KR100729151B1 - Method for estimating damage based on markov process, recording medium and apparatus thereof - Google Patents

Abstract

A method and a device for estimating damage based on a Markov process, and a recording medium thereof are provided to explain risk generation probability and frequency of whole system by using the Markov process, apply to various risks of the whole system, and check correlation among the risks through covariance and a correlation coefficient. A risk definer(210) defines a set of risk states generable in important information communication infrastructure by collecting and analyzing risk generation data for a lone period. A matrix calculator(220) calculates a risk state transition matrix by mapping a generation frequency of each risk included in the risk generation data and the risk state set. An initial value calculator(230) calculates an initial probability of the risk state set by using the risk generation data later than the long period risk generation data. A risk estimator(240) generates risk frequency estimation information of the risk generable in the important information communication infrastructure by using the risk state transition matrix and the initial probability.

Description

Method for estimating damage based on Markov process, its recording medium and its device {Method for estimating damage based on markov process, Recording medium and Apparatus}

1 illustrates various damage propagation areas to which the present invention is applied.

2 is a block diagram of a Markov process based damage estimation apparatus according to the present invention.

3 is a flowchart of a Markov process based damage estimation method according to the present invention.

4 is a detailed flowchart of the state set definition process of FIG. 3.

5 is a detailed flowchart of a process of calculating a threat state transition matrix of FIG. 3.

6 is a detailed flowchart of an initial probability calculation process of FIG. 3.

7 is a detailed flowchart of the threat prediction process of FIG. 3.

8A and 8B illustrate a threat state in an application case of the present invention.

9 to 13b are graphs of simulation results according to the present invention.

The present invention relates to network security, and more particularly, to a method for estimating damage based on a Markov process, a recording medium thereof, and an apparatus thereof.

Recently, due to the rapid development of the Internet technology, the processing of business in the enterprise or institution depends on the Internet-based technology. In addition, as the network dependence and coupling of major telecommunication facilities increases, the number of cyber security incidents such as infringement acts on vulnerabilities in the system greatly increases. Accordingly, research on risk analysis and damage propagation related to the infringement of computer resources as well as personal information is required.

Accurate risk analysis enables the selection of appropriate security countermeasures and, as a result, greatly reduces the likelihood of a risk occurring, greatly reducing the magnitude of possible future security incidents. Such a risk analysis is meaningful in order to prevent security incidents in advance, and much research has been conducted in practice.

The epidemic model is a model for explaining the population relationship between infected individuals exposed to infections and those healed over time, assuming that a pathogen occurs within a specific population. Through this, it is possible to explain the spreading force of the worm propagating on the actual network.

Basically, the classical simple epidemic model, which is a biological classic model, is used to explain the damage spread of threats having propagation characteristics that can occur in the network. The most widely used model is the Kermack-Mckendrick model (or traditional SIR propagation model). In this model, the state of the host changed by the worm is divided into three categories: S (Susceptible), I (Infectious), and R (Removed). The host exposed to the worm initially becomes vulnerable to the worm (S) and becomes infected (I) when caught by the worm. Finally, the infected host is converted to a state where the worm is cured or the worm is completely lost its function.

The SIRS model is a propagation model that is an improvement over the conventional SIR model. In general, we considered the infected host I (t) over time, the host S (t) exposed to infection, and the removed host R (t) in the SIRS model. It is assumed that the host can be infected. In other words, as infection occurs in a host exposed to the infection, the host's status can be re-infected instead of completely removed after a certain period of time.

Finally, the TWO Factor Model was proposed by adding two elements that were not included in the conventional SIR and SIRS models. This is a newly proposed model after the Code Red accident. This model considered human countermeasures and decreasing infection rates. From the worm's point of view, human countermeasures remove certain hosts from the worm spread distribution. Hosts to be removed include both infected and still vulnerable hosts.

In contrast, the concept of damage propagation has not yet been established, and conventional damage propagation models are inadequate to adequately reflect the nature of incident types for the current IT environment.

Therefore, the conventional damage estimation methods suggest damage propagation models for specific threats such as viruses or worms, and thus are difficult to apply to various threats of the entire system, and are generated when threats occur. For the threat area to be analyzed, it is difficult to analyze the relationship between threats or the temporal factors.

Therefore, the first technical problem to be achieved by the present invention is to describe the probability and frequency of occurrence of threats in the entire system by using the Markov process and to apply them to various threats of the entire system instead of one specific threat. In other words, it provides a method for damage estimation based on the Markov process that can identify the degree of correlation between threats through covariance and correlation coefficient.

A second technical object of the present invention is to provide a computer-readable recording medium having recorded thereon a program for executing the above-mentioned damage processing method based on the Markov process on a computer.

A third technical problem to be achieved by the present invention is to provide a Markov process-based damage estimation apparatus to which the Markov process-based damage estimation method is applied.

In order to achieve the first technical problem, the present invention collects and analyzes long-term threat occurrence data to define a set of threat states that may occur in the main information communication infrastructure, the frequency of occurrence of each threat of the threat occurrence data, and the threat. Calculating a threat state transition matrix using a mapping between state sets, calculating an initial probability of occurrence of the threat state set using threat occurrence data more recent than the long term threat occurrence data, and the threat state transition matrix And generating prediction information on the frequency of occurrence of threats that may occur in the main information and communication infrastructure using the initial occurrence probability.

In order to achieve the second technical problem, the present invention provides a computer-readable recording medium having recorded thereon a program for executing the above-mentioned damage processing method based on the Markov process on a computer.

In order to achieve the third technical problem, the present invention collects and analyzes long-term threat occurrence data to define a threat state set that may occur in the main information and communication infrastructure, and a frequency of occurrence of each threat of the threat occurrence data. A matrix calculator for calculating a threat state transition matrix by using the mapping between the threat state sets, and calculating an initial value for calculating an initial occurrence probability of the threat state set by using threat occurrence data more recent than the long-term threat occurrence data It provides a Markov process-based damage estimation apparatus comprising a threat prediction unit for generating a frequency prediction information of threats that may occur in the main information communication infrastructure using the wealth and the threat state transition matrix and the initial probability of occurrence.

