KR102055843B1 - Event-based Security Rule Real-time Optimization System and Its Method - Google Patents

Abstract

The present invention relates to an event-based security policy real-time optimization system and method thereof. More particularly, the present invention relates to an event-based security policy real-time optimization system and method thereof, which, in turn, minimize false positive or excessive detection of security events by configuring to create and apply periodic or real-time optimized security policies through machine learning algorithms for problems requiring manual updating of security policies for static security policies.

Description

Event-based Security Rule Real-time Optimization System and Its Method

The present invention relates to an event-based security policy real-time optimization system and method, and more particularly, to periodically or real-time through the machine learning algorithm for the problem that the security expert manually updates the security policy for the static security policy The present invention relates to an event-based security policy real-time optimization system and a security policy real-time optimization method that are configured to generate and apply an optimized security policy, thereby minimizing over-detection or false detection of security events.

As the importance of information and the amount of information in information assets has increased, so too has the importance of security on the network. Security equipment and security systems such as integrated security management system, threat management system, and firewall are used for the security of information assets. With the continuous and variable attempts to increase cyber breach, a large number of security events are occurring and efficient response to changing attacks is needed.

On the other hand, the number of users who use digital equipment has increased rapidly. Accordingly, the amount of logs and data, which are traces of users' use of digital equipment, has also increased exponentially, resulting in the so-called big data environment. Security events related to security breaches occurring in various user terminals, that is, endpoints or security systems on the network, are recorded in the event log.

The security officer can confirm the damage situation, type, route, etc. of the breach by analyzing the event log generated or reported, and can respond to the breach and / or take preventive measures. However, in the big data environment, the amount of data and usage logs is enormous, and the amount of security events has increased exponentially due to advanced cyber intrusion attempts. In this situation, it is almost impossible for the security officer to analyze all events manually to determine whether they are actually attacking, and it is easy to cause false positives and false negatives.

Accordingly, research has been conducted to collect and analyze security events in real time in order to effectively manage a large amount of security events. However, the existing researches had the disadvantage that it is difficult to cope with diversifying infringement by generating security events according to the defined security policy, and the researches that generate security policies to filter intrusion attempts of variability according to detection rules are also applied to the rapidly changing network environment. It caused many false positives.

In the existing security equipment and security system, environment analysis had to be preceded by the security officer to set the security policy. After analyzing the environment, we defined the security policy and applied the optimal policy filter value for each policy. However, as time goes by, the network environment can be expanded or contracted and the type of service can be changed. Therefore, it was very difficult for the security officer to continuously add, delete, or update the security policy according to the situation.

In addition, the initial security policy filter values depended on the expertise and / or experience of the security officer. Many site and domain address (DNS) security policies have substantially the same or similar security, despite the independence of each target. Policy and / or policy filter values are being applied.

1 is a view showing a conventional big data-based information protection method and apparatus disclosed in Korea Patent Publication No. 10-1503701. Referring to FIG. 1, a conventional big data-based information protection method and apparatus has a function of detecting a blocking target by receiving and analyzing information from a plurality of terminals. However, in the related art, since the threshold value is changed by a user's input in the monitoring device, it is difficult to adapt to a changing network environment, and it is very complicated and cumbersome for the user to manually change the threshold value.

Therefore, the related industry needs to develop a system that can effectively cope with diversified cyber intrusion attempts and effectively reduce false positive rate and optimize the filter value of security policy in response to changing internal network environment.

Korean Patent Publication No. 10-1503701 (2015.03.12)

The present invention has been made to solve the above problems,

SUMMARY OF THE INVENTION An object of the present invention is to collect logs delivered from network components, convert and process the logs into a regular format, and preprocess the logs, and periodically or in real time using a machine learning algorithm from the received preprocessed logs. A machine learning unit for generating an event-based security policy and a detection unit for receiving and recording the generated security policy and comparing the pre-processed log to process a real-time security event are configured to periodically derive an optimal filter value. It is to provide an event-based security policy real-time optimization system that increases the efficiency of security management tasks by minimizing over-detection and false-detection of security events by automatically applying it.

Another object of the present invention, the machine learning unit, a policy generation unit for deriving a policy model through the machine learning using the algorithm for the pre-processed log, and evaluates and synthesizes the policy model to periodically or real-time event-based security policy It is configured to include the policy decision making unit to generate the optimal filter value through machine learning, evaluates it automatically, and automatically applies it to minimize the over-detection and false-detection of security events, thereby increasing the efficiency of security management tasks. It is to provide a policy real-time optimization system.

Another object of the present invention, the policy generation unit, the variable extraction module for extracting the threat determination field from the preprocessed log received the input parameters, the algorithm for selecting at least one of the plurality of algorithms for the preprocessed log It consists of a selection module, a variable adjustment module that optimizes parameters for the accuracy of a policy model, and a learning module that performs machine learning using a selected algorithm or combination of algorithms. It is to provide an event-based security policy real-time optimization system that improves the accuracy of the policy model through the security management task.

Still another object of the present invention is to configure the parameters to include log field names, log field data types, and machine learning cycles, thereby deriving optimal filter values using variables presented by the administrator or determined by the system. It is to provide an event-based security policy real-time optimization system that increases efficiency.

Still another object of the present invention is that the policy generation unit further includes a classification module for classifying the provided preprocessed log into a number or string format, and the algorithm selection module is clustered with a time series selection module. By selecting the algorithm to be applied to the preprocessed log according to the classified format including the selection module, the event-based security policy real-time optimization system that selects the algorithm according to the type of security event to increase the efficiency of security management work. To provide.

Another object of the present invention, the learning module, including the prediction threshold value extraction module and the representative phrase extraction module, when the classified format is a number (Number) format to extract the maximum and / or minimum threshold value for each time, classification In case the text type is a text type, it is configured to extract a representative string for exception handling and create a policy model to derive the optimal rule filter value according to the type of security event to increase the efficiency of security management tasks. To provide a system.

