KR102160950B1 - Data Distribution System and Its Method for Security Vulnerability Inspection - Google Patents

Abstract

The present invention relates to a data distributed processing system and a method thereof upon security vulnerability inspection, and more particularly, to a data distributed processing system upon security vulnerability inspection, which includes: a diagnostic command generation unit that generates a diagnostic command, in order to solve a problem in which a load is generated on a diagnosis target system to be diagnosed or a system corresponding to an analysis server when diagnosing security vulnerability; a communication unit that accesses the diagnosis target system, transmits the diagnosis command, and receives a result file; a distributed processing unit that tags data in the result file according to a predetermined criterion, and distributes and stores the data in the result file; and a diagnosis execution unit that diagnoses security vulnerability based on the result file, wherein the diagnosis command can increase the efficiency of resource use by generating a two-step structure by selectively classifying diagnosis-related information for diagnosis items collected by each diagnosis target system by classifying the collected diagnosis-related information based on resources required for vulnerability diagnosis analysis, tagging diagnosis-related information data in advance according to the characteristics of the diagnosis-related information data, and diagnosing security vulnerability separately, and effectively diagnosing the security vulnerability by distributing resources used when diagnosing the security vulnerability by classifying data from the diagnosis target system by type in the analysis server when diagnosing the security vulnerability and diagnosing the security vulnerability.

Description

Data Distribution System and Its Method for Security Vulnerability Inspection}

The present invention relates to a data distribution processing system and a method thereof when checking a security vulnerability, and more particularly, to solve a problem that a load is generated on a system corresponding to a diagnosis target system or an analysis server to be diagnosed when a security vulnerability is diagnosed. For this purpose, a diagnosis command generation unit that generates a diagnosis command, a communication unit that connects to the diagnosis target system to transmit the diagnosis command and receives a result file, and stores the data in the result file by designating a tag according to a predetermined standard, and distributing it. It includes a distributed processing unit and a diagnosis performing unit for diagnosing security weaknesses based on the result file, and the diagnosis command classifies collected diagnosis-related information based on resources required for vulnerability diagnosis analysis, and characterizes diagnosis-related information data. By setting tags in advance and diagnosing security weaknesses separately, the diagnostic-related information on the diagnostic items collected by each diagnostic target system is selectively classified and a two-level structure is created to increase the efficiency of resource use. When diagnosing security vulnerabilities, the analysis server categorizes the data from the system to be diagnosed by type and executes the security vulnerability diagnosis, thereby distributing the resources used in the vulnerability diagnosis to conduct effective security vulnerability diagnosis. And to the method.

As the importance and volume of information in information assets increase, the importance of security on the network has also emerged. Security equipment and security systems such as an integrated security management system, a threat management system, and a firewall are used for the security of information assets. Currently, a large number of security events are occurring as the number of continuous and variable cyber intrusion attempts increase, and an efficient response to changing attacks is required.

Security vulnerability check is to check for threats that may allow illegal user access to the information system or threats to leakage, alteration, or deletion of important data managed by the system to be diagnosed. It refers to analyzing the security level of the system to be diagnosed after performing a check on whether a security vulnerability exists in the system.

As there are various types of systems subject to security vulnerability checks, such as client PCs and network equipment, there are cases in which an agent that checks security vulnerabilities is installed on the target system to check security vulnerabilities, and the agent cannot be installed on the target system. In some cases, the manager system checks for security vulnerabilities after sending a command or script from the manager system and receiving a response.

1 is a conventional network vulnerability analysis system and method, which enables centralized audit and analysis of vulnerability in a distributed network environment, and an inspection of the internal network of a vulnerability analysis target network 910 is performed. It consists of an agent 91 to perform, a manager 920 that receives and analyzes the results from each agent and detects vulnerabilities to De-Militarized Zones (DMZ), and a security protocol for communication between the manager and the agent. The manager analyzes each information sent by the agent, performs differential analysis on the vulnerability detection results by host and network, and generates a comparison result. The vulnerability analysis agent 91 retrieves the latest vulnerability list from the manager 920, checks for network-based vulnerabilities for a designated host in the subnet to which the agent 91 belongs, and the manager 920 The results are reported by receiving and analyzing the inspection results.

However, as shown in FIG. 2, in the case of an existing agent-based vulnerability check system, a vulnerability check was performed in the system to be diagnosed in the network to be analyzed for vulnerability 910, and the system dedicated to collecting information and executing diagnosis Since the agent 91 is executed, the diagnosis is performed using the resources of the system to be diagnosed and the result file is transmitted. In this diagnosis process, there was a problem that it was difficult to use the system normally because it occupies a large amount of resources of the diagnosis target sheetme when diagnosing a specific item. In addition, after transferring the diagnosis result file to the manager 920, which is a central analysis server, a load is generated in the process of processing data for each diagnosis related information, and the result is displayed when attempting to simultaneously diagnose security weaknesses for many assets. There was a problem that could not be analyzed. Furthermore, in recent years, as the amount of assets subject to security vulnerability diagnosis has increased, a problem that cannot perform all analysis on a limited analysis server occurs, and there are many problems with resource and time efficiency when re-executing diagnosis commands or processing them individually. Have.

Therefore, minimizing the use of resources of the system to be diagnosed when diagnosing security vulnerabilities, solving the problem that a load is generated on the system by focusing the diagnosis command and the process according to the security vulnerability diagnosis in limited resources, and collecting By selectively classifying diagnosis-related information on diagnosis items and creating a two-stage structure, the efficiency of resource use is improved.When diagnosing security weaknesses, the analysis server classifies data from the system to be diagnosed by type and performs security vulnerability diagnosis. There is a need for a diagnostic system that can perform effective security vulnerability diagnosis by distributing resources used for vulnerability diagnosis.

Korean Registered Patent Publication No. 10-0474155 (2005.02.22.)

The present invention was devised to solve the above problems,

It is an object of the present invention to provide a diagnostic command generation unit that generates a diagnostic command that is executed in a system to be diagnosed for diagnosing a security vulnerability, a communication unit that connects to the system to be diagnosed to transmit the diagnostic command and receives a result file, and the result file In the vulnerability diagnosis analysis, the diagnosis-related information collected for security vulnerability diagnosis including a distributed processing unit that tags and stores my data according to predetermined criteria and a diagnosis execution unit that diagnoses security weaknesses based on the result file. Classifications based on required resources, and by setting tags in advance according to the characteristics of diagnosis-related information data and separately performing security vulnerability diagnosis, diagnosis-related information on diagnosis items collected by each diagnosis target system is selectively selected. By classifying and creating a two-level structure, the efficiency of resource use is improved, and the analysis server classifies the data from the system to be diagnosed by type in the analysis server when diagnosing security vulnerabilities, and by performing security vulnerability diagnosis, the resources used in the vulnerability diagnosis are distributed and effective security. It is to provide a data distribution processing system when checking security weaknesses that can perform vulnerability diagnosis.

An object of the present invention is that the diagnosis command generation unit includes an information collection module, and the information collection module generates a result file by collecting diagnosis related information for diagnosing a security vulnerability of the system to be diagnosed by the generated diagnosis command. It is to provide a data distribution processing system when checking security weaknesses.

An object of the present invention is to further include a selective classification module to classify the diagnosis-related information collected by the diagnosis command based on resources required for vulnerability diagnosis analysis, and the overload of resources when diagnosing security weaknesses. It is to provide a data distribution processing system when checking security weaknesses that minimize

It is an object of the present invention to provide a data distribution processing system for classifying diagnostic-related information based on at least one resource utilization rate among CPU, memory, GPU, and disk used when diagnosing a security vulnerability. To provide.