The damage propagation area depends on the type of threat or the relationship between the threats, so the damage propagation model must meet these requirements.

Therefore, the present invention provides a markov porcess-based probability for comprehensively predicting and analyzing the damage spread over time and the relationship between threats of the information system based on past threat occurrence data. Provides an enemy damage ramification model.

Through the damage propagation model provided by the present invention, it is possible to predict the threat occurrence probability and the threat occurrence frequency in advance with respect to the main threats, and to use the threat countermeasures according to the degree of damage propagation. It is also applicable to analyzing the correlation between each threat.

First, the Markov process applied to design the damage propagation model is described . The Markov process refers to a process in which transitions between states depend solely on the previous n states. In this case, this model is called an n-dimensional model, where n is the number of states that influence the determination of the next state. It is also called a memoryless process in that it does not remember the state of the past.

라 하면 임의의 시간

에 대해

가 이산값이면

이고

가 연속값이면

로 마코프 성질이 기술된다. Markov process

Say random time

About

Is a discrete value

ego

Is a continuous value

Markov properties are described.

는 현재,

은 미래, 그리고

은 과거의 시점이 다. 마코프 프로세서의 값이 이산값이면 마코프 체인(markov chain)이라고 한다. 마코프 체인은

가 이산적이냐 연속적이냐에 따라 이산시간 마코프 프로세스(discrete-time markov provess), 연속시간 마코프 프로세스(continuous-time markov chain)로 나뉜다.In the above expression

Is currently

Is the future, and

Is a past point of time. If the value of a Markov processor is discrete, it is called a markov chain. Markov Chain

Is divided into discrete-time markov provess and continuous-time markov chains.

The Markov process refers to any system that can be described in three ways:

First, a set of state is a set of all possible states from a process. Next, the π vector (initial probability) is an initialization probability vector of the system, and a state transition matrix indicates a transition probability between states.

The present invention designs and applies the damage propagation model by defining three components of the Markov process.

The Markov process-based stochastic damage propagation model refers to a probabilistic approach that predicts the impact of an independent or single system damage on the entire system associated with that system. The damage propagation model and the damage propagation rate of the entire system can vary depending on the time of day or the type of threat. The damage propagation model based on the Markov process uses the Markov process to describe the threat transfer probability and the threat occurrence probability for the major threats in the entire system.

Hereinafter, with reference to the drawings will be described a preferred embodiment of the present invention. However, embodiments of the present invention illustrated below may be modified in many different forms, and the scope of the present invention is not limited to the embodiments described below.

1 illustrates various damage propagation areas to which the present invention is applied.

Figure 1 shows the damage spread model according to the type of threat (T ₁ , T ₂ , T ₃ , ..., T ₈ ). As shown in FIG. 1, the damage propagation model may be formed in various forms by the types of threats, the relationship between the threats, and countermeasures against threat behaviors. The damage propagation model based on the Markov process according to the present invention is applicable not only to various threats but also to various damage propagation areas as shown in Figure 1 based on the degree of correlation (closeness) between them. To this end, the stochastic damage propagation model must meet several requirements. First, the area of damage spread over time should be considered. In other words, organizations or users can patch or upgrade threats over time, thereby changing the scope of the damage. Second, the damage propagation speed can vary depending on the threat and vulnerability, so the damage propagation model should be designed to be applied to various kinds of threats.

Several assumptions are needed to design a damage propagation model based on the Markov process that meets the above mentioned requirements. First, historical data related to threats is sufficient and reliable. In order to design a model using the Markov process, reliable historical data collection is paramount. Second, the damage ripple of information assets is spread by discrete time. That is, it is spread by discrete time or by a specific event.

This means that if an asset in a telecommunications facility is completely damaged, it will only propagate the damage to the asset associated with it. Third, the entire system has one or more defined threats. In other words, the damage propagation model should be able to calculate the damage estimation and damage effects of the entire system against the defined threats. Fourth, institutions and users can establish and apply countermeasures over time. Accordingly, the damage spread area can be increased or decreased. Finally, the Markov process transition probability is a probability that applies to the threat state of the entire system.

Therefore, it can be applied to one or more threat states. The damage propagation model based on the Markov process is achieved by defining the elements of the Markov process described above: state sets, π vectors (initial probabilities), and transition probabilities.

In the present invention, Equation 1 is used to quantitatively express the damage loss of the entire system with respect to the damage spread.

RISK (s, t) = Loss (s, t) × Prob. (S, t)

In Equation 1, RISK refers to the amount of loss (damage) when a threat occurs in a weak part of an asset, resulting in loss or damage of the asset, and the concept of space (s, scope) and time (t, time). Considered together. Space is an area concept for calculating the size of the damage propagation system, that is, the spread and decrease of the damage area after a specific event. Time t is an element for considering the degree of damage spread over time to apply the change in the shape and size of the damage area by a certain time or a specific event. In other words, the damage spread is calculated based on the extent to which the asset falls due to the occurrence of a particular threat (Loss) and the probability of a threat (Prob.).

2 is a block diagram of a Markov process based damage estimation apparatus according to the present invention.

The threat definition unit 210 collects and analyzes long-term threat occurrence data to define a set of threat states that may occur in the main information and communication infrastructure.

The matrix calculator 220 calculates a threat state transition matrix using a mapping between a frequency of occurrence of each threat of the threat occurrence data and a threat state set.

The initial value calculator 230 calculates an initial occurrence probability of the threat state set using the latest threat occurrence data rather than the long term threat occurrence data.

The threat prediction unit 240 generates prediction information on the frequency of occurrence of threats that may occur in the main information communication infrastructure using the threat state transition matrix and the initial probability of occurrence.