Another object of the present invention, the policy decision unit is a model evaluation module for evaluating the policy model generated from the policy generation unit, a result analysis module for approving or approving the re-learning based on the evaluation result of the policy model and approval It is to provide an event-based security policy real-time optimization system that increases the efficiency of security management work by effectively evaluating the derived policy model by constructing a generation module that generates security policy by synthesizing the policy model.

Another object of the present invention, the detection unit receives the security policy generated by the policy generation unit and compares the policy receiving module, pre-processed log and the security policy applied to the existing security policy to detect threats and determine the risk It is to provide an event-based security policy real-time optimization system that detects a security event by applying an optimal rule filter value by configuring a decision module and a notification module that delivers the detected threats and risks to the user.

Still another object of the present invention is a collection step of collecting logs transmitted from network components, a preprocessing step of converting and processing the collected logs into a regular format, a machine model by using the algorithm to machine learning the policy model Policy generation step of generating a policy, policy generation step of evaluating and synthesizing the model generated in the policy generation step to generate a security policy periodically or in real time, receiving the security policy generated by the policy generation unit and applying to the existing security policy Optimal security policy by configuring policy receiving step, risk detection step to detect threats by comparing preprocessed log and security policy, and notification step to notify user of detected threats and / or risks. Automatically applying filter values periodically to increase the efficiency of security management tasks. Agent-based security policies to provide a real-time optimization.

Another object of the present invention, the policy generation step, the variable extraction step of extracting the threat determination filter from the preprocessed log received the input parameters received, at least one algorithm of a plurality of algorithms for the preprocessed log Deriving security policy through machine learning by including algorithm selection step, variable adjustment step optimizing parameters for policy model accuracy, and learning step for machine learning using selected algorithm or combination of algorithms It provides an event-based security policy real-time optimization method that increases the efficiency of security management by automatically applying the optimal rule filter.

Still another object of the present invention is to configure the parameters to include log field names, log field data types, and machine learning cycles to automatically apply optimal rule filter values based on variables provided by the user or determined by the system. It provides an event-based security policy real-time optimization method that increases efficiency.

Still another object of the present invention is that the policy generation step further includes a classification step of classifying the provided preprocessed log into a number format or a string format, wherein the algorithm selection step comprises a time series selection step; Event-based security policy that increases the efficiency of security management tasks by selecting algorithms to be applied to preprocessed logs according to the classified format including clustering selection step. It is to provide a real-time optimization method.

Another object of the present invention, the learning step, including the prediction threshold extraction step and the representative phrase extraction step, if the classified format is a number (Number) format, extracting the maximum and / or minimum threshold value for each hour, and classify Event-based security policy real-time to increase the efficiency of security management work by deriving different security policies according to types of security events by extracting representative strings for exceptions and creating a policy model when the formatted format is string type. To provide an optimization method.

Another object of the present invention, the policy decision step, the model evaluation step of comparing the policy model generated from the learning unit, the result analysis step of requesting or approving the re-learning based on the evaluation result of the policy model and The policy-based real-time optimization method for event-based security policy that increases the efficiency of security management work by evaluating the derived policy model and applying the more accurate optimal rule filter by constructing it to include the creation step to generate the security policy by synthesizing the approved policy model. To provide.

The present invention is implemented by the embodiment having the following configuration in order to achieve the above object.

According to an embodiment of the present invention, the present invention comprises a log collection unit for collecting the log transmitted from the network components, converting and processing the log into a regular format, and a machine learning algorithm from the received preprocessed log By using the machine learning unit for generating an event-based security policy in a periodic or real-time, and receiving the recorded security policy generated and compared with the pre-processed log characterized in that it comprises a detection unit for processing a real-time security event .

According to another embodiment of the present invention, the present invention, the machine learning unit, a policy generation unit for deriving a policy model through machine learning using an algorithm for the pre-processed log, and evaluates and synthesizes the policy model periodically or And a policy decision unit for generating an event based security policy in real time.

According to another embodiment of the present invention, the present invention is characterized in that the parameter includes a log field name, a log field data format and a machine learning cycle.

According to another embodiment of the present invention, the present invention, the policy generation unit, further comprises a classification module for classifying the received pre-processed log in the Number (String) format or the String (String) format, the algorithm selection module Is characterized by selecting an algorithm to be applied to the preprocessed logs according to the classified format including the time series selection module and the clustering selection module.

According to another embodiment of the present invention, the learning module includes a prediction threshold extraction module and a representative phrase extraction module, and the maximum and / or minimum thresholds for each time when the classified format is a number format. The policy model is generated by extracting a value and extracting a representative string for exception handling when the classified type is a text type.

According to another embodiment of the present invention, the policy decision unit, the model evaluation module for evaluating the policy model generated from the policy generation unit, re-learning request or approval based on the evaluation result of the policy model And a generation module for generating a security policy by synthesizing the result analysis module and the approved policy model.

According to another embodiment of the present invention, the log collection unit, a collection module for collecting the log transmitted from the network components, and a pre-processing module for converting and processing the collected log in a regular format It is characterized by including.

According to another embodiment of the present invention, the log collection unit, characterized in that for simultaneously transmitting the log pre-processed through the pre-processing module to the policy generation unit and the policy application unit.

According to another embodiment of the present invention, the detection unit, the policy receiving module for receiving the security policy generated by the policy generator and apply to the existing security policy, the threat compared to the pre-processed log and the security policy Determination module for detecting the element and determine the risk and characterized in that it comprises a notification module for transmitting the detected threat and risk to the user.

According to another embodiment of the present invention, the present invention further comprises a storage unit for storing at least one or more of the preprocessed log, the generated security policy and the detected security event.

