layer, configured to adjust the learning rate according to the learning progress time for cost optimization required for model learning, and combines a transformer-based BERT model and a dense layer. It can be configured as a model, and an optimal model according to F1-score comparison between a transformer-based model and a traditional recurrent neural network (RNN) model based on LSTM and gated recurrent units (GRU) can be used. .

In one embodiment, an AI module for event analysis may interwork with the EDR system. Here, the AI module can provide an integrated service in conjunction with a cloud-based EDR solution.

In one embodiment, the AI module may be managed by a management server in the form of an appliance disposed for each site, or may be directly serviced on a network based on a cloud.

In the method for automatically analyzing malicious event logs according to another aspect of the present invention for solving the above technical problem, a database for storing an artificial intelligence module and an event log is built in an integrated analysis server, an agent is installed on an endpoint, and an event log in the agent is installed. A method of analyzing malicious event logs by performing rule matching on logs, comprising: grouping event logs by utilizing process ID and session information; generating sentences in order of process actions based on the event log; and automatically analyzing malicious event logs in the endpoint based on the dataset included in the sentences generated in the sequence of actions.

A method for automatically analyzing malicious event logs according to another aspect of the present invention for solving the above technical problem includes processing logs by grouping by process for efficient analysis of event logs; Generating sentences for process behavior through NLP (Natural Language Processing) techniques for AI analysis; Converting malicious behaviors that actually operate into data and using them as learning data for AI model learning; generating a learning system based on a transformer algorithm to learn learning data; Checking grouped event logs in real time through an automatic malicious event analyzer based on BERT and LSTM algorithms to analyze actual malicious behavior; and detecting and automatically judging a malicious action target as a threat event when the target has a certain degree of similarity or higher.

An automatic malicious event log analysis device according to another aspect of the present invention for solving the above technical problem is to build a database to store artificial intelligence modules and event logs in an integrated analysis server, install an agent on an endpoint, and in the agent An apparatus for analyzing a malicious event log by performing rule matching on an event log, comprising: a processor and a memory storing at least one command executed by the processor, the processor comprising: Grouping event logs using process ID and session information; generating sentences in order of process actions based on the event log; It is configured to perform the step of automatically analyzing malicious event logs in the endpoint based on the dataset included in the sentences generated in the sequence of actions.

An automatic malicious event log analysis device according to another aspect of the present invention for solving the above technical problem is an endpoint for endpoint detection & response (EDR) using an artificial intelligence (AI) based chatbot engine. As an automatic analysis device, it includes a processor and a memory, and by at least one command stored in the memory, the processor: processes the log into groupings by process for efficient analysis of event logs, and NLP (Natural Language Processing) for AI analysis Create sentences about process behavior through techniques, convert malicious behaviors that actually operate into data and use them as learning data for AI model learning, implement a transformer algorithm-based learning system to learn learning data, In order to analyze the actual malicious behavior, the grouped event logs are checked in real time through an event malicious automatic analyzer based on BERT (bidirectional encoder representations form transformers) and LSTM (long short-term memory) algorithms to determine if the malicious behavior target has a certain degree of similarity or higher. It is configured to detect and automatically judge it as a threat event.

In one embodiment, the transformer model for the transformer algorithm includes an encoder layer and a decoders layer, and an embedding dimension in an embedding vector of each word in positional encoding of an input layer. If the value obtained by adding 1 to the position of is an odd number, the position of the word may be calculated by using Equation 1, which is a cosine function, to generate location information of malicious behavior.

In one embodiment, the transformer model for the transformer algorithm includes an encoder layer and a decoders layer, and an embedding dimension in an embedding vector of each word in positional encoding of an input layer. If the value obtained by adding 1 to the position of is an even number, the position of the word may be calculated by using Equation 2 below, which is a sin function, thereby generating location information of malicious behavior.

In one embodiment, the decoder structure including the decoder layer is trained to predict a word of each view from a sentence matrix, and a layer masking words of a future view so as not to refer to words in the future is a front end of decoder sublayers. It can be configured to apply to.

According to the present invention described above, an automatic analysis device or method for malicious event logs to which an artificial intelligence (AI)-based chatbot engine is applied applies an endpoint detection & response (EDR) solution as a core engine to detect a large amount of logs. can be used as an analysis module for solutions that require efficient and fast classification and analysis, and can be used as a solution that automatically determines whether a threat is violated by AI without a professional analyst.

In addition, the automatic analysis using AI according to the present invention is not limited to endpoint event log analysis, and can significantly increase the reliability of the analysis result of malicious code and malicious behavior by applying it to a visualization platform capable of testing malicious code, It has the advantage of being immediately applicable to cloud-based security service products such as SECaaS (security as a service).

The above-described automatic malicious event log analysis device or method of the present invention can be effectively applied to the following fields. In the case of the APT response field, it can be applied to an on-premise type of solution for responding to intelligent persistent threats. In the case of the EDR solution field, it can be applied to endpoint event behavior analysis, cause analysis, and response solutions. In the case of SECaaS, it can be applied to cloud-based APT and Ransomware response solutions. And, in the case of the security control field, it can be applied to the endpoint threat information visualization field for security control automation.