Preferably, the threat definer 210 and the initial value calculator 230 may be connected to a database that stores a large amount of threat occurrence data. Preferably, the threat definer 210, the matrix calculator 220, the initial value calculator 230, and the threat predictor 240 may be manufactured as a program routine executable on a computer. Preferably, the threat prediction unit 240 may be connected to a display device for visually displaying the frequency occurrence prediction information of threats.

3 is a flowchart of a Markov process based damage estimation method according to the present invention.

The stochastic damage propagation model based on the Markov process according to the present invention is generated through the process as shown in FIG. 3, and is largely defined by the state set (310 process), the threat state transition matrix calculation (320 process), and the initial probability calculation (330 process). , Threat prediction (340).

First, the state set definition process 310 defines the states that can be taken by threats held by an organization or organization. A state is a state of a threat that a major telecommunications infrastructure possesses. A state set represents a range of values that a threat state can have, or it can be a pair (combination) of several threat states. .

Once the threat state set is defined, the process of calculating the threat state transition matrix (step 320) calculates a transition matrix between threat states by using threat state and threat occurrence frequency data defined in the state set.

Next, the initial probability calculation process 330 calculates the probability that each defined threat state may occur in the initial state.

Finally, in the threat prediction process (340), the threat probability or frequency of the future threat may be predicted through the threat state transition matrix and the initial probability value obtained in the previous step.

4 is a detailed flowchart of the state set definition process 310 of FIG. 3.

The state set definition process (step 310) examines the types of threats possessed by the main ICT infrastructure, collects and analyzes threat occurrence data, and defines a set of threat states that the entire system can have.

The definition of the state set follows the detailed process as shown in FIG.

First, in the threat generation data collection process (step 411), it is a step of collecting past threat generation data owned by the organization or organization. In the Markov process-based damage propagation model, reliable and large data collection is important, as this historical data accounts for a higher proportion than other factors. For example, the Korea Information Security Agency (KISA) can analyze and use hacking virus statistics and analysis monthly reports reported from January 2001 to June 2005 to increase confidence in the data.

After data collection is complete, the threat analysis process (step 412) is an important process in identifying damages by identifying potential threats that may adversely affect the value of the asset, and identifying potential occurrences. Threat analysis consists of threat identification and threat ranking. Threat identification categorizes and investigates threats by type and calculates the frequency of each threat. For example, threat types can be classified into hacking, virus, and scan detection based on the Korea Information Security Agency's report. The threat ranking determines the threat ranking that should be considered most based on the severity of the threat based on the identified threat cycle. This is necessary to determine the importance of threats that can have the most impact on the organization, and to prepare more effective countermeasures by considering the threats that can damage the organization. This determines the threats that should be applied first to the Markov process-based damage propagation model. For example, hacking virus statistics and analysis monthly reports reported by the Korea Information Security Agency can analyze the threat cycle for each threat type to select a representative threat.

Finally, the threat state set definition process (step 413) defines the threat state by analyzing the threat cycle to determine an appropriate threshold of threat occurrences. If S is a set of threat states, we can define

T = {T ₁ , T ₂ ,... , T _n } is a set of thresholds, T _i is a specific threat such as a hack, virus, worm, etc., S = {S ₁ , S ₂ ,. , Si _,. , S _n } is a set of threat states, S _i = (T _α , T _β ,..., T _γ ) is the threshold pair of different threats, and α, β, and γ are different threats.

The threat state set is 'Do threats occur independently?' Or 'Do threats occur with a relationship between threats?' In the former case, the threat state set is a set of threshold ranges that a threat can have. In the latter case, the state set is defined by a combination of threshold ranges of the various threats. Therefore, the number and complexity of threat states vary according to how the threshold value of each threat cycle is set in detail, and the number and complexity of elements included in the transition matrix also vary. In other words, the more the threshold range of each threat is subdivided, the larger the set of generated threat states, and the complexity increases.

FIG. 5 is a detailed flowchart of the threat state transition matrix calculation process 320 of FIG. 3.

The process of calculating the threat state transition matrix (step 320) is a step of obtaining a transition probability between threat states defined in the state set definition process (310). The threat state transition matrix is obtained by mapping the frequency of occurrence of each threat analyzed and the state set defined in the previous step.

To obtain the threat state transition matrix, two detailed processes are performed as shown in FIG.

First, states are generated by mapping occurrence frequency data for each threat to a threat state set (step 521). Next, the enumerated states are analyzed to determine the number of transitions from one threat state to another state, and the transition matrix is used to obtain a transition matrix (step 522). The mapping between the threat occurrence frequency and the threat state set is shown in Equation 2 below.

Threat status: S → 2 ^T , mapping the frequency of threat occurrences to threat status

Similar to the state set definition process (step 310), the threat state transition matrix calculation process 320 is a case where threats occur independently of each other to obtain a state transition matrix for each threat, and multiple threats are associated with each other. Can be divided. Threat state transition matrices created by threats occurring independently of each other are of low complexity and can be easily generated by mapping the frequency of threat occurrences to a defined set of states. On the other hand, the transition matrix in the case where several threats are related to each other increases in size and complexity of the transition matrix according to the number of associated threats and the number of states defined for each threat. To make the complexity appropriate, you need to define the appropriate number of threat states by setting the appropriate threshold range for each threat in the state set definition step.

The state transition matrix P generated in the threat state transition matrix step is represented by Equation 3 and satisfies Equation 4.

At this time, P _ij = P (S _j at t + 1 | S _i at t) (t is time).

, i = 1, 2, ... , n이다.At this time, P _ij ≥0,

, i = 1, 2, ..., n.

Each row represents the probability of one threat state to another, and the sum of each row must be one.

6 is a detailed flowchart of an initial probability calculation process 330 of FIG. 3.

The initial probability (π vector) calculation process 330 is a threat occurrence probability that each threat state defined in the entire system has in the initial state, and follows the detailed process as shown in FIG. 6.