According to still another embodiment of the present invention, the present invention provides a collection step of collecting logs transmitted from network components, a preprocessing step of converting and processing the collected logs into a regular format, and using the preprocessed log algorithm. Policy generation step of machine learning to generate a policy model, evaluating and synthesizing the model generated in the policy generation step to generate a security policy periodically or in real time, and receiving the security policy generated by the policy generation unit. A policy reception step applied to an existing security policy, a risk determination step of detecting a threat and determining a risk by comparing a preprocessed log with a security policy, and a notification step of notifying the user of the detected threat and / or risk. It is characterized by.

According to another embodiment of the present invention, the policy generation step, the variable extraction step of extracting the threat factor determination filter from the preprocessed log received by receiving the parameter, a plurality of algorithms for the preprocessed log Algorithm selection step of selecting at least one of the algorithm, the variable adjustment step of optimizing the parameters for the accuracy of the policy model and the learning step of performing the machine learning using a combination of the selected algorithm or algorithm.

According to another embodiment of the present invention, the policy generating step further includes a classification step of classifying the received preprocessed log into a number or string format, and selecting the algorithm. The step may include selecting an algorithm to be applied to the preprocessed log according to the classified format including a time series selection step and a clustering selection step.

According to another embodiment of the present invention, the learning step includes a prediction threshold extraction step and a representative phrase extraction step, when the classified format is a number (number) format of the hourly maximum and / or minimum threshold value Extracting a value, and if the classified format is a string, extracts a representative string to be exception, and generates a policy model.

According to another embodiment of the present invention, the policy determination step, the model evaluation step of comparing the policy model generated from the learning unit, the re-learning request based on the evaluation result of the policy model or And a generation step of generating a security policy by integrating the approved result analysis step and the approved policy model.

The present invention can achieve the following effects by the combination of the present embodiment and the configuration to be described below, the use relationship.

The present invention collects logs transmitted from network components, converts the logs into a regular format, and processes the logs in a pre-processed log collection unit, and from the received preprocessed logs, using a machine learning algorithm, periodically or in real time. It is configured to include a machine learning unit for generating a security policy and a detection unit for receiving and recording the generated security policy and comparing with the preprocessed log to process a real-time security event, thereby periodically obtaining an optimal filter value and automatically It is effective to provide an event-based security policy real-time optimization system that increases the efficiency of security management tasks by minimizing over-detection and false-detection of security events.

The present invention, the machine learning unit, the policy generation unit for deriving a policy model through the machine learning using the algorithm for the pre-processed log, the policy for evaluating and combining the policy model to generate an event-based security policy in a periodic or real time By including the decision part, the optimal filter value is periodically drawn through machine learning, evaluated, and automatically applied to minimize the overdetection and false detection of security events, thereby increasing the effectiveness of security management.

The present invention, the policy generation unit, the variable extraction module for extracting the threat determination field from the preprocessed log received the input parameters, the algorithm selection module for selecting at least one of the plurality of algorithms for the preprocessed log, policy It consists of a variable adjustment module that optimizes parameters for model accuracy and a learning module that performs machine learning using a selected algorithm or combination of algorithms. It is accompanied by the effect of providing an event-based security policy real-time optimization system to improve the accuracy of security management tasks by improving accuracy.

The present invention is configured to include a log field name, a log field data format, and a machine learning cycle, thereby deriving an optimal filter value using a variable presented by an administrator or determined by the system, thereby increasing the efficiency of security management tasks. It is effective to provide event-based security policy real-time optimization system.

The policy generation unit may further include a classification module that classifies the received preprocessed log into a number format or a string format, wherein the algorithm selection module includes a time series selection module and a clustering selection module. By selecting the algorithm to be applied to the preprocessed log according to the classified format, it is possible to select the algorithm according to the type of security event to provide an event-based security policy real-time optimization system that increases the efficiency of security management. Have

The present invention, the learning module, including the prediction threshold extraction module and the representative phrase extraction module, extracting the maximum and / or minimum threshold value for each time when the classified format is the number (Number) format, the classified type is text In case of type, it configures policy model by extracting representative string to handle exception and derives optimal rule filter value according to security event type to provide event-based security policy real-time optimization system that increases efficiency of security management task. .

The policy decision unit may include a model evaluation module for evaluating the policy model generated from the policy generation unit, a result analysis module for requesting or approving re-learning based on the evaluation result of the policy model, and an approved policy model. It is configured to include a generation module that generates security policy in total, thereby providing an event-based security policy real-time optimization system that effectively evaluates the derived policy model and increases the efficiency of security management.

The present invention, the detection unit receives the security policy generated by the policy generation unit and a policy receiving module to apply to the existing security policy, comparing the pre-processed log and the security policy to detect the threat factor and determine the risk and detection module It is configured to include a notification module that delivers a threat and a risk to a user, and thus, has an effect of providing an event-based security policy real-time optimization system that detects a security event by applying an optimal rule filter value.

The present invention provides a policy for generating a policy model by collecting a log transmitted from a network component, a preprocessing step of converting and processing the collected log into a regular format, and machine learning the preprocessed log using an algorithm. A policy decision step of generating a security policy periodically or in real time by evaluating and synthesizing the model generated in the policy generation step, the policy generation step, a policy reception step of receiving the security policy generated by the policy generation unit and applying it to an existing security policy, By comparing the preprocessed logs with the security policy, the optimal security policy filter values are periodically configured by including a risk determination step for detecting and determining a threat and a notification step for notifying the user of the detected threat and / or risk. Event-based security that automatically increases the efficiency of security management There is a book that provides real-time effects optimization.

In the policy generation step, the variable extracting step of extracting a threat determination filter from a preprocessed log received by receiving a parameter, selecting an algorithm for selecting at least one of a plurality of algorithms for the preprocessed log Step, variable tuning step for optimizing parameters for policy model accuracy, and learning step for machine learning using selected algorithms or combinations of algorithms. It is effective to provide the event-based security policy real-time optimization method that increases the efficiency of security management task by applying automatically.