1 is a diagram for explaining the main configuration and operation principle of an automatic event analysis and detection system (hereinafter referred to as an 'automatic analysis device') to which an artificial intelligence (AI)-based chatbot engine is applied according to an embodiment of the present invention.
FIG. 2 is a diagram for explaining an AI analysis process of an infringement threat applied to endpoint detection & response (EDR) that can be employed in the automatic analysis device of FIG. 1 .
FIG. 3 is a diagram for explaining an AI-based threat behavior detection function applied to EDR that can be employed in the automatic analysis device of FIG. 1 .
Figure 4 is a schematic illustration of the application of an AI analysis module that can be employed in the automatic analysis device of Figure 1.
5 is a schematic diagram illustrating an AI engine for automatic analysis of a threat event log based on a chatbot engine that can be employed in the automatic analysis device of FIG. 1 .
6 is a schematic configuration diagram of an EDR system to which an AI module to which a chatbot engine that can be employed in the automatic analysis device of FIG. 1 is applied is applied.
7 is a diagram for explaining an EDR solution and an AI module linkage interface that can be employed in the automatic analysis device of FIG. 1.
8 is a schematic block diagram of an AI module application configuration for event analysis that can be employed in the automatic analysis device of FIG. 1 .
9 is an exemplary diagram for explaining a process of grouping session IDs and process IDs by processor in an automatic malicious event log analysis method (hereinafter referred to simply as 'automatic analysis method') according to another embodiment of the present invention.
FIG. 10 is an exemplary diagram for explaining a malicious event in which normal behaviors are gathered and ransomware behaviors in the automatic analysis method of FIG. 9 .
FIG. 11 is an exemplary diagram for explaining a malicious event in which normal behaviors are gathered to collect network information or transmit information in the automatic analysis method of FIG. 9 .
FIG. 12 is an exemplary diagram for explaining a malicious event that does not include terminated as an event type in the automatic analysis method of FIG. 9 .
FIG. 13 is a block diagram of the architecture of a transformer model network that can be employed in the automatic analysis method of FIG. 9 .
14 is an exemplary diagram for explaining the structure of the transformer model of FIG. 13;
FIG. 15 is an exemplary diagram for explaining a text classification structure using BERT and a dense layer as another configuration that can be employed in the transformer model of FIG. 13 .
FIG. 16 is an exemplary diagram of text classification using the LSTM of FIG. 15 that can be used together with or replaced with the transformer model of FIG. 13 .
17 is a block diagram illustrating a form of security service by the automatic analysis device of FIG. 1;
FIG. 18 is a block diagram illustrating a performance evaluation process for automatic AI-based threat event analysis of the automatic analysis device of FIG. 1 .
19 is a block diagram illustrating the main configuration of an automatic analysis device according to another embodiment of the present invention.

Since the present invention can make various changes and have various embodiments, specific embodiments will be illustrated in the drawings and described in detail in the detailed description. However, this is not intended to limit the present invention to specific embodiments, and should be understood to include all modifications, equivalents, and substitutes included in the spirit and scope of the present invention. Like reference numerals have been used for like elements throughout the description of each figure.

Terms such as first, second, A, and B may be used to describe various components, but the components should not be limited by the terms. These terms are only used for the purpose of distinguishing one component from another. For example, a first element may be termed a second element, and similarly, a second element may be termed a first element, without departing from the scope of the present invention. The term “and/or” includes any combination of a plurality of related listed items or any of a plurality of related listed items.

It is understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, but other elements may exist in the middle. It should be. On the other hand, when an element is referred to as “directly connected” or “directly connected” to another element, it should be understood that no other element exists in the middle.

Terms used in this application are only used to describe specific embodiments, and are not intended to limit the present invention. Singular expressions include plural expressions unless the context clearly dictates otherwise. In this application, the terms "include" or "have" are intended to designate that there is a feature, number, step, operation, component, part, or combination thereof described in the specification, but one or more other features It should be understood that the presence or addition of numbers, steps, operations, components, parts, or combinations thereof is not precluded.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which the present invention belongs. Terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with the meaning in the context of the related art, and unless explicitly defined in the present application, they should not be interpreted in an ideal or excessively formal meaning. don't

Hereinafter, with reference to the accompanying drawings, preferred embodiments of the present invention will be described in more detail. In order to facilitate overall understanding in the description of the present invention, the same reference numerals are used for the same components in the drawings, and redundant descriptions of the same components are omitted.

1 is a schematic configuration of a device for automatically analyzing an event log of a malicious event, which is an endpoint threat event, by applying an artificial intelligence (AI) based chatbot engine according to an embodiment of the present invention (hereinafter referred to as an 'automatic analysis device' for short) And it is a drawing for explaining the operating principle.

Referring to FIG. 1 , the automatic analysis device 100 includes a first module 110 for grouping, a second module 120 for storage, a third module 130 for construction, and a fourth module for analysis. 140 and a fifth module 150 for automatic determination.

The first module 110 groups logs collected from a user's personal computer (PC). The second module 120 quantifies and stores the collected event logs or grouped logs. The third module 130 builds a dataset based on the quantified logs. The fourth module 140 automatically analyzes the event log based on the transformer model. The fifth module 150 automatically determines a threat event based on the result of automatic analysis of the event log.

The transformer model for the transformer algorithm has an encoder layer and a decoders layer, and in the positional encoding (PE) of the input layer, 1 is placed at the position of the embedding dimension in the embedding vector of each word. When the value obtained by adding is an odd number, the position information of the malicious act may be generated by calculating the position (pos) of the word using Equation 1, which is a cosine (cos) function.

