KR101814368B1 - Information security network integrated management system using big data and artificial intelligence, and a method thereof - Google Patents

Abstract

The present invention relates to an information security network integrated management system, and a method thereof. More specifically, the present invention provides an information security network integrated management system using big data and artificial intelligence and a method thereof which can actively prepare for an intelligent continuous attack and a many-sided security threat, and can quickly respond by actively and integrally analyzing each component of a network in real time by using big data and artificial intelligence to verify and manage threat factors in advance.

Description

TECHNICAL FIELD [0001] The present invention relates to an information security network integrated management system using big data and artificial intelligence,

The present invention relates to an information security network integrated management system and method, and more particularly, to an information security network integrated management system and method thereof, and more particularly, Intelligent continuous attack, and information security network integrated management system using big data and artificial intelligence capable of actively preparing for and coping with multi-faceted security threats.

Along with the increase in information system assets, various operating systems (OS), application programs for mobile terminals (APPLICATION), and security solutions have been developed and used. Security events recorded in such various environments are also stored in various forms, and their capacity is also rapidly increasing.

Events related to security breaches occurring in various types of local terminals are recorded in the event log by a local terminal or a monitoring device on the network. The administrator analyzes the generated event log to check the damage of the security breach, and takes measures to prevent further infringement.

1 is a block diagram illustrating a network risk composite analysis system according to the prior art.

The plurality of detection sensors 10 included in the analysis system of FIG. 1 collect security events occurring in the respective networks in real time and store them in the DB in the form of a log file including the destination IP of the corresponding security event. The plurality of detection sensors 10 calculates the risk level and reliability of the collected security events using the risk level and reliability calculation formula set by the administrator based on the network security operation policy itself and calculates the calculated risk level and reliability Adds the log file to the log file, and stores the log file in the DB.

The log file normalization unit 11 collects log files of the security events from the DBs of the respective detection sensors 10 and stores log files of the security events in the log files of the respective security events as normalization information set by the administrator on the basis of the network security operation policy Into a normalized log file format.

The individual risk calculating section 13 calculates the risk value and the reliability, which are identified from the asset value of the IT asset of the network and the corresponding normalization log file calculated in correspondence with the normalization log file of the security event in the asset value calculating section 12, Based on the operation policy, it assigns to the risk calculation formula set by the administrator and calculates the individual risk of the security events. If the calculated risk exceeds the predetermined risk, the alarm occurrence signal is outputted.

However, in the related art, the generated network-based security event log is analyzed to measure the risk. In some cases, it is effective to group and analyze various security events related to each other. In addition, in the conventional technology for analyzing the network-based security event log, there is a problem in that it is difficult to efficiently cope with such a need because the related analysis method can not be provided.

That is, in the early days, the security control service operates a network security system, and the basic service level limited to monitoring various events occurring in the equipment is mainstream. Recently, hacking techniques such as alteration of homepage or leakage of important information have become more intelligent, specialized, advanced and time-consuming, and various personal information protection accidents have been experienced, and personal information protection is also recognized as an important point of security. However, And is not operated.

In order to solve the above problems, a company or a national institution performs risk management so as to be able to respond to various events (hereinafter referred to as security events) related to security breaches occurring in the network (hereinafter referred to as security events) To ensure the availability, integrity and confidentiality of multiple security solutions, we have developed an integrated security management system (ESM), a risk management system (RMS), a threat management system (TMS) A network security management system such as a firewall, an intrusion detection system (IDS), and an intrusion prevention system (IPS) is constructed.

The risk management system (RMS) collects and analyzes security events for all information technology (IT) assets of the network, such as various security devices or network devices (e.g., servers, routers, Prevention of security incidents by responding to the detection and management of security level is always stable.

The threat management system (TMS) collects and analyzes security events occurring in the network to be managed, and particularly detects and identifies cyber threats of network traffic, and analyzes and comprehensively analyzes network traffic to provide early warning.

The firewall installs a router or an application gateway so that all information flows only through them, thereby selectively accepting, rejecting, or modifying information transmitted between a network in the enterprise or an organization and the Internet.

The intrusion detection system (IDS) collects and analyzes security events occurring in the network to be managed, and when the malicious network traffic is detected, the IDS performs a function of alarming the administrator.

The intrusion prevention system (IPS) collects and analyzes security events occurring in the network to be managed, and when the malicious network traffic is detected, the intrusion prevention system alerts and immediately blocks the administrator.

The normal network security management system operating as described above determines the threat level corresponding to the security event according to the security policy of the network. However, such a network security management system does not consider integrated, relevant analysis and unstructured data.

In addition, the rapid growth of the Internet provides various advantages, but at the same time, the Internet contains many problems. The biggest problem area is the security area. Many systems are now subject to attack, and these intrusion behaviors are classified according to the type of intrusion model, with misuse intrusions and abnormal intrusions. Many intrusion detection techniques are introduced and intrusion detection systems (IDS) equipped with them are commercialized, but most of them are detecting patterns and have a high false alarm rate. As described above, there is a problem in practically applying the intrusion detection information due to a high false rate to perform the actual control using only the intrusion detection information.

That is, the control system using the intrusion detection log information up to now has a disadvantage that it is difficult to confirm the actual intrusion information due to a large number of false positives.