According to the present invention, the parameters are configured to include log field names, log field data formats, and machine learning cycles to increase the efficiency of security management tasks by automatically applying optimal rule filter values based on variables provided by the user or determined by the system. Event-based security policy can provide real-time optimization method.

Still another object of the present invention is that the policy generation step further includes a classification step of classifying the provided preprocessed log into a number format or a string format, wherein the algorithm selection step comprises a time series selection step; Event-based security policy that increases the efficiency of security management tasks by selecting algorithms to be applied to preprocessed logs according to the classified format including clustering selection step. It provides a real-time optimization method.

Another object of the present invention, the learning step, including the prediction threshold extraction step and the representative phrase extraction step, if the classified format is a number (Number) format, extracting the maximum and / or minimum threshold value for each hour, and classify Event-based security policy real-time to increase the efficiency of security management work by deriving different security policies according to types of security events by extracting representative strings for exceptions and creating a policy model when the formatted format is string type. It has the effect of providing an optimization method.

Another object of the present invention, the policy decision step, the model evaluation step of comparing the policy model generated from the learning unit, the result analysis step of requesting or approving the re-learning based on the evaluation result of the policy model and The policy-based real-time optimization method for event-based security policy that increases the efficiency of security management work by evaluating the derived policy model and applying the more accurate optimal rule filter by constructing it to include the creation step to generate the security policy by synthesizing the approved policy model. Derive the effect it provides.

1 is a diagram illustrating a conventional big data-based information protection system.
2 is a block diagram of an event-based security policy real-time optimization system according to an embodiment of the present invention.
3 is a block diagram illustrating a policy generation unit of FIG. 2.
4 is a flowchart illustrating a policy decision unit of FIG. 2.
5 is a flowchart of an event-based security policy real-time optimization method according to an embodiment of the present invention.
6 is a flowchart illustrating a policy model generation process of the policy generation step of FIG. 5.
7 is a flowchart illustrating a determination process of the policy decision step of FIG. 5.
FIG. 8 is a flowchart illustrating a mutual process between the policy generation step and the policy decision step of FIGS. 6 and 7.

Hereinafter, exemplary embodiments of an event-based security policy real-time optimization system and a method thereof according to the present invention will be described in detail with reference to the accompanying drawings. In the following description of the present invention, if it is determined that a detailed description of a known function or configuration may unnecessarily obscure the subject matter of the present invention, the detailed description thereof will be omitted. Unless otherwise defined, all terms in this specification are equivalent to the general meaning of the terms understood by those of ordinary skill in the art to which the present invention pertains, and if they conflict with the meanings of the terms used herein, Follow the definition used in the specification.

Throughout the specification, when a part is said to "include" a certain component, this means that does not exclude other components, unless otherwise stated, and may also include other components, and The terms "~ part", "~ module" and the like described refer to a unit that processes at least one or more functions or operations, and may be implemented by hardware or software or a combination of hardware and software. Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings.

2 is an event-based security policy real-time optimization system and method according to an embodiment of the present invention. Referring to FIG. 2, the event-based security policy real-time optimization system 1 can effectively respond to diversified cyber intrusion attempts, effectively reduce false positive rates and optimize filter values of security policies in response to changing internal network environments. The automatic application can increase the efficiency of the security management task, and may include a log collecting unit 10, a machine learning unit 30, a detector 50 and a storage unit 70.

The log collecting unit 10 collects the logs transmitted from the security equipment and converts the collected logs into a regular format and processes them. Security equipment refers to machines, systems, and software that operate to protect network and / or information assets from internal and external threats, and include risk management systems (RMS), threat management systems (TMS), and intrusion detection systems (IDS). A security system is also possible and may be a device such as a firewall.

In the log collector 10 according to an embodiment of the present invention, a log transmitted from a firewall and the web may be collected and processed. However, the security equipment used for log collection in the present invention is not limited to the above-mentioned security system or security device, and may have any function of information security and may generate or transmit a log, and the log collection unit 10. In addition, logs collected and processed by WAS may also include other types of logs used for security control, not limited to logs delivered from firewalls and the web. The log collector 10 includes a collection module 11 and a preprocessing module 13.

The collection module 11 collects logs transmitted from the security equipment. The log is the data that contains the record of the system, and through the log data analysis, it is possible to detect and track intrusions from the outside and manage system performance. Web log and webtop log exist, and security log records each event as defined in the security policy set for each object.

The preprocessing module 13 converts or processes the log collected by the collection module 11 into a regular format. For example, the log may include source IP information, destination IP information, source port information, destination port information, host information, payload information, and the like. It may include at least one of HTTP referrer (hypertext transfer protocol referer) information and information on the number of security events.

The preprocessing module 13 converts the collected logs into a regular format. For example, the normalized log may be composed of data including fields including Time, Type, SentIP, DestIP, Payload, and the like. In this case, Time may be an event detection time, Type may be an event type, SentIP may be a source IP, DestIP may be a destination IP of an event, and payload may be information of an attack recorded in a log. Information and / or fields included in the log and the normalized log are exemplary, and it can be seen that other information and / or fields necessary for security control may be included. Collected data may lack some of the above information, may be included in duplicate, or may have different types of field values. Accordingly, the preprocessing module 13 may perform data purification such as converting to a normal form and filling in missing values or erasing duplicate values. Thereafter, the preprocessing module 13 may simultaneously or selectively transmit the preprocessed log to the machine learning unit, the detector, and the storage unit.