In Equation 1, D represents the number of input dimensions of the event analyzer, and i represents the number of the input dimension.

In addition, the transformer model for the transformer algorithm has an encoder layer and a decoders layer, and in the positional encoding of the input side layer, 1 is placed at the position of the embedding dimension in the embedding vector of each word. When the value obtained by adding is an even number, the position information of the malicious act may be generated by calculating the position of the word using Equation 2 below, which is a sin function.

In Equation 2, D represents the number of input dimensions of the event analyzer, and i represents the number of the input dimension.

The automatic analysis device 100 may be connected to the artificial intelligence (AI) analysis web management system 200 through a network. The AI analysis web management system 200 can be mounted on an AI analysis server connected to a user's personal computer, and a module 210 performing user management for an administrator, a module 220 performing monitoring of collection or analysis status , a module 230 for managing the collection and analysis system, and a module 240 for managing the AI analysis status.

The aforementioned automatic analysis device 100 is an endpoint detection & response (EDR) device for automatically analyzing and detecting events using an artificial intelligence (AI)-based chatbot engine, and includes a processor and memory, , By at least one command stored in memory, the processor: Processes logs by grouping by process for efficient analysis of event logs, generates sentences about process behavior through NLP (Natural Language Processing) techniques for AI analysis, , Actual malicious behaviors are converted into data and used as learning data for AI model learning, a transformer algorithm-based learning system is implemented to learn the learning data, and BERT (bidirectional encoder) is used to analyze actual malicious behaviors. Representation form transformers) and LSTM (long short-term memory) algorithm-based event maliciousness automatic analyzer checks grouped event logs in real time, detects if the target of malicious action has a certain similarity or higher, and automatically judges it as a threat event.

The deep learning-based chatbot engine for event log classification operates by generating and labeling behavioral sentences to teach the chatbot engine threat process behavior, and optimizes the performance based on the six encoder and decoder layers of the Transformer architecture. , and is configured to adjust the speed according to the learning progress time for optimizing the cost required for model learning, and is a model combining a transformer-based BERT model and a dense layer. LSTM and GRU (gated recurrent unit) based traditional RNN (recurrent neural network) models and transformer-based models based on F1-score comparison according to the optimal model can be used.

In addition, the AI module for event analysis can work with the EDR system. Here, the AI module can provide an integrated service in conjunction with a cloud-based EDR solution. These AI modules may be managed by a management server in the form of an appliance disposed for each site, or may be directly serviced on a network based on a cloud.

FIG. 2 is a diagram for explaining an AI analysis process of an infringement threat applied to endpoint detection & response (EDR) that can be employed in the automatic analysis device of FIG. 1 . FIG. 3 is a diagram for explaining an AI-based threat behavior detection function applied to EDR that can be employed in the automatic analysis device of FIG. 1 . And Figure 4 is a schematic illustration of the application of the AI analysis module that can be employed in the automatic analysis device of Figure 1.

2, the infringement threat AI analysis process applied to the EDR that can be employed in the automatic analysis device can standardize and store event logs by group in the analysis system AI DB in the EDR system or analysis system (S21).

Next, analysis logs for each process ID and session may be grouped (S22).

Next, an action sentence may be generated from the event log (S23).

Next, the action sentence can be analyzed based on AI (S24).

Next, a threat event may be automatically determined based on the analyzed action sentence (S25).

Next, the automatic determination result may be transmitted to a web server DB such as an elastic DB analysis and determination result to a distributed system AI DB, and to a display device to visualize the threat event tree and analysis information (S26 , S31).

And, the event log stored in the analysis system AI DB is delivered to the agent installed in the user's personal computer, and the agent can be used to collect infringement threat information (S27).

Next, based on the collected infringement threat information, the agent can automatically detect a threat (S28).

Next, the event log collected through the automatic threat behavior detection can be reported to the analysis system AI DB (S30).

That is, as shown in FIG. 3, in the AI-based threat behavior detection method applied to EDR, after the automatic determination of threat events (S31), the automatic analysis step (S32), the data collection step (S33), and the log grouping step (S34) ), threat detection step (S35) and threat event information visualization step (S36).

In other words, as shown in FIG. 4, after collecting event logs (S41), generating event action sentences (S42), AI model learning-based feature extraction is performed by applying a rule It may be configured to perform a step (S43), and a step (S44) of automatically determining whether the resulting data is malicious by transmitting.

As described above with reference to FIGS. 2 and 4, the threat event automatic analysis and detection AI module to which the chatbot engine, which is a kind of automatic analysis device, is applied, can work with the EDR system for endpoint security.

The AI module can be configured by performing an interface migration operation to forward the event log data, which was delivered to the existing web database, to the newly built AI analysis database for AI application to the existing EDR system.

In addition, the AI module may have an elastic search DBMS (DB management system), which is a large-capacity database (DB), to build an event log dataset.

In addition, the AI module may have a transformer algorithm-based learning system for automatic analysis and detection of threat event logs.

In addition, the AI module may have a function for automated behavior event analysis capable of classifying malicious behavior events with a text classification function, or a component corresponding to such a function.

In addition, the AI module may be configured to detect malicious events in conjunction with endpoint event detection rules.

For the above configuration, the AI module collects threat event data, collects event logs, groups them by processor identifier (process ID) and session identifier (session ID), and groups them by process to automatically analyze AI-based threat processes, automatically Automatic judgment of threat events according to the analysis results, automatic analysis of threat events through the web UI, and judgment results and process trees can be visualized and displayed.