On the other hand, methods using traffic statistics are proposed as attempts to detect external intrusions using statistical techniques. In the case of the method using the traffic statistics, abnormality detection is performed through the time series analysis of the traffic statistical information, for example, in the case where the amount of traffic increases rapidly or the amount of traffic of a specific port increases more than usual. However, this method can also be regarded as an attack against a normal use that causes a lot of traffic, and there is a problem that can not be detected for intrusion attempts that cause small traffic.

That is, the control system using the traffic statistic information provides a method of detecting the abnormal traffic by not utilizing the specific pattern unlike the intrusion detection system. Generally, the method using traffic statistic information compares the amount of traffic of the steady state with the statistic value of the traffic and the amount of the traffic statistic information collected at present to determine whether it is a steady state or an abnormal state. This method also uses only the statistical information of the traffic, so there is a difficulty in detecting the attack in the case of an attack with a high false alarm rate and a low traffic volume.

Korea Registered Patent [10-1113615] (Registered on Feb. 01, 2012) Korea registered patent [10-0748246] (Registered date: 2007.08.03)

SUMMARY OF THE INVENTION Accordingly, the present invention has been made to solve the above-mentioned problems occurring in the prior art, and it is an object of the present invention to proactively and integrally analyze elements of a network in real time using big data and artificial intelligence, The present invention provides an integrated information security management system and method using big data and artificial intelligence capable of actively preparing for intelligent continuous attacks and multi-faceted security threats and promptly responding.

The objects of the embodiments of the present invention are not limited to the above-mentioned objects, and other objects not mentioned can be clearly understood by those skilled in the art from the following description .

According to an embodiment of the present invention, there is provided an information security network integrated management system using big data and artificial intelligence, comprising: a log collecting device for collecting logs transmitted from respective components of a network; ); A log conversion device (302) for converting the collected log into a regular format; A log analyzer 303 for analyzing the log converted into the regular format; An unstructured data collection device (304) for collecting unstructured data transmitted from each component of the network; An unstructured data analysis unit 305 for analyzing the collected unstructured data by a big data technique; A traffic collection device (306) for collecting traffic; A traffic analysis unit 307 for analyzing statistical information of the collected traffic; Generating a prediction model for generating a prediction model for a malicious code and a network risk situation according to the detection and learning of the threat based on the analysis result of the log analyzing apparatus and the analysis result of the atypical data analyzing apparatus and the analysis result of the traffic analyzing apparatus Device 308; A learning data storage device 309 storing malicious code and learned data; A correlation analyzer 310 for analyzing a correlation between an analysis result of the log analyzing apparatus and an analysis result of the atypical data analyzing apparatus; A user behavior pattern analyzer 311 for receiving the logically transformed log and user data and inspecting a user behavior pattern to detect an abnormal behavior pattern; A network self-diagnosis and confirmation device 312 for periodically receiving and receiving a self-diagnosis signal transmitted from each component of the network; A malicious code detection device (313) for detecting whether malicious code is stored in advance in the execution code executed on the network according to the analysis result of the traffic analysis device and the malicious code prediction model; As a result of the analysis by the association analyzing apparatus, an analysis result of the user behavior pattern analyzing apparatus, an analysis result of the network self-diagnosis and confirmation apparatus, an analysis result of the traffic analyzing apparatus, and a detection result of the malicious code detecting apparatus are integrated An event analysis and determination device 314 for determining whether an event has occurred; An event storage device 315 storing a security related event history; A risk calculation unit 316 for calculating a risk according to a predetermined security policy according to whether the event is generated or not; And a notification device 317 for informing the administrator and the user through a visualization and audition method according to the calculated risk.

Also, an integrated information security network management method using big data and artificial intelligence according to an embodiment of the present invention may include collecting (S601) collecting logs, traffic, and unstructured data, respectively; Analyzing each of the log, the traffic, and the unstructured data (S602); A prediction model generation step (S603) of synthesizing and analyzing the analysis result of the log, the analysis result of the traffic, and the analysis result of the atypical data to generate a prediction model; A correlation analyzing step (S604) of analyzing a correlation between the log and the atypical data; A user behavior pattern generation step (S605) of generating a user behavior pattern based on the user data and the log; A user behavior pattern analysis step (S606) of analyzing a user behavior pattern based on the user data and the event data; A state diagnosis step (S607) of diagnosing a network state based on a self-diagnosis signal of each component of the network; A malicious code detection step (S608) of detecting a malicious code in the traffic according to the generated prediction model; A step (S609) of determining whether an event has occurred according to an analysis result of the association analysis step, an analysis result of the user behavior pattern analysis step, a network state result of the state diagnosis step, a traffic analysis result, or a malicious code detection result; Calculating a risk of the generated event (S610); And a notification step S611 of informing the administrator and the user visually and audibly according to the calculated risk.

According to an integrated information security network management system and method using big data and artificial intelligence according to an embodiment of the present invention, active and integrated analysis of each network element in real time using big data and artificial intelligence, It is possible to actively prepare for intelligent continuous attacks and multi-faceted security threats and to respond promptly.

According to the information security network integrated management system using big data and artificial intelligence according to an embodiment of the present invention, the entrance is thoroughly monitored and information is analyzed in one place to establish a policy, There is an effect that a more efficient response can be achieved.

