KR102088304B1 - Log Data Similar Pattern Matching and Risk Management Method Based on Graph Database - Google Patents

Abstract

The present invention relates to a graph database-based log data similar pattern matching and risk managing method. More specifically, provided is the graph database-based log data similar pattern matching and risk managing method which determines a subgraph with respect to a frequent pattern after designating collected log data as graph data and compares the similarity with comparison reference graph data so that efficient security control is possible by discovering, screening, and managing data with a high threat possibility.

Description

Log Data Similar Pattern Matching and Risk Management Method Based on Graph Database

The present invention relates to a method for matching and risk management of log data-based log data similar patterns, and more specifically, after storing the collected log data as graph data, subgraphs are determined for the frequent patterns, and the comparison reference graph data By comparing similarities, it is possible to find, select, and manage data with a high threat potential to enable efficient security control.

As the importance of information and the amount of information in information resources has increased, the importance of security on the network has also emerged. For the security of information resources, security equipment and security systems such as integrated security management systems, threat management systems, and firewalls are used. Currently, a large number of security events are occurring due to the continuous and variable increase in cyber infringement attempts, and it is necessary to respond effectively to changing attacks.

Meanwhile, the number of users using digital equipment has rapidly increased, and various data has been generated according to the development of computers and IoT technologies. In this situation, the data has a great relationship, and for efficient management of the data, it is necessary to store the relationship of the data. In order to store this relationship, a lot of data storage space is required, and a problem arises in that calculations according to relationships between data are also increased. Accordingly, objects with high relations are expressed as graph data by connecting objects according to the relationship.

Graph data can show various patterns according to the characteristics of objects in the data. Among these various patterns, a certain pattern is generated, and this is called a frequent pattern. In the area of security control, this frequent pattern can have an important meaning. This can mean that threats such as hacking are continuously applied to certain information resources. Therefore, the need to separately select and manage these frequent patterns has emerged.

Referring to the conventional method and apparatus for generating a graph database for infringement resources disclosed in Korean Patent Publication No. 10-1764674, the conventional method and apparatus for generating a graph database for infringement resources creates a graph database for infringement behavior And save it. However, when stored as such graph data, there is a problem that it must be directly interpreted or compared with other graph data. Moreover, in today's big data environment, the amount of data is huge, so the size of graph data is inevitably large. It is a very difficult process for a user to directly compare it with other graph data, or to run a different program, for graph data with huge capacity.

In addition, the conventional invention seeks to continuously store graph data, and does not place any emphasis on the efficiency and speed of analysis operations using subgraphs or the like. In addition, there is no disclosure on how to search for or search for frequent patterns, so it is not suitable for selecting and managing frequent patterns. Accordingly, related industries require graph data-based log data-like pattern matching and risk management methods while being able to generate graph data with respect to data related to infringement threats, select and manage frequent patterns, and efficiently perform the calculations efficiently and rapidly. That is true.

Korean Registered Patent Publication No. 10-1764674 (2017.07.28)

The present invention was made to solve the above problems,

An object of the present invention includes an inflow graph data generation step of storing the collected log data as inflow graph data, wherein the inflow graph data generation step is an individual element designation step of designating each element of the log data as a graph element And configured to include a labeling step of labeling at least a portion of the stored graph elements to store the collected log data as graph data, determine subgraphs for frequent patterns, and compare similarity with comparative reference graph data By doing so, it is to provide a graph database-based log data similar pattern matching and risk management method that enables efficient security control by finding, screening, and managing data with high threat potential.

Another object of the present invention, the individual element designation step is a node generation step of analyzing the collected log data and generating a node when no node has a value corresponding to the value of the first element or the second element, the log Graph data according to the data format by configuring to include the node designation step of designating the first and second elements of the data as the first node and the second node, and the edge designation step of designating the third element of the log data as the edge. It is to provide a method for matching and risk management of log data similar patterns based on graph database, which enables efficient security control by designating and selecting and managing the data with high threat potential by designating the components of.

Another object of the present invention, the individual element designation step is configured to further include a weight designation step of designating a weight according to the type of the edge to efficiently collect data with a high threat potential according to the threat type of the collected data. It provides a pattern matching and risk management method for finding log data based on the graph database to search.

Still another object of the present invention is that the first element is an attacker resource, the second element is a threat target resource, and the edge is a threat method to classify an attacker and a threat target from a log converted to a regular format. Therefore, it is to provide similar pattern matching and risk management method based on graph database that efficiently finds the data with high threat potential.

Another object of the present invention is configured to further include a subgraph determination step of setting each subgraph for comparison of the inflow graph data and the comparison reference graph data and an attribute comparison step of calculating similarity by pattern matching between the subgraphs. By doing so, it is to provide a log database similar pattern matching and risk management method based on a graph database that efficiently finds data with a high probability of threat through similar pattern matching between subgraphs.

Another object of the present invention, the sub-graph determining step, a reference node setting step of setting a reference node that is the reference of the sub-graph, the first edge search step of searching and specifying the edge connected to the reference node, the reference node Graph database-based log data similarity pattern matching and risk management by systematically constructing subgraphs to search for data with a high threat potential by configuring to include the first connection node search step of searching for the first connection node connected to the edge Is to provide a way.

Another object of the present invention, the first edge search step, by searching only the in-edge among the edges connected to the reference node to designate as an edge of the subgraph, but configured to exclude that the weight of the in-edge is 0, similar patterns It is to provide similar pattern matching and risk management method based on the graph database that enables efficient frequent pattern selection by simplifying the calculation of matching.