An object of the present invention is to provide the selective classification module to classify the diagnosis-related information into data to perform vulnerability diagnosis through an in-memory method and data to perform vulnerability diagnosis through multiple core allocation. To provide a system.

It is an object of the present invention to include a tagging module for setting a tag to the diagnosis related information so that the distributed processing unit can distribute and register the collected diagnosis related information so that the classified diagnosis related information can be identified according to the tag. It is to provide a data distribution processing system when checking security weaknesses.

It is an object of the present invention to provide a data distribution processing system in which the tagging module sets a tag by grouping at least one of asset information, a diagnosis item, and a classification classified in the selective classification module into the diagnosis related information. To provide.

An object of the present invention is that the distributed processing unit generates at least one distribution tree in which diagnosis related information is stored, and a distribution tree generation module that sets resources to be used for the distribution tree, and the diagnosis related information in the distribution tree according to a set tag. It further includes a classification registration module that classifies and registers, and provides a data distributed processing system for security vulnerability checks that reduces resource occupancy when diagnosing security weaknesses by distributing diagnosis-related information.

An object of the present invention is to provide a data distribution processing system in which the classification registration module classifies and registers the diagnosis related information in the distribution tree based on the diagnosis item.

An object of the present invention is that the distributed processing unit further includes a threshold value setting module for setting a threshold value of a resource utilization rate when diagnosing a security vulnerability for diagnosis-related information stored in the distributed tree, and when a load is concentrated on the distributed tree It is to provide a data distribution processing system when checking security weaknesses that distribute the load.

It is an object of the present invention to provide a diagnostic unit, a parsing module for parsing diagnosis-related information stored in the distribution tree, a result extraction module for analyzing diagnosis-related information parsed by the parsing module, and diagnosis-related information and security weaknesses of the diagnosis target system. It provides a data distribution processing system when checking security weaknesses that diagnoses security weaknesses of the system to be diagnosed, including a vulnerability judgment module that compares the judgment criteria to determine whether they are vulnerable.

It is an object of the present invention to provide a data distribution processing system when the parsing module parses diagnosis-related information for diagnosis items stored in one distributed tree to prevent the occurrence of a bottleneck due to I/O speed. will be.

It is an object of the present invention to prevent the parsing module from concentrating a load on a specific resource by parsing the diagnosis related information stored in another distributed tree when the resource utilization rate exceeds a threshold value when parsing the diagnosis related information stored in the distributed tree. It is to provide a data distribution processing system when checking security weaknesses.

The present invention is implemented by an embodiment having the following configuration in order to achieve the above object.

According to an embodiment of the present invention, the present invention provides a diagnostic command generation unit that generates a diagnostic command that is executed in a system to be diagnosed for diagnosing a security vulnerability, and transmits the diagnostic command by accessing the system to be diagnosed. It characterized in that it comprises a communication unit to receive, a distributed processing unit to designate a tag according to a predetermined criterion and store the data in the result file by distributing, and a diagnosis execution unit to diagnose a security vulnerability based on the result file.

According to an embodiment of the present invention, in the present invention, the diagnostic command generation unit includes an information collection module, and the information collection module generates diagnostic-related information for diagnosing a security vulnerability of the system to be diagnosed. It is characterized by collecting and generating a result file.

According to an embodiment of the present invention, the present invention further comprises a selective classification module for classifying the diagnosis-related information collected by the diagnosis command based on resources required for vulnerability diagnosis analysis. It features.

According to an embodiment of the present invention, the selective classification module classifies diagnosis related information based on at least one resource utilization rate among CPU, memory, GPU, and disk used when diagnosing a security vulnerability. To do.

According to an embodiment of the present invention, the selective classification module classifies the diagnosis-related information into data to perform vulnerability diagnosis in an in-memory manner and data to perform vulnerability diagnosis through allocation of multiple cores. It features.

According to an embodiment of the present invention, the distributed processing unit includes a tagging module for setting a tag to the diagnosis related information so that the collected diagnosis related information can be distributed and registered.

According to an embodiment of the present invention, the tagging module sets a tag by grouping at least one of asset information, a diagnosis item, and classification classified by the selective classification module into the diagnosis related information. To do.

According to an embodiment of the present invention, the distributed processing unit generates at least one distribution tree in which diagnosis related information is stored, and a distribution tree generation module for setting resources to be used for the distribution tree, and diagnosis related information is set. It characterized in that it further comprises a classification registration module for registering and classifying the distribution tree according to the tag.

According to an embodiment of the present invention, the classification registration module classifies and registers the diagnosis related information in the distribution tree based on a diagnosis item.

According to an embodiment of the present invention, the distributed processing unit further comprises a threshold value setting module for setting a threshold value of a resource usage rate when diagnosing security weaknesses for diagnosis-related information stored in the distributed tree, and the distributed It is characterized by distributing the load when the load is concentrated on the tree.

According to an embodiment of the present invention, the present invention provides a diagnostic processing unit, a parsing module for parsing diagnosis related information stored in the distributed tree, a result extracting module for analyzing diagnosis related information parsed by the parsing module, and the diagnosis target system. It characterized in that it comprises a vulnerability determination module for determining whether or not the vulnerability by comparing the diagnosis-related information of the security vulnerability.

According to an embodiment of the present invention, the parsing module is characterized in that the parsing module prevents the occurrence of a bottleneck due to the I/O speed by parsing diagnosis related information on the diagnosis item stored in one distributed tree. .

According to an embodiment of the present invention, in the present invention, the parsing module parses diagnosis related information stored in another distributed tree when a resource usage rate exceeds a threshold value when parsing diagnosis related information stored in a distributed tree It is characterized in that it prevents the load from being concentrated on.

The present invention can obtain the following effects by the configuration, combination, and use relationship that will be described below with the present embodiment.

The present invention provides a diagnosis command generation unit that generates a diagnosis command executed in a diagnosis target system to diagnose a security vulnerability, a communication unit that transmits the diagnosis command by accessing the diagnosis target system and receives a result file, and data in the result file Including a distributed processing unit that designates a tag according to a predetermined standard, distributes and stores it, and a diagnosis execution unit that diagnoses security weaknesses based on the result file, the diagnosis-related information collected for security vulnerability diagnosis is required for vulnerability diagnosis analysis. Classifies by resource, and by setting tags in advance according to the characteristics of diagnosis-related information data and separately performing security vulnerability diagnosis, diagnosis-related information on diagnosis items collected by each diagnosis target system is selectively classified. By creating a two-stage structure, the efficiency of resource use is improved, and the analysis server classifies the data from the system to be diagnosed by type and executes the security vulnerability diagnosis when diagnosing a security vulnerability, thereby distributing the resources used for vulnerability diagnosis to effectively diagnose the security vulnerability. It has the effect of providing a data distribution processing system when checking security vulnerabilities that can implement data.

In the present invention, the diagnosis command generation unit includes an information collection module, and the information collection module generates a result file by collecting diagnosis related information for diagnosing a security vulnerability of the diagnosis target system by the generated diagnosis command There is.

In the present invention, the diagnosis command generation unit further includes a selective classification module to classify the diagnosis-related information collected by the diagnosis command based on resources required for vulnerability diagnosis analysis to minimize resource overload when diagnosing a security vulnerability. When checking security vulnerabilities, it has the effect of providing a data distribution processing system.

In the present invention, the selective classification module provides an effect of classifying diagnosis-related information based on a utilization rate of at least one or more of a CPU, memory, GPU, and disk used when diagnosing a security vulnerability.