In addition, according to the integrated information security network management system and method using big data and artificial intelligence according to an embodiment of the present invention, it is possible to prevent the information leakage by preliminarily grasping the behavior of the user, And can provide reliable security services.

In addition, according to the integrated information security network management system using big data and artificial intelligence according to an embodiment of the present invention, it is possible to collect, analyze, and learn security events occurring in a plurality of security devices of a network in real time By consistently generating predictive models for malicious code and network risk by inferring them, it is possible to guarantee the availability, integrity and confidentiality of various security devices of the managed network by performing integrated management.

According to the information security network integrated management system using big data and artificial intelligence according to an embodiment of the present invention, according to the result of calculating the risk of each security event occurring in the network, It is possible to improve the reliability of the security violation alarm by preventing the false positive detection that the network administrator overlooks the security violation related to the important security violation even if a large number of security events occur, To quickly protect the IT assets of the managed network.

BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a block diagram of a network risk overall analysis system according to the prior art; FIG.
2 is a configuration diagram of an information security network to which the present invention is applied;
3 is a configuration diagram of an information security network integrated management system according to an embodiment of the present invention;
4 is a detailed block diagram of the predictive model generating apparatus of FIG.
FIG. 5 is a detailed block diagram of the user behavior pattern analyzing apparatus of FIG. 3;
FIG. 6 is a flowchart of an embodiment of an information security network integrated management method according to the present invention. FIG.

While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It is to be understood, however, that the invention is not to be limited to the specific embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

It is to be understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, .

On the other hand, when an element is referred to as being "directly connected" or "directly connected" to another element, it should be understood that there are no other elements in between.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, the term "comprises" or "having ", etc. is intended to specify the presence of stated features, integers, steps, operations, elements, parts, or combinations thereof, And does not preclude the presence or addition of one or more other features, integers, integers, steps, operations, elements, components, or combinations thereof.

Unless otherwise defined, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with the meaning in the context of the relevant art and are to be construed as ideal or overly formal in meaning unless explicitly defined in the present application Do not.

Hereinafter, the present invention will be described in more detail with reference to the accompanying drawings. Prior to this, terms and words used in the present specification and claims should not be construed as limited to ordinary or dictionary terms, and the inventor should appropriately interpret the concept of the term appropriately in order to describe its own invention in the best way. The present invention should be construed in accordance with the meaning and concept consistent with the technical idea of the present invention. Further, it is to be understood that, unless otherwise defined, technical terms and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Descriptions of known functions and configurations that may be unnecessarily blurred are omitted. The following drawings are provided by way of example so that those skilled in the art can fully understand the spirit of the present invention. Therefore, the present invention is not limited to the following drawings, but may be embodied in other forms. In addition, like reference numerals designate like elements throughout the specification. It is to be noted that the same elements among the drawings are denoted by the same reference numerals whenever possible.

2 is a configuration diagram of an information security network to which the present invention is applied.

As shown in FIG. 2, the information security network to which the present invention is applied includes an Internet connection section 10, a DMZ section 20, and a subsidiary business connection section 30.

The Internet connection section 10 is connected to the DMZ section 20 and the subsidiary business connection section 30 via the Internet L3 switch.

The DMZ section 20 is connected to the Internet via the Internet L3 switch and includes an L3 switch connected to a DDoS device, a QoS device, an IPS, a firewall, a web firewall, a personal information blocking system, a web server, and a mail server.

The affiliate business connection section 30 is connected to the Internet via the Internet L3 switch and includes a firewall, an IPS, a harmful site blocking, a DDoS, a switch, a VPN, an IPS, a backbone switch, a server farm firewall, And a server farm switch connected to the server for the main server.

Distributed Denial of Service (DDoS) equipment detects whether the traffic is normal traffic or abnormal traffic when it detects aggressive traffic, blocks it if it is abnormal traffic, and passes normal traffic.

Quality of Service (QoS) equipment is a device that guarantees traffic coming into the server, so that the service can be continuously maintained. The network operates almost exclusively in the best-effort mode. In this case, all traffic will have the same priority and the possibility of dropping at the time of congestion is also the same. When the QoS is set, the priority can be set according to the relative importance by selecting specific traffic, and congestion management and avoidance techniques can be used to increase the bandwidth utilization efficiency.

A firewall is a software, device, or system that blocks unauthorized access from outside the network to the inside or outside the network for security of the computer or network. A firewall is a system in which a certain rule is exceeded and the system exceeds the rule. However, there are many false positives.

Intrusion Prevention System (IPS) is a system that detects and blocks external intrusions. If a user or an external intruder intends to exploit or use computer system or network resources without permission, to be. And sets permits and denies according to the source ip, the destination ip, and the port.

Web firewalls are Web services-specific firewalls.

VPN (Virtual Private Network) equipment is a device that enables secure communication by applying encryption etc. in order to use the network between head office and branch office while blocking external connection.

The personal information blocking system is a device that guarantees the security of personal information by filtering personal information (homepage and attached file) and unlawful posts in the http and https communication sections.

A server farm firewall is a firewall located in the server farm area.

A server farm is a collection of computer servers and operating facilities in one place. Server farms can distribute loads when there is a high demand for services, and can immediately replace services with other servers It can be provided smoothly.