First, in order to obtain an initial probability value of a threat state, first, the latest occurrence data of the threat to be obtained is examined (step 631). The recent threat occurrence data for the initial probability is used in units of three months, six months, nine months, and one year. The recent threat occurrence data is analyzed and calculated as in Equation 5, and the occurrence frequency and initial probability for each threat state satisfying Equation 6 are calculated (step 632).

However, α, β, γ, δ are the number of occurrences in each state (S ₁ , S ₂ , S _k , S _n ).

In addition, since the total sum of the initial threat probabilities must be 1, Equation 7 is satisfied.

At this time, S represents a threat state.

7 is a detailed flowchart of the threat prediction process 340 of FIG. 3.

The threat prediction process 741 predicts the probability or frequency of future threat occurrences using the threat state transition matrix and the initial probability values generated in the previous step.

To predict the frequency of threats, the average value or median of the threshold value (range value) is used as a representative value.

First, as shown in Equation 8 below, a threat occurrence probability is calculated using a threat state transition matrix and an initial probability (step 741). In addition, as shown in Equation 9, a probability of occurrence of a specific threat state among various threat states may be obtained.

(P(S₁) P(S₂)...P(S_k)... P(S_n))

(P (S ₁ ) P (S ₂ ) ... P (S _k ) ... P (S _n ))

= (P (S ₁ ) 'P (S ₂ )' .. P (S _k ) '.. P (S _n )')

S is the threat state, k is the specific threat state, n is the number of threat occurrence sets, P (S _i ) is the initial probability of each threat state, and P (S _i ) 'is the probability of the next occurrence of each threat state. Indicates.

Using the probability of threat occurrence and the average value of each state, an expected threat occurrence frequency as shown in Equation 10 may be obtained (step 742).

예상 위협 발생 빈도 =

Expected threat occurrences =

Where n is the number of threat state sets, P (S _i ) is the probability of occurrence of each threat state, and M (S _i ) is the average value of each threat state.

As an application example of the present invention, data reported in the hacking virus statistics and analysis monthly report reported by the Korea Information Security Agency from January 2001 to June 2005 can be used. First, in the definition stage of the state set, threat occurrence data is collected and the collected data is analyzed to classify threat types and rank threats. Threat types are divided into hacking, virus, and scan detection, and the representative threats and the number of occurrences per month are shown in Tables 1, 2, and 3.

T ₁ and Table 1 indicate hacking (illegal intrusion into communication networks using malicious programs). Among the hacking threat types, T ₁ is an 'illegal intrusion into the network' threat using programs that automatically attack vulnerabilities in the system along with attacks using malicious programs such as Netbus and Subseven. This threat is a hacking threat that is easily installed as a threat that is installed in the user's system and opens a back door to leak information or interfere with the normal operation of the system.

January February In March April In May June In July August September October November December sum 2001 85 125 70 89 85 64 65 495 268 77 51 97 1,571 In 2002 401 119 82 59 286 417 313 298 210 465 472 990 4,112 2003's 1148 557 1132 934 306 450 185 544 119 137 129 96 5,837 2004's 154 148 118 1066 493 181 72 22 16 24 125 90 2,509 2005's 29 20 15 3 15 36 118 Average 363.4 193.8 283.4 430.2 237.0 229.6 158.7 339.7 153.2 175.7 194.2 318.2

T ₂ and Table 2 represent viruses (Internet worms). T ₂ is the Internet threat, a type of virus threat that is caused by fast propagating computer programs or executable programs that independently reproduce and reproduce themselves.

January February In March April In May June In July August September October November December sum 2001 One 1529 2429 625 684 520 6106 5965 10772 4795 4068 3024 40,518 In 2002 2005 1384 1306 3165 2760 1774 1706 1458 1610 3566 3028 1684 25,446 2003's 1361 1320 2537 2350 3704 1854 1185 9748 19682 3999 11658 8949 68,347 2004's 4824 5750 9820 4233 19728 22767 15228 8132 3153 2658 2319 2117 100,727 2005's 1832 1205 1049 648 1302 1040 7,076 Average 2,004 2,237 3,428 2,204 5,635 5,591 6,056 6,325 8,804 3,754 5,268 3,943

T ₃ and Table 3 show scan detection (network eavesdropping and eavesdropping). T ₃ is a type of scan detection threat. It is a 'network eavesdropping and eavesdropping' threat that is mainly used as a proactive stage of hacking by scanning to check the operating system and configuration of the target system.

January February In March April In May June In July August September October November December sum In 2002 1665 1256 2080 2110 1776 1418 1177 1216 1601 2483 1596 1597 20335 2003's 648 593 656 402 345 1489 469 1168 3120 3560 2201 315 14966 2004's 2004 3389 10631 18546 11618 833 1591 1964 901 1794 2628 1381 57217 Average 1,439 1,746 4,455 7,019 4,579 1,246 1,079 1,449 1,874 2,612 2,141 1,097

Analyze the above threats and their frequency, then set the appropriate thresholds to define the threat state. Before defining a state set, we describe how each threat occurs independently of one another and when they occur in association with each other.

8A and 8B illustrate a threat state in an application case of the present invention.

The following is an example of application where each threat occurs independently of one another and is not associated with other threats. Therefore, each threat has a different threat state transition matrix. However, each time a threat occurs, it is assumed that each threat occurs under the same conditions. For example, they have security countermeasures against threats, system resources, and the same environment.

First, we define a set of states for the threat T ₁ (illegal intrusion into the network using malicious programs). The monthly occurrence frequency for T ₁ is shown in Table 1, and the state set (S) is defined as a range of thresholds as follows. S threshold range: S ₁ : 0 ~ 300, S ₂ : 301 ~ 600, S ₃ : 601 ~ 900, S ₄ : 901 ~ 1200, S = {S ₁ , S ₂ , S ₃ , S ₄ } to be.

In the present invention, the threshold is expressed by dividing the frequency of occurrence of the unit time (monthly) of the threat into several intervals.