Another object of the present invention, the sub-graph determination step, the edge clean-up step of deleting the weighted zero edge before the reference node setting step, and the first connection node search step connected to the first connection node The second edge search step, which designates the edge of the subgraph as the edge of the subgraph by searching only the in-edges whose weight is not 0, and the second connection node search step, which specifies the node connected to the edge as the second connection node to the first connection node. It is configured to further include to provide a log database-like pattern matching and risk management method based on graph database that enables efficient operation and responds to diversified threats.

Another object of the present invention, the attribute comparison step, comparing the similarity factor with the subgraph operation step of calculating the similarity factor based on the inflow subgraph and the comparison reference subgraph, return similarity to return the similarity of each subgraph Including a step, the similarity factor is configured to be calculated based on nodes and edges of each subgraph to provide a method for matching and risk management of log data similar patterns based on a graph database that enables quantitative comparison of subgraphs.

Another object of the present invention, the similarity return step, based on the difference between the similarity factor of the inflow subgraph and the similarity factor of the comparison reference subgraph, the smaller the difference, the higher the similarity value is configured to return. It is to provide similar pattern matching and risk management method based on the graph database that efficiently selects.

Another object of the present invention is to provide a graph database-based log data similar pattern matching and risk management method to effectively notify the risk of incoming data by further comprising a risk calculation step of calculating the risk of the subgraph.

Another object of the present invention, the risk calculation step, by configuring the risk value based on the weight of the label value of the reference node and the edge connected to the reference node, the risk is variable according to the threat resource and the threat type To provide similar pattern matching and risk management method based on graph database notified by.

Another object of the present invention, by configuring to further include a screening management step of selecting and storing and managing frequent patterns, the graph database-based log data similar pattern to efficiently manage the selected frequent patterns to improve the efficiency of the security control system It is to provide a matching and risk management method.

The present invention is implemented by an embodiment having the following configuration in order to achieve the above object.

According to an embodiment of the present invention, the present invention includes an inflow graph data generation step of storing the collected log data as inflow graph data, wherein the inflow graph data generation step comprises graph elements for each element of the log data. And an individual element designating step designated by and a labeling step of labeling at least a part of the stored graph elements.

According to another embodiment of the present invention, the present invention, the individual element designation step, analyzes the collected log data to generate a node when there is no node having a value corresponding to the value of the first element or the second element And a node designation step, a node designation step of designating the first and second elements of the log data as first and second nodes, and an edge designation step of designating the third element of the log data as an edge. do.

According to another embodiment of the present invention, the present invention is characterized in that the individual element designation step further comprises a weight designation step of designating a weight according to the type of the edge.

According to another embodiment of the present invention, the present invention is characterized in that the first element is an attacker resource, the second element is a threat target resource, and the edge is a threat method.

According to another embodiment of the present invention, the present invention compares the inflow graph data and the comparison reference graph data by comparing the properties of calculating the similarity by sub-graph determination step of setting each sub-graph and pattern matching between the sub-graphs Characterized in that it further comprises a step.

According to another embodiment of the present invention, the present invention, the sub-graph determining step, a reference node setting step of setting a reference node that is the reference of the sub-graph, the first edge to search for and specify the edge connected to the reference node And a first connection node search step of searching for a first connection node connected to the reference node and an edge.

According to another embodiment of the present invention, in the present invention, in the first edge search step, only the in-edge among the edges connected to the reference node is searched and designated as an edge of the subgraph, but the weight of the in-edge is 0 It is characterized by being excluded.

According to another embodiment of the present invention, the present invention, the sub-graph determination step, the edge clean-up step of deleting the edge with a weight of zero before the reference node setting step, and after the first connection node search step A second edge search step of designating as an edge of the subgraph by searching only the in-edge that has a non-zero weight among the edges connected to the first connection node, and a second node designating a node connected as an edge to the first connection node as the second connection node. It characterized in that it further comprises a connection node search step.

According to another embodiment of the present invention, in the present invention, the attribute comparison step compares the similarity factor with the subgraph calculation step of calculating the similarity factor based on the inflow subgraph and the comparison reference subgraph, and compares the similarity factor with each subgraph. And a similarity return step of returning the similarity, wherein the similarity factor is calculated based on nodes and edges of each subgraph.

According to another embodiment of the present invention, the present invention, the similarity return step, based on the difference between the similarity factor of the inflow subgraph and the similarity factor of the comparison reference subgraph, the smaller the difference, the higher the similarity value. It is characterized by returning.

According to another embodiment of the present invention, the present invention is characterized in that it further comprises a risk calculation step of calculating the risk of the subgraph.

According to another embodiment of the present invention, the present invention is characterized in that the risk calculating step calculates a risk based on a label value of a reference node and a weight of an edge connected to the reference node.

According to another embodiment of the present invention, the present invention is characterized in that it further comprises a screening management step of screening and storing frequent patterns.

According to the present invention, the following effects can be obtained according to the configuration, combination, and use relationship described above with respect to the present embodiment.

The present invention includes an inflow graph data generation step of storing the collected log data as inflow graph data, wherein the inflow graph data generation step includes individual element designation steps for designating each element of the log data as graph elements and stored data. By storing the collected log data as graph data by configuring to include a labeling step of labeling at least a part of the graph elements, by sub-graphing the frequent patterns, and comparing similarity with the comparative reference graph data, It has the effect of providing log pattern similar pattern matching and risk management method based on graph database that enables efficient security control by finding, screening, and managing data with high threat potential.

