KR101938563B1 - Operating method of risk asset warning system - Google Patents

Abstract

Disclosed are a risk asset alarming system configured to generate an alarm for an asset which has a security vulnerability, and an operation method thereof. According to an embodiment of the present invention, a risk asset alarming system may include: an asset information reader reading asset information corresponding to information of a product based on the information of the product which has a security vulnerability; and a risk asset detector controlling to generate a risk asset alarm to the asset corresponding to the asset information.

Description

{Operating method of risk asset warning system}

The present invention relates to a risk asset notification system and an operation method thereof, and more particularly, to a risk asset notification system and an operation method thereof that generate an alert for an asset that is vulnerable to security.

Recently, a large amount of security threat information has been supplied through various channels such as Social Network Service (SNS), Internet News, and RSS (Really Simple Syndicate). Much of the security problems caused by these threats are due to software vulnerabilities. Security vulnerabilities inherent in software can easily be exploited to attack software or hardware on a computer system. Attackers can use Internet scanning tools to identify malicious Web services that are less secure. As a result, security administrators should be able to prevent malicious attacks using vulnerabilities that are publicly available

A security vulnerability is a property that is derived from fundamental problems in the software field and can cause a security incident. If a hacker exploits a security vulnerability, it may be a security vulnerability and cause security incidents.

The software vulnerability definition information used by the whole world includes Common Weakness Enumeration (CWE), which is a guideline for software vulnerability, and Common Vulnerability Enumeration (CVE), which is a reference code used for vulnerability analysis. Vulnerability is analyzed based on the contents of vulnerability definition information defined in CVE.

CWE is a grouping of software vulnerabilities from various perspectives in MITRE with support from the National Cyber Security Division of the US Department of Homeland Security and CVE is a collection of time- If CWE is a classification system for common vulnerabilities, CVE is a history record of discovered security vulnerabilities.

Most of the security intelligence acquired by the security administrator is unstructured data, and the security manager is forced to spend a lot of time and money in analyzing the severity of the security threat and the type, name, and version of the asset that the security threat affects, Analysis by manpower may result in inaccurate analysis.

The present invention provides a risk asset notification system and an operation method thereof that can automatically generate an alarm for an asset that is vulnerable to security.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory and are not restrictive of the invention, unless further departing from the spirit and scope of the invention as defined by the appended claims. It will be possible.

According to an aspect of the present invention, there is provided a risk asset notification system comprising: an asset information inquiry unit for inquiring asset information corresponding to product information based on product information on a security vulnerable product; And a risk asset detector for controlling the risk asset alarm to occur in the asset corresponding to the asset information.

According to an embodiment, the product information may include at least one of a product type, a supplier, a product name, and a version.

According to an embodiment, the asset information may be provided from an asset information database storing detailed information about the assets managed by the security manager.

A risk asset notification system according to another embodiment of the present invention includes: a data collector for collecting atypical data existing on a network; An asset information inquiry unit for inquiring asset information corresponding to product information based on product information determined from the atypical data; And a risk asset detector for controlling the risk asset alarm to occur in the asset corresponding to the asset information.

According to an embodiment, the atypical data may be an RSS feed, cyber threat information, or resource information.

According to an embodiment, the product information may include at least one of a product type, a supplier, a product name, and a version.

According to another aspect of the present invention, there is provided a risk asset notification system including: a data collector for collecting irregular data existing on a network; An asset information inquiry unit for inquiring asset information corresponding to product information based on product information determined from the atypical data; A risk asset detector for receiving the asset information and fixing the risk asset; And an alarm generator for generating a dangerous asset alarm for the risky asset.

According to an embodiment, the atypical data may be an RSS feed, cyber threat information, or resource information.

According to an embodiment, the asset information may be provided from an asset information database storing detailed information about the assets managed by the security manager.

According to an embodiment of the present invention, there is provided a method of operating a risk asset notification system, comprising: inquiring asset information corresponding to product information based on product information on a security vulnerable product; And controlling the risk asset alarm to occur in the asset corresponding to the asset information.

According to an embodiment, the product information may include at least one of a product type, a supplier, a product name, and a version.

According to an embodiment, the asset information may be provided from an asset information database storing detailed information about the assets managed by the security manager.

According to another aspect of the present invention, there is provided a method of operating a risk asset notification system, comprising: collecting atypical data existing on a network; Querying the asset information corresponding to the product information based on the product information determined from the atypical data; And controlling the risk asset alarm to occur in the asset corresponding to the asset information.

According to an embodiment, the atypical data may be an RSS feed, cyber threat information, or resource information.