The information security network integrated management system 200 according to the present invention receives necessary data from the respective network security devices and collectively manages the security status of the network in real time using big data and artificial intelligence.

WannaCry attacks on May 12, 2017 infected 300,000 PCs in 150 countries around the world, including Russia, Europe, India, the United States, and Taiwan, as of May 16. The reason why the Warner Cry attack spreads so quickly is that it combines an unknown type with a known type of attack.

After exploiting a weakness of Windows OS, it exploited vulnerability to attack the internal network and then spread the damage to the terminal connected to the internal network by known attack of worm type through SMB vulnerability.

The most common way to respond when a client is infected with malicious code is to add a detection pattern to the security vendor to defend it. When a network attack such as DDoS occurs, the signature pattern of the network security equipment is updated and defended. This countermeasure has the limitation that it can not prevent the first attack which is unknown. The pattern or type of the attack most likely changes from unknown to known by security vendors' real time analysis after a certain period of time. Therefore, it is difficult to detect unknown attacks by monitoring Security Information & Event Management (SIEM) even if a cyber attack occurs if the signature patch of the equipment is not performed.

As a result, it is becoming more and more popular to use Threat Intelligence information together with SIEM to share IP and URL information of attacks occurred at external sites and respond more quickly to additional attacks.

On the other hand, it is difficult to respond to all security threats with only network security devices and security information and event management (SIEM) solutions. The SIEM solution focuses on collecting information from security solutions and extracting meaningful data.

The SIEM solution is responsible for analyzing and responding to threats detected by network access management (NAC) and antivirus (AV) from network security appliances such as firewalls and intrusion prevention systems (IPS).

However, there is a clear threat that these security devices can not filter. Intelligent Persistent Threat (APT) attacks, zero-day attacks, and insider information leakage accidents are out of the ordinary rules and can not be detected.

Ultimately, however, it will be possible to respond more effectively if the attack can be monitored thoroughly and the information on the information can be analyzed in one place and policies can be established.

If you look at the information of the DB where the accident occurred in the past, you can check all URLs that hackers have used or used. However, it is almost impossible for a person to check this one by one. It is possible to predict various future attacks by analyzing the IP (IP) that has maliciously acted and the packet (traffic) that the IP has exchanged with the previous data

In other words, we derive meaningful data through big data analysis and ultimately produce 'predictive model' through machine learning or cognitive learning. It is possible to preemptively respond to security threats as a result of statistical reasoning.

Through ongoing monitoring and learning of inflow traffic, it understands the influence and status of inflowed traffic on internal systems and equipment, and presents the unacknowledged attack threat, inflowing abnormal traffic, internal situation and countermeasures .

With the expansion of new types of multimedia content, social network services (SNS), and the dissemination and use of smart devices, the size of data generated and distributed on the web is increasing exponentially. A tremendous amount of data that exists and is still growing on the Web can be used to interpret the world. This is the Big Data. Big data means a vast amount of information digitized. It can filter out unnecessary data from big data and extract and analyze only useful information to read people's thoughts, opinions and trends and to predict their behavior in advance. Big Data is one of the next generation information technology (IT) technology that is not only in Korea but also in the world because of its usefulness.

Big data refers to data sets beyond the ability to collect, store, manage and analyze existing data. Big data can be classified into stereotyped data, semi-stereotyped data, and non-stereotyped data according to the degree of stereotyping.

Structured data refers to data stored in fixed fields. In other words, data is stored in a certain format. Semi-structured data refers to data that is not stored in a fixed field but contains metadata or schema. Examples of semi-structured data include Extensible Mark-up Language (XML) and Hypertext Mark-up Language (HTML). Unstructured data refers to data that is not stored in a fixed field. Examples of the unstructured data include text documents, image data, moving image data, and audio data.

The information security network integrated management system using the big data and artificial intelligence according to the present invention can collect and analyze the big data as described above. Big data analysis techniques include text mining, opinion mining, social network analysis, cluster analysis, neural network analysis, and the markov model. But are not limited to, the illustrated analytical techniques.

Text mining is a technique for extracting and processing useful information based on natural language processing techniques in semi-structured text data or unstructured text data. Natural Language Processing (NLP) technology is a technology that enables natural language understanding and natural language generation. Natural language is a term used by people to communicate and is the opposite of artificial language (computer language). Natural language understanding is the natural interpretation of the natural language to make it understandable to the computer. Natural Language Generation refers to the ability of a computer to output natural language. Natural language processing techniques consist of morpheme analysis, parsing, semantic analysis, and phonetic analysis.

Reputation analysis can be applied to social media such as blogs, social network services (SNS), wikis, UCCs, micro-blogs, It is a technology that collects and analyzes texts and determines the reputation (for example, affirmative, negative, neutral) of a product or service.

Social network analysis is a technique for analyzing and extracting user influence, interest, and propensity based on social network connection structure and connection strength.

Cluster analysis is a technique for collecting groups with similar characteristics, finally combining groups with similar characteristics.

On the other hand, artificial intelligence (AI) is one area that will not stop development as long as human beings survive. As all devices and objects are connected and intelligent, AI will play a role in ordering complex societies and working with predictable systems. This is the essence of the change that the fourth industrial revolution will bring.