In the present invention, the selective classification module has an effect of classifying the diagnosis-related information into data to perform vulnerability diagnosis through an in-memory method and data to perform vulnerability diagnosis through allocation of multiple cores.

In the present invention, the distributed processing unit includes a tagging module that sets a tag in the diagnosis related information so that the collected diagnosis related information can be distributed and registered, so that the classified diagnosis related information can be identified according to the tag. When checking, it derives the effect of providing a data distribution processing system.

In the present invention, the tagging module provides a data distribution processing system for checking security weaknesses in which tags are set by grouping at least one of asset information, diagnostic items, and classifications classified in the selective classification module into the diagnosis related information. Produces an effect.

In the present invention, the distributed processing unit generates at least one distribution tree in which diagnosis related information is stored, and a distribution tree generation module that sets resources to be used for the distribution tree, and classifies diagnosis related information into the distribution tree according to a set tag. By further including a classification registration module to be registered so that diagnosis-related information can be distributed and diagnosed, it has the effect of reducing resource occupancy when diagnosing security weaknesses.

In the present invention, the classification registration module provides an effect of providing a data distribution processing system when checking security weaknesses in which the diagnosis related information is classified and registered in the distribution tree based on a diagnosis item.

In the present invention, the distributed processing unit further includes a threshold value setting module for setting a threshold value of a resource utilization rate when diagnosing a security vulnerability for diagnosis-related information stored in the distributed tree, and when a load is concentrated in the distributed tree, the load is reduced. Can be distributed.

In the present invention, the diagnosis performing unit includes a parsing module for parsing diagnosis related information stored in the distribution tree, a result extraction module for analyzing diagnosis related information parsed by the parsing module, and diagnosis related information and security vulnerability criteria of the diagnosis target system. The security vulnerability of the system to be diagnosed is diagnosed, including a vulnerability determination module that determines whether or not the system is vulnerable by comparing them.

In the present invention, the parsing module has the effect of providing a data distribution processing system when checking security weaknesses that prevent the occurrence of bottlenecks due to I/O speed by parsing diagnosis related information stored in one distributed tree. have.

In the present invention, when the parsing module parses the diagnosis related information stored in the distributed tree, when the resource usage rate exceeds the threshold value, the parsing module parses the diagnosis related information stored in another distributed tree to prevent the load from being concentrated on a specific resource. It has the effect of providing a data distribution processing system when checking vulnerability.

1 is a method for diagnosing a vulnerability through an information collection function through a conventional agent
2 is a method for diagnosing vulnerability through a group of commands related to information collection and diagnosis through a conventional agent
3 is a block diagram of a data distribution processing system 1 when checking security vulnerabilities according to a preferred embodiment of the present invention
4 is a block diagram of a diagnostic command generation unit 10 according to an embodiment of the present invention
5 is a block diagram showing a communication unit 30 according to an embodiment of the present invention
6 is a diagram showing data movement in the process of generating a result file by a diagnostic command transmitted from the data distribution processing system 1 and transmitting the result file when checking a security vulnerability according to a preferred embodiment of the present invention
FIG. 7 is a diagram illustrating transmission of a result file to the management server 10 after a diagnosis command is transmitted to and executed to a diagnosis target system T according to an embodiment of the present invention to perform a collection process.
8 is a block diagram showing the communication unit 30 according to an embodiment of the present invention
9 is a schematic diagram showing that a first tag file 411 and a second tag file 412 are allocated to each distribution tree 431 in the distribution processing unit, and a threshold value is applied to each distribution tree 431
10 is a block diagram showing a diagnosis performing unit 60 according to an embodiment of the present invention
11 is a flowchart of a data distribution processing method (S) when checking security vulnerabilities according to an embodiment of the present invention
FIG. 12 is a flowchart showing a diagnostic command execution step (S30) of FIG. 11
13 is a flowchart of a distributed processing step (S50) according to a preferred embodiment of the present invention
14 is a flowchart of a distributed processing step (S50') according to another embodiment of the present invention
15 is a flow chart showing a diagnosis performing step (S60) according to an embodiment of the present invention

Hereinafter, exemplary embodiments of a data distribution processing system and method for checking security vulnerabilities according to the present invention will be described in detail with reference to the accompanying drawings. In the following description of the present invention, if it is determined that a detailed description of a known function or configuration may unnecessarily obscure the subject matter of the present invention, a detailed description thereof will be omitted. Unless otherwise defined, all terms in this specification are the same as the general meaning of the term as understood by those of ordinary skill in the art to which the present invention belongs. According to the definitions used in the specification.

Throughout the specification, when a part "includes" a certain component, this does not exclude other components unless otherwise stated, it means that other components may also be included. Terms such as "~ unit" and "~ module" described herein mean units that process at least one or more functions or operations, which may be implemented by hardware or software or a combination of hardware and software. Hereinafter, the present invention will be described in detail by describing a preferred embodiment of the present invention with reference to the accompanying drawings.

3 is a block diagram of a data distribution processing system 1 when checking security vulnerabilities according to a preferred embodiment of the present invention. Referring to FIG. 3, in order to solve a problem in which a load is generated on a system corresponding to an analysis target system or an analysis server to be diagnosed when a security vulnerability is checked, the data distribution processing system (1) diagnoses security vulnerability. The diagnosis-related information collected for this purpose is classified based on the resources required for vulnerability diagnosis analysis, and the diagnosis-related information data is collected in each diagnosis target system by setting tags in advance according to the characteristics and performing a separate security vulnerability diagnosis. To increase the efficiency of resource use by creating a two-stage structure by selectively classifying the diagnostic information for the diagnostic items to be performed, and when diagnosing security weaknesses, the analysis server classifies the data from the system to be diagnosed by type and executes the security vulnerability diagnosis. By doing so, it is possible to conduct effective security vulnerability diagnosis by distributing resources used for vulnerability diagnosis. When checking the security vulnerability, the data distribution processing system 1 includes a diagnosis command generation unit 10, a communication unit 30, a distribution processing unit 50, and a diagnosis execution unit 60, and further includes a database (DB, 70). Can include.

4 is a block diagram of a diagnostic command generation unit 10 according to an embodiment of the present invention. Referring to FIG. 4, the diagnosis command generation unit 10 is provided to generate a diagnosis command executed in a diagnosis target system to diagnose a security vulnerability. The command includes a command, a program, and a script transmitted to the system to be diagnosed, and in a preferred embodiment of the present invention, the script is transmitted as a diagnosis command for diagnosis and is executed within the system to be diagnosed to diagnose security weaknesses of the system to be diagnosed. Information related to diagnosis is collected.

Diagnosis-related information is information collected for diagnosis of security weaknesses of the system to be diagnosed (T). The system's operating system (OS), software, and network have vulnerabilities that are the basis for cyber attacks from the outside.In the case of a system, the account and password that controls access rights to the system, system configuration, and backdoors are security weaknesses. It exists, and in the case of a network, cyber attacks can occur through paths such as HTTP, SMTP, and FTP. In order to prevent such cyber attacks, it is checked whether an attack can be easily performed on the network and system. This is called security vulnerability check, and data of various check items must be analyzed. Preferably, information on password-related vulnerabilities, packet-related vulnerabilities, and port-related vulnerabilities is collected.

Diagnosis items define items to diagnose security weaknesses through individual diagnosis-related information in the system to be diagnosed, and limit remote access to the root account, password complexity, passwords for account management, file and directory management, and access management according to the diagnosis target. Multiple diagnostic items such as minimum length, /etc/services file owner and authority setting, access ip and port restrictions can be provided.