According to an embodiment, the product information may include at least one of a product type, a supplier, a product name, and a version.

According to another aspect of the present invention, there is provided a method of operating a risk asset notification system, comprising: collecting atypical data existing on a network; Querying the asset information corresponding to the product information based on the product information determined from the atypical data; Receiving the asset information and establishing a risk asset; And generating a risk asset alert for the risk asset.

According to an embodiment, the atypical data may be an RSS feed, cyber threat information, or resource information.

According to an embodiment, the asset information may be provided from an asset information database storing detailed information about the assets managed by the security manager.

According to the risk asset notification system and the method of operation thereof according to the embodiment of the present invention configured as described above, it is possible to analyze a large amount of unstructured information on the Internet and to automatically provide threats to the assets, have.

The effects obtained by the present invention are not limited to the above-mentioned effects, and other effects not mentioned can be clearly understood by those skilled in the art from the following description will be.

1 is a diagram illustrating a risk asset notification system according to an embodiment of the present invention.
FIG. 2 is a diagram for explaining an operation in which a CVE code is extracted. FIG.
3 is a diagram for explaining a process of detecting a hazardous asset using a CPE code.
4 is a flowchart illustrating an operation method of a risk asset notification system according to an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. It is to be understood, however, that the embodiments described below are only for explanation of the embodiments of the present invention so that those skilled in the art can easily carry out the invention, It does not mean anything. In describing various embodiments of the present invention, the same reference numerals are used for components having the same technical characteristics.

Throughout the specification, when a part is referred to as being "connected" to another part, it includes not only "directly connected" but also "electrically connected" with another part in between . Also, when an element is referred to as " comprising ", it means that it can include other elements as well, without departing from the other elements unless specifically stated otherwise.

The " terminal " referred to below can be implemented as a computer or a portable terminal that can access a server or other terminal through a network. Here, the computer includes, for example, a notebook computer, a desktop computer, a laptop computer, and the like, each of which is equipped with a web browser (WEB Browser), and the portable terminal may be a wireless communication device , International Mobile Telecommunication (IMT) -2000, Code Division Multiple Access (CDMA) -2000, W-CDMA (WCode Division Multiple Access), Wibro (Wireless Broadband Internet), LTE (Long Term Evolution) Tablet PCs, and the like. ≪ RTI ID = 0.0 > [0033] < / RTI > The term " network " may also be used in a wired network such as a local area network (LAN), a wide area network (WAN) or a value added network (VAN) And may be implemented in all kinds of wireless networks, such as communication networks.

1 is a diagram illustrating a risk asset notification system according to an embodiment of the present invention. FIG. 2 is a diagram for explaining an operation in which a CVE code is extracted. FIG. 3 is a diagram for explaining a process of detecting a hazardous asset using a CPE code.

Referring to FIG. 1, the risky asset notification system 10 includes various types of security threat information that may flow through various channels such as SNS (Social Network Service), Internet news, and RSS (Really Simple Syndicate) Is a system for collecting and analyzing security risks and identifying the assets that can cause security problems and notifying the security risks about the assets.

Here, the term " asset " means software or hardware managed by the risky asset notification system 10. The risky asset notification system 10 can be operated by a security manager that manages internal assets within a certain range.

The risky asset notification system 10 includes a data collector 100, a Common Vulnerability Enumeration (CVE) code extractor 200, a vulnerability information detector 300, a CPE (Common Platform Enumeration) code extractor 400, 500, a risk asset detector 600, and an alarm generator 700. Here, not all the configurations of the risky asset notification system 10 are necessarily essential, and at least one configuration may be omitted or other configurations may be added or combined according to the embodiment. Each configuration may be implemented in software, hardware, or a combination thereof.

The data collector 100 collects security information existing in a network to which the asset to be managed can access and includes an RSS feed collector 110, a C-TAS interlock 120, and a REST (Representational State Transfer) API Programming Interface) interleaver 130. Security information corresponds to unstructured data (unstructured information), which means information that does not have a predefined data model or is not organized in a predefined manner.

The RSS feed collector 110 may collect RSS feeds existing on the network. An RSS feed is intended to automatically feed some or all of the content uploaded to the site to the assets subscribed to the RSS service. The RSS feeds collected by the RSS feed collector 110 may be all RSS feeds existing on the network or representative RSS feeds or may be RSS feeds provided by the RSS service subscribed by the assets to be managed.

The C-TAS interworker 120 can collect cyber threat information in conjunction with the Cyber Threat Analysis & Sharing (C-TAS) system, a cyber threat information analysis / sharing system operated by the Korea Internet Development Agency (KISA).