If a threat occurs independently, the state set is simply determined by the threshold range of the threat. Next, as an example, the states are listed as follows by mapping the monthly threat occurrences from the defined state set (S) from January 2001 to June 2005.

S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₂ , S ₁ , S ₁ , S ₁ , S ₁ , S ₂ , S ₁ , S ₁ , S ₁ , S ₁ , S ₂ , S ₂ , S ₁ , S ₁ , S ₂ , S ₂ , S ₄ , S ₄ , S ₂ , S ₄ , S ₄ , S ₂ , S ₂ , S ₁ , S ₂ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₄ , S ₂ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁

From the enumerated states, the number of transitions from each state (S ₁ , S ₂ , S ₃ , S ₄ ) to another state is obtained and based on this, a state transition matrix is obtained as shown in Equation 11 below.

From Equation 11, the sum of the probability values of the transition from each threat to the other threat is one. The above threat state transition probability is shown in FIG. 8A.

The above shows the process of obtaining the transition matrix for T ₁ , and other threats can obtain the state transition matrix for each threat through the above process.

For example, to find the initial probability for threat T ₁ , you can use the frequency that occurred over the last six months (January to June 2005 in Table 1). The frequency and the probability of initial probability that occurred in the last 6 months are as follows. That is, frequency: 29, 20, 15, 3, 15, 36 = S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , initial probability: P (S ₁ S ₂ S ₃ S ₄ ) = P (1 0 0 0).

Threat state transition matrices and initial probabilities can be used to predict the probability of a next occurrence and also to predict the frequency of threat occurrences. That is, the threat occurrence probability may be calculated as in Equation 12.

From Equation 12 T ₁ can be predicted would occur with a probability of 0.03 in the following month S ₁ state 0.13, S ₄ state as 0.84, S ₂ state. That is, it can be seen that it will have a frequency of occurrence between 0 and 300.

Equation 10 is used to find a more specific frequency of threats for the next month. For this, the threat occurrence probability and the average value of each threshold value are used. In this application case, the threat incidence of delivery was used to calculate the mean value. The average value is calculated according to the range of thresholds defined above. That is, M (S ₁ ) = 36, M (S ₂ ) = 0, M (S ₃ ) = 0, and M (S ₄ ) = 0. In addition, the probability of occurrence for each threat state can be obtained. That is, P (S ₁ ) = 0.84, P (S ₂ ) = 0.13, P (S ₃ ) = 0, and P (S ₄ ) = 0.03.

= 0.84 × 36 ≒ 30 이다.Therefore, since the frequency of occurrence of threat is n = 4 in Equation 7, that is, when the number of threat states is four, it is calculated as follows. That is, the expected frequency of threats =

= 0.84 x 36 ≒ 30.

From the above results, the frequency of T _{1 in the} next month can be estimated to be about 30. For other threats T ₂ and T _3, the probability and frequency of each threat occurrence can be determined in the same way.

When each state is not independent of each other but occurs in association with each other, it is treated as a pair (combination) of threat states to reflect the relationship between these threats. In this section, for example, the threat state transition matrices related to T ₁ (illegal intrusion into the network using malicious programs) and T ₂ (Internet worms) are obtained. As with the example in Section 5.1, for each threat, the entire system is assumed to have all the same conditions. That is, they have the same system resources and environment.

Monthly incidences for T ₁ and T ₂ are shown in Tables 1 and 2, and define the ranges of the following threshold values for each threat. That is, the threshold of T ₁ is defined as H ₁ : 0 ~ 400, H ₂ : 401 ~ 800, H ₃ : 801 ~ 1200, and the threshold of T ₂ is W ₁ : 0 ~ 4000, W ₂ : 4001 ~ 8000, W ₃ : It can be defined as 8001 or more.

The threat state set defines a total of nine states by combining a pair of threshold values of T ₁ and T ₂ . In other words, the set of threat states is S = {S ₁ , S ₂ , S ₃ , S ₄ , S ₅ , S ₆ , S ₇ , S ₈ , S ₉ }.

However, S ₁ = (H ₁ , W ₁ ), S ₂ = (H ₁ , W ₂ ), S ₃ = (H ₁ , W ₃ ), S ₄ = (H ₂ , W ₁ ), S ₅ = ( H ₂ , W ₂ ), S ₆ = (H ₂ , W ₃ ), S ₇ = (H ₃ , W ₁ ), S ₈ = (H ₃ , W ₂ ), S ₉ = (H ₃ , W ₃ ) to be.

To save the threatened state transition matrix, one example from January 2001 using the monthly threat generated data for June T _1, T _2, 2005 be T _1, threats of T ₂ for each month the pair (T _1, T ₂ ) That is, (85, 1), (125, 1529), (70, 2429), (89, 625), (85, 684), (64, 520), (65, 6106), (495, 5965), (268, 10772), (77, 4795), (51, 4068), (97, 3024), ... Omitted intermediate ..., (29, 1832), (20, 1205), (15, 1049) , (3, 648), (15, 1302), and (36, 1040).

(H _i , W _j ) pairs are obtained by matching the above (T ₁ , T ₂ ) pairs to the thresholds of each threat (T ₁ , T ₂ thresholds). That is, (H ₁ , W ₁ ), (H ₁ , W ₁ ), (H ₁ , W ₁ ), (H ₁ , W ₁ ), (H ₁ , W ₁ ), (H ₁ , W ₁ ), (H ₁ , W ₂ ), (H ₂ , W ₂ ), (H ₁ , W ₃ ), (H ₁ , W ₂ ), (H ₁ , W ₂ ), (H ₁ , W ₁ ), .. Omitting middle ..., (H ₁ , W ₁ ), (H ₁ , W ₁ ), (H ₁ , W ₁ ), (H ₁ , W ₁ ), (H ₁ , W ₁ ), (H ₁ , W ₁ )

Enumerate states by mapping each (H _i , W _j ) pair with a defined set of threat states.