As described above, in the present embodiment, it is possible to automatically determine whether an event log is malicious by automatically analyzing the event log, and two advantages of high accuracy and rapid analysis can be obtained by constructing an automated event analysis system.

5 is a schematic diagram for explaining an AI engine for automatic analysis of a chatbot-based threat event log that can be employed in the automatic analysis device of FIG. 1 .

Referring to FIG. 5, the AI engine that can be employed in the automatic analysis device is a kind of chatbot engine to which EDR is applied, and first analyzes the event extracted from the endpoint using a rule (S51, S52), the analysis results are stored in the AI analysis server DB (S53, 54), and the AI module can perform analysis log grouping by process ID and session identifier (session) for the stored data. The rule may include IOC (indicator of compromise) infringement indicators and MITER ATT&CK (adversarial tactics, techniques and common knowledge) attack techniques.

In addition, the AI engine may generate event action sentences considering the order of event groups and store the generated action sentences in an AI DB to collect data and build a dataset (S56). Using these datasets, a trained analyzer can be prepared by using a transformer-based model or RNN-based model learning.

According to this configuration, the input event log is automatically analyzed and the classification probability is calculated with the learned analyzer, based on this, automatic judgment of threat events is performed, analysis and judgment results are stored in the web server DB, and the web user interface manager ( web UI manager), the result of transformer-based automatic analysis and judgment and the order of process tree actions can be visualized and provided to the user.

In addition, the AI engine groups the action event logs collected through the agent using process IDs and sessions, generates threat action events as action sentences, and builds a dataset (S57). , Using the behavioral event data set constructed in this way, a transformer-based analyzer for speed and overall long sentence parsing among text classification techniques can automatically detect threat event logs based on the analysis results from the analyzer. Yes (S58, S59).

The automatically detected threat event is stored in a web server DB, such as an elastic DB, and can be used for automatic determination of the threat event (S59), and analysis and judgment results are stored in the web server DB or elastic DB (S60), and the user Analysis results or judgment results may be expressed through a user interface (UI) (S61).

6 is a schematic configuration diagram of an EDR system to which an AI module to which a chatbot engine that can be employed in the automatic analysis device of FIG. 1 is applied is applied. 7 is a diagram for explaining an EDR solution and an AI module linkage interface that can be employed in the automatic analysis device of FIG. 1.

Referring to FIG. 6, the AI-based EDR system 100 to which the chatbot engine is applied may include an AI module 160 and an AI database 170 to store event logs as a kind of automatic analysis device, Through the AI module, the agent installed on the user PC on the network analyzes the event of the user PC by performing rule matching, and the analysis result is linked with the AI database 170 of the analysis server to transfer the analysis result to the user PC on the network , may be configured to be transmitted to an analysis server, an elastic DB 260, and the like. A web browser-based user interface 270 is installed in the elastic DB 260 to permit access from a user PC and other user terminals and to communicate with the user PC.

The main operating principle of the AI module is described with reference to FIG. 7 as follows. A process described below may correspond to a component that performs a corresponding function.

When an event occurs, the AI module performs event log collection from the agent (71). Collected logs are saved in a specific folder. Next, rule matching is performed through a rule module 72 and the result is stored in a specific folder. The collected logs and matching results may be provided to a user PC on the web through a manager 73 or stored in a DB 74 . Here, the manager 73 is built as server hardware or a cloud environment and can work with an AI module like a DB server on a virtualized operating system.

Next, the logs stored in the DB 74 are grouped (75), and the grouped logs may be generated as action sentences (76). The generated action sentence 76 may be stored in the database 74.

In addition, machine learning (77) can be trained based on the logs and matching results stored in the DB (74), thereby creating a learning model file (78). . And, the previously generated action sentence 76 may be used to generate a learning model file.

Next, action sentence analyzed results (79) can be generated using the learning model file. Then, automatic judgment of threats is made based on the generated action sentence analysis result (79) and threshold setting (80) (81), and the judgment result is greater than or equal to a predetermined threshold result (82). When it is equal to or less than, the result may be configured to be stored in the manager DB 83 (83).

In other words, by calling the analysis results attempted by the agent, grouping is performed using process ID and session information, and sentences are generated in the order of progress and process action, and then stored in the artificial intelligence database (AI DB). You can build a dataset by sending

8 is a schematic block diagram of an AI module application configuration (EDR solution) for event analysis that can be employed in the automatic analysis device of FIG. 1.

Referring to FIG. 8 , the EDR system corresponding to the EDR solution may include an EDR integrated management server 300 and an agent 100 in a broad sense. That is, the EDR system of this embodiment can be built as an AI-based EDR system to which an AI module for event analysis is applied.

The EDR integrated management server (hereinafter referred to as 'integrated management server') 300 includes a user interface (UI, 310), an AI-based event analysis module 320, a database management system (DBMS, 330), and a plurality of behavior analysis engines 350 ), server-type operating system (360) such as Windows server 2016R2, Windows operating system (windows OS), ESXi installed on HPE ProLiant server, Amazon web services (AWS), cloud such as Microsoft Azure A platform 370 such as a computing service, a cloud infrastructure for public institutions such as NHN toast, and the like, and hardware 380 supporting it may be provided. Hardware 380 may be cloud-based hardware.