The C-TAS system collects malicious code, attack IP, and other infringement information on the Internet, collects various cyber threat information generated through reputation verification and statistical / association analysis of the collected information on the C-TAS system Shared to external affiliated organizations. At this time, the C-TAS system shares the cyber threat information through the API or the homepage. The C-TAS interworker 120 can automatically receive the cyber threat information by installing the API of the C-TAS system.

The REST API interfacer 130 may collect resource information existing on the network.

REST is a framework for delivering data to the HTTP protocol without adding additional layers or session management. It also simplifies implementation and enhances scalability and performance by tightly separating components between client and server.

REST is settled in Web applications that can easily access resources that are open to the Web remotely or locally. RESTful Web services are services and applications that are defined and used according to the REST architecture style. A resource is a core element of the REST architecture, meaning any resource that is open to share with others on the web, including websites, blogs, images, music, users, maps, search results, Resources in a REST structure have their own URL and can be accessed only with the default method of HTTP, GET / PUT / POST / DELETE.

RESTful Web services are called resource-based architectures (ROAs) because of the nature of resource-driven representation, delivery, and approach. ROA is referred to as a service-oriented SOA-compatible concept. In other words, a RESTful web service can be said to be a service accessible only by the HTTP protocol regardless of the type of the web server and the web client if the resource URL is known.

The resource information collected by the REST API interfacer 130 means information about an open resource that can be accessed using the REST-based HTTP protocol.

1 is illustrated as including a RSS feed collector 110, a C-TAS interlock 120 and a REST API interlock 130 in a configuration in which the data collector 100 collects security information, But the present invention is not limited thereto and may further include a crawler for collecting other kinds of information.

The CVE code extractor 200 can extract a CVE code from the security information collected by the data collector 100, that is, RSS feed, cyber threat information, and resource information.

The CVE code was first created and run by MITER in 1999, a US non-profit company. Since then, the National Institute of Standards and Technology (NIST) has created a National Vulnerability Database (NVD) to formulate and cooperate with the cooperative system, which is a unique notation for publicly known software security vulnerabilities. The CVE code is generated by combining any number with the year in which the vulnerability was found in the character 'CVE'. For example, the CVE value is denoted as " CVE-YYYY-NNNN ". Here, the arbitrary number is not limited to four digits but may be a number of five or more digits. In the present specification, it is assumed that the digits are four digits for convenience of explanation.

The CVE code extractor 200 can extract a CVE code using a regular expression to extract a CVE code from security information, which is unstructured data. A regular expression is a formal language used to represent a set of strings with a particular rule, and can be used to search for and replace strings with specific rules. Regular expressions can be created using the promised syntax to search for strings with specific rules.

The CVE code has a rule of " CVE-YYYY-NNNN ", and the CVE code extractor 200 can generate a regular expression for extracting the CVE code having such a rule and automatically extract the CVE code from the security information. That is, the CVE code extractor 200 generates a regular expression that searches for a string that is concatenated with a 3-digit string that matches "", a 4-digit string that matches "", and a 4-digit string that matches " . Here, in order to increase the speed of extracting the CVE code, the four-digit string corresponding to the intermediate "0 to 9" may be limited to 1 or 2 based on the year in which the vulnerability is found.

Referring to FIG. 2, when CVE-2018-5678 is included in the security information, which is unstructured data collected by the data collector 100, the CVE code extractor 200 uses a regular expression for extracting a CVE code "CVE-2018-5678" can be extracted.

If the CVE code is extracted using the regular expression, the time and cost required for extracting the CVE code can be reduced. If the format of the CVE code is changed, it can be easily handled by modifying the regular expression, Is possible.

Referring again to FIG. 1, the vulnerability information detector 300 accesses the National Vulnerability Database (NVD) (nvd.nist.gov) and downloads vulnerability information corresponding to the extracted CVE code. NVD is a database that provides vulnerability information corresponding to CVE code, and can easily access the vulnerability information by using HTTP protocol.

Vulnerability information includes Vulnerability ID (CVE Code), Source (Source of Vulnerability Information), Description Last Modified, CVSS (version xx) Severity and Metrics: Base Score, References to Advisories, Solutions and Tool (links to vulnerability countermeasures), Vulnerable software and versions (vulnerable software and versions shown using CPE notation). Here, Severity and Metrics: Base Score represents severity, and Vulnerable software and versions represents CPE code.