In the present invention, the individual element designation step comprises: generating a node when there is no node having a value corresponding to the value of the first element or the second element by analyzing the collected log data, and generating the log data. It is configured to include the node designation step of designating the 1st element and the 2nd element as the 1st node and the 2nd node, and the edge designation step of designating the 3rd element of the log data as an edge. By designating, selecting and managing the data with high threat potential, we derive the effect of providing similar pattern matching and risk management method based on the graph database that enables efficient security control.

In the present invention, the individual element designation step is further configured to further include a weight designation step of designating a weight according to the type of the edge, and a graph database for efficiently extracting data having a high threat potential according to the threat type of the collected data Based log data, similar pattern matching and risk management are provided.

The present invention is characterized in that the first element is an attacker resource, the second element is a threat resource, and the edge is a threat method. It has the effect of providing similar pattern matching and risk management methods based on graph data to search for data with high probability.

The present invention is configured to further include an attribute comparison step of calculating similarity by a pattern matching between a subgraph determination step of setting each subgraph and a pattern matching between the subgraphs for comparison of the inflow graph data and comparison reference graph data. It has the effect of providing similar pattern matching and risk management methods based on graph database that efficiently finds data with a high probability of threat through similar pattern matching.

In the present invention, the sub-graph determining step, a reference node setting step of setting a reference node as a reference for the sub-graph, a first edge search step of searching for and specifying an edge connected to the reference node, connected to the reference node and the edge Provides a graph database-based log data similar pattern matching and risk management method that systematically constructs a subgraph by searching for the first connection node search step to search for the first connection node, and efficiently finds data with a high threat potential. .

The present invention, the first edge search step, by searching only the in-edge of the edges connected to the reference node to designate the edge of the subgraph, but configured to exclude that the weight of the in-edge is 0, the calculation of similar pattern matching It has the effect of providing a similar pattern matching and risk management method based on graph data that enables efficient and efficient frequent pattern selection.

In the present invention, the sub-graph determining step includes an edge clean-up step of deleting an edge having a weight of 0 before the reference node setting step, and a weight among the edges connected to the first connection node after the first connection node search step. It is configured to further include a second edge search step of designating a non-zero in-edge as an edge of the subgraph and a second connection node search step of designating a node connected as an edge to the first connection node as the second connection node. Therefore, it has the effect of providing a similar pattern matching and risk management method based on graph data, which is capable of efficient computation and responds to diversified threats.

In the present invention, the attribute comparison step includes a similarity return step of returning the similarity of each subgraph by comparing the similarity factor with the subgraph calculation step of calculating the similarity factor based on the inflow subgraph and the comparison reference subgraph. , The similarity factor is configured to be calculated based on nodes and edges of each subgraph, thereby providing an effect of providing a pattern matching and risk management method of log data based on a graph database that enables quantitative comparison of subgraphs.

In the present invention, the similarity returning step is based on the difference between the similarity factor of the inflow subgraph and the similarity factor of the comparison reference subgraph, so that the smaller the difference is, the higher the similarity value is efficiently selected, thereby frequently selecting frequent patterns This has the effect of providing a similar method of pattern matching and risk management based on the graph database.

The present invention can be configured to further include a risk calculation step of calculating the risk of the subgraph to provide a graph database-based log data similar pattern matching and risk management method for effectively notifying the risk of the incoming data.

In the present invention, the risk calculation step is configured to calculate a risk based on a label value of a reference node and a weight of an edge connected to the reference node, so that the risk is variably notified according to the target resource and the threat type It provides database-based log data similar pattern matching and risk management methods.

The present invention is configured to further include a screening management step of selecting, storing, and managing frequent patterns to efficiently manage the selected frequent patterns to improve the efficiency of the security control system. Derive the effect that provides the method.

1 is a flow chart of a method for matching and risk management of log data similar patterns based on a graph database according to an embodiment of the present invention.
2 is a block diagram of a system that executes a method for matching and risk management of similar patterns in log data based on a graph database according to an embodiment of the present invention.
Figure 3 is a flow chart showing the step of generating the inflow graph data of Figure 1;
4 is a view showing an embodiment of the individual element designation step and labeling step of FIG. 3;
Figure 5 is a flow chart showing the individual element designation step of Figure 3;
6 is a flowchart illustrating a subgraph determination step of FIG. 1.
FIG. 7 is a view showing an embodiment of the subgraph determination step of FIG. 6.
8 is a flow chart showing the attribute comparison step of FIG.
9 is a view showing an embodiment of the attribute comparison step of FIG. 8;
10 is a flow chart showing the selection management step of Figure 1;

Hereinafter, preferred embodiments of the graph database-based log data similar pattern matching and risk management method according to the present invention will be described in detail with reference to the accompanying drawings. In the following description of the present invention, when it is determined that a detailed description of known functions or configurations may unnecessarily obscure the subject matter of the present invention, the detailed description will be omitted. Unless otherwise specified, all terms in this specification are the same as the general meaning of the term understood by a person skilled in the art to which the present invention belongs, and if there is a conflict with the meaning of the term used herein It follows the definition used in the specification.

Throughout the specification, when a part “includes” a certain component, this means that other components are not excluded, and that other components may be further included unless specifically stated to the contrary. Hereinafter, the present invention will be described in detail by describing preferred embodiments of the present invention with reference to the accompanying drawings.

In this specification, a threat means that a malicious activity targeting an information resource is performed. Since there can be various types of threats, there can be various types of threats depending on the threat type and the threat type. In addition, the attacker resource is information related to assets for performing malicious actions, and may include IP, domain, and malicious code.

