KR102367546B1 - Hybrid correlation analysis method between heterogeneous using streaming analysis and batch analysis and apparatus thereof - Google Patents

Abstract

An operation method of a device comprises the following steps of: setting one or more detection rules for first data obtained in real time; determining whether the number of occurrences of an event corresponding to the one or more detection rules is equal to or greater than a preset level; extracting second data corresponding to the event occurring with the preset level or greater in the first data; and transmitting the second data. The step of determining whether the event corresponding to the one or more detection rules has occurred above the preset level or greater includes determining whether the number of occurrences of the event is equal to or greater than a predefined threshold value within a window.

Description

Heterogeneous hybrid correlation analysis method using streaming analysis and batch analysis, and an apparatus supporting the same

The present invention relates to a heterogeneous hybrid correlation analysis method using streaming analysis and batch analysis.

In the case of correlation analysis between heterogeneous types, there is a correlation analysis method that combines real-time generated alarms to perform correlation analysis, or searches and generates an alarm and searches again based on the correlation analysis method. In order to provide a quick analysis of the threat situation, a more efficient analysis method than the method combining only real-time alerts is needed.

Patent Publication No. 10-2020-0178521, 2020.12.18

The problem to be solved by the present invention is to provide correlation analysis by combining heterogeneous data in a system that collects data such as integrated security management and integrated log management and performs normalization, storage, search, and analysis.

The problems to be solved by the present invention are not limited to the problems mentioned above, and other problems not mentioned will be clearly understood by those skilled in the art from the following description.

According to an embodiment of the present invention for solving the above problems, there is provided a method of operating an apparatus, the method comprising: setting one or more detection rules for first data acquired in real time; determining whether the number of occurrences of the event corresponding to the one or more detection rules is equal to or greater than a preset level; and extracting second data corresponding to an event occurring above the preset level from among the first data; and transmitting the second data.

Determining whether the event corresponding to the one or more detection rules has occurred above the preset level may include determining whether the number of occurrences of the event is equal to or greater than a predefined threshold within a window.

The size of the window may increase as the number of occurrences of the event acquired from the third data acquired at a time before the acquisition time of the first data increases.

The method may include cluster analysis of data having the same ID (ID) or the same Internet Protocol (IP) among the first data.

Based on the need for a resource for processing the first data more than a threshold, the first data may be distributed and processed through a plurality of servers.

The detection rule may be set to a case in which an event corresponding to a resignation ID (identification) occurs, an ID not in the database is detected, or an external IP (internet protocol) is detected.

An embodiment of the present invention may provide a method for processing and hybrid analysis of data by a device included in a system that blocks unauthorized access from an external network.

The method comprises: receiving data for streaming analysis; retrieving data for the streaming analysis in a firewall (FW: firewall); and blocking the unauthorized access from the external network.

The data for the streaming analysis is: When an intrusion prevention system (IPS) determines that the number of occurrences of an event corresponding to one or more detection rules has occurred above a preset level, among data acquired in real time The data may be extracted as data corresponding to an event occurring above the preset level and received from the IPS.

The step of searching for the extracted data in the firewall may include searching for the same data as the extracted data within a search range.

The search range can be set by the user in relation to the characteristics of the data to be searched.

The method may include analyzing a pattern based on a difference between an occurrence time of an event corresponding to the data extracted from the real-time search and a time at which data on a firewall corresponding to the extracted data is located.

An embodiment of the present invention may provide an apparatus for processing first data acquired in real time.

The apparatus for processing the first data includes: a memory configured to store data; and one or more processors coupled to the memory.

The one or more processors are configured to: set one or more detection rules for the first data; determining whether the number of occurrences of the event corresponding to the one or more detection rules is greater than or equal to a preset level; extracting second data corresponding to an event occurring above the preset level from among the first data; and transmit the second data.

The one or more processors may be configured to determine that the event corresponding to the one or more detection rules has occurred above the preset level when the event is greater than or equal to a predefined threshold within a window.

An embodiment of the present invention may be included in a system for blocking unauthorized access from an external network, and may provide an apparatus for processing and hybrid analysis of data.