The machine learning unit 30 generates an event based security policy periodically or in real time using a machine learning algorithm from the provided preprocessed log. Machine learning, also called machine learning, is a technology that allows computers to learn from data and to understand something or a situation like a person. The key is the algorithm that allows the computer to analyze the data in a technical way that the computer trains itself to identify and classify patterns. By elaborating algorithms that utilize data, the computer learns itself and provides a model that is the learning result. In one embodiment of the present invention, the machine learning unit 30 provides a policy model that is an element of the security policy as a learning result, and includes a policy generation unit 31 and a policy decision unit 33.

3 is a block diagram of the policy generation unit 31 according to an embodiment of the present invention. Hereinafter, the policy generation unit 31 will be described with reference to FIG. 3. The policy generation unit 31 derives a policy model through machine learning using an algorithm or a combination of algorithms. In one embodiment of the event-based security policy real-time optimization system according to the present invention, the policy generator 31 is a variable extraction module 311, algorithm selection module 315, variable adjustment module 317 and learning module 319 It may include, preferably may further include a classification module (313).

The variable extraction module 311 may extract a threat factor determination field from a preprocessed log that receives a parameter. The parameter may be input by a user, or the system may determine and input a suitable parameter by itself. In addition, the interface as a path through which the parameter is input may be a command line interface (CLI), and another known or to be known interface used for parameter input is also possible.

The input parameter may include a field name, a field data format, and a machine learning cycle of the preprocessed log. The log field name is an index indicating what data stored in the normalized log such as Time, Type, and SentIP is. The field data type refers to a format of data stored in the field, and includes a number type and a string type. The number format is a data format that is recognized as a number on the system, such as traffic indicating which DNS address has been applied for from which IP and how many times. The string format is a data format recognized by the system as a character. For example, a file name executed by a malicious code accompanying a payload may be used. The machine learning cycle refers to a cycle for deriving a policy model corresponding to the learning result according to machine learning, and may include machine learning cycle parameters such as 1 day, 1 hour, 1 minute, 1 second, or real time. In addition, the parameter may include a plurality of field names, and both a number format and a string format may be input as the field data format, or another format may be input. Furthermore, the machine learning cycle parameter may be input as a variable that changes according to a function instead of a fixed constant value.

When the parameter is input, the variable extraction module 311 extracts a field serving as a reference of a machine learning process from a preprocessed log provided according to the input parameter.

The classification module 313 classifies the provided preprocessed log into a number format or a string format. In one embodiment according to the present invention, the traffic volume for a certain DNS address may be classified in a number format, and the IP of the DNS address may be classified in a string format.

The algorithm selection module 315 selects at least one of a plurality of algorithms with respect to the preprocessed log. If the format of the data is classified by the classification module 313, at least one of a time series algorithm when the format of the data is a number format and a clustering algorithm is selected when the format of the data is string. The algorithm selection module 315 may include a time series selection module 3151 and a clustering selection module 3153.

The time series selection module 3151 is a module for selecting an algorithm when the classified log has a number format. The algorithm selected may correspond to logistic regression, SVM, decision tree, random forest, and the like, and may be used in combination with the above algorithms. The algorithms correspond to algorithms used for supervised learning, and the time series selection module 3151 may select an algorithm used for supervised learning, but may also select an algorithm used for nonsupervised learning.

The clustering selection module 3153 is a module for selecting an algorithm when the classified log is in a string format. Algorithms such as k-means, GMM, hierarchical clustering may be selected, and combinations of the above algorithms may be selected. In addition, a single known algorithm or combination of algorithms used for machine learning may be selected, not limited to the enumerated algorithms.

The variable adjustment module 317 optimizes parameters for accuracy of the policy model derived from the learning module 319 described later. Initially derived policy models may not be sufficiently high in predictability and accuracy. Therefore, the policy model may need to be improved for better prediction, so adjust the parameters used for learning to improve. The method of adjusting the parameter may include replacing, adding, or deleting a field name, or converting the field data format when the field data format is set incorrectly. In addition, it can replace the value of the training data used in the learning module.

The learning module 319 performs machine learning using a selected algorithm or combination of algorithms and derives a policy model. The learning module 319 may derive another policy model according to the type of the classified log data. Accordingly, the learning module 319 may include a predictive threshold extraction module 3319 and a representative phrase phrase extraction module 3193.

The prediction threshold extraction module 3319 may extract a policy model including a maximum and / or minimum threshold value for each time when the classified log has a number format. The threshold value is, for example, a reference value for the amount of access traffic to the DNS address, and may be determined to be abnormal traffic when the traffic amount exceeds the threshold value. In the case of DDoS, which transmits a large amount of traffic in a short time, it is possible to determine whether abnormal traffic is through the maximum threshold value. In addition, there may be a minimum requirement for the log data of the number format other than the traffic volume, and the prediction threshold extraction module 3191 may also extract a policy model including the minimum threshold value.

The minimum threshold or the maximum threshold needs to be changed according to the normal operation of the network and the organization's information system. Since the amount of information exchange between the network and the information system in the organization may change with time even within a day unit, the predictive threshold extraction module 3319 may determine that the minimum and / or maximum threshold values change over time. Model can be derived. As a result, unnecessary security events due to changes in traffic volume are minimized, and thus, false positives and over-detections of the security policy can be minimized.

The representative phrase extraction module 3193 may extract a policy model including a representative string for exception processing when the classified log has a string format. For example, when a new software or program executes a command on a network, the security device can classify it as an unknown threat. The representative phrase extraction module 3193 according to an embodiment of the present invention may extract a string to be exception-processed from a threat through a clustering algorithm. As a result, code containing an exception string can minimize false positives by not generating a security event according to the policy model that excludes it from threats. In addition, the representative phrase extraction module 3193 may detect the presence of malicious code for the code executed on the network in addition to the string to be exception. As a result, a policy model can be derived to classify existing and / or new malicious codes to be treated as malicious codes in addition to strings not to be treated as threats.