S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₂ , S ₅ , S ₃ , S ₂ , S ₂ , S ₁ , S ₄ , S ₁ , S ₁ , S ₁ , S ₁ , S ₄ , S ₁ , S ₁ , S ₁ , S ₄ , S ₄ , S ₇ , S ₇ , S ₄ , S ₇ , S ₇ , S ₁ , S ₄ , S ₁ , S ₆ , S ₃ , S ₁ , S ₃ , S ₃ , S ₂ , S ₂ , S ₄ , S ₂ , S ₆ , S ₃ , S ₃ , S ₃ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁

From the listed threat states, calculate the number of transitions from each state (S ₁ , S ₂ , S ₃ , S ₄ , S ₅ , S ₆ , S ₇ , S ₈ , S ₉ ) to other states and based on the transition matrix Is obtained as shown in Equation 13.

From Equation 13, it can be seen that the sum of the transition probability values from each state to the other state is 1. In addition, the threat state transition probability is shown in the state diagram as shown in Figure 8b.

To determine the initial probability of a threat state for T ₁ and T ₂ , we use the frequencies that occurred over the last year (July 2004 to June 2005 in Tables 1 and 2). Calculate the frequency pairs of T ₁ and T _{2 that} occurred in the last year and their initial probability values.

The frequency is (72, 15228), (22, 8132), (16, 3153), (24, 2658), (125, 2319), (90, 2117), (29, 1832), (20, 1205), (15, 1049), (3, 648), (15, 1302), (36, 1040) = S ₃ , S ₃ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , S ₁ , and the initial probability is P (S ₁ S ₂ S ₃ S ₄ S ₅ S ₆ S ₇ S ₈ S ₉ ) = P (0.83 0 0.17 0 0 0 0 0 0) do.

Threat state transition matrices and initial probabilities can be used to predict the probability of a next occurrence and also to predict the frequency of threat occurrences.

In other words,

= (0.66 0.08 0.10 0.13 0 0.03 0 0 0)

From the above results, it can be predicted that next month each threat condition (S _{1 ~} S ₉ ) will occur with probability of 0.66, 0.08, 0.10, 0.13, 0, 0.03, 0, 0, 0. This means that the probability of having the frequency of occurrence of the state of S ₁ , that is, the value of (H ₁ , W ₁ ) is greatest. Thus, it can be expected that T ₁ will occur between 0 and 400 and T ₂ between 0 and 4000. To predict the frequency of threats in T ₁ and T _{2 for} the next month, we use the threat probability and the average value (M) of each threat.

In this case, the threat incidence of transfer can be used to calculate the average value. First, the average value is calculated according to the threshold range of T ₁ and T ₂ classified in the state definition step.

The average value of T ₁ (M (H _i )) is M (H ₁ ) = 36, M (H ₂ ) = 0, M (H ₃ ) = 0, and the average value of T ₂ (M (W _i )) is M (W ₁ ) = 1040, M (W ₂ ) = 0, M (W ₃ ) = 0.

Before calculating the frequency of occurrence of each threat, the probability of occurrence of the threshold for each threat should be calculated. The probability of occurrence of the threat can be obtained using the threat probability value. The probability of occurrence of each threshold of threats T ₁ and T ₂ is as follows. That is, the threshold probability P (H _i ) of T ₁ is H ₁ : 0.66 + 0.08 + 0.10 = 0.84, H ₂ : 0.13 + 0 + 0.03 = 0.16, H ₃ : 0, and the threshold probability of T ₂ is (P (W _i )) is W ₁ : 0.66 + 0.13 + 0 = 0.79, W ₂ : 0.08 + 0 + 0 = 0.08, W ₃ : 0.10 + 0.03 + 0 = 0.13.

Finally, the expected frequency of each threat can be found.

= 예상 위협 발생 확률(임계값 확률) × 임계값의 평균값이다.Expected threat occurrences =

= Expected threat occurrence probability (threshold probability) x the mean value of the threshold.

= 0.84×36 ≒ 30 이고, T₂의 예상 발생 빈도 =

= 0.79×1040 ≒ 821 이다.In other words, the expected occurrence frequency of T ₁ =

= 0.84 × 36 ≒ 30 and the expected frequency of T ₂ =

= 0.79 × 1040 ≒ 821.

From the above results, we can predict that the frequency of T _{1 in the} next month is about 30 and the frequency of T ₂ in 821.

There are a variety of threats in information-based systems, and in order to have a clear relationship between them, you first need to analyze how relevant the threats are. These analyzes can explore threats that are related to each other, and are the basis for analyzing relationships between related threats. In the present invention, for this purpose, the degree of correlation between the covariance (Cov) and the threat using the correlation coefficient (corrleation coefficient) is analyzed.

Covariance represents the degree of correlation between variables and is defined as in Equation 14.

E (X) is the expectation of the variable X. When Cov (X, Y) = 0, it indicates that any variable X, Y values are irrelevant.

The correlation coefficient ρ (X, Y) is an index for evaluating the closeness of the relationship and is defined as in Equation 15 and satisfies Equation 16.

이다.only, ,

to be.

으로서, 특히 상관계수의 값 이 0일 경우에는 변수간의 관련성이 0인 경우이다. 상관계수의 값이 -1값에 가까울수록 X가 증가 할수록 Y는 감소하고, 1에 가까울수록 X가 증가 할수록 Y는 감소하는 관계를 가지고 있다.At this time,

In particular, when the value of the correlation coefficient is 0, the relation between variables is 0. As the value of the correlation coefficient is closer to -1, Y decreases as X increases, and as X increases, Y decreases as X increases.