These changes are vast complex operations and cognitive abilities necessary for development. Calculate the number of cases to make decisions and accumulate more choices through self-learning. The consistency of choice will continue to rise, and the human being will break through the limits of judgment that can not be overlooked. It is confirmed that AI Alpha has won the battle against the world's No. 1 goalkeeper twice already.

Although the term AI has been around for a long time, unlike the past, which was confined to specific areas such as computers and computation, we have studied the high-level information processing activities of humans such as cognition, learning, and reasoning. It has become a comprehensive concept.

AI technology is widely used in everyday areas such as robots, autonomous vehicles, virtual assistant services, and drunks. For this reason, the future creation science department has named 'intelligent information technology' instead of the name 'AI' and is trying to cope with 'intelligent' technology revolution.

IBM, which is considered to be the strongest in the AI field as well as the Alpha, developed the supercomputer "Watson", which won the US famous quiz show "Zephyr" in 2011, and expanded it into a new field of cognitive computing . In other words, cognitive learning is possible through artificial intelligence.

Here, cognitive learning refers to a form of learning, a form of learning that occurs through psychological processes, especially cognitive processes, that can not be observed directly or directly. Specifically, sub-types included in cognitive learning are insight learning, latent learning, observational learning, and the like.

Recently, artificial intelligence (AR) technology has been developed and attracted attention, and technologies using it have emerged. As a field of artificial intelligence technology, machine learning is being attracted to various media.

Machine learning, also called machine learning, is a technique that allows a computer to learn through data and to understand an object or situation, such as a person. The key is the algorithm that allows a computer to analyze data in a technological way that the computer trains itself and finds and classifies patterns. By sophisticating algorithms that leverage data, computers can learn by themselves and provide meaningful results to users.

Machine learning and other methods are self-learning, in which patterns of data entered based on data are analyzed and learned according to the classified patterns. It is a technique that uses the learned reasoning applied to the patterned site based on the learned type. It differs from machine learning, which improves performance on its own based on knowledge gained from experience in predictive models based on repetitive learning.

As a result, in the case of the conventional self-learning system, it is possible to store and control learning data through self-learning with respect to predefined, that is, frequently used, regular patterns, but it is possible to perform self-learning for new data, There was no. However, learning and inferencing of unstructured data have become possible through cognitive learning of big data and artificial intelligence.

FIG. 3 is a block diagram of a large data and information security network integrated management system according to an embodiment of the present invention.

3, the information security network integrated management system according to an embodiment of the present invention includes a log collecting apparatus 301, a log converting apparatus 302, a log analyzing apparatus 303, an unstructured data collecting apparatus A traffic analysis device 307, a predictive model generation device 308, a learning data storage device 309, a relevance analysis device 310, a user behavior A pattern analyzer 311, a network self-diagnosis and confirmation device 312, a malicious code detection device 313, an event analysis and judgment device 314, an event storage device 315, a risk calculation device 316, (317).

The log collection device 301 collects logs transmitted from each component of the network.

The log conversion apparatus 302 converts the log collected by the log collection apparatus 301 into a regular format.

For example, the normalized log is composed of data consisting of fields of "TIME, TYPE, HOST, SRC, DST, Origin PORT, Destination PORT, CONTENTS_001, CONTENTS_002, CONTENTS_003, CONTENTS_004, LINKED_LOGTYPE" Is a type of security event, HOST is the IP address or host name of the device (sensor) where the security event is detected, SRC is the origin IP of the security event, DST is the security event, CONTENTS_001 to CONTENTS_004 are the details of security events. LINKED_LOGTYPE is the definition of the target of the log to perform linkage analysis. It is a single event And a log-in event in which a security event of a predetermined threshold value or more occurs for a predetermined time before and after the time point.

The log analyzer 303 analyzes the log converted into the regular format. The log converted into the regular format can be subjected to various association analysis such as frequency analysis, crossover analysis, and correlation analysis.

The atypical data collection device 304 collects unstructured data transmitted from each component of the network.

The atypical data analyzing device 305 analyzes the atypical data collected by the atypical data collecting device 304 by a big data technique. Big data techniques include text mining, opinion mining, social network analysis, cluster analysis, neural network analysis, and markov model.

The traffic collection device 306 collects traffic.

The traffic analysis device 307 analyzes the statistical information of the traffic collected by the traffic collection device 306 individually.

The predictive model generation unit 308 generates a prediction model based on the analysis result of the log analysis apparatus 303, the analysis result of the irregular data analysis apparatus 305 and the analysis result of the traffic analysis apparatus 307 Detection or threat hunting) and learning to create predictive models of malware variants and network threats and hazards.

Here, threat hunting refers to activities that actively analyze network or data to find vulnerabilities that can be used in an attack, and to correct mistakes discovered through such a process as soon as possible or take appropriate action. In other words, unlike manual event monitoring or analysis, it refers to real-time event monitoring technology and technique that bypasses security equipment with aggressive willingness to identify a wide range of threats infiltrating the internal network.

Threat hunting is accomplished by collecting all logs from the client level to the network level and using the various analysis methods in an environment that can identify the collected logs by timeline, which should be performed repeatedly and not eventually .

The most important prerequisite for good threat hunting is data. Data should be gathered across the whole area to ensure spatial visibility and the collected events should be accessible to a variety of threats such as geographic, time series, network topology, pivot, and visualization analysis functions. Each stage feature from the analysis can be periodically analyzed based on the alarm generated through the scenario.