4 is a block diagram showing a policy decision unit 33 according to an embodiment of the present invention. Hereinafter, the policy decision unit 33 will be described with reference to FIG. 4. The policy decision unit 33 may generate an event-based security policy periodically or in real time according to a parameter by evaluating and synthesizing the policy model derived from the policy generation unit 31. The policy decision unit 33 may include a model evaluation module 331, a result analysis module 333, and a generation module 335.

The model evaluation module 331 evaluates the policy model generated from the policy generator 31. Measure how general the policy model is for new data. It is possible to assess how high the predictive accuracy of the generated policy model is, including accuracy and loss, and whether it is optimized only for the dataset used for machine learning. The evaluation method may include a known or to be known evaluation method for machine learning.

The result analysis module 333 may request or approve a re-learning based on a criterion based on a result of evaluating the policy model in the model evaluation module 331. In an embodiment of the present invention, the model evaluation module 331 scores the result of evaluating the policy model according to an item, and the result analysis module 333 fails to reach the designated reference score. Re-learning can be requested, and the policy model can be approved if the specified standard score is exceeded.

The generation module 335 generates a security policy by synthesizing the approved policy model. The approved policy model may contain hourly minimum and / or maximum threshold values and may include representative strings for exceptions. Since the generation module 335 synthesizes the policy model generated according to the machine learning cycle input to the parameter, the generation module 335 may generate a security policy periodically or in real time according to the machine learning cycle.

2, the detection unit 50 receives and records the event-based security policy generated by the generation module 335, compares the preprocessed log with the security policy, and compares the security policy to a real-time security event. Process. The detector 50 may include a policy receiving module 51, a determination module 53, and a notification module 55.

The policy receiving module 51 receives the security policy generated by the generation module 335 and applies it to the existing security policy. Applying the generated security policy to the existing security policy, the security policy generated in the generation module 335 is a security policy based on the log field, the same log compared to the security policy recorded on the existing security equipment If there is a field-based policy, it is replaced with the generated security policy, and if it is based on unequal log fields or not based on the log field, the new security policy is added while maintaining the policy while maintaining the policy. .

The determination module 53 compares the new security policy applied in the policy reception module 51 with the preprocessed log to detect a threat and determine a risk. The risk is a quantitative measure calculated using weights and calculation formulas established according to threat factors. Therefore, it is possible to assist in estimating or determining the priority of each security event by determining different risks according to the security event that has occurred.

The notification module 55 transmits a security event and a risk according to the detected threat factor to the user. Different levels of notification are provided according to the risk, and may be provided to the user in other known or known ways, including providing in a visual and audio manner.

The storage unit 70 may store preprocessed logs, generated security policies, and detected security events provided by the log collection unit 10, the machine learning unit 30, and the detection unit 50. The preprocessed log is stored in the log DB, the generated security policy is stored in the policy DB, and the security event is stored in the security event DB, which can be used to perform machine learning, log analysis, or data mining.

5 is a flowchart of an event-based security policy real-time optimization method according to an embodiment of the present invention. Hereinafter, the present invention will be described with reference to FIGS. 5 to 8.

The event-based security policy real-time optimization method (S1) according to an embodiment of the present invention is optimized periodically or in real time through a machine learning algorithm for the problem that the security expert must manually update the security policy for the static security policy. It is configured to create and apply a security policy to minimize over-detection or false detection of security events, resulting in collection step (S11), preprocessing step (S13), policy generation step (S31), policy decision step (S33), and policy reception. It may include the step (S51), risk determination step (S53), notification step (S55).

The collecting step (S11) is a process that the log collecting unit 10 passes through, collecting logs transmitted from the elements of the network. In one embodiment of the present invention can collect the log transmitted from the firewall and the web, in another embodiment can also collect the log generated by the endpoint (Log) generated from the endpoint, such as SIEM or IPS security control system.

The preprocessing step (S13) is a process of converting the log collected by the preprocessing module 13 in the log collecting unit 10 into a regular format and processing. As described above, the log containing information such as source IP information and destination IP information is normalized to data including fields such as Time, Type, SentIP, and DestIP, and the data is refined. Thereafter, the preprocessing module 13 transmits the preprocessed data to the machine learning unit 30 and the detector 50 as shown in FIG. 5.

The policy generation step S31 is a step of generating a policy model through machine learning using an algorithm on a preprocessed log, which may be performed in the machine learning unit 30. The policy generation step S31 may include a variable extraction step S311, an algorithm selection step S315, a variable adjustment step S317, a learning step S319, and may further include a classification step S313. .

The variable extraction step S311 is a step of extracting a threat factor determination filter from a pre-processed log by receiving a parameter, and may be performed by the variable extraction module 311. As described above, the parameter may be input by a user, and the system may determine and input a suitable parameter by itself. In addition, a known or to be known interface used for the parameter input may be used, and the input parameter may include a field name, field data format, and machine learning cycle of the preprocessed log.

The classification step S313 is a step of classifying the provided preprocessed log in a number format or a string format, and may be performed in the classification module 313.

The algorithm selecting step S315 may be performed by the algorithm selecting module 315 to select at least one algorithm from among a plurality of algorithms with respect to the preprocessed log. If the format of the data is classified in the classification step S313, at least one algorithm may be selected from a time series algorithm when the data format is a number format and a clustering algorithm when the data format is a string format. ) May include a time series selection step S3151 and a clustering selection step S3153.

The time series selection step (S3151) is a step of selecting an algorithm corresponding to the number format when the classified log format is a number format. As described above, the algorithm or combination of algorithms used in supervised learning may be selected, but the algorithm or combination of algorithms used in non-supervised learning may also be selected.

The clustering selection step (S3153) is a step of selecting an algorithm matching the string format when the classified log format is a string format. As described above, algorithms such as k-means, GMM, hierarchical clustering, etc. may be selected, and combinations of the above algorithms may be selected. In addition, a single known algorithm or combination of algorithms used for machine learning may be selected, not limited to the enumerated algorithms.