The diagnosis command generated by the diagnosis command generation unit 10 is transmitted to the diagnosis target system to collect diagnosis related information of the information asset to generate a result file, and is transmitted to the diagnosis target system to be executed, thereby saving resources such as CPU and memory. Occupy and run the process. In a preferred embodiment of the present invention, one diagnostic command, that is, a diagnostic process, is transmitted and executed in the system to be diagnosed, but a plurality of diagnostic commands can be transmitted in groups and executed sequentially.

The diagnostic command can classify diagnostic-related information data into two or more types, and can be classified based on resources required for vulnerability diagnosis analysis, and preferably, among CPU, memory, GPU, and disk used in the system to be diagnosed. Diagnosis related information may be classified based on at least one resource utilization rate. The diagnosis command generation unit 10 includes an integrity test module 11, an information collection module 13, a selective classification module 15, and a result file generation module 17.

The integrity test module 11 configures a diagnosis command to perform an integrity test when the diagnosis command is executed in the system to be diagnosed. The diagnostic command is transmitted and executed to the system to be diagnosed by the communication unit 30 to be described later, and the integrity test of the diagnostic command may be performed by a program provided in the system to be diagnosed (T). When executing, the hash value is transmitted to the data distribution processing system 1 for integrity check, and the data distribution processing system 1 performs the integrity check and responds to the result to check the integrity of the diagnostic command.

In the conventional method for collecting diagnostic-related information by transmitting a command, it was not possible to confirm whether the command transmission was caused by an attack such as hacking, but the diagnostic command was transmitted as in the present invention, and the diagnostic command transmitted when the diagnostic command was executed. If diagnosis-related information is collected after checking the integrity of the device, external attacks can be prevented. Accordingly, when the diagnostic command is executed in the system to be diagnosed, forgery and alteration is prevented through an integrity check. Several methods for the integrity test can be used, but preferably, integrity verification may be performed through a hash value, and a specific part of the diagnosis command is processed by a hash function and stored inside the diagnosis command. Integrity verification can be performed by comparing a hash value in the diagnostic command with a hash value derived by processing a specific part in the diagnostic command with a hash function when the command is executed. If the integrity of the diagnostic command is verified, diagnostic-related information can be collected within the system to be diagnosed, and if the integrity is not verified, the result of the failure of the integrity test can be transmitted and the execution of the diagnostic command can be terminated to block modification of the diagnostic process. have.

The information collection module 13 programs a diagnostic command according to a preferred embodiment of the present invention to collect diagnostic-related information for diagnosing security weaknesses of the system to be diagnosed (T), and the integrity check module 11 It may be provided to collect diagnosis related information when the test is successful. In addition, in another embodiment of the present invention, the information collection module 13 may collect diagnostic related information through a plurality of groups of diagnostic commands that are sequentially executed.

The selective classification module 15 is programmed to classify the diagnosis-related information collected by the diagnosis command, preferably based on resources required for vulnerability diagnosis analysis. In order to solve the problem of excessive use of resources of a system to be diagnosed when performing diagnosis of a diagnosis command, the selective classification module 15 may classify data of diagnosis related information collected by the diagnosis command into two or more. In order to solve the bottleneck caused by data processing when diagnosing security weaknesses and the problem of using excessive resources when diagnosing a specific diagnosis item, the selective classification module 15 of the present invention is classified based on resources required for vulnerability diagnosis, A diagnostic command is programmed to classify diagnostic-related information based on at least one resource utilization rate among CPU, memory, GPU, and disk used when diagnosing security vulnerabilities. Each resource usage rate may be a standard, but a classification criterion may be used by combining two or more resource usage rates. The classification criteria according to the resource usage rate may be set to a value defined in the database 70 to be described later, or may be input by a security administrator. The classification criterion is set in consideration of the structure of the system to be diagnosed T and characteristics of the service.

Accordingly, in a preferred embodiment of the present invention, when the diagnosis command according to the selective classification module 15 is executed in the diagnosis target system T, diagnosis-related information data can be classified into two types according to the diagnosis type. , In detail, a first file, which is data to perform vulnerability diagnosis in an in-memory method, and a second file, which is data to perform vulnerability diagnosis through allocation of multiple cores, can be classified.

The first file is an object to be analyzed in an in-memory method with a high input/output speed. A system that analyzes and processes data may consist of a processor that performs an operation, a storage device that stores data to be processed, and a transmission system that transmits data between the processor and the storage device. The bottleneck that degrades is caused by the slowest component, and the part corresponding to the storage device has been the cause of this bottleneck. Therefore, in the case of a job that designates and processes disk data, a bottleneck may occur due to the input/output speed of the data, and analysis is performed in an in-memory method with a high input/output speed in order to separately process these objects. In the in-memory method, data for data analysis and processing is loaded and used in a memory rather than a hard disk, and data is stored in a memory area and an operation is performed. Since memory access speed is very fast compared to general storage devices (hard disks, etc.), the input/output speed is fast, so bottlenecks can be prevented.

In the second file, a security vulnerability diagnosis is performed by assigning multiple cores to in-memory for objects that need to perform encryption and other complex calculation processing. When complex processing such as decryption of the password is required, the resource usage rate may increase, and the designated second file to prevent resource load does not allocate a separate HDD Swap when working in the distributed processing unit 50 to be described later, but in-memory The analysis is performed through multi-core allocation.

Accordingly, as shown in Table 1 below, diagnosis-related information is classified according to an information asset and a diagnosis item to perform a security vulnerability diagnosis, and may be classified into various types in another embodiment of the present invention.

Asset classification Item Diagnosis type Asset classification Item Diagnosis type UNIX Account management File-II PC Account management File-II File and directory management File-I Service management File-I Service management File-I Patch management File-II Patch management File-II Security management File-II Log management File-II DBMS Account management File-II WINDOWS Account management File-II Access management File-I Service management File-I Option management File-I Patch management File-II Patch management File-II Log management File-II Log management File-II Security management File-II WAS Service management File-I Security equipment Account management File-II Setting management File-I Access management File-I File and directory management File-I Patch management File-II Patch management File-II Log management File-II Log management File-II Function management File-II WEB Service management File-I Network equipment Account management File-II Setting management File-I Access management File-I File and directory management File-I Patch management File-II Patch management File-II Log management File-II Log management File-II Function management File-II Web application Buffer overflow File-II Control system Account management File-II Format string File-II Service management File-I Patch management File-II Security management File-II

The result file generation module 17 generates a result file after the diagnosis command collects diagnosis related information. The result file generated accordingly includes information for diagnosing security weaknesses of the system to be diagnosed. The generated result file is transmitted to the data distribution processing system 1 again, and the security vulnerability is diagnosed by the diagnosis performing unit 60 to be described later. The result file generation module 17 may generate and transmit a result file by encrypting the collected information.

5 is a block diagram showing the communication unit 30 according to an embodiment of the present invention. 3 and 5, the communication unit 30 is provided to access the system to be diagnosed, transmit the diagnosis command, and receive a result file. As the communication unit 30 transmits a diagnosis command and receives a result file corresponding to the response of the diagnosis target system, the diagnosis performing unit 60 to be described later can analyze the security weakness of the diagnosis target system T. The communication unit 30 includes a connection module 31, a command transmission module 33, and a result file reception module 35.

The connection module 31 is provided to be connected to the diagnosis target system through an access method set. If the IP address, access method (Telnet, SSH, etc.) and access authority (ID, Password) for the system to be diagnosed are specified, you can access through the designated method. If the access method or access authority is not specified, The connection may be attempted by detecting the connection method through a predetermined method. Here, the predetermined method is to search for an access method and access rights through a recognizable label such as a similar IP address or Hostname in the database 70, and the access method and access rights are determined from the data on at least one diagnosis target system (T). You can extract and try to connect.