Looking at the degree of correlation between the three threats T ₁ , T ₂ , T ₃ of the application case can be obtained by the following equation (15). That is, p (T1, T2) = -0.0401, p (T1, T3) = 0.19979, and p (T2, T3) = 0.25718. As a result, the two threats T ₂ and T ₃ can be analyzed as having the closest relation between the three threats with a closeness of 0.2571. In other words, it can be analyzed that the occurrence of threat T ₂ (virus: Internet worm) has some influence on the occurrence of threat T ₃ (scan detection: network eavesdropping and interception). In addition, the two threats T ₁ and T ₂ shown in the application case show that the closeness of the relationship is -0.040 and there is almost no relationship between T ₁ and T ₂ . In other words, it can be analyzed that the occurrence of the threat T ₁ (hacking: illegal intrusion into the communication network using a malicious program) has little effect on the occurrence of the threat T ₂ (virus: Internet worm).

In the present invention, although the degree of association is shown only for the three threats, the degree of correlation using covariance and correlation can be analyzed for various threats other than this threat. This can be used to determine which of a number of threats to apply to increase the performance for calculating damage estimates. Based on this, it can be used to analyze the clear relationship between each threat.

9 to 13b are graphs of simulation results according to the present invention.

To verify the probabilistic damage propagation model based on the Markov process according to the present invention, five scenarios may be configured to verify the model. Scenarios for the stochastic damage propagation model include both cases where each threat occurs independently and when the threats are related to each other.

In order to verify the model through simulation, first, the damage propagation model is generated by using the KISA published hacking virus statistics and analysis monthly data of 2001.1 ~ 2004.6. Analyze the frequency of occurrence. In other words, the data of 2001.1 ~ 2004.6 are used to define the threat status set, threat transition probability, and initial probability values, and predict the future occurrence rate (2004.7 ~ 2005.6) through the defined model. Compare and analyze. There are five scenarios.

In scenario 1, we analyzed the degree of impact on the frequency of threat occurrence by varying the application range of the representative value. In other words, we experimented with how the application of the representative value affected the frequency of threat by using the values of 1 month, 2 months and 6 months. Simulation conditions are as follows.

To calculate a representative value, the coverage is divided by the last 1 month, the average of the last 2 months, and the average frequency of the last 6 months, and the frequency of occurrence of the last 6 months is used to calculate the initial probability. The initial value changes every month. The threat state transition matrix is updated every six months.

Based on the above conditions, the simulation result is shown. Analyzing the results, we can see that the more recent data is used as the representative value, the closer the actual occurrence frequency (KISA of the graph) is. In other words, the frequency of the last month (1 month) is used as the representative value, which is closer to the actual occurrence frequency than the average value of the last two months (2 Months) or the average value of the last six months as the representative value (6 Months). You can get good results. This suggests that, as can be seen from the Markov chain definition, future events can be more accurately predicted by using the latest status, that is, the latest frequency data.

In scenario 2, we analyzed the degree of impact on the frequency of threat occurrence by varying the scope of application for the initial probability. In other words, the values of last 3 months, 6 months and 1 year were used to use the initial probability values. Simulation conditions are as follows.

The frequency of occurrence of delivery (last month) is used to calculate the representative value, and the representative value is updated monthly. In order to obtain the initial probability value, the threat frequency is divided into the frequency of occurrence of the last 3 months, the last 6 months, and the last year. The threat state transition matrix is updated every six months.

Simulation results based on the above conditions were obtained as shown in FIG. Referring to the simulation result value of scenario 2 based on FIG. 10, using the value of the last three months (3 Months) to obtain the initial probability value, the occurrence of the last six months (6 Months) or one year (1 Year) Rather than using frequency, good results are obtained that are closer to the actual frequency of occurrence (KISA of the graph). That is, as in scenario 1, the latest data can be used to predict the frequency data more accurately.

In scenario 3, we analyzed the degree of impact on threat frequency by changing the change cycle of threat state transition matrix. In other words, the experiments were performed by dividing the threat occurrence frequency used to make the threat state transition matrix into units of 1 month, 3 months and 6 months. The conditions for the simulation are as follows. The frequency of occurrence of delivery (last month) is used to calculate the representative value, and the representative value is updated monthly. To calculate the initial probability, the frequency of occurrence of the last six months is used, and the initial value is changed every month. To create a threat state transition matrix, the threat frequency is divided into one, three, and six month periods.

Based on the above conditions, the simulation result is shown in FIG. Looking at the simulation results above, it can be seen that the expected frequency is almost identical in all cases despite the different change cycles of the threat state transition matrix. This is because small value changes affect the entire matrix when generating the threat state transition matrix. This confirms that frequent changes of the transition matrix do not affect the prediction of the probability of occurrence.

In scenarios 1 to 3, four threat states were defined according to the threshold range. In scenario 4, we compared the case of four threat states by extending the threshold range to six, that is, six threat states. That is, the range of the threshold value (threat state) was divided into two cases and simulated. Simulation conditions are as follows.

That is, 4 threat states: = S1: 0-300, S2: 301-600, S3: 601-900, S4: 901-1200, 6 threat states: = S1: 0-200, S2: 201-400 , S3: 401-600, S4: 601-800, S5: 801-1000, S6: 1001-1200. The frequency of occurrence of delivery (last month) is used to calculate the representative value, and the representative value is updated monthly. To calculate the initial probability, the frequency of occurrence of the last six months is used, and the initial value is changed every month. The threat state transition matrix is updated every six months.

Simulation results with the above conditions yielded the same results as in FIG. 12. The simulation results for scenario 4 show that six threat states show little difference except for frequency values in July and August 2004, compared to four threat states. It is judged to be a result of lack of frequency data. In fact, a large amount of data can be said to have a greater effect. That is, the number of threat states is increased by making the range of the frequency threshold smaller, so that a more accurate value can be predicted. However, as the number of threat states increases, the complexity of the calculation increases, so an appropriate number of threat states should be determined according to the characteristics of the threat and the environment of the information system.