The variable adjusting step S317 optimizes parameters for the accuracy of the policy model derived from the learning step S319 described later. The policy models that are initially derived may not be sufficiently high in their predictability and accuracy, so that the parameters used for learning can be adjusted to create better predictive models. In addition, when requesting a re-learning because the evaluation score is less than a specified criterion in the result analysis step (S333) to be described later, the parameter adjustment step (S317) can be adjusted to accept the parameter. The method of adjusting the parameter may include replacing, adding, or deleting a field name, or converting the field data format when the field data format is set incorrectly. In addition, it can replace the value of the training data used in the learning module.

The learning step (S319) is a step of performing machine learning and deriving a policy model using a selected algorithm or a combination of algorithms. Since the learning step (S319) can derive a different policy model according to the format of the log data classified in the classification step (S313), the learning step (S319) is the prediction threshold extraction step (S3191) and the representative phrase extraction step It may include (S3193).

The predicted threshold extraction step (S3191) is a step of extracting a policy model including a maximum and / or minimum threshold value for each time when the classified log has a number format. As described above, the threshold value is a reference value for a value related to security control, such as the amount of access traffic, and may be determined to be abnormal traffic when the security control and related number such as traffic amount exceeds the threshold value. In addition, there may be a minimum numerical requirement on the security control, the predicted threshold extraction step (S3191) can also extract a policy model including the minimum threshold value.

The minimum or maximum threshold may need to be changed depending on the normal operation of the network and the organization's information system. Since the amount of information exchange between the network and the information system in the organization may change over time even within a day unit, in the predicted threshold extraction step (S3191), the minimum and / or maximum threshold values may be changed according to time. Model can be derived. As a result, unnecessary security events due to changes in traffic volume are minimized, and thus, false positives and over-detections of the security policy can be minimized.

The representative phrase extraction step (S3193) is a step of extracting a policy model including a representative string for exception processing when the classified log has a string format. Representative phrase extraction step (S3193) according to an embodiment of the present invention can extract a string to be exception processing in the threat factor through the clustering algorithm. As a result, code containing an exception string can minimize false positives by not generating a security event according to the policy model that excludes it from threats. In addition, the representative phrase extraction step (S3193) may detect the presence of malicious code for the code executed on the network in addition to the string to be exception. As a result, a policy model can be derived to classify existing and / or new malicious codes to be treated as malicious codes in addition to strings not to be treated as threats.

Through the above steps, the policy model according to the number format and / or string format of the event log is derived in the policy generation step S31. Hereinafter, the policy decision step S33 will be described. The policy decision step (S33) evaluates the derived policy model, requests or approves the re-learning according to the criteria, and synthesizes it to generate a security policy periodically or in real time. Accordingly, the policy decision step S33 may include a model evaluation step S331, a result analysis step S333, and a generation step S335.

The model evaluation step S331 may evaluate the policy model generated in the learning step S319. The generated policy model evaluates the predictability of newly input data by the scale including accuracy and loss. Evaluation methods may include known or to be known evaluation methods for models derived from machine learning.

The result analysis step (S333) may request or approve a re-learning based on a criterion based on a result of evaluating the generated policy model in the model evaluation step (S331). In the result analysis step (S333) according to an embodiment of the present invention, the result of evaluating the policy model is weighted according to the item, and scored. If the specified criterion score is satisfied, the policy model can be approved. More specifically, referring to FIG. 8, if the evaluation score of the policy model exceeds a predetermined criterion in the result analysis step (S333), if it does not exceed, the re-learning request to go through the variable adjustment step (S317) again. And, if exceeded to approve the policy model to go through the generation step (S335) to be described later.

The generating step (S335) generates a security policy by combining the approved policy model. The approved policy model may include an hourly minimum and / or maximum threshold value and may include a representative string to be exceptioned. In the generating step (S335) synthesizes the policy model generated according to the machine learning cycle input to the parameter, it is possible to generate a security policy periodically or in real time according to the machine learning cycle.

4, the detection unit 50 receives and records the generated event-based security policy, and compares the preprocessed log with the security policy and the security policy to process a real-time security event. The detection unit 50 may perform a policy reception step S51, a risk determination step S53, and a notification step S55.

The policy receiving step S51 receives the generated event-based security policy and applies it to the existing security policy. Compare event-based security policy based on log field with security policy recorded on existing security equipment. If there is a policy based on the same log field, replace it with created security policy, and based on unequal log field. If you do not do this, or based on the log field, you can make the new security policy by adding the created security policy while maintaining the policy.

The risk determination step (S53) is a step of detecting a threat and determining a risk by comparing a new security policy applied in the policy reception step (S51) with a preprocessed log transmitted from the preprocessing step (S13). The risk is a quantitative measure calculated using weights and calculation formulas established according to threat factors. Accordingly, in the risk determination step (S53), it is possible to assist in calculating or determining the priority of each security event by determining different risks according to the security event that occurred.

The notification step S55 transmits a security event and a risk level according to the detected threat factor to the user. Different levels of notification are provided according to the risk, and may be provided to the user in other known or known ways, including providing in a visual and audio manner.

Through the above steps, an event-based security policy real-time optimization system and a security policy real-time optimization method are derived, which generates and applies an optimized security policy periodically or in real time through a machine learning algorithm, thereby minimizing over-detection or false detection of security events. do.

The embodiments of the present invention described above are not implemented only through the apparatus and the method, but may be implemented through a program for realizing a function corresponding to the configuration of the embodiment of the present invention or a recording medium on which the program is recorded. Implementation can be easily implemented by those skilled in the art from the description of the embodiments described above.