The command transmission module 33 may transmit the diagnosis command generated by the diagnosis command generation unit 10 described above, and drive the diagnosis command to perform a collection process in the diagnosis target system T. The command may be a command, a script, or a program. In a preferred embodiment of the present invention, the diagnostic command transmitted from the command transmission module 33 is a diagnostic script, and the diagnostic script is transmitted to the system to be diagnosed (T). As it is executed, diagnosis-related information is collected and classified selectively.

The result file receiving module 35 is provided to receive a result file transmitted from a diagnosis command of the system to be diagnosed, and receives the result file so that the result file can be analyzed by a diagnosis execution unit 60 to be described later.

6 is a diagram showing data movement in the process of generating a result file by a diagnostic command transmitted from the data distribution processing system 1 and transmitting the result file when checking a security vulnerability according to a preferred embodiment of the present invention. As can be seen in FIG. 6, when the diagnostic command is transmitted by the command transmission module 33, the diagnostic command is executed in the diagnosis target system T, the hash value is extracted and transmitted, and the hash value is compared in the distributed processing system. The integrity of the diagnostic command is guaranteed by performing an integrity check such as. When the integrity test is successful, the diagnosis related information in the diagnosis target system is collected according to the execution of the diagnosis command, and the collected diagnosis related information is classified into the first file and the second file as described above, and a result file is generated. Send the result file as a return value.

7 is a block diagram of a distributed processing unit 50 according to an embodiment of the present invention, and FIG. 8 is a diagram illustrating that diagnosis related information is distributed and stored in a distribution tree 431 generated by the distributed processing unit 50. It is a drawing. 7 to 8, the distributed processing unit 50 is provided to designate a tag according to a predetermined criterion and store the data in the result file by distributing it. The data in the result file is preferably diagnosis-related information classified into a first file and a second file. Since it is necessary to diagnose security weaknesses from data from a large amount of information assets, it is difficult to perform all analysis with limited resources, and the resources required for each diagnosis item to be processed are also different, so the distributed processing unit 50 By distributing and storing diagnosis-related information according to the criteria and performing security vulnerability diagnosis, it is possible to efficiently manage resource use problems by distributing system resources concentrated on the central server. The distributed processing unit 50 includes a tagging module 51, a distributed tree generation module 53, a threshold value setting module 55, and a classification registration module 57.

The tagging module 51 sets a tag to the diagnosis related information so that the collected diagnosis related information can be distributed and registered. The diagnosis related information is distributedly stored in a plurality of distribution trees 531 generated by the distribution tree generation module 53 to be described later, and tags are processed for each diagnosis related information so that the diagnosis related information can be distributed and stored. In a preferred embodiment of the present invention, a tag is set by grouping asset information, diagnostic items, and classifications classified by the selective classification module in the diagnosis related information. If the asset information of diagnosis-related information is defined as'asset classification', the diagnosis item related to the diagnosis-related information is defined as'item', and the classification classified in the selective classification module is defined as'diagnosis type', the results shown in Table 1 Likewise, it is possible to group the diagnosis-related information by asset classification, item, and diagnosis type, and when tagging according to grouping is performed, the following tags are set. In the order of diagnosis-related information, asset classification, diagnosis item, diagnosis type, and the last'Category 1-M' or'Category 3-M' refers to the space to be stored in a distributed manner. Diagnosis related information in which tags are set as follows may be distributed and stored according to tags as a first tag file 411 and a second tag file 412.

-Unix_Account Management_File-II_Category 1-M

-Windows_Account Management_File-II_Category 1-M

-Unix_Log Management_File-II_Category 3-M

-DBMS_Log Management_File-II_Category 6-M

-WAS_Log Management_File-II_Category 3-M

-Unix_File Directory_File-I_Category 2-M

-WEB_File Directory_File-I_Category 2-M

The distribution tree generation module 53 is provided to generate at least one distribution tree in which diagnosis related information is stored and to set a resource to be applied to the distribution tree. The distribution tree generation module 53 may generate at least one distribution tree 431 so that diagnosis related information is distributed and stored in the distribution tree 431. The distributed tree generation module 53 designates a computing resource when diagnosing security weaknesses for diagnosis-related information stored in the distributed tree. CPU, MEM, GPU, and DISK, which are classification categories for the resource utilization rate, may be used, preferably CPU and MEM may be applied, and the allocated resource value may be set in the form of reference information as shown in FIG. have.

9 is a schematic diagram showing that a first tag file 411 and a second tag file 412 are allocated to each distribution tree 431 in the distribution processing unit, and a threshold value is applied to each distribution tree 431. 7 to 9, the threshold value setting module 55 is provided to set a threshold value 451 of a resource usage rate when diagnosing a security vulnerability for diagnosis related information stored in the distribution tree. When the threshold values TH and 451 are registered, the load can be distributed to each distributed tree when a security vulnerability is diagnosed when the load is concentrated on a specific distribution tree or a new diagnosis request occurs using the threshold value. In addition, when a resource is used within a set threshold value TH, unnecessary resource waste can be eliminated to secure effective data processing performance.

The classification registration module 57 may be provided to classify and register diagnosis related information in the distribution tree according to a set tag. Diagnosis-related information in the result file, that is, the first tag file 411 and the second tag file 412 are distributed and stored in several distribution trees 431, so that the first tag file is processed in an in-memory method during vulnerability diagnosis. The bottleneck is minimized, and the second tag file is stored in several distribution trees, and excessive use of the resources stored in the distribution tree 431 during vulnerability diagnosis can be prevented. The classification registration module 57 may classify and register the diagnosis related information, preferably the first tag file 411 and the second tag file 412 in the distribution tree 431 based on a diagnosis item. . If the information asset containing the diagnosis related information is different, the format of the diagnosis related information is different, but the method of performing security vulnerability diagnosis through the diagnosis related information is substantially the same or similar. In the case of classification and registration in a distributed tree, data can be processed smoothly when diagnosing security weaknesses. Therefore, the distribution tree corresponding to classification 1-M in FIG. 8 stores diagnosis-related information on the diagnosis items for account management, and the distribution tree corresponding to classification 2-M stores diagnosis-related information on the diagnosis items related to the file. , Distribution tree corresponding to category 3-M distributes and stores diagnostic-related information about log management.

10 is a block diagram showing a diagnosis performing unit 60 according to an embodiment of the present invention. Referring to FIG. 10, the diagnosis performing unit 60 is provided to diagnose a security vulnerability based on a result file. By analyzing the result file received by the diagnosis performing unit 60 and determining the security vulnerability of the system to be diagnosed, it is possible to know which vulnerability the diagnosis target system has for which security vulnerability check items. The diagnosis execution unit 60 includes a parsing module 61, a result extraction module 63, and a vulnerability determination module 65.

The parsing module 61 is provided to parse the result file received from the diagnosis target system. Here, since the security vulnerability check items may be different depending on the system to be diagnosed, the parsing module 61 parses the result file according to the parsing criteria stored in the database 70 or input parsing criteria. In a preferred embodiment of the present invention, the parsing module 61 parses diagnostic-related information stored in a distributed tree. By parsing the diagnosis-related information stored in the distributed tree by the parsing module 61, vulnerability diagnosis for diagnosis-related information of the diagnosis target system T may be performed for each distribution tree.