In this specification, graph data is a data base based on graph theory, and includes nodes, edges, and labels. The node is an object to be tracked, and in this specification, information resources such as an attacker resource or a threat target resource may be plotted as a node. Accordingly, the concept of identifying assets such as IP and domain is plotted on the node. Edge represents the relationship between nodes. When data is transmitted from one node to another, the edge may have a direction. In addition, such an edge may have a weight, and in this specification, the edge is weighted according to the risk accompanying the threat type. Labels are related to node information and can be classified into the same set by labeling multiple nodes. In the present specification, the label may be labeled according to the importance of the asset, or may be labeled according to the threat level of the incoming data.

1 is a graph database based log data similar pattern matching and risk management method according to an embodiment of the present invention. Referring to FIG. 1, the method for matching and risk management of log data similar patterns based on this graph database (S1) specifies the collected log data as graph data, determines a subgraph for frequent patterns, and compares similarity with comparative reference graph data. By comparison, it is possible to efficiently control data by finding, screening, and managing threat-prone data, and may include an inflow graph data generation step (S10).

FIG. 2 is a block diagram of a system 1 according to a method for matching and matching risk patterns of log data based on a graph database according to an embodiment of the present invention. The system may collect and normalize log data from the graph data generation unit 10, and generate inflow graph data.

The graph data analysis unit 30 may generate a subgraph with respect to the incoming graph data and the comparison reference graph data, determine similarity using a pattern matching technique, and calculate a risk.

3 is a flowchart illustrating an inflow graph data generation step (S10) according to an embodiment of the present invention. Referring to FIG. 3, the inflow graph data generation step (S10) is to designate by converting the collected log data into inflow graph data. The present invention is to convert the collected log data into graph data, and compare the comparison with the reference graph data to calculate the similarity, so as to find out the frequent pattern, to generate graph data through a predetermined process. The inflow graph data generation step (S10) may include a pre-processing step (S11), an individual element designation step (S13), and a labeling step (S15).

The pre-processing step (S11) is a process of collecting logs transmitted from components of the network, converting them into a normal format, and processing them. In one embodiment of the present invention, a log generated from an endpoint or a security control system such as SIEM or IPS may be collected. The collected logs include source IP information, destination IP information, source port information, destination port information, host information, payload information, HTTP It may include at least one of referrer (hypertext transfer protocol referer) information and the number of security events. In addition, the normalized log may be composed of data including fields including Time, Type, SentIP, DestIP, Payload, and the like. At this time, Time can be the detection time of the event, Type is the type of the event, SentIP is the source IP, DestIP is the destination IP of the event, and Payload can be information about the attack in the log. It can be seen that the information and / or fields included in the log and the normalized log are exemplary, and may include other information and / or fields required for security control. The collected data may lack some of the above information, may be included redundantly, or may have different types of field values. Accordingly, in the pre-processing step 11, log data may be converted to a normal format, and data may be refined such as filling a missing value or deleting a duplicate value.

5 is a flowchart of an individual element designation step (S13) according to an embodiment of the present invention. Referring to FIG. 5, the individual element designation step (S13) is a step of converting pre-processed log data into inflow graph data. The normalized log data has information necessary for conversion to necessary nodes, edges, labels, etc., which are elements of graph data, and matches log data in the individual element designation step (S13) to be stored as elements of graph data. The individual element designation step (S13) may include a node creation step (S131), a node designation step (S133), an edge designation step (S135), and a weight designation step (S137).

In the node creation step (S131), when there is no node having a value corresponding to the value of the first element or the second element by analyzing the collected log data, a node having a corresponding value is generated. If this is described with reference to FIG. 4, the normalized log may include various information as described above. In the node creation step (S131), a value is checked for a first element in the log, and it is determined whether a node having a corresponding value exists. If a node with a corresponding value exists, a new node is not created. If a node with a corresponding value does not exist, a new node is created. The generated new node has the value of the first element of log data. The same operation is repeated for the second element of log data.

In one embodiment of the invention, the first element may be an attacker resource. Attacker resources are resources that perform malicious acts on information resources. The attacker resource may include an IP (IP), a domain, and a malicious code as described above, and preferably, the IP may be a first element. The pre-processed log may include the source IP of the data in the field name SentIP.

In one embodiment of the present invention, the second element may be a resource to be threatened. It can be regarded as a target resource when malicious action is performed by an attacker resource. The threat target resource may be an IP, a domain, or a system, and is not limited to a specific concept. Preferably, the IP of the target, which is the object of malicious activity, can be used as the second element. The pre-processed log may include the destination IP of data as a field name of DestIP.

The node designation step (S133) is a step of designating the first and second elements of the log data as the first node and the second node of the inflow graph data. For the node created or already existed in the node creation step (S131), preferably, a node having a value corresponding to a source IP is designated as a first node, and a node having a value corresponding to a destination IP is a second node. Is specified as. In this way, the attacker resource and the target resource of the data are plotted as the first node and the second node in the graph data.

The edge designation step (S135) is a step of designating the third element of log data as an edge. In the log data, the transmission of data from the origin to the destination is recorded. Therefore, the first node and the second node are connected by expressing data transmission as an edge. Here, the connected edge may be generated differently depending on the type of data. For example, the connection due to the edge may include communication, attack, data dissemination, and threats. The specified edge may have a relationship of rectification listed above, but the connection relationship listed above is an example, and is not limited thereto, and may indicate various other relationships.