The apparatus for processing and hybrid analysis of data includes: a memory configured to store data; and one or more processors connected to the memory.

The one or more processors are configured to: receive data for streaming analysis; retrieving data for the streaming analysis from a firewall (FW); and block the unauthorized access from the external network.

The data for the streaming analysis is when an intrusion prevention system (IPS) determines that the number of occurrences of an event corresponding to one or more detection rules has occurred at a preset level or more, among the data acquired in real time It may be data that is extracted as data corresponding to an event generated above a preset level and received from the IPS.

Other specific details of the invention are included in the detailed description and drawings.

According to the present invention, by combining a streaming analysis method capable of real-time detection and a batch analysis method capable of detecting stored data, more efficient and faster analysis than a method combining only real-time alerts is possible.

Effects of the present invention are not limited to the effects mentioned above, and other effects not mentioned will be clearly understood by those skilled in the art from the following description.

BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings, which are included as part of the detailed description to aid understanding of the present invention, provide various embodiments and, together with the detailed description, explain technical features of the various embodiments.
1 is a diagram illustrating an analysis method using a window for streaming data of the present invention.
2 is a diagram illustrating a batch analysis method for streaming data according to the present invention.
3 is a diagram illustrating a correlation analysis of the present invention.
4 is a diagram of an example in which real-time streaming analysis and batch analysis of the present invention are combined.
5 is a conceptual diagram conceptually illustrating a process in which collected data is collected in a security device to which the present invention is applicable.
6 is a conceptual diagram illustrating a process of correlation analysis according to the present invention.
7 is a diagram illustrating an example of an apparatus in which the present invention may be implemented.

Advantages and features of the present invention and methods of achieving them will become apparent with reference to the embodiments described below in detail in conjunction with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, but may be implemented in various different forms, and only the present embodiments allow the disclosure of the present invention to be complete, and those of ordinary skill in the art to which the present invention pertains. It is provided to fully understand the scope of the present invention to those skilled in the art, and the present invention is only defined by the scope of the claims.

The terminology used herein is for the purpose of describing the embodiments and is not intended to limit the present invention. In this specification, the singular also includes the plural unless specifically stated otherwise in the phrase. As used herein, “comprises” and/or “comprising” does not exclude the presence or addition of one or more other components in addition to the stated components. Like reference numerals refer to like elements throughout, and "and/or" includes each and every combination of one or more of the recited elements. Although "first", "second", etc. are used to describe various elements, these elements are not limited by these terms, of course. These terms are only used to distinguish one component from another. Accordingly, it goes without saying that the first component mentioned below may be the second component within the spirit of the present invention.

Unless otherwise defined, all terms (including technical and scientific terms) used herein will have the meaning commonly understood by those of ordinary skill in the art to which this invention belongs. In addition, terms defined in a commonly used dictionary are not to be interpreted ideally or excessively unless specifically defined explicitly.

Spatially relative terms "below", "beneath", "lower", "above", "upper", etc. It can be used to easily describe the correlation between a component and other components. Spatially relative terms should be understood as terms including different directions of components during use or operation in addition to the directions shown in the drawings. For example, when a component shown in the drawing is turned over, a component described as “beneath” or “beneath” of another component may be placed “above” of the other component. can Accordingly, the exemplary term “below” may include both directions below and above. Components may also be oriented in other orientations, and thus spatially relative terms may be interpreted according to orientation.

Hereinafter, preferred embodiments according to the present specification will be described in detail with reference to the accompanying drawings. DETAILED DESCRIPTION The detailed description set forth below in conjunction with the appended drawings is intended to describe exemplary embodiments of various embodiments, and is not intended to represent the only embodiments.

Definitions of terms used in the present invention are as follows.

FW (FireWall): FW is a network security device to block, control, or authorize unauthorized access from an external network. For example, the FW may block data packets of the network, and specifically, the FW may block unauthorized access by checking the IP address and port number.

IDS (Intrusion Detection System): IDS is a system that detects intrusion attempts by checking network packets. IDS can match patterns based on logs and signatures on the network, such as intrusions. For example, the IDS may analyze the packet content. IDS detects whether there is malicious data in the application data of network packets, and basically only detects and does not block.