Threat hunting is not easy. Effective threat hunting requires endpoints such as network packet collection, endpoint detection and response (EDR), such as Deep Packet Inspection (DPI), which provides an Indicator Of Compromise (IOC) The HOST event is required, and continuous long-term analysis of these infringement indicators should be done in parallel. The combination of long-term analysis and real-time alerts of internal infringement indicators reveals the most vulnerable threats to the environment of each company or company, and the signs and information of attacks that humans have not thought of.

In order for security officers to defend against cyber attacks in increasingly intelligent security threats and complex IT environments, SIEM and threat hunting must be tied together to identify vulnerabilities of each company or organization and take the best measures quickly This will be the key to improving security.

The learning data storage 309 stores malicious codes and learned data.

The association analyzer 310 analyzes the analysis results of the log analyzer 303 and the analysis results of the atypical data analyzer 305.

The user behavior pattern analyzer 311 receives the log-transformed user data and the user-pattern data, and detects a user behavior pattern to detect abnormal behavior patterns.

Each component of the network periodically checks its own security status and system setting status, and transmits the check result to the network self-diagnosis and confirmation device 312.

The network self-diagnosis and confirmation device 312 periodically receives a self-diagnosis signal transmitted from a system or a network device, analyzes the pattern, analyzes whether the pattern is changed and biases are intensified, It can more accurately and quickly detect and analyze network and system risks and threats. It is necessary to analyze and detect any pattern that is consistently shown in the system log, the detection of network equipment, or the traffic volume, and to detect the risk or threat by pattern.

The self-diagnosis signal may include at least one of a log classification code, a log generation location, an occurrence location of an intrusion blocking device, a pre-classified device behavior, a pre-classified blocking policy, an IP (internet protocol) Protocol, internal / external packet direction, location of intrusion detection / prevention device occurrence, detection signature, pre-classified blocking policy, IP (internet protocol), port, protocol, An external packet direction, a protocol of an analysis target device capable of collecting traffic, an IP, a port, a session, a security event of the terminal security device, a log, and a type.

The malicious code detection apparatus 313 detects malicious code stored in advance according to the analysis result of the traffic analysis apparatus 307 and the execution code executed on the network according to the malicious code prediction model. The malicious code detection device 313 can automatically classify and discriminate variants and new malicious codes from existing malicious codes through a prediction model even if all of the samples of the malicious code that are growing exponentially are not analyzed.

The event analysis and determination apparatus 314 analyzes the analysis result of the user behavior pattern analyzing apparatus 311 and the network self diagnosis check apparatus 312 as a result of analysis by the association analyzing apparatus 310, The detection result of the code detection device 313 is integrated to determine whether an event has occurred. It can analyze risk information and infringement information from threat information and harmful information.

The event storage 315 stores a history of security related events.

The risk calculation unit 316 calculates a risk according to a predetermined security policy according to whether the event analysis and determination unit 314 generates an event. The risk level and reliability for the security events collected using the risk level and reliability calculation formula set by the administrator based on the network security operation policy are calculated.

The notifying device 317 notifies the administrator and the user through a visualization and auralization method according to the risk calculated by the risk calculating device 316.

If the risk of each event is higher than a predetermined risk, an alarm is generated in real time. In the collected security events, detection of more than the predetermined number of security events satisfying the control rule that defines conditions requiring alarm generation according to the network security operation policy The system calculates the risk corresponding to the corresponding security events and generates an alarm in real time if the calculated risk exceeds the predetermined risk.

4 is a detailed configuration diagram of the prediction model generation apparatus of FIG.

4, the prediction model generating apparatus according to the present invention includes a receiving unit 401, a threat checking unit 402, a learning unit 403, a reasoning unit 404, and a modeling unit 405 do.

The reception unit 401 receives the analysis result of the atypical data analysis apparatus 305 and the analysis result of the traffic analysis apparatus 307 as a result of analysis by the log analysis apparatus 303.

The threat checking unit 402 checks and detects the threat elements and the harmful components of the network components according to the analysis results received by the receiving unit 401.

The learning unit 403 learns the network threat elements and the harmful elements according to the threat elements and the harmful elements detected by the threat checking unit 402. [

The reasoning unit 404 deduces a variant of the malicious code, a network threat element and a harmful element according to the learning contents of the learning unit 403.

The modeling unit 405 generates a variant of the malicious code deduced from the reasoning unit 404 and a prediction model of the network threat component and the harmful component.

5 is a detailed block diagram of the user behavior pattern analyzing apparatus of FIG.

5, the apparatus for analyzing a user behavior pattern according to the present invention includes a collection unit 501, a storage unit 502, a user behavior pattern generation unit 503, and a user analysis unit 504. [

The collecting unit 501 collects user data generated through a user terminal connected to the network.

The storage unit 502 stores the user data collected by the collecting unit 501.

The user behavior pattern generation unit 503 generates a user behavior pattern using the collected user data and the normalized log.

The user analysis unit 504 analyzes the user behavior pattern generated in the user behavior pattern generation unit 503 and the recent event data to calculate the security risk of the user.

The event data may include at least one of access data, location data, sensitive information access data, and host traffic data.