In the weight designation step (S137), the weight of the edge may be designated according to the connection relationship between the edges. The log data may include the contents of the threat from the attacker resource to the threat target resource. In this case, the content of the threat and its type can be included in the edge. In addition, there may be an edge due to data transmission that does not involve the threat content, and in this case, the threat content and type will not be included in the edge. In the weighting step (S137), the threat content and / or type of threats are derived from the risk calculation according to the DB or threat type stored according to the threat content and / or type included in the edge and designated as the weight of the edge. In one embodiment of the present invention, data transmitted from the first element to the second element may be analyzed to assign an int type weight according to the threat type. At this time, if there is no threat in the transmitted data, the weight may be 0. In another embodiment of the present invention, a real number of a double type rather than an int type may be designated as a weight.

Referring to FIGS. 4 and 5, the process of the individual element designation step (S13) is described, and after analyzing the normalized log, extracting the first to third elements, and corresponding to the values of the first and second elements Search for nodes with values of A and B. If there are no nodes with A and B values, a new node is created, and nodes with A and B values are designated as graph elements. Then, an edge from A to B is generated, and the third element is analyzed to display the connection relationship of the nodes. In the embodiment illustrated in FIG. 4, a connection relationship between C and D may be displayed. The inflow graph data can be completed by specifying the weight by analyzing the connection relationship of the nodes, that is, the transmitted data.

The labeling step (S15) is a step of labeling at least a part of the designated graph element according to its characteristics. Preferably, a label value may be assigned to a node corresponding to the second node among nodes of the incoming graph data. In addition, in another embodiment of the present invention, not only the node corresponding to the second node but also the node corresponding to the first node may be labeled. The method of labeling may be known or known, but preferably, it may be designated according to the importance of the threatened resource, and the value of the label may be preferably defined in the real region. In the embodiment illustrated in FIG. 4, it can be confirmed that the label value of Y was assigned to the threat target resource corresponding to the second element, and the label value of X was assigned to the attacker resource corresponding to the first element.

When the incoming graph data is completed, the graph data analysis unit 30 searches for frequent patterns through similar pattern matching between the incoming graph data and the pre-stored comparison reference graph data. The frequent pattern refers to similar or identical patterns that may be continuously generated or generated among various patterns existing in graph data. This pattern can represent a major data transfer. Among the main data, there may be a threat to external information resources, so it is necessary to find and manage frequent patterns. As a process for finding out the frequent pattern, a subgraph determination step (S20) and an attribute comparison step (S30) may be included.

The sub-graph determination step (S20) is a step of setting a sub-graph for comparison of the incoming graph data and the comparison reference graph data. A subgraph is a graph composed of a part of nodes and edges of a graph, and the subgraph H of graph G satisfies Equation 1 below. Accordingly, the inflow subgraph and the comparison reference subgraph are determined.

Equation 1

At this time, V (H) corresponds to the node of the subgraph H, V (G) corresponds to the node of the graph G, E (H) corresponds to the edge of the subgraph H, and E (G) corresponds to the edge of the graph G.

There may be multiple nodes and edges of the incoming datagraph. Therefore, the number of subgraphs that can be generated from the incoming data graph is also large, and it is possible to search for frequent patterns with similar pattern matching by specifying the subgraphs individually, but in this case, the amount and time of the operation are exponential. There must be many. Therefore, the amount and time of calculation can be reduced by designating the subgraph according to a certain criterion.

6 is a flowchart illustrating a subgraph determination step S20 according to an embodiment of the present invention. Referring to FIG. 6, the subgraph determination step (S20) may include a reference node setting step (S21), a first edge search step (S23), and a first connection node search step (S25), and a second edge. A search step (S27) and a second connection node search step (S29) may be further included. 7 is a diagram illustrating inflow graph data constructed according to an embodiment of the present invention. The following will be described with reference to FIG. 7.

In the reference node setting step (S21), a reference node serving as a reference for the subgraph is set. By setting the reference node, it is possible to efficiently reduce the calculation time and the amount of calculation by determining and comparing subgraphs that meet the conditions without having to compare the subgraphs centered on all nodes. In the reference node setting step (S21), the reference node setting step may have various methods and criteria, but in a preferred embodiment of the present invention, the reference node setting step (S21) is performed among a plurality of nodes to which the same label value is assigned. The node having the maximum number of in-edges may be set as a reference node. At this time, the in-edge refers to an edge in a direction that enters a corresponding node among edges, which are flows of directional data, and in the present invention, when an node is a second element that is a destination of data, an in-edge may be defined.

The graph data shown in FIG. 7 shows some of the inflow graph data according to an embodiment of the present invention. As can be seen from the inflow graph data, nodes N1, N2 and V1 to V4 exist, and labels of N1 and N2 are designated as 3. The edges are E1 to E5. The number indicated on each edge refers to the weight according to the type of threat.

When the process of setting the reference node in the inflow graph data of FIG. 7 is described, it is determined which of the N1 and N2 nodes having the same label as 3 is the reference node. In this case, N1 with a larger number of in-edges will be the reference node. The large number of in-edges means that more data flows into the resource, so the relative importance of the resource may be greater than the resource corresponding to other nodes.

In the reference node setting step S21 according to another embodiment of the present invention, a node having the maximum sum of the weights of the edges rather than the number of edges may be set as the reference node. In this case, the N1 node has a sum of the weights of the in-edge, and the N2 node has a sum of the weights of the in-edges, so N1 will be set as a reference node. A high sum of in-edge weights means that they are subjected to many threatening attacks, which means that the importance of the resource is greater than other resources.

In the reference node setting step (S21) according to another embodiment of the present invention, when a node having the largest number of in-edges among a plurality of nodes to which the same label value is assigned is set as a reference node, when counting the number of in-edges It can be excluded that the weight of the in-edge is 0. An edge with a weight of 0 means that the transmission of data from the first element to the second element is not a threat. The purpose of the present invention is to search for and manage the transmission of log data containing the threat type or content in a frequent pattern, so an edge containing data without threats may be excluded from the criteria for setting the reference node.