The CPE code extractor 400 can extract the CPE code using the regular expression from the downloaded vulnerability information. The CPE code is generated based on the CPE notation to indicate the Common Platform Enumeration. The CPE code is composed of a plurality of fields according to a URI (Uniform Resource Identifiers) method and has a format such as "cpe: CPE version: part: vendor: product: version: update: edition: language: sw_edition: target_sw: target_hw: other" . For example, "Microsoft Internet Explorer 11.0.70" installed on x86 hardware is configured as "cpe: 2.3: a: microsoft: internet_explorer: 11.0.70: *: *: *: *: *: x86: *" In the present specification, the CPE notation will be described based on version 2.3 for convenience of explanation.

In the CPE code, CPE version is added from CPE 2.3 version, and the part is divided into 'a' meaning application, 'o' meaning OS, and 'h' meaning hardware. Vendor, product, version, update, edition, language denote supplier, product name, version, update date, edit, language. Also, in the CPE code, 'sw_edition' means a distribution such as online and special, 'target_sw' means an operating system to be installed, and 'target_hw' means hardware to be installed.

The CPE code has a rule of "cpe: CPE version: part: vendor: product: version: update: edition: language: sw_edition: target_sw: target_hw: The CPE code can be automatically extracted from the vulnerability information by generating a regular expression for extraction. That is, the CPE code extractor 400 can generate a regular expression for extracting a total of 13 strings sequentially arranged from a 3-character string matching " " to " ".

3, the vulnerability information retrieval device 300 includes "cpe: 2.3: a: microsoft: internet_explorer: 11.0.70: *: *: *: *: x86: *" The CPE code extractor 400 extracts the CPE code using the regular expression for extracting the CPE code from the cpe: Can be extracted. Here, the character " " indicates that the value of the corresponding field is not specified and thus any value is irrelevant.

Referring again to FIG. 1, the CPE code extractor 400 may extract the severity from the vulnerability information before extracting the CPE code. If the severity is equal to or less than a predetermined reference value (for example, 5.0), the CPE code extractor 400 can skip the subsequent operation without extracting the CPE code for the vulnerability information. This is to increase the system performance by omitting the subsequent operation when the security threat level of the vulnerability information corresponding to the CVE code corresponding thereto is not serious and an alarm is not necessary. The reference value may be arbitrarily set and changed by the security manager.

If the severity exceeds a predetermined reference value, the CPE code extractor 400 may extract the CPE code for the vulnerability information and transmit the extracted CPE code to the risk asset detector 600.

The risky asset detector 600 may extract the product information from the CPE code and request the asset information inquirer 500 to inquire the asset information corresponding to the product information. Here, the product information may include a product type, a supplier, a product name, and a version, but the scope of the present invention is not limited thereto.

The asset information inquiry unit 500 can inquire asset information matching the product information extracted from the CPE code according to a request of the risk asset detector 600. [ At this time, the asset information inquirer 500 can access the asset information database 800 and inquire asset information that matches the product information.

The asset information database 800 is a database for storing detailed information on assets managed by the security manager, and can store and store information on the asset number, the product type, the supplier, the product name, and the version, which are identification numbers of the respective assets. According to the embodiment, the detailed information about the asset may further include information corresponding to each information contained in the CPE code.

3: a: microsoft: internet_explorer: 11.0.70: *: *: *: *: *: x86 The CPE code extracted by the CPE code extractor 400 (Product name), product name (application), supplier (Microsoft), product name (internet explorer), and version 11.0.70 from product information "*" . If the asset information database contains an asset having an asset number 120, which is an asset matching the product type (application), supplier (Microsoft), product name (internet explorer), and version 11.0.70, Information to the hazardous asset detector 600. [ Here, the asset information may include an asset number 120, a product type, a vendor (Microsoft), a product name (internet explorer), and a version 11.0.70. According to the embodiment, the product information may further include installation target hardware, and the asset information inquirer 500 may further verify whether the installation target hardware is x86 and determine the corresponding asset information.

Referring again to FIG. 1, when at least one asset information matching the product information of the CPE code is retrieved as a result of the asset information inquiry, the risk asset detector 600 determines whether the product information of the CPE code is consistent with at least one asset information And confirm the asset information as a risk asset.

The hazardous asset detector 600 may forward information about the hazardous assets to the alert generator 700. Here, the information on the risky asset may include an asset number, a product type, a supplier, a product name and a version, and may further include a severity, a link to a vulnerability countermeasure, etc. according to an embodiment.

The alert generator 700 may receive information about the risk asset and generate a risk asset alert on the asset corresponding to the asset number.

4 is a flowchart illustrating an operation method of a risk asset notification system according to an embodiment of the present invention.

Referring to FIG. 4, each of the RSS feed collector 110, the C-TAS interlock 120, and the REST API interlock 130 of the data collector 100 receives atypical data (RSS feed, cyber threat information, and resource information), which are security information (S10).