In scenario 5, we experimented with predicting the frequency of threats when two threats, T ₁ (illegal intrusion into malicious network) and T ₂ (Internet worm), were shown as application examples. The conditions for the simulation are as follows. That is, the threshold values of T ₁ are H ₁ : 0 ~ 400, H ₂ : 401 ~ 800, H ₃ : 801 ~ 1200, and the threshold values of T ₂ are W ₁ : 0 ~ 3000, W ₂ : 3001 ~ 6000, W ₃ : 6001 or more. The frequency of occurrence of the transfer (last month) is used to calculate the representative value, and the representative value is updated monthly. To calculate the initial probability, the frequency of occurrence of the last six months is used, and the initial value is changed every month. The threat state transition matrix is updated every six months.

Simulation results with the above conditions resulted in the same results as in FIGS. 13A and 13B. Simulation of scenario 5 shows that T ₁ is numerically slightly different from the case that occurs independently in scenarios 1-4. This is because the threshold ranges are different in cases where they occur independently and in association with each other. In other words, in case of independent occurrence, the range of threshold is divided into four, but in case of related occurrence (that is, in case of scenario 6), the range is widened. As we saw in scenario 4, we can see that the difference depends on the range of thresholds. However, you can see that the type of graph is almost the same as in scenarios 1-4. In the case of T ₂ , except for the first 1 and 2 months it can be confirmed that the occurrence occurs almost similar to the actual occurrence frequency (KISA of FIGS. 13A and 13B).

Simulation results based on five scenarios indicate that T ₁ is the only _one to be deployed in a specific hacking tool, T ₂ is the case where the incidence of threats varies greatly due to attacks by specific worms or viruses. Probabilistic damage propagation models based on the Cove process show that the predicted frequency of occurrence is close to the actual value.

The present invention provides a probabilistic damage propagation model based on the Markov process that can predict the degree of damage when attacked by various types of threats as well as viruses or worms. The model provided can be applied to the various threats that the entire system has, not just one specific one, by using the Markov process to describe the probability and frequency of occurrences of the threats across the entire system. In addition, the degree of correlation between threats can be determined through covariance and correlation coefficients.

Preferably, the Markov process-based damage estimation method of the present invention may be provided by recording a program for executing in a computer on a computer-readable recording medium.

The invention can be implemented via software. When implemented in software, the constituent means of the present invention are code segments that perform the necessary work. The program or code segments may be stored on a processor readable medium or transmitted by a computer data signal coupled with a carrier on a transmission medium or network.

The computer-readable recording medium includes all kinds of recording devices in which data is stored which can be read by a computer system. Examples of computer-readable recording devices include ROM, RAM, CD-ROM, DVD ± ROM, DVD-RAM, magnetic tape, floppy disks, hard disks, optical data storage devices, and the like. The computer readable recording medium can also be distributed over network coupled computer devices so that the computer readable code is stored and executed in a distributed fashion.

Although the present invention has been described with reference to one embodiment shown in the drawings, this is merely exemplary and will be understood by those of ordinary skill in the art that various modifications and variations can be made therefrom. However, such modifications should be considered to be within the technical protection scope of the present invention. Therefore, the true technical protection scope of the present invention will be defined by the technical spirit of the appended claims.

As described above, according to the present invention, by providing a Markov process-based probabilistic damage spread model that can predict the extent of damage when attacked from various types of threats as well as viruses or worms, The probability and frequency of occurrence of threats can be described using the Markov process, and can be applied to various threats of the entire system rather than to one specific threat, and to threat areas that are created when a threat occurs. It is possible to grasp the relationship between them and the degree of correlation between threats through covariance and correlation coefficient.

Claims (8)

Collecting and analyzing long term threat occurrence data to define a set of threat states that may occur in the main telecommunication infrastructure; Calculating a threat state transition matrix using a mapping between the frequency of occurrence of each threat of the threat occurrence data and the threat state set; Calculating an initial probability of occurrence of the threat condition set using the latest threat occurrence data rather than the long term threat occurrence data; And And generating frequency prediction information of threats that may occur in the main information communication infrastructure by using the threat state transition matrix and the initial probability of occurrence. The method of claim 1, Defining the threat state set Collecting threat occurrence data recorded over a long period of time; Classifying threats by type from the threat generation data, calculating a period of each threat, and determining a threat ranking by using the period of each threat to determine representative threats according to the threat ranking; And And generating a threat state set consisting of range values for the frequency of occurrence of said representative threats. The method of claim 2, The threat state set is It consists of range values for the frequency of occurrence of one threat when one threat occurs independently, and range values for the frequency of occurrence of the plurality of threats when a plurality of threats are interrelated. Markov process-based damage estimation method, characterized in that composed in a combined form. The method of claim 1, Computing the threat state transition matrix Enumerating threat states by mapping the frequency of occurrence of each threat of the threat occurrence data and the threat state set with each other; Calculating the number of transitions from one threat state to another one of the threat states listed above, and calculating a threat state transition matrix using the number of transitions. Calculation method. The method of claim 1, The calculating of the initial occurrence probability Calculating a recent occurrence frequency for each threat state from the latest threat occurrence data rather than the long term threat occurrence data; And And calculating an initial occurrence probability of the set of threat states such that the total sum of initial occurrence probabilities is 1 from the recent occurrence frequency of each threat state. The method of claim 1, Generating predictive frequency of occurrence of the threats Calculating a damage propagation probability by multiplying the threat state transition matrix with the initial occurrence probability; And And multiplying the damage propagation probability by an average value of each threat state to generate predicted frequency of occurrence of threats. A computer-readable recording medium having recorded thereon a program for executing the method of any one of claims 1 to 6. A threat definition unit that collects and analyzes long-term threat occurrence data to define a set of threat states that may occur in the main information and communication infrastructure; A matrix calculator configured to calculate a threat state transition matrix using a mapping between a frequency of occurrence of each threat of the threat occurrence data and the threat state set; An initial value calculator configured to calculate an initial occurrence probability of the threat condition set by using threat occurrence data more recent than the long term threat occurrence data; And Markov process-based damage estimating apparatus comprising a threat prediction unit for generating information on the frequency of occurrence of threats that may occur in the main information communication infrastructure using the threat state transition matrix and the initial probability of occurrence.

Images