The subgraph determining step S20 according to another embodiment of the present invention may include an edge rearranging step S22 before or after the reference node setting step S21 for setting the reference node. In the edge rearranging step (S22), an edge having a weight of 0 is deleted, so that the computation time and computation amount can be reduced. When data that does not contain a threat type or content is transmitted, the corresponding edge may be assigned a weight of 0. In this case, in order to remove the computational waste in the reference node setting step (S21) during the frequent pattern search, it is possible to determine an effective subgraph in the inflow graph data by deleting the edge having a weight of 0.

Referring to FIG. 7, the edge rearranging step (S22) is preferably performed before the reference node setting step (S21), and since the edge corresponding to the weight is deleted, E5 having a weight of 0 in the inflow graph data is deleted. Can be removed. In this case, when setting the reference node, the edge to N1 may be counted as two instead of three.

The first edge search step S23 may search for an edge connected to a reference node and designate it as an element of a subgraph. The subgraph consists of nodes and edges, and is intended to designate the components of the subgraph for similar pattern matching. Sub-graphs only for nodes that do not specify an edge may exist, but in that case, analysis is meaningless because it does not have information according to data transmission. In the first edge search step (S23) according to an embodiment of the present invention, an edge connected to a reference node may be searched and designated as an edge of a subgraph, but preferably, only an in-edge among edges connected to a reference node is searched for the subgraph. It can be specified as the edge. Normal information resources are highly unlikely to transmit threat data unless otherwise specified. For efficiency of calculation, the out edge can be excluded from the edge of the subgraph.

In the first edge search step (S23) according to another embodiment of the present invention, an out edge among the edges connected to the reference node may be designated as an edge of the subgraph, and the formulation 1 edge search step (S23) according to another embodiment. In), only the weight of the reference node that has a non-zero weight can be designated as the edge of the subgraph. In this case, the information resource corresponding to the reference node becomes a so-called zombie PC and transmits threat data to other information resources. This also can be a threat to other information resources, so it needs to be selected and managed as a frequent pattern. have.

Referring to FIG. 7, E1, E2, and E5 exist for the edge of the reference node N1. All of the in-edges may be designated as the edges of the subgraph, but for the E5, E5 may be removed or may not be designated as the edge of the subgraph according to a specific embodiment.

The first connection node search step (S25) is a step of searching for a node connected by the reference node and the edge specified in the first edge search step (S23) and designating it as the first connection node. The subgraph is composed of a node and an edge, and the edge connects between the node and the node, and is a step of configuring the subgraph by designating the first connection node as a node of the subgraph. In a preferred embodiment of the present invention, nodes designated as the first connection node through the first connection node discovery step (S25) will be an attacker resource that directly transmits threat data to the information resource serving as a reference node. Referring to FIG. 7, V1 and V2 nodes transmitting threat data to the reference node N1 will be the first connection node.

As described above, the sub-graph determination step (S20) may further include a second edge search step (S27) and a second connection node search step (S29). The above steps (S27 and S29) may be performed to search for an attacker resource that indirectly transmits threat data, rather than an attacker resource that directly transmits threat data to the target resource. For example, in the case of a DDos attack, since the remote PC infects multiple zombie PCs and the infected zombie PC attacks the threat target resource, the second edge search step (S27) and the second step for managing such patterns are also frequently used. Two connection node search step (S29) may be performed.

In the second edge search step (S27), the edge connected to the first connection node is searched, and only the in-edge is searched, but only the weight of the in-edge is non-zero to be designated as the second edge of the subgraph. You can.

In the second connection node search step (S29), a node connected to the first connection node and an edge is searched, but only the node connected to the second edge of the subgraph can be designated as the second connection node. Referring to FIG. 7, the weight is designated as 1, so E3 that is not 0 is designated as the second edge, and the V3 node will be designated as the second connection node.

8 is a flowchart illustrating an attribute comparison step (S30) according to an embodiment of the present invention, and FIG. 9 shows an example of a subgraph in the subgraph operation step (S31) according to an embodiment of the present invention It is one drawing. Hereinafter, the attribute comparison step (S30) will be described with reference to FIGS. 8 and 9. In the attribute comparison step (S30), after subgraphs are set for the incoming graph data and the comparison reference graph data, the subgraphs are compared with similar pattern matching and similarity is returned. The attribute comparison step (S30) may include a subgraph operation step (S31) and a similarity return step (S33).

The subgraph operation step S31 is a step of calculating the similarity factor F by comparing the inflow subgraph and the comparison reference subgraph. The similarity factor F is a measure indicating how similar the two subgraphs are, and is calculated based on the nodes and edges of each subgraph.

The similarity factor (F) can be calculated in a number of ways. The methods for comparing the two subgraphs and calculating the similarity factor F based on the node and the edge are within the scope of the present invention, but preferably, the similarity factor F of the subgraph operation step S31 is as follows. It can be calculated through Equation 1.

(Equation 1)

At this time, the minimum distance between each node is the minimum number of edges from any one node to another node in a node constituting the subgraph. If this is described with reference to FIG. 9, nodes constituting the inflow subgraph are N1, V1 to V3, and edges E1 to E3 exist. The nodes constituting the comparison reference subgraph are N3, V5, and V6, and the edges are E5 and E6.