In a preferred embodiment of the present invention, the parsing module 61 may prevent the occurrence of a bottleneck due to I/O speed by parsing diagnosis related information for a diagnosis item stored in one distributed tree. In particular, a bottleneck can be prevented by parsing the distribution tree 431 in which the first tag file 411 in which the tag is set in the above-described first file is stored so that data is processed by an in-memory method. In another embodiment of the present invention, when the parsing module 61 parses the diagnosis related information stored in the distribution tree 431, when the resource usage rate exceeds a threshold value, the parsing module 61 parses the diagnosis related information stored in another distribution tree. Thus, it is possible to prevent the load from being concentrated on a specific resource.

The result extracting module 63 is provided to analyze the parsing information parsed by the parsing module 61 to extract a diagnosis related information value of the diagnosis target system and analyze the diagnosis related information. Since the parsing information includes information related to the security vulnerability check item of the system to be diagnosed, the diagnosis-related information extracted by the result extraction module 63 corresponds to information such as password vulnerability and packet vulnerability of the system to be diagnosed. In a preferred embodiment of, as the parsing module 61 parses for each distribution tree, a value for diagnosis related information is extracted for each distribution tree, and diagnosis related information belonging to the same diagnosis item may be analyzed.

The vulnerability determination module 65 is provided to determine whether the vulnerability is vulnerable by comparing diagnosis-related information of a system to be diagnosed with a security vulnerability determination criterion. The diagnosis related information extracted from the result extraction module 63 has various types of values such as numbers, strings, and True of False. The judgment criteria are retrieved from the database 70 and compared with the diagnosis related information, Determine whether it is vulnerable. The determination result may be stored in the database 70.

Referring back to FIG. 3, the database 70 stores information on a system to be diagnosed connected to a network. IP address, host name, and all related information can be stored, and inspection items necessary for security vulnerability inspection, parsing criteria, etc. are stored. In addition, classification criteria according to the resource usage rate and resource values allocated to each distribution tree may be stored, and when the vulnerability determination module 65 determines whether the system to be diagnosed is vulnerable, information about it is stored.

As described above, the data distribution processing system 1 is implemented when checking security vulnerabilities according to an embodiment of the present invention. Hereinafter, a data distribution processing method (S) when checking security weaknesses will be described with reference to the drawings.

11 is a flowchart of a data distribution processing method (S) when checking security weaknesses according to an embodiment of the present invention. Referring to FIG. 11, the data distribution processing method (S) when checking security weaknesses is a security vulnerability diagnosis in order to solve a problem in which a load is generated on a system to be diagnosed or a system corresponding to an analysis server to be diagnosed when a security vulnerability is diagnosed. The diagnosis-related information collected for this purpose is classified based on the resources required for vulnerability diagnosis analysis, and the diagnosis-related information data is collected in each diagnosis target system by setting tags in advance according to the characteristics and performing a separate security vulnerability diagnosis. To increase the efficiency of resource use by creating a two-stage structure by selectively classifying the diagnostic information for the diagnostic items to be performed, and when diagnosing security weaknesses, the analysis server classifies the data from the system to be diagnosed by type and executes the security vulnerability diagnosis. By distributing the resources used when diagnosing vulnerabilities, effective security vulnerability diagnosis is performed, and diagnosis command generation step (S10), connection transmission step (S20), diagnosis command execution step (S30), result receiving step (S40), and distributed It includes a processing step (S50) and a diagnosis performing step (S60).

In the diagnosis command generation step (S10), a diagnosis command executed in the diagnosis target system T is generated to diagnose a security vulnerability. The diagnostic command generated in this step is transmitted to the system to be diagnosed and executed, thereby occupying resources such as CPU and memory to operate the process. In a preferred embodiment of the present invention, the diagnostic command is a diagnostic script and is executed after being transmitted to the diagnostic target system T.

The connection transmission step (S20) can be performed in the communication unit 30, and can be accessed through an access method set in the diagnosis target system, and the IP address and access method (Telnet, SSH, etc.) for the diagnosis target system (T). ), if the access authority (ID, Password) is specified, access can be made through the designated method. If the access method or access authority is not designated, the access method can be detected through a predetermined method and attempted access. have. Here, the predetermined method is to search for an access method and access rights through a recognizable label such as a similar IP address or Hostname in the database 70, and the access method and access rights are determined from the data on at least one diagnosis target system (T). It can extract and try to connect, and after being connected, a diagnosis command is transmitted to the diagnosis target system T.

12 is a flowchart illustrating a diagnostic command execution step (S30) of FIG. 11. Referring to FIG. 12, in the diagnostic command execution step (S30), the diagnostic command transmitted to the diagnostic target system T is executed to collect diagnostic-related information of the diagnostic target system and generate a result file. This is the process of transferring to (1). The diagnostic command execution step (S30) includes an integrity check step (S31), an information collection step (S33), a selective classification step (S45), a result file generation step (S37), and a result file transmission step (S39). .

The integrity check step (S31) is a step of verifying the integrity to prevent forgery and alteration of the diagnostic command. The hash value is transmitted to check whether the diagnostic command has been forged or altered, and the integrity check is received by receiving the result of the integrity check. Several methods for the integrity test can be used, but preferably, integrity verification may be performed through a hash value, and a specific part of the diagnosis command is processed by a hash function and stored inside the diagnosis command. When the command is executed, integrity verification can be performed by comparing the hash value transmitted by processing the hash value of the previously stored diagnostic command with a specific part in the diagnostic command with a hash function. The data distribution processing system (1) stores the hash value of the diagnosis command before transmission of the diagnosis command, and when the diagnosis command is executed, the hash value of the diagnosis command is extracted from the system to be diagnosed and the extracted hash value is converted into a data distribution processing system ( 1), and the data distribution processing system 1 may perform an integrity check by comparing the stored hash value with the transmitted hash value. When the integrity of the diagnostic command is verified, diagnostic-related information can be collected in the system to be diagnosed, and if the integrity is not verified, the execution of the diagnostic command can be terminated to prevent process transformation.

The information collection step (S33) is a step in which diagnosis-related information of the diagnosis target system T is collected by execution of the diagnosis command. Data related to the diagnostic items of the system to be diagnosed are collected, and preferably, information on the security vulnerability diagnostic items such as password-related vulnerabilities, packet-related vulnerabilities, and port-related vulnerabilities are collected for each information asset.

The selective classification step (S35) is a step of classifying the collected diagnosis-related information based on resources required for vulnerability diagnosis analysis, and the diagnosis-related information can be classified based on a resource utilization rate used when diagnosing a security vulnerability. have. In a preferred embodiment of the present invention, in the selective classification step (S35), the diagnostic command classifies diagnostic related information based on at least one resource utilization rate among CPU, memory, GPU, and disk, and each resource utilization rate is It can be a criterion, but a classification criterion may be used by combining two or more resource utilization rates. The classification criteria according to the resource usage rate may be set to a value defined in the database 70 to be described later, or may be input by a security administrator. The classification criterion is set in consideration of the structure of the system to be diagnosed T and characteristics of the service. In addition, in the selective classification step (S35), the diagnosis-related information may be classified into a first file, which is data to perform vulnerability diagnosis in an in-memory method, and a second file, which is data to perform vulnerability diagnosis through allocation of multiple cores. In addition, in another embodiment, data may be classified into two or more types of data.

The result file generation step (S37) is a step of generating a result file by collecting the diagnosis related information. The result file generated accordingly includes information for diagnosing security weaknesses of the system to be diagnosed. The generated result file is transmitted to the data distribution processing system 1 in the result file transmission step (S39), and security vulnerability diagnosis is performed by the diagnosis performing step (S60) described later.