6 is a flowchart illustrating an integrated management method for an information security network in an information security network integrated management system according to an embodiment of the present invention.

First, the log collection device 301, the traffic collection device 306, and the unstructured data collection device 304 of the information security network integrated management system 200 collect log, traffic, and irregular data (S601).

Thereafter, the log analyzing apparatus 303, the traffic analyzing apparatus 307, and the atypical data analyzing apparatus 305 respectively analyze the log, the traffic, and the atypical data (S602).

Thereafter, the prediction model generating unit 308 integrates and analyzes the log, the traffic, and the analysis result of the atypical data to generate a prediction model (S603).

The predictive model generation step (S603) receives the log analysis result, the atypical data analysis result, and the traffic analysis result, and checks the threat elements and the risk elements of each network component according to the received analysis results And detects network threat elements and harmful elements according to the detected threat elements and the harmful elements, deduces variants of malicious codes and network threat elements and harmful elements according to the learned contents, Generate predictive models of variants and network threats and hazards.

The association analysis apparatus 310 analyzes association between the log and the atypical data (S604).

The user behavior pattern analyzer 311 generates a user behavior pattern based on the user data and the normalized log (S605), and analyzes the user behavior pattern based on the user data and the event data (S606).

The user behavior pattern generation step S605 may include collecting the user data and the normalized log of the log, storing the collected user data, and using the collected user data and the normalized log, .

The user behavior pattern analysis step (S606) associates and analyzes the generated user behavior pattern and recent event data to calculate the security risk of the user.

The network self-diagnosis and confirmation device 312 diagnoses the network state based on the self-diagnosis signal of each component of the network (S607).

The malicious code detection device 313 detects a malicious code in the traffic according to the generated prediction model (S608). The malicious code detection device 313 can automatically classify and discriminate variants and new malicious codes from existing malicious codes through a prediction model even if all of the samples of the malicious code that are growing exponentially are not analyzed.

In operation S609, the event analysis and determination unit 314 determines whether an event has occurred in accordance with the association analysis result, the user behavior pattern analysis result, the network status diagnosis result, or the malicious code detection result.

The risk calculation unit 316 calculates the risk of the generated event (S610).

Then, the notification device 317 visually and audibly informs the administrator and the user according to the calculated risk (S611).

Accordingly, the present invention collects data on the basis of Big-Data in real time, continuously generates a prediction model through artificial intelligence learning, actively detects and detects a threat situation of a network, And users can be provided with various operational status monitoring.

Meanwhile, the functions of the elements 301 to 317 of the information security network integrated management system according to the present invention can be performed in a single control unit (not shown). At this time, the controller may represent a single chip or a plurality of chips, a processor, or a core. Each of the components 301 to 317 may represent a function, a library, a service, a process, a thread, or a module performed by the control unit.

Although the integrated information security management method using big data and artificial intelligence according to an embodiment of the present invention has been described above, it is possible to provide a computer readable storage medium storing a program for implementing an integrated information security network management method using big data and artificial intelligence Of course, it is also possible to implement a program stored in a computer-readable recording medium for implementing an information security network integrated management method using a recording medium and a large data and artificial intelligence.

That is, the integrated information security network management method using the big data and artificial intelligence described above can be provided in a recording medium readable by a computer by tangibly embodying a program of instructions for implementing the same. It will be easy to understand. In other words, it can be implemented in the form of a program command that can be executed through various computer means, and can be recorded on a computer-readable recording medium. The computer-readable recording medium may include program commands, data files, data structures, and the like, alone or in combination. The program instructions recorded on the computer-readable recording medium may be those specially designed and configured for the present invention or may be those known and available to those skilled in the computer software. Examples of the computer-readable medium include magnetic media such as hard disks, floppy disks and magnetic tape, optical media such as CD-ROMs and DVDs, and optical disks such as floppy disks. Magneto-optical media and hardware devices specifically configured to store and execute program instructions such as ROM, RAM, flash memory, USB memory, and the like. The computer-readable recording medium may be a transmission medium such as a light or metal line, a wave guide, or the like, including a carrier wave for transmitting a signal designating a program command, a data structure, and the like. Examples of program instructions include machine language code such as those produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware device may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

200: Information security network integrated management system
301: log collecting device 302: log converting device
303: Log analyzing device 304: Unstructured data collecting device
305: Unstructured data analyzing apparatus 306: Traffic collecting apparatus
307: traffic analysis device 308: prediction model generation device
309: Learning data storage device 310: Association analysis device
311: User behavior pattern analyzing device 312: Network self-diagnosis checking device
313: malicious code detection device 314: event analysis and judgment device
315: Event storage device 316: Risk assessment device
317: Notification device 401: Receiver
402: Threat checking section 403: Learning section
404: Reasoning unit 405: Modeling unit
501: collecting unit 502: user behavior pattern generating unit
503: User analysis section

Claims (7)