When calculating the similarity factor (F) of the inflow subgraph, the combination of each node is (N1, V1), (N1, V2), (N1, V3), (V1, V2), (V1, V3), (V2) , V3), and the minimum distance of the combination is 1, 1, 2, 2, 3, 1, respectively. Summing them together, the similarity factor (F) is calculated as 10. When calculating the similarity factor (F) of the comparison reference subgraph, the combination of each node becomes (N3, V5), (N3, V6), (V5, V6), and the minimum distance of the combination is 1, 1, 2, respectively. And the similarity factor (F) is calculated as 4. The similarity factor (F) tends to increase when the threat is performed by many attacker resources against the reference node.

In the subgraph operation step S31 according to another embodiment of the present invention, the similarity factor F2 is calculated, but the similarity factor may be calculated based on nodes, edges, and weights. The above-described calculation of the similarity factor (F) is the minimum number of edges from any node to another node when determining the minimum distance between nodes, and increases the value of 1 when passing an edge, but the similarity factor ( In the case of obtaining the minimum distance, F2) may increase the weight value of the edge when passing an edge. Accordingly, when calculating the example of FIG. 9, the similarity factor F2 of the comparison reference subgraph becomes 10, which is the sum of 3, 2, and 5. The similarity factor (F2) in the corresponding case is calculated by considering the threat content in the attacker resource.

In the subgraph operation step S31 according to another embodiment of the present invention, when calculating the similarity factor F3, it is calculated through Equation 1 above, but it can be calculated by dividing the calculated value by the number of nodes in the subgraph. The similarity factor F3 of the comparison reference subgraph may be 1.33 by dividing the value 4 according to Equation 1 by the number of nodes 3. The similarity factor (F3) corresponds to a method of canceling the rapid increase in the similarity factor (F3) due to an increase in attacker resources.

The similarity return step (S33) calculates a difference in the similarity factor (F, F2, F3, etc.) between the inflow subgraph and the comparison reference subgraph calculated in the subgraph operation step (S31), and the smaller the difference is, the higher the similarity value is. Can return When the difference between the similarity factors is 0, the similarity may have the highest value. In the similarity return step (S33), a conversion formula of various methods may be used to convert the difference value of the similarity factor to similarity, and a known or known conversion formula may be used. Further, in one embodiment of the present invention, the similarity may be returned in a numeric format, but in other embodiments, the similarity steps may be classified and returned according to the similarity factor. The similarity return method is not limited to the above-described examples, and other return methods such as using a value obtained by dividing the similarity factor rather than the difference between the similarity factors may be used. In the similarity return step (S33)

Furthermore, the graph database-based log data similar pattern matching and risk management method S1 according to an embodiment of the present invention can calculate the risk R of the inflow subgraph and notify the user. Accordingly, the graph database based log data similar pattern matching and risk management method (S1) according to an embodiment of the present invention may further include a risk calculation step (S40).

In the risk calculation step S40, the risk R is calculated based on the nodes and edges of the graph data. The risk (R) can be calculated in a number of ways, several methods for calculating the risk (R) based on the node and the edge is within the scope of the present invention, preferably, the risk of the risk calculation step (S40) (R) can be calculated through Equation 2 below.

(Equation 2)

At this time, R is the risk, and L is the label value assigned to the reference node of the subgraph. When this is described with reference to FIG. 9, the risk (R) of the inflow subgraph can be calculated as a value of 21 by multiplying the label value 3 and 7, which is the sum of the edge weights connected to the reference node. The risk (R) is calculated to take into account the importance or vulnerability of the target asset corresponding to the reference node, the threat of the content of the threat and the frequency of occurrence of the threat.

In another embodiment of the present invention, the risk (R2) may include the edge directly connected to the reference node as well as the indirectly connected edge to obtain the risk. Referring to FIG. 9, since the weight of E3 is considered in the inflow subgraph, the risk may be calculated as 24. The method of calculating the risks (R, R2) is not limited to the illustrated method, and may be any method that can consider the threat type and the importance of the target resource. It is obvious that the calculated risk R can be notified to the user by various visual and audible methods.

When similarity and / or risk are calculated according to the above steps, it is necessary to select and store frequent patterns. The stored frequent pattern can be used as a comparison reference subgraph when data is subsequently introduced. Accordingly, the graph database-based log data similar pattern matching and risk management method (S1) according to the present invention may further include a screening management step (S50).

10 is a flowchart illustrating a screening management step (S50) according to an embodiment of the present invention. Referring to FIG. 10, in the screening management step (S50), frequent patterns may be selected and stored. As described above, the frequent pattern may be an attempt to threaten the target resource, and thus is stored and managed separately. The selection management step (S50) may include a frequent pattern selection step (S51) and a storage step (S53).

The frequent pattern selection step S51 may define inflow graph data and / or subgraphs as frequent patterns according to a standard. The reference value that can be defined can be defined as various functions or constants, and can be defined as different values according to the purpose of the security control system. Inflow graph data and / or subgraphs having similarities above the reference value are defined and managed as frequent patterns.

The management step (S53) may store and manage the selected frequent pattern. The selected frequent patterns can be stored in the DB, the frequent patterns stored in the DB can be analyzed, or, if there is incoming data, it can be called into a comparison criteria graph to perform comparison.

After specifying the log data collected as the graph data according to the above steps, subgraphs are determined for the frequent patterns, and the similarity is compared with the comparative reference graph data to find, screen, and manage data with a high threat potential for effective security control. A possible pattern matching and risk management method can be performed based on possible graph database.

The embodiment of the present invention described above is not implemented only through an apparatus and a method, and may be implemented through a program that realizes a function corresponding to the configuration of the embodiment of the present invention or a recording medium in which the program is recorded. The implementation can be easily implemented by those skilled in the art to which the present invention pertains from the description of the above-described embodiments.