The EDR system collects event information from the agent (agent, 180) of the endpoint (100), transmits it to the integrated management server (300), and stores the information in the DB management system (330) in the integrated management server (300). can do. The stored information may be sequentially collected by the AI-based event analysis module 320 to perform AI-based event analysis and applied to the detection rule 182 within the endpoint 100 based on the analyzed result. .

The endpoint 100 may include a Windows operating system 102 and PC hardware (H/W) 104, but is not limited thereto, and provides an environment in which other agents 180 such as an Android operating system can be installed and operated. Other operating systems may be provided.

The AI-based event analysis module 320 of the integrated management server 300 or the agent 180 of the endpoint 100 according to this embodiment is a device that performs the automatic malicious event log analysis method of this embodiment, and is an event log processing logs by grouping by process for efficient analysis of; Generating sentences for process behavior through NLP (Natural Language Processing) techniques for AI analysis; Converting malicious behaviors that actually operate into data and using them as learning data for AI model learning; generating a learning system based on a transformer algorithm to learn learning data; Checking grouped event logs in real time through an automatic malicious event analyzer based on BERT and LSTM algorithms to analyze actual malicious behavior; It may be configured to perform a step of automatically determining a malicious action target as a threat event by detecting a similarity or higher.

9 is an exemplary diagram for explaining a process of grouping session IDs and process IDs by processor in an automatic analysis method for malicious event logs (short, automatic analysis method) according to another embodiment of the present invention.

Referring to FIG. 9 , the grouping process for automatically analyzing malicious event logs may include a log collection step (S91) and a grouping step (S92), and a UI display step (S93) for displaying the grouped data on the user interface. can include more.

In the log collection step S91, event logs are collected and stored for each session ID (SID) and process ID (PID).

In the grouping step (S92), the collected event logs are grouped by session identifier or process identifier.

FIG. 10 is an exemplary diagram for explaining a malicious event in which normal behaviors are gathered and ransomware behaviors in the automatic analysis method of FIG. 9 .

Referring to FIG. 10, the malicious event in which normal behaviors gather and act as ransomware includes registering a startup program for maintaining persistence (S101), changing the background screen for requesting money (S102), and changing the file name for file encryption. (S103) may be performed at the same time. Such concurrent events may be regarded as a kind of ransomware operation and may be determined as malicious behavior (S104).

FIG. 11 is an exemplary diagram for explaining a malicious event in which normal behaviors are gathered to collect network information or transmit information in the automatic analysis method of FIG. 9 .

Referring to FIG. 11, a malicious event in which normal actions gather to collect network information or transmit information includes a case in which process execution (S111), file creation or file writing (S112), and network communication (S113) are simultaneously performed. can do. Such concurrent events may be classified as suspected malicious events and determined as suspected malicious actions (S114).

As described above with reference to FIGS. 9 to 11 , the automatic analysis method may use an event log grouping technique for classification by process activity. That is, when only one event log is analyzed, the event log may be a threat action event, but in most cases, it is a normal action event, and actions determined as normal actions are gathered to proceed with the threat action, so that the parent process ID and the current process ID Grouping is performed in chronological order using the same session ID, and malicious events can be analyzed through this.

FIG. 12 is an exemplary diagram for explaining a malicious event that does not include terminated as an event type in the automatic analysis method of FIG. 9 .

Referring to FIG. 12 , the automatic analysis method may use a process action sentence generation process using an event log for an NLP technique. That is, if there is no action terminated (Terminated, S122) among the grouped event logs, it means that it does not proceed until the end of the process. Sentences can be created considering the sequence of actions in the path, and malicious event logs can be automatically analyzed using this.

In addition, to create a learning model, a data set can be constructed with action sequence sentences. In this case, the sentence generated by the event action sentence generator may be stored in the DB of the AI analysis server, and the event action sentence generated to detect the threat event may be labeled.

FIG. 13 is a block diagram of the architecture of a transformer model network that can be employed in the automatic analysis method of FIG. 9 .

Referring to FIG. 13 , the automatic analysis device may use a transformer algorithm-based learning system for AI analysis.

The transformer algorithm-based learning system is capable of parallel processing and has excellent performance in understanding meaning between words, and can be composed of 6 layers of encoders and decoders.

For example, the automatic analysis device inputs data obtained by positional encoding the embedding of the event log in relation to the occurrence position to the first module, and through the first process (S132) of the first module, The input data is processed through encoder self-attention with multi-head self-attention, and the result of processing the input data and encoder self-attention is combined and normalized (add & norm). , it is possible to perform FFNN (based on location, add the result with generalized data, and generalize it and output it.

Next, the automatic analysis device may input the processing result of the first process ( S132 ) to the multi-head self-attention of the second process of the second module. The second process S134 of the second module further includes masked decoder self-attention with masked multi-head self-attention as a previous stage of multi-head self-attention. can do. The processing result of the mask decoder self-attention can be input to the multi-head self-attention after being combined with the input data of the corresponding module and generalized. In this case, multi-head self-attention may correspond to encoder-decoder attention.

The output of the second process ( S134 ) may be output through an output terminal such as softmax of a dense neural network.

The above-described relationship between the two steps S132 and S134 of the first module and the second module may be equally applied to two adjacent layers of a plurality of processes respectively performed in the plurality of layers. That is, the automatic analysis device can simultaneously and parallelly perform automatic determination for each event log group through the transformer algorithm.