Referring back to FIG. 11, the result receiving step (S40) is performed in the result file receiving module 35, and the result file transmitted from the diagnosis command of the diagnosis target system is received and performed in the diagnosis performing step (S60) to be described later. Make it possible to analyze.

13 is a flowchart of a distributed processing step S50 according to a preferred embodiment of the present invention, and FIG. 14 is a flowchart of a distributed processing step S50' according to another embodiment of the present invention. 11, 13 and 14, in the distributed processing step (S50), the data in the result file is tagged according to a predetermined criterion, distributed and stored, and preferably, the first file and the second file in the result file. This is the step of distributing and storing diagnosis related information classified as a file. Since it is necessary to diagnose security weaknesses from data from a large amount of information assets, it is difficult to perform all analysis with limited resources, and the resources required for each diagnostic item to be processed are also different, so the distributed processing step (S50) diagnoses By distributing and storing related information and performing security vulnerability diagnosis, it is possible to efficiently manage resource use problems by distributing system resources concentrated on the central server. The distributed processing step (S50) includes a tagging step (S51), a distributed tree generation step (S53), a threshold value setting step (S55), and a classification registration step (S57).

In the tagging step S51, a tag is set in the diagnosis related information so that the collected diagnosis related information can be distributed and registered. Diagnosis-related information is distributed and stored in a plurality of distribution trees 531 generated by a distribution tree generation step (S53) to be described later, and tags are processed for each diagnosis related information so that the diagnosis related information can be distributed and stored. In a preferred embodiment of the present invention, tags are set by grouping asset information, diagnostic items, and classifications classified in the selective classification module into the diagnostic-related information, and detailed examples are as shown in Table 1 above. . Diagnosis related information in which tags are set as follows may be distributed and stored according to tags as a first tag file 411 and a second tag file 412.

-Unix_Account Management_File-II_Category 1-M

-Windows_Account Management_File-II_Category 1-M

-Unix_Log Management_File-II_Category 3-M

-DBMS_Log Management_File-II_Category 6-M

-WAS_Log Management_File-II_Category 3-M

-Unix_File Directory_File-I_Category 2-M

-WEB_File Directory_File-I_Category 2-M

In the distribution tree generation step (S53), at least one distribution tree in which diagnosis related information is stored is generated, and resources to be applied to the distribution tree are set. In the distributed tree generation step (S53), at least one distribution tree 431 may be generated so that diagnosis-related information may be distributed and stored in the distribution tree 431. In the distributed tree generation step (S53), a computing resource is designated when a security vulnerability is diagnosed for diagnosis-related information stored in the distributed tree. CPU, MEM, GPU, and DISK, which are classification categories for the resource utilization rate, may be used, preferably CPU and MEM may be applied, and the allocated resource value may be set in the form of reference information as shown in FIG. have.

9, 13, and 14, the threshold value setting step (S55) is a step of setting a threshold value 451 of a resource usage rate when diagnosing a security vulnerability for diagnosis-related information stored in the distribution tree. When the threshold values TH and 451 are registered, the load can be distributed to each distributed tree when a security vulnerability is diagnosed when the load is concentrated on a specific distribution tree or a new diagnosis request occurs using the threshold value. In addition, when a resource is used within a set threshold value TH, unnecessary resource waste can be eliminated to secure effective data processing performance.

In the classification registration step S57, diagnosis-related information is classified and registered in the distribution tree according to a set tag. Diagnosis-related information in the result file, that is, the first tag file 411 and the second tag file 412 are distributed and stored in several distribution trees 431, so that the first tag file is processed in an in-memory method during vulnerability diagnosis. The bottleneck is minimized, and the second tag file is stored in several distribution trees, and excessive use of the resources stored in the distribution tree 431 during vulnerability diagnosis can be prevented. In the classification registration step (S57), the diagnosis-related information, preferably the first tag file 411 and the second tag file 412 are classified and registered in the distribution tree 431 based on the diagnosis item. If the information asset containing the diagnosis related information is different, the format of the diagnosis related information is different, but the method of performing security vulnerability diagnosis through the diagnosis related information is substantially the same or similar. In the case of classification and registration in a distributed tree, data can be processed smoothly when diagnosing security weaknesses.

14, in the distributed processing step (S50') according to another embodiment of the present invention, the tagging step (S51) is performed after the distribution tree generation step (S53) and the threshold value setting step (S55). I can. By creating a distributed tree according to diagnosis items and resources, and tagging diagnosis related information according to the generated distributed tree, diagnosis related information can be distributed and stored.

15 is a flowchart illustrating a diagnosis performing step S60 according to an embodiment of the present invention. Referring to FIG. 15, in the diagnosis performing step (S60), a security vulnerability is diagnosed based on a result file, and the result file is analyzed in the diagnosis performing step (S60), and the security vulnerability of the system to be diagnosed is determined. You can see which vulnerability the system has for which security vulnerability check items. The diagnosis performing step (S60) includes a parsing step (S61), a result extraction step (S63), and a vulnerability determination step (S65).

The parsing step (S61) is a step of parsing the result file received from the diagnosis target system. Here, since the security vulnerability check items may be different depending on the system to be diagnosed, the result file is parsed according to the parsing criteria stored in the database 70 or input parsing criteria in the parsing step (S61). In a preferred embodiment of the present invention, the diagnosis related information stored in the distributed tree is parsed in the parsing step (S61), and the diagnosis related information stored in the distributed tree is parsed. Vulnerability diagnosis for information can be performed.

In a preferred embodiment of the present invention, in the parsing step (S61), the occurrence of a bottleneck due to the I/O speed can be prevented by parsing the diagnosis related information on the diagnosis item stored in one distributed tree. A bottleneck can be prevented by parsing the distribution tree 431 in which the first tag file 411 in which the tag is set in one first file is stored so that data is processed by an in-memory method. In another embodiment of the present invention, the parsing step (S61) parses the diagnosis related information stored in another distributed tree when the resource utilization rate exceeds a threshold value when parsing the diagnosis related information stored in the distribution tree 431 Thus, it is possible to prevent the load from being concentrated on a specific resource.

In the result extraction step (S63), the parsing information parsed in the parsing step (S61) is analyzed to extract a diagnosis related information value of the diagnosis target system to analyze the diagnosis related information. Since the parsing information includes information related to the security vulnerability check item of the system to be diagnosed, the diagnostic-related information value extracted in the result extraction step (S63) corresponds to information such as password vulnerability and packet vulnerability of the system to be diagnosed. In a preferred embodiment of, as parsing is performed for each distribution tree in the parsing step (S61), a value of diagnosis related information is extracted for each distribution tree, and diagnosis related information belonging to the same diagnosis item may be analyzed.

In the vulnerability determination step (S65), the vulnerability is determined by comparing the diagnosis-related information of the system to be diagnosed with the security vulnerability determination criteria. The diagnosis-related information extracted in the result extraction step (S63) has several types of values, such as numbers, strings, and True of False, and the diagnosis-related system is compared with the diagnosis-related information by calling the judgment criteria from the database 70. To determine whether it is vulnerable. The determination result may be stored in the database 70.

The detailed description above is illustrative of the present invention. In addition, the above description shows and describes preferred embodiments of the present invention, and the present invention can be used in various other combinations, modifications and environments. That is, changes or modifications may be made within the scope of the concept of the invention disclosed in the present specification, the scope equivalent to the disclosed contents, and/or the skill or knowledge of the art. The above-described embodiments describe the best state for implementing the technical idea of the present invention, and various changes required in the specific application fields and uses of the present invention are possible. Therefore, the detailed description of the invention is not intended to limit the invention to the disclosed embodiment. In addition, the appended claims should be construed as including other embodiments.