The foregoing detailed description illustrates the present invention. In addition, the above description shows and describes preferred embodiments of the present invention, and the present invention can be used in various other combinations, modifications, and environments. That is, changes or modifications can be made within the scope of the concept of the invention disclosed in this specification, the scope equivalent to the disclosures described above, and / or the skill or knowledge in the art. The described embodiments illustrate the best state for implementing the technical idea of the present invention, and various modifications required in the specific application field and use of the present invention are possible. Thus, the detailed description of the invention is not intended to limit the invention to the disclosed embodiments. Also, the appended claims should be construed to include other embodiments.

1: Event-based security policy real-time optimization system
10: log collector 11: collection module
13: pretreatment module 30: machine learning part
31: policy generator 311: variable extraction module
313: classification module 315: algorithm selection module
3151: time series selection module 3153: clustering selection module
317: variable adjustment module 319: learning module
3191: Predictive threshold extraction module 3193: Representative sentence extraction module
33: Policy Decision Unit 331: Model Evaluation Module
333: result analysis module 335: generation module
50: detector 51: policy receiving module
53: judgment module 55: notification module
70: storage
S1: 1: Event-based Security Policy Real-Time Optimization
S11: collection step S13: pretreatment step
S31: policy generation step S311: variable extraction step
S313: Classification step S315: Algorithm selection step
S3151: time series selection step S3153: clustering selection step
S317: Variable adjustment step S319: Learning step
S3191: Predictive threshold extraction stage S3193: Representative sentence phrase extraction stage
S33: policy decision step S331: model evaluation step
S333: result analysis step S335: generation step
S51: Policy Receive Stage S53: Risk Judgment Stage
S55: notification step

Claims (17)

The machine learning unit generates an event based security policy periodically or in real time using a machine learning algorithm from a preprocessed log, and receives and records the generated security policy and compares the preprocessed log to process a real time security event. Including a detector,
The machine learning unit includes a policy generation unit for deriving a policy model through machine learning using an algorithm on a preprocessed log, and a policy decision unit for generating an event-based security policy periodically or in real time by evaluating and synthesizing the policy model. ,
The policy generation unit receives a parameter, a variable extraction module for extracting a threat determination field from a preprocessed log, a classification module for classifying the received preprocessed log in a number or string format, and a preprocessed log. Algorithm selection module for selecting at least one of the plurality of algorithms with respect to the learning module for performing a machine learning using the selected algorithm or combination of algorithms,
The learning module includes a prediction threshold extraction module and a representative phrase extraction module, and extracts a maximum and / or minimum threshold value for each time when the classified format is a number format, and the classified format is a string format. In the event-based security policy real-time optimization system, characterized in that to generate a policy model by extracting a representative string to be exception handling. delete The event-based security policy real-time optimization system according to claim 1, wherein the policy generation unit further comprises a variable adjustment module for optimizing parameters for accuracy of a policy model. 4. The system of claim 3, wherein the parameter comprises at least one of a log field name, a log field data format, and a machine learning cycle. The event-based security policy real-time optimization system according to claim 1, wherein the algorithm selection module selects an algorithm to be applied to a preprocessed log according to a classified format including a time series selection module and a clustering selection module. delete The method of claim 1, wherein the policy determination unit evaluates a policy model generated from the policy generation unit, a result analysis module for requesting or approving a re-learning based on the evaluation result of the policy model, and an approved policy. Event generation security policy real-time optimization system, characterized in that it comprises a generation module for generating a security policy by synthesizing the model. According to claim 1, The detection unit, Receiving module for receiving a security policy generated by the generation module, the policy receiving module to apply to the existing security policy, comparing the pre-processed log and the security policy to detect threats and determine the risk level And a notification module for transmitting the detected threats and risks to the user. 9. The log according to any one of claims 1, 3 to 5 and 7 to 8, which collects logs transmitted from network components and converts and converts the logs into a canonical format for preprocessing. And a storage unit for storing at least one of the preprocessed log, the generated security policy, and the detected security event. The system of claim 9, wherein the log collecting unit simultaneously transmits the preprocessed log to the machine learning unit and the detection unit through a preprocessing module. The policy generation step of generating a policy model by machine learning the preprocessed log using an algorithm, the policy decision step of evaluating and synthesizing the model generated in the policy generation step and generating a security policy periodically or in real time, in the policy generation unit. Receive the generated security policy and apply the security policy to the existing security policy, compare the preprocessed log with the security policy to detect the threat and determine the risk, the risk determination step and detected threats and / or risks to the user A notification step of notifying,
The policy generation step may include a variable extraction step of extracting a threat determination filter from a preprocessed log by receiving a parameter, and a classification step of classifying the received preprocessed log into a number type or a string type, and the preprocessing. An algorithm selection step of selecting at least one of a plurality of algorithms with respect to the generated log, and a learning step of performing machine learning using a selected algorithm or combination of algorithms,
The learning step includes a prediction threshold extraction step and a representative phrase extraction step, and when the classified format is a number format, extracts the maximum and / or minimum threshold values for each hour, and the classified format is a string format. In the event of extracting a representative string for exception handling, characterized in that for generating a policy model, event-based security policy real-time optimization method. 12. The method of claim 11, wherein the policy generation step further comprises a variable adjustment step of optimizing a parameter for accuracy of a policy model. The method of claim 12, wherein the parameter comprises at least one of a log field name, a log field data format, and a machine learning cycle. 12. The method of claim 11, wherein the algorithm selection step comprises selecting an algorithm to be applied to the preprocessed log according to a classified format including a time series selection step and a clustering selection step. delete 12. The method of claim 11, wherein the policy decision step comprises: a model evaluation step of comparing the policy models generated in the policy generation step, a result analysis step of approving or approving a result of the evaluation of the policy model, and approval And a generation step of generating a security policy periodically or in real time by synthesizing the revised policy model. The method of claim 11, further comprising a collecting step of collecting logs transmitted from network components before the policy generating step, and a preprocessing step of converting and processing the collected logs into a regular format. Security policy real-time optimization method.

Images