In addition, when proceeding with attention, in the case of heads that proceed in parallel, it is set to 8, and the loss function may adopt a cross entropy function to solve the multi-class classification problem. In the case of the learning rate for optimizing the loss function, the value can be tuned so that the loss function converges more easily by gradually reducing the size of the learning rate according to the progress of learning.

14 is an exemplary diagram for explaining the structure of the transformer model of FIG. 13;

Referring to FIG. 14, the transformer model may include an encoder layer (S142) and a decoder layer (S144). In the positional encoding of the input layer, the positional information can be added to the embedding vector of each word and used as a model input.

Also, the decoder structure may be configured such that a sentence matrix is input after positional encoding in the same manner as the encoder structure. And the decoder structure can be trained to predict the word at each time point from the sentence matrix. In addition, a layer masking future words to prevent future words from being referred to may be applied to the front end of decoder sublayers.

FIG. 15 is an exemplary diagram for explaining a text classification structure using BERT and a dense layer as another configuration that can be employed in the transformer model of FIG. 13 .

Referring to FIG. 15, the automatic analysis device may use an automatic event analyzer (S136) using BERT and LSTM models. This analyzer (S136) can utilize the BERT model, which has the advantage of fine-tuning, to solve problems of finding and classifying sentence topics. In this case, the BERT model can be pre-learned and used by attaching dense layers (S138) having as many outputs as the number of labels to be learned during final classification.

In addition, when using the LSTM model, it is superior to traditional RNNs in processing long sequence inputs and has a high possibility of forming long sentences due to the sequential event characteristics of the threat process. In addition, since it is widely used in various natural language processing such as text classification and chatbot systems, it is possible to selectively use it according to performance comparison with transformer-based models.

FIG. 16 is an exemplary diagram of text classification using the LSTM of FIG. 15 that can be used together with or replaced with the transformer model of FIG. 13 .

Referring to FIG. 16, the transformer-based BERT model and the model using LSTM and GRU are trained as text classification or question-answer models using the same data set, and the results of the verification data and the test data set are compared to obtain an excellent f1-score. The model can optionally be used.

For example, after preprocessing the text input "I always hate foot-and-mouth disease" in a plurality of LSTMs (S162) through an embedding layer (S161), learning in a convolution layer (S163), Max An automatic analysis result can be output through a pooling layer (S164) and a fully-connected layer (FCL, S165). The automatic analysis result can be set as malicious event (+), not malicious event (-), or judgment pending (0).

A computing device for event analysis described above (corresponding to an automatic analysis device) or an AI module constituting at least a part of the computing device may be constructed in conjunction with the EDR system.

It can be implemented in the form of an EDR system linked with a buildable AI module that can manage and service security agents by placing an appliance-type management server for each site, or in the form of SECaaS that manages and services security agents based on the Cloud.

According to this embodiment, the AI module can provide an integrated service in conjunction with a cloud-based EDR solution that already provides a predetermined service. In this case, the setting interface of the AI module and the analyzed result information may be configured to be provided in conjunction with the GUI, which is the management system of the EDR system.

In addition, the intelligent EDR analysis system (hereinafter simply referred to as the analysis system) may include an endpoint security solution to which threat event automatic analysis and detection technology using a chatbot engine is applied. This analysis system is implemented in the form of installing an agent on a user PC for event collection, and the collected events can be stored in an AI DB after the primary analysis using Yara rules. In addition, after processing the analysis results collected in the AI DB into event groupings by process ID and session, the processed events are automatically analyzed through the AI analyzer, and the event automatic judgment results based on the automatic analysis results are stored in the web server DB. there is.

In addition, the analysis system may utilize a web browser-based user interface to visualize and display analysis results and judgment results.

In addition, the analysis system can automatically detect threat events through AI-based syntax analysis of event behavior as a type of automatic threat event detection. In addition, a threat event can be automatically determined based on the result of the automatic detection. In addition, the blacklist can be updated through the web user interface after determining the threat process through behavior analysis in conjunction with the blacklist for blocking the inflow of new variant malicious code. In addition, the analysis system may be configured to detect threat events by utilizing Yara rules for events collected from the user's PC for event detection using Yara rules.

In addition, the analysis system collects process, registry, network, and file information occurring on endpoints, such as user PCs, and receives attack tactics, attack techniques, and attack method information provided by MITER ATT&CK, and detects a high rate of None, It can provide detection functions below Telemetry, General Behavior, and Tactic.

In addition, the analysis system can automatically analyze event logs through an AI analysis function, determine maliciousness and infringement, and express judgment information. This judgment information includes attack tactics, attack techniques, and attack method information provided by MITRE ATT&CK, and can be stored after increasing to General Behavior and Tactic levels or higher.

17 is a block diagram illustrating a form of security service by the automatic analysis device of FIG. 1;

Referring to FIG. 17, the security service type can be implemented in the form of an endpoint threat behavior detection EDR product to which a chatbot engine is applied.

The automatic analysis device for this security service can be built as an external server 400 for learning data collection, security notification, and backup, and can communicate with other devices through HTTP. The external server 400 includes a short message service server 410, an update server 420, a virus total server 430, a bitdefender server 440, a mail server 450, a backup server 460, and the like. can include

Here, the integrated management server 300 for EDR solution management, as a kind of manager, is built as server hardware or a cloud environment and is installed on a virtualized operating system and may be installed to work with a DB server.