The CVE code extractor 200 may extract the CVE code from the security information collected by the data collector 100, that is, the RSS feed, the cyber threat information, and the resource information (S20). At this time, the CVE code extractor 200 can extract a CVE code from a large amount of security information using a regular expression conforming to the rule of the CVE code.

The vulnerability information detector 300 may access the NVD (nvd.nist.gov) and download vulnerability information corresponding to the extracted CVE code (S30).

The CPE code extractor 400 can extract the severity from the vulnerability information. If the severity is less than a predetermined standard value (NO in S40), the CPE code extractor 400 can perform step S10 again without extracting the CPE code for the vulnerability information. This is to increase the system performance by omitting the subsequent operation when the security threat level of the vulnerability information corresponding to the CVE code corresponding thereto is not serious and an alarm is not necessary.

If the severity exceeds a predetermined standard value (YES in S40), the CPE code extractor 400 extracts the CPE code for the vulnerability information and transmits the CPE code to the risky asset detector 600 (S50). At this time, the CPE code extractor 400 can extract the CPE code from the vulnerability information using the regular expression conforming to the rule of the CPE code.

The risky asset detector 600 extracts the product information from the CPE code, and controls the asset information inquirer 500 to inquire asset information corresponding to the product information (S60). The asset information inquirer 500 can inquire at least one asset information matching the product information extracted from the CPE code according to a request of the risk asset detector 600 and deliver it to the risk asset detector 600. The risky asset detector 600 can confirm that the product information of the CPE code is consistent with at least one asset information and then identify the asset information as a risky asset.

The alarm generator 700 receives the information about the determined risk asset and can generate the risk asset alert on the asset corresponding to the asset number (S70).

According to the risk asset notification system 10 according to the embodiment of the present invention, a large amount of unstructured information on the Internet can be analyzed to automatically provide threats to the assets before a cyber attack occurs.

The method described above can be implemented as computer-readable code on a computer-readable recording medium. The computer-readable recording medium includes all kinds of recording media storing data that can be decoded by a computer system. For example, it may be a ROM (Read Only Memory), a RAM (Random Access Memory), a magnetic tape, a magnetic disk, a flash memory, an optical data storage device, or the like. In addition, the computer-readable recording medium may be distributed and executed in a computer system connected to a computer network, and may be stored and executed as a code readable in a distributed manner.

It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the invention as defined in the appended claims. It will be understood that various modifications and changes may be made.

Claims (9)

Collecting irregular security data that exists on the network by the data collector;
Extracting a CVE code included in the unstructured security data collected by the data collector using a regular expression by a Common Vulnerability Enumeration (CVE) code extractor;
Accessing a National Vulnerability Database (NVD) that provides vulnerability information corresponding to a CVE code and downloading vulnerability information corresponding to the extracted CVE code;
Extracting a CPE code from the vulnerability information downloaded from the vulnerability information detector using a regular expression by a CPE (Common Platform Enumeration) code extractor;
A step in which an asset information inquiry unit inquires asset information corresponding to product information based on product information on a product vulnerable to security; And
Controlling the risk asset detector to generate a risk asset alert on an asset corresponding to the asset information;
Wherein the alarm generator generates a risk asset alert on the risk asset under the control of the risk asset detector,
The atypical security data includes:
Means that the data model is not predefined or the data model is not organized in a predefined manner,
In the CVE code,
Means a vulnerability of a publicly known software stored in the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD)
The vulnerability information,
Links to Solutions and Tools, Vulnerability ID, Vulnerability Source, Last Modified Description, Base Score by CVSS, References to Advisories, Vulnerability ID, CPE Notation Lt; RTI ID = 0.0 > software and versions, < / RTI >
The CPE code includes:
Based on the CPE notation, to indicate a Common Platform Enumeration,
The product information includes:
Product type, supplier, product name and version,
Wherein the collecting of unstructured security data present on the network by the data collector comprises:
The RSS feed collector collecting RSS feeds existing on the network;
Cyber Threat Analysis & Sharing (C-TAS) system, which is a cyber threat information analysis / sharing system operated by Korea Internet Development Agency (KISA), collects cyber threat information and detects malicious codes, Collecting IP attack information and other intrusion incident information and performing reputation verification and statistical / association analysis to share with an external organization subscribed to the C-TAS system;
A step of collecting a website, a blog, an image, a music, a user, a map and a search result by a http protocol in resource information existing on a network by a REST (Representational State Transfer) API (Application Programming Interface) How the Risk Asset Notification System Works. delete delete delete delete delete delete delete delete

Images