1: Data distributed processing system when checking security weaknesses
10: diagnostic command generation unit
11: Integrity check module 13: Information collection module
15: selective classification module 17: result file generation module
30: communication unit 31: connection module
33: command transmission module 35: result file reception module
50: distributed processing unit
51: tagging module 53: distributed tree generation module
55: threshold setting module 57: classification registration module
60: diagnostic unit 61: parsing module
63: result extraction module 65: vulnerability determination module
S: Data distributed processing system when checking security weaknesses
S10: diagnostic command generation step S20: connection transmission step
S30: diagnostic command execution step S31: integrity check step
S33: Information collection step S35: Selective classification step
S37: Result file generation step S39: Result file transmission step
S40: Result receiving step
S50: distributed processing step S51: tagging step
S53: Distribution tree generation step S55: Threshold setting step
S57: Classification registration step
S6: Diagnosis execution step S61: Parsing step
S63: Result extraction step S65: Vulnerability determination step

Claims (24)

A diagnostic command generation unit that generates a diagnostic command that is executed in the system to be diagnosed for security vulnerability diagnosis, a communication unit that connects to the system to be diagnosed to transmit the diagnostic command and receives a result file, and assigns a tag to the data in the result file And a distributed processing unit that is distributed and stored, and a diagnosis performing unit that diagnoses security weaknesses based on the result file,
The diagnostic command generation unit is an information collection module that allows the generated diagnostic command to collect diagnostic-related information for diagnosing a security vulnerability of the system to be diagnosed, and the diagnostic-related information collected by the diagnostic command to collect resources required for vulnerability diagnosis analysis. As a standard, a selective classification module that classifies the diagnosis-related information into data to perform vulnerability diagnosis in an in-memory method and data to perform vulnerability diagnosis through multiple core assignments, and to generate a result file after collecting diagnosis-related information. It includes a result file generation module,
The distributed processing unit includes a tagging module for setting tags to the diagnosis related information according to criteria classified by a selective classification module so that the collected diagnosis related information can be distributed and registered, wherein the tagging module includes the diagnosis related information At least one of asset information, diagnosis items, and classifications classified by the selective classification module is grouped and tags are set.
delete delete The data when checking security vulnerability according to claim 1, wherein the selective classification module classifies diagnosis-related information based on a utilization rate of at least one of a CPU, memory, GPU, and disk used when diagnosing a security vulnerability. Distributed processing system.
delete delete delete The distribution tree generation module of claim 1, wherein the distributed processing unit generates at least one distribution tree in which diagnosis related information is stored and sets resources to be used for the distribution tree, and the diagnosis related information is stored in the distribution tree according to a set tag. A data distribution processing system when checking security vulnerabilities further comprising a classification registration module for classifying and registering. The data distribution processing system of claim 8, wherein the classification registration module classifies and registers the diagnosis related information in the distribution tree based on a diagnosis item. The method of claim 8, wherein the distributed processing unit further comprises a threshold value setting module for setting a threshold value of a resource usage rate when diagnosing a security vulnerability for diagnosis-related information stored in the distributed tree, wherein the load is concentrated on the distributed tree. Data distribution processing system when checking security weaknesses, characterized in that the load is distributed. The method of claim 10, wherein the diagnosis performing unit includes a parsing module for parsing diagnosis related information stored in the distribution tree, a result extraction module for analyzing diagnosis related information parsed by the parsing module, and diagnosis related information and security weaknesses of the diagnosis target system. Data distributed processing system when checking security vulnerabilities including a vulnerability determination module that compares judgment criteria to determine whether or not they are vulnerable. The data distribution processing according to claim 11, wherein the parsing module prevents the occurrence of a bottleneck due to I/O speed by parsing diagnosis related information about the diagnosis items stored in one distributed tree. system. The method of claim 11, wherein the parsing module parses the diagnosis related information stored in another distributed tree when a resource utilization rate exceeds a threshold value when parsing the diagnosis related information stored in the distributed tree to prevent load concentration on a specific resource. Data distributed processing system when checking security vulnerabilities, characterized in that. Diagnosis command generation step of generating a diagnosis command executed in the diagnosis target system for diagnosis of security weaknesses, a connection transmission step of connecting to the diagnosis target system and transmitting the diagnosis command, and diagnosis within the diagnosis target system by executing the diagnosis command A diagnostic command execution step of collecting related information, a result receiving step of receiving a result file generated according to the execution of the diagnostic command, a distributed processing step of tagging and distributing and storing the data in the result file, and the result file Including a diagnosis execution step of diagnosing security weaknesses based on,
In the diagnostic command execution step, the diagnostic command execution step is an information collection step of collecting diagnostic-related information of a system to be diagnosed, and the diagnostic-related information is in-memory based on the collected diagnostic-related information based on resources required for vulnerability diagnosis analysis. Including a selective classification step of classifying data to perform vulnerability diagnosis in a method and data to perform vulnerability diagnosis through allocation of multiple cores, and a result file generation step of collecting the diagnosis-related information to generate a result file,
The distributed processing step includes a tagging step of setting a tag to the diagnosis related information so that the collected diagnosis related information can be distributed and registered, wherein the tagging step includes asset information, diagnosis items, and selective A method of distributing data when checking security vulnerabilities, characterized in that tags are set by grouping at least one of the classifications classified in the classification step. The method of claim 14, wherein the execution of the diagnostic command comprises transmitting a hash value to check whether the diagnostic command has been forged or altered before the information collecting step, and receiving a result of the integrity check, and managing the generated result file. Data distribution processing method when checking security vulnerabilities further comprising a step of transmitting a result file transmitted to the server. The method of claim 14, wherein the selective classification step classifies the diagnosis-related information based on at least one resource utilization rate among CPU, memory, GPU, and disk used when diagnosing a security vulnerability. Treatment method. delete delete delete The method of claim 14, wherein the distributed processing step comprises: generating at least one distribution tree in which diagnosis related information is stored and setting a resource to be used for the distribution tree; and the distribution tree generating diagnosis related information according to a set tag. Further comprising a classification registration step of classifying and registering to,
The classification and registration step comprises classifying and registering the diagnosis-related information in the distribution tree based on a diagnosis item. The method of claim 20, wherein the distributed processing step further comprises a threshold value setting step of setting a threshold value of a resource utilization rate when diagnosing a security vulnerability for the diagnosis-related information stored in the distributed tree, wherein the load is concentrated on the distributed tree. Data distribution processing method when checking security vulnerabilities, characterized in that the load is distributed in case of case. The method of claim 21, wherein the performing diagnosis comprises a parsing step of parsing the diagnosis related information stored in the distribution tree, a result extraction step of analyzing the diagnosis related information parsed in the parsing step, and diagnosis related information and security of the diagnosis target system. A method of distributing data when checking security vulnerabilities, including the step of determining whether a vulnerability is vulnerable by comparing the vulnerability criteria. The data distribution processing according to claim 22, wherein the parsing step prevents the occurrence of a bottleneck due to the I/O speed by parsing the diagnosis related information for the diagnosis item stored in one distributed tree. Way. The method of claim 22, wherein the parsing step prevents the load from being concentrated on a specific resource by parsing the diagnosis related information stored in another distributed tree when the resource utilization rate exceeds a threshold value when parsing the diagnosis related information stored in the distributed tree. Data distributed processing method when checking security weaknesses, characterized in that.

Images