In addition, the AI-based event analysis system using an automatic analysis device can be mounted on the endpoint 100 or the integrated management server 300, implemented in PC hardware or a virtual environment of a cloud environment, and operating systems such as Windows servers. can operate in In addition, an agent (Agent, 180) for endpoint event collection and threat event response can be configured to operate on a specific endpoint, such as Windows 7 or Windows 10.

In addition, the endpoint threat behavior detection system to which the chatbot engine is applied is a type of AI-based event analysis system that uses an automatic analysis device. Rule matching is performed on the event log generated on the user PC to log the user PC event log to the DBMS. After grouping the user PC event logs collected in the DBMS into process trees, storing them in the DBMS, generating sentences from the collected event log process trees in the order of actions, and converting the generated sentences into AI model training datasets. It can be used to create transporter-based or LSTM-based deep learning-based AI models.

In addition, the above-described system transmits the event log generated in the endpoint 100 such as the actual user PC to the AI analysis system of the integrated management server 300 to perform automatic analysis on the generated AI model to output the degree of similarity. The threat process automatic judgment analysis result and automatic judgment result are transmitted to the DBMS, and the process tree and AI automatic analysis and judgment results can be visualized and displayed through the Web UI.

In addition, the endpoint threat behavior detection system to which the aforementioned chatbot engine is applied may have the following module configuration. That is, the system includes a process tree action sequence sentence generation module; Transformer network and LSTM-based network model training module using the tensorflow framework; Automatic analysis and similarity output module utilizing transformer network-based and LSTM network-based learning models; library for processing datasets; Automatic analysis result-based threat process automatic detection module; Analysis results and automatic judgment results may include a visualization module through a web user interface.

The library may include one or more selected from scikit-learn, pandas, and numpy libraries.

According to this embodiment, when behavioral information is collected from endpoints, stored in a storage central server, and security threat event automatic analysis is performed through AI analysis of stored behavioral information, a large amount of logs are efficiently and quickly classified and analyzed. This is possible, and when a threatening act occurs by AI, it can automatically determine whether it is infringed without a professional analyst.

In addition, automatic analysis using AI can significantly increase the reliability of the analysis result of malicious code and malicious behavior by applying it to a visualization platform that can test malicious code as well as endpoint event log analysis, and cloud-based security such as SECaaS. It has the advantage of being immediately applicable to service products, etc.

FIG. 18 is a block diagram illustrating a performance evaluation process for automatic AI-based threat event analysis of the automatic analysis device of FIG. 1 .

Referring to FIG. 18 , performance evaluation of the AI-based automatic threat event analysis method may be performed as follows.

First, in the event log collection step (S181), malicious information is collected from five known malicious information collection channels according to the execution of malicious code, such as Virus Total, Virus Sign, and Bitdefender. Therefore, 200 malicious files and 1000 normal files owned by each malicious information collection channel can be used as samples for performance evaluation.

Here, the 'virtualization-based passive analysis visualization platform for malicious behavior', which is a kind of automatic analysis device described in this embodiment, can be used to build a test bed to evaluate automatic analysis of threat events.

Next, when the event log is collected according to the execution of the malicious code, the threat event is automatically detected through the chatbot engine (S182). The result of automatic detection according to the execution of the malicious code on the endpoint, etc. may be configured to be visualized on the user interface together with the result of the rule analysis (S185) (S186). Through the visualized information, detection performance check and report can be provided to the user.

Next, the automatic detection result may be delivered to the visualization system (S184) through an automatic event analysis process (S183).

Next, the event automatic analysis result can be checked through the EDR GUI of the visualization system (S184) linked with the AI module, and the test result can be measured by checking the test bed UI.

According to the above-described embodiments, it is possible to effectively respond to unknown security threats and new and variant threats that neutralize existing anti-virus. In addition, by establishing an automatic cyber threat response system through IOC-based forensic analysis, human errors and temporal limitations that depended on manual analysis can be greatly improved. In addition, by introducing AI-based event analysis technology, it is possible to efficiently build a self-evolving threat response system by creating and distributing rules through an automated analysis system. In addition, it is possible to create and distribute reliable information by sharing the latest threat information with other organizations and other systems, and it can contribute to minimizing cyber damage by shortening the response time to malicious threats.

19 is a block diagram illustrating the main components of an image-based malicious code detection device according to another embodiment of the present invention.

The automatic malicious event log analysis device 1000 (briefly, the automatic analysis device) of the present embodiment may be installed as at least a part of a component of a server-side EDR system or as at least a part of an endpoint agent.

Referring to FIG. 19 , the automatic analysis device 1000 may include at least one processor 1100, a memory 1200, and a transceiver 1300 connected to a network to perform communication. In addition, the automatic analysis device 1000 may further include an input interface device 1400, an output interface device 1500, and a storage device 1600. Each component included in the automatic analysis device 1000 may be connected by a bus 1700 to communicate with each other.

However, each component included in the automatic analysis device 1000 may be connected through an individual interface or individual bus centered on the processor 1100 instead of the common bus 1700 . For example, the processor 1100 may be connected to at least one of the memory 1200, the transmission/reception device 1300, the input interface device 1400, the output interface device 1500, and the storage device 1600 through a dedicated interface. .

The processor 1100 may execute a program command stored in at least one of the memory 1200 and the storage device 1600 . The processor 1100 may mean a central processing unit (CPU), a graphics processing unit (GPU), or a dedicated processor on which methods according to embodiments of the present invention are performed.