IPS (Instrument Prevention System): IPS is a system that blocks intrusions. IPS is a system with an active response function added compared to the existing IDS, and it detects whether there is malicious data in the application data of the network packet and blocks the attempt. Compared to IDS detecting intrusion, IPS can prevent access before intrusion. The IPS blocks packets, analyzes the contents of packets, detects/blocks misuse, and performs immediate response in real time, such as detecting/blocking anomalies, and session-based detection.

VPN (Virtual Private Network): A VPN is a virtual private network, a service that secures online privacy and protects sensitive data by connecting to the Internet through an encrypted tunnel. A VPN implements a virtual private network in the public network, and can be used to protect the connection in public Wi-Fi hotspots, and to protect the privacy of browsing activities by hiding the IP address.

WAF (Web Application Firewall): WAF is a security solution that blocks attack attempts on web applications. WAF blocks the packet when web application attack data is included in the packet data, and effective blocking is possible when an attack on an already allowed service occurs.

ESM (Enterprise Security Management): ESM is a security solution that can manage multiple hosts and security systems in an integrated manner. In addition, ESM can integrate and manage log information collected from multiple security devices.

1. Streaming Data and Windows

Streaming data is data that is continuously generated from thousands of data sources, and usually data records are transmitted simultaneously in a small size (in units of Kilo Byte (KB)). Streaming data includes log files generated by customers using mobile or web applications, e-commerce purchases, in-game player activity, information from social networks, stock exchanges, geospatial services (GPS), and telemes from connected devices. It includes a variety of data, such as trees and data center instrumentation.

This data must be processed sequentially, either record-by-record or incrementally over a sliding time window, and is used for a variety of analyses, including correlation, aggregation, filtering, and sampling. The information derived from this analysis gives companies visibility into various aspects of business and customer activity, enabling them to respond quickly to situations that arise. For example, by continuously analyzing social media streams, businesses can track changes in public sentiment about their brands and products and respond appropriately when necessary.

In the case of streaming data, it can be difficult to determine the timing when the result should be sent because the data comes in without interruption. For this purpose, tasks are cut and processed based on time, which is called 'windowing'. Specifically, windowing means processing at regular time intervals when processing streaming data.

Since streaming data is continuously input, it is necessary to continuously process and store it in a specific time period unit. For example, in the case of 10-minute windowing, data received between 1:00 and 2:00 is 1:10, 1:20, 1:30, … It can be collected as a unit and processed collectively. This unit is called 'window'.

A window is largely classified into a fixed window, a sliding window, and a session window according to a method of cutting data, and various window concepts exist in addition.

1) Fixed Windows

It is a concept of dividing a time window into precise time units. As in the example mentioned above, when the window size is 10 minutes, 1:10 is the data from 1:00 to 1:10, and 1:20 is the data from 1:10 to 1:20. handle

2) Sliding Windows

The sliding window method is a concept in which the window moves.

The concept of the sliding window is that the data before and after +-(±)N (N is a natural number) time from the current time is extracted every M (M is a natural number) time is called a sliding window, and these windows may overlap each other.

For example, a scenario in which the number of users from 10 minutes before the current time to the measurement time is measured in units of 1 minute may be assumed. For example, since data is extracted every unit time (eg, every 1 minute), and data 10 minutes before that time is extracted each time, the data overlap.

This extraction interval is called Period (1 minute in front), and the extraction period is called Length or Size (10 minutes in front).

3) Session Windows

In the session window, if the user does not respond for a certain period of time (data does not come up), from the start of the session to the time when the response is lost is grouped and processed as one session.

For example, assuming the session timeout is 20 minutes and data is being processed from 1:00, data is processed at 1:01 and 1:15, and if data is processed at 1:40 minutes, it is 20 minutes after 1:15. Since no data has been processed for a minute (until 1:35), 1:00, 1:01, 1:15 can be established as one session, and 1:40 can be defined as the start of a new session. .

2. How to analyze streaming data

1 shows an analysis method using a window for streaming data of the present invention.