The above detailed description is to illustrate the present invention. In addition, the foregoing is a description of preferred embodiments of the present invention, and the present invention can be used in various other combinations, modifications and environments. That is, it is possible to change or modify the scope of the concept of the invention disclosed herein, the scope equivalent to the disclosed contents, and / or the scope of the art or knowledge in the art. The embodiments described describe the best state for implementing the technical idea of the present invention, and various changes required in specific application fields and uses of the present invention are possible. Accordingly, the detailed description of the invention is not intended to limit the invention to the disclosed embodiments. In addition, the appended claims should be construed to include other embodiments.

S1: Graph database based log data similar pattern matching and risk management method
S10: Step of generating inflow graph data
S11: Pre-processing step S13: Individual element designation step
S131: node creation step S133: node designation step
S135: Edge designation step S137: Weight designation step
S15: Labeling step
S20: Subgraph determination step
S21: Reference node setting step S22: Edge cleanup step
S23: first edge search step S25: second connection node search step
S27: second edge search step S29: second connection node search step
S30: Quick comparison step
S31: Subgraph operation step S33: Similarity return step
S40: Risk calculation stage
S50: Screening management stage
S51: Frequent pattern selection step S53: Management step
F: Similarity factor R: Risk

Claims (18)

And generating inflow graph data to store the collected log data as inflow graph data.
The inflow graph data generation step includes an individual element designation step of designating each element of the log data as a graph element and a labeling step of labeling at least a portion of the stored graph elements,
The individual element designation step is a node generation step of generating a node when there is no node having a value corresponding to the value of the first element or the second element by analyzing the collected log data, and the first element and the first element of the log data. A graph database-based log data similar pattern matching and risk management method comprising a node designation step of designating 2 elements as a first node and a second node and an edge designation designation of a 3rd element of log data as an edge. . delete The method of claim 1, wherein the step of designating the individual elements,
A graph database-based log data similar pattern matching and risk management method, further comprising a weight designating step of designating a weight according to the type of the edge. The graph database based log data similar pattern matching and risk management method according to claim 1, wherein the first element is an attacker resource, the second element is a threat target resource, and the edge is a threat method. The similarity can be determined by generating inflow graph data that stores the collected log data as inflow graph data, and determining subgraphs to set each subgraph for comparison between the inflow graph data and comparison reference graph data, and pattern matching between subgraphs. Comprising the attribute comparison step to calculate,
The inflow graph data generation step includes an individual element designation step of designating each element of the log data as a graph element and a labeling step of labeling at least a portion of the stored graph elements,
The sub-graph determination step,
A reference node setting step of setting a reference node to be a subgraph reference, a first edge search step of searching for and specifying an edge connected to the reference node, and a first connection node searching for a first connection node connected to the reference node and the edge A graph database based log data similar pattern matching and risk management method comprising a search step.
delete According to claim 5, The reference node setting step,
A graph database-based log data similar pattern matching and risk management method, characterized in that a node having the same number of edges with the same label is set as a reference node. According to claim 5, The reference node setting step,
A graph database-based log data similar pattern matching and risk management method, characterized in that a node having the same weight among the nodes with the same label is set as a reference node. The method of claim 7 or 8, wherein the first edge search step,
A graph database-based log data similar pattern matching and risk management method characterized by searching only the in-edge among the edges connected to the reference node and designating it as an edge of the subgraph, except that the weight of the in-edge is zero. The method of claim 9, wherein the sub-graph determination step,
An edge clearing step of deleting an edge having a weight of 0 before the reference node setting step;
After the first connection node search step, a second edge search step of designating an edge in which the weight is not 0 among edges connected to the first connection node is designated as an edge of the subgraph, and
A graph database-based log data similar pattern matching and risk management method, further comprising a second connection node search step of designating a node connected as an edge to the first connection node as a second connection node. The method of claim 5, wherein the attribute comparison step,
A subgraph operation step of calculating the similarity factor based on the inflow subgraph and the comparison reference subgraph and a similarity return step of comparing the similarity factor and returning the similarity of each subgraph,
The similarity factor is calculated based on the nodes and edges of each subgraph, and the graph database-based log data similar pattern matching and risk management method. The method of claim 11, wherein the similarity factor is,
A graph database based log data similar pattern matching and risk management method, which is calculated through Equation 1 below according to the nodes and edges constituting each subgraph.
(Equation 1)

At this time, F is a similarity factor, and the minimum distance between each node is the minimum number of edges from any one node to another node in the subgraph. The method of claim 12, wherein the similarity return step,
A graph database based log data similarity pattern matching and risk management method characterized by returning a higher similarity value based on the difference between the similarity factor of the inflow subgraph and the similarity factor of the comparison reference subgraph. The method according to claim 5, further comprising a risk calculation step of calculating a risk of the subgraph, a log database similar pattern matching and risk management method. 15. The method of claim 14, The risk calculation step,
A graph database based log data similar pattern matching and risk management method, characterized in that a risk is calculated based on a label value of a reference node and a weight of an edge connected to the reference node. 16. The method according to claim 15, wherein the risk is calculated according to Equation 2 below.
(Equation 2)

At this time, R is the risk and L is the label value assigned to the reference node. The method of claim 5, further comprising a screening management step of selecting and storing and managing the frequent patterns. The method of claim 17, wherein the selection management step,
Based on a graph database characterized by including a frequent pattern selection step of defining frequent patterns by determining similarity according to criteria defined in advance as a function or constant and a management step of storing and managing inflow subgraphs corresponding to frequent patterns Log data similar pattern matching and risk management method.

Images