Each of the memory 1200 and the storage device 1600 may include at least one of a volatile storage medium and a non-volatile storage medium. For example, the memory 1200 may include at least one of a read only memory (ROM) and a random access memory (RAM).

At least one command stored in the memory 1200 or the storage device 1600 or loaded and executed by the processor 1100 may include; Processing logs by grouping by process for efficient analysis of event logs; Generating sentences for process behavior through NLP (Natural Language Processing) techniques for AI analysis; Converting malicious behaviors that actually operate into data and using them as learning data for AI model learning; Creating a learning system based on the Transformer algorithm to learn the learning data; Checking grouped event logs in real time through an automatic malicious event analyzer based on BERT and LSTM algorithms to analyze actual malicious behavior; It may be configured to perform a step of automatically determining a malicious action target as a threat event by detecting a similarity or higher.

In addition, the operation of the method according to the above-described embodiments of the present invention can be implemented as a computer-readable program or code on a computer-readable recording medium. A computer-readable recording medium includes all types of recording devices in which data that can be read by a computer system is stored. In addition, computer-readable recording media may be distributed to computer systems connected through a network to store and execute computer-readable programs or codes in a distributed manner.

In addition, the computer-readable recording medium may include hardware devices specially configured to store and execute program instructions, such as ROM, RAM, and flash memory. The program command may include high-level language codes that can be executed by a computer using an interpreter or the like as well as machine code generated by a compiler.

Although some aspects of the present invention have been described in the context of an apparatus, it may also represent a description according to a corresponding method, where a block or apparatus corresponds to a method step or feature of a method step. Similarly, aspects described in the context of a method may also be represented by a corresponding block or item or a corresponding feature of a device. Some or all of the method steps may be performed by (or using) a hardware device such as, for example, a microprocessor, programmable computer, or electronic circuitry. In some embodiments, one or more of the most important method steps may be performed by such an apparatus.

In embodiments, a programmable logic device (eg, a field programmable gate array) may be used to perform some or all of the functions of the methods described herein. In embodiments, a field programmable gate array may operate in conjunction with a microprocessor to perform one of the methods described herein. Generally, methods are preferably performed by some hardware device.

Claims (7)

A method of analyzing malicious event logs by building a database to store artificial intelligence modules and event logs in an integrated analysis server, installing an agent on an endpoint, and performing rule matching on the event log in the agent,
Grouping event logs using process ID and session information;
generating sentences in order of process actions based on the event log;
Automatically analyzing a malicious event log in an endpoint based on a dataset included in a sentence generated in the sequence of actions;
Endpoint automatic analysis method comprising a. Processing logs by grouping by process for efficient analysis of event logs;
Generating sentences for process behavior through NLP (Natural Language Processing) techniques for AI analysis;
Converting malicious behaviors that actually operate into data and using them as learning data for AI model learning;
generating a learning system based on a transformer algorithm to learn learning data;
Checking grouped event logs in real time through an automatic malicious event analyzer based on BERT and LSTM algorithms to analyze actual malicious behavior; and
An endpoint automatic analysis method comprising the step of detecting and automatically determining a malicious behavior target as a threat event if the target has a certain degree of similarity or higher. A device that builds a database to store artificial intelligence modules and event logs in an integrated analysis server, installs an agent on an endpoint, and analyzes a malicious event log by performing rule matching on the event log in the agent,
processor; and
and a memory for storing at least one instruction executed by the processor, wherein the processor, by the at least one instruction,
Grouping event logs using process ID and session information;
generating sentences in order of process actions based on the event log;
Automatically analyzing a malicious event log in an endpoint based on a dataset included in a sentence generated in the sequence of actions;
An endpoint auto-analysis device that performs As an endpoint automatic analysis device for endpoint detection & response (EDR) using an artificial intelligence (AI)-based chatbot engine,
comprising a processor and a memory, wherein at least one instruction stored in the memory causes the processor to:
Processing logs by grouping by process for efficient analysis of event logs, generating sentences about process behavior through NLP (Natural Language Processing) techniques for AI analysis, and data of malicious behaviors that actually operate to improve AI model learning. BERT (bidirectional encoder representations form transformers) and LSTM (long short-term memory) to implement a transformer algorithm-based learning system to learn learning data, and to analyze actual malicious behavior An automatic endpoint analysis device that checks grouped event logs through an algorithm-based event automatic analyzer in real time and detects if the target of malicious activity has a certain similarity or higher and automatically judges it as a threat event. The method of claim 4,
The transformer model for the transformer algorithm has an encoder layer and a decoders layer, and in the positional encoding of the input side layer, 1 is assigned to the position of the embedding dimension in the embedding vector of each word. An automatic endpoint analysis device configured to generate position information of a malicious act by calculating a position (pos) of a word by using Equation 1, which is a cosine function, when the sum is an odd number;
[Equation 1]

. The method of claim 4,
The transformer model for the transformer algorithm has an encoder layer and a decoders layer, and in the positional encoding of the input side layer, 1 is assigned to the position of the embedding dimension in the embedding vector of each word. An automatic endpoint analysis device configured to generate position information of a malicious act by calculating a position (pos) of a word by using Equation 2 below, which is a sin function when the sum is an even number;
[Equation 2]

. The method of claim 5,
The decoder structure including the decoder layer is trained to predict words of each view from a sentence matrix, and applies a layer masking words of future views to the front end of decoder sublayers so that words in the future are not referred to. Point automatic analysis device.

Images