1 , an event W1 occurs at t+4, an event W2 occurs at t+5, and an event W3 occurs at t+6.5. Here, when all events W1, W2, and W3 enter the window, an alarm is sounded (data or resources corresponding to the alarm are output) and the size of the window is assumed to be 4 seconds (seconds). Since this assumption is an example, in the present invention, the conditions of the size of the window and the number of events in the window for raising the alarm can be changed.

At t+4, only W1 exists in the window, so the alarm does not sound. As time passes, W1, W2, and W3 exist in the window at t+6.5, and an alarm is sounded at this time.

2 is a diagram illustrating a batch analysis method for streaming data according to the present invention.

In the present invention, batch refers to processing data to be processed for a certain period or by a certain amount as one of data processing types of a computer. That is, in the system of the present invention, collecting data to be processed on a daily or monthly basis and synthesizing and processing the data is called batch processing or batch processing. It is a relative word for immediate processing or real-time processing, which is processed immediately after data is generated.

In batch analysis of streaming data, data to be analyzed can be synthesized and a certain amount of data can be collected and analyzed. This is useful for work that needs to be analyzed at a certain point in time.

Referring to FIG. 2 , an alarm (data corresponding to an alarm) may be output when a certain amount of streaming data is collected and analyzed periodically to generate two or more events. The time batch is 4 seconds, and events W1 and W2 occur at t+1 and t+3, respectively.

When streaming data from t+4 to [t, t+4] is synthesized and analyzed, events W1 and W2 have occurred, and since two or more events have occurred, an alarm is sounded.

If the streaming data from t+8 to [t+4, t+8] is synthesized and analyzed, the event does not sound an alarm because one event occurred in W3.

The above is an example of the present invention, and in various embodiments, the size of the time batch and the number of event occurrences, which are conditions for sounding an alarm, are variable variables.

Analyzing data stored for a certain period in a batch method has a problem in that real-time data analysis is difficult. Therefore, the present invention proposes a hybrid analysis method that combines real-time streaming analysis and batch analysis of data in order to increase the efficiency of data processing and analysis.

3 is a diagram illustrating correlation analysis applicable to various embodiments of the present invention.

Correlation analysis refers to numerically analyzing the relationship between the mutually correlated parameters for two variables and the degree of the relationship.

Referring to FIG. 3 , an example of a correlation analysis method for finding and analyzing similarities between groups A and B is shown.

It is assumed that group A is a set of cases in which traces are found according to IPS, and group B is a set of traces found in FW. The intersection of group A and group B can be, for example, the same ID (identification) or the same IP (internet protocol). can be

If the IPS detects the occurrence of an event, it is possible to refer to whether there is the same trace in the FW to know whether it is an actual intrusion trace. For example, tens of thousands of events are detected on the security control system, and correlation analysis is performed to determine whether these events are hackers intrusion or noise unrelated to actual intrusion, thereby increasing the efficiency of intrusion determination.

There are three main methods of analysis.

First, there is a storage and retrieval (batch analysis) method. It may be a method of searching the firewall for specific traces detected by the IPS once more.

Second, real-time search and analysis can be performed to compensate for the shortcomings of the method of searching after saving. For example, after real-time analysis of streaming data in the IPS, the stored data can be searched in the firewall (FW).

Third, a method of combining real-time analysis and real-time analysis is also possible.

4 shows a method of combining real-time streaming analysis and batch analysis (store and retrieve) for the correlation analysis of FIG. 3 .

Referring to FIG. 4 , an alarm sounds when two or more events occur in a window by utilizing real-time streaming analysis in IPS. Conditions such as window size and number of events to trigger an alarm can be changed.

According to one embodiment, when the condition that two events W3 and W4 occur in a window is satisfied, whether W3 or W4 events have occurred in the past in the FW (firewall) can be determined by performing a batch analysis in a heterogeneous FW. There is (or do a search). As described above, by performing a correlation analysis based on the satisfaction of a specific condition, the scope of the analysis can be reduced and the efficiency can be increased.