In an information security network integrated management system using big data and artificial intelligence,
A log collection device (301) for collecting logs transmitted from each component of the network;
A log conversion device (302) for converting the collected log into a regular format;
A log analyzer 303 for analyzing the log converted into the regular format;
An unstructured data collection device (304) for collecting unstructured data transmitted from each component of the network;
An unstructured data analysis unit 305 for analyzing the collected unstructured data by a big data technique;
A traffic collection device (306) for collecting traffic;
A traffic analysis unit 307 for analyzing statistical information of the collected traffic;
Generating a prediction model for generating a prediction model for a malicious code and a network risk situation according to the detection and learning of the threat based on the analysis result of the log analyzing apparatus and the analysis result of the atypical data analyzing apparatus and the analysis result of the traffic analyzing apparatus Device 308;
A learning data storage device 309 storing malicious code and learned data;
A correlation analyzer 310 for analyzing a correlation between an analysis result of the log analyzing apparatus and an analysis result of the atypical data analyzing apparatus;
A user behavior pattern analyzer 311 for receiving the logically transformed log and user data and inspecting a user behavior pattern to detect an abnormal behavior pattern;
A network self-diagnosis and confirmation device 312 for periodically receiving and receiving a self-diagnosis signal transmitted from each component of the network;
A malicious code detection device (313) for detecting whether malicious code is stored in advance with respect to the execution code executed on the network according to the analysis result of the traffic analysis device and the prediction model;
As a result of the analysis by the association analyzing apparatus, an analysis result of the user behavior pattern analyzing apparatus, an analysis result of the network self-diagnosis and confirmation apparatus, an analysis result of the traffic analyzing apparatus, and a detection result of the malicious code detecting apparatus are integrated An event analysis and determination device 314 for determining whether an event has occurred;
An event storage device 315 storing a security related event history;
A risk calculation unit 316 for calculating a risk according to a predetermined security policy according to whether the event is generated or not; And
A notification device 317 for notifying the administrator and the user through the visualization and audition method according to the calculated risk,
Lt; / RTI >
The prediction model generation apparatus includes:
A receiving unit (401) for receiving the result of the log analysis, the result of the atypical data analysis, and the result of the traffic analysis;
A threat check unit (402) for checking and detecting threat elements and harmful elements of network components according to analysis results received by the receiving unit;
A learning unit (403) for learning network threat elements and harmful elements according to the threat elements and the hazard elements detected by the threat inspection unit;
A reasoning unit 404 for inferring a variant of malicious code, a network threat element and a risk factor according to the learning contents of the learning unit; And
A modeling unit 405 for generating a variant of the inferred malicious code and a predictive model of a network threat component and a harmful component,
And an information security network integrated management system using big data and artificial intelligence.
delete The method according to claim 1,
The atypical data analyzing apparatus comprises:
The atypical data (s) may be obtained by one or more methods of text mining, opinion mining, social network analysis, cluster analysis, neural network analysis, and markov model. Based on the result of the analysis and the analysis.
The method according to claim 1,
Wherein the user behavior pattern analyzing apparatus comprises:
A collection unit 501 for collecting user data generated through a user terminal connected to the network;
A storage unit (DB) 502 for storing the collected user data;
A behavior pattern generation unit (503) for generating a user behavior pattern using the collected user data and the normalized log; And
A user analysis unit 504 for analyzing the generated user behavior pattern and recent event data and calculating the security risk of the user,
And an information security network integrated management system using big data and artificial intelligence.
A method for integrated management of information security networks using big data and artificial intelligence,
A collection step (S601) of collecting logs, traffic, and unstructured data, respectively;
Analyzing each of the log, the traffic, and the unstructured data (S602);
A prediction model generation step (S603) of synthesizing and analyzing the analysis result of the log, the analysis result of the traffic, and the analysis result of the atypical data to generate a prediction model;
A correlation analyzing step (S604) of analyzing a correlation between the log and the atypical data;
A user behavior pattern generation step (S605) of generating a user behavior pattern based on the user data and the log;
A user behavior pattern analysis step (S606) of analyzing a user behavior pattern based on the user data and the event data;
A state diagnosis step (S607) of diagnosing a network state based on a self-diagnosis signal of each component of the network;
A malicious code detection step (S608) of detecting a malicious code in the traffic according to the generated prediction model;
A step (S609) of determining whether an event has occurred according to an analysis result of the association analysis step, an analysis result of the user behavior pattern analysis step, a network state result of the state diagnosis step, a traffic analysis result, or a malicious code detection result;
Calculating a risk of the generated event (S610); And
A notification step (S611) of visually and audibly notifying the administrator and the user according to the calculated risk,
Lt; / RTI >
The prediction model generation step includes:
Receiving a result of the log analysis, the atypical data analysis result, and the traffic analysis result;
A threat check step of checking and detecting threat elements and harmful elements of each network component according to the received analysis results;
Learning step of learning network threat elements and harmful elements according to the detected threat elements and risk factors:
A reasoning step of deducing a variant of malicious code, a network threat element and a risk element according to learning contents of the learning unit; And
A modeling step of generating a variant of the inferred malicious code and a predictive model of the network threat and risk factors
And an integrated information security network management method using big data and artificial intelligence.
delete 6. The method of claim 5,
The user behavior pattern generation step (S605)
A user data collection step of collecting the user data and the normalized log of the log;
Storing the collected user data; And
Generating a user behavior pattern using the collected user data and the normalized log;
Lt; / RTI >
The user behavior pattern analysis step (S606)
Analyzing the generated user behavior pattern and recent event data to calculate a security risk of the user
And an integrated information security network management method using big data and artificial intelligence.

Images