Although the case of performing batch analysis after streaming analysis is given as an example, according to various embodiments, it is also possible to perform streaming analysis based on satisfaction of a specific condition after batch analysis. In addition, although IPS and FW are used in one embodiment, other methods/systems/devices may be used.

The search range can be set arbitrarily, such as yesterday, the last week, or a specific period, and since windows can exist in parallel for each rule, there can be one or more.

The analysis method combining the real-time streaming analysis and batch analysis of the present invention is as follows.

1) Real-time (streaming) and alerts

Set the detection rule for data coming in real-time in the streaming method. The detection rule can be set as (1) when an event corresponding to the ID of a person leaving the company occurs, (2) when an ID that is not in the database is detected, (3) when an external IP is detected, etc. Configurable. Based on this, when an event caught in a detection rule occurs, an alert for the rule is generated. The alerts that are raised contain the detected data.

2) Extract data from streaming alerts

From the data detected in the streaming alert, data to perform batch analysis is extracted.

3) Batch analysis

Using the data extracted in step 2) as a filter condition, a search is performed and correlation analysis is performed.

5 is a conceptual diagram conceptually illustrating a process in which collected data is collected in a security device.

Referring to FIG. 5 , assets (DataBase Management System (DBMS), Operating System (OS), Web Application Server (WAS), Network) are connected to the Internet through security devices. The security device includes devices such as a firewall, an intrusion detection system (IDS), and an intrusion prevention system (IPS), and data satisfying a preset condition may be collected from each device.

6 is a conceptual diagram illustrating a process of hybrid analysis according to the present invention.

One or more detection rules for incoming data in real time are set ( 601 ).

Streaming analytics can be performed on incoming data in real time from an intrusion prevention system (IPS). In detail, it is determined whether the number of occurrences of the event corresponding to the detection rule is greater than or equal to a preset level (603), and data to be entered into the batch analysis condition from among the detected data is extracted (605).

When the event is greater than or equal to a predefined threshold within the window, the IPS determines that the number of occurrences of an event corresponding to one or more detection rules is greater than or equal to the preset level. If the number of occurrences of an event acquired from data acquired before the acquisition time of the data acquired in real time increases, the size of the window (window width) may also be set to increase.

For correlation analysis, IPS transmits the extracted data to the firewall (FW) so that correlation analysis between IPS and FW is possible.

The FW checks whether there is the same data as the extracted data among the data stored within the search range by batch-analyzing the data received from the IPS (data extracted from the IPS) within the search range ( 607 ). The search range can be arbitrarily set by the user.

In one embodiment, the case of streaming analysis in IPS and batch analysis in FW is combined, but the same analysis can be performed in other systems, and the combination of analysis types can be changed.

3. Effect of Streaming Data Hybrid Correlation Analysis

According to the various embodiments of the present invention described above, by combining the advantages of a method combining real-time alerts and batch search in heterogeneous correlation analysis, data is extracted from alerts that occur in real time, and this is used as a filter condition. A more efficient correlation analysis can be performed by directly performing a batch search.

4. Implementation of the present invention

7 shows an example of an apparatus in which the present invention may be implemented.

Referring to FIG. 7 , the device may include an input/output unit 310 , a communication unit 320 , a sensing unit 330 , a database 340 , and a processor 350 .

The input/output unit 310 may be various interfaces or connection ports that receive user input or output information to the user. The input/output unit 310 may be divided into an input module and an output module, and the input module receives a user input from a user. The user input may be made in various forms including a key input, a touch input, and a voice input. Examples of input modules that can receive such user input include a traditional keypad, keyboard, and mouse, as well as a touch sensor that detects a user's touch, a microphone that receives a voice signal, a camera that recognizes gestures through image recognition, A proximity sensor composed of an illuminance sensor or infrared sensor that detects a user's approach, a motion sensor that recognizes a user's motion through an acceleration sensor or a gyro sensor, and various other input means for sensing or receiving various types of user input It is a comprehensive concept that includes all Here, the touch sensor may be implemented as a piezoelectric or capacitive touch sensor for detecting a touch through a touch panel or a touch film attached to the display panel, an optical touch sensor for detecting a touch by an optical method, and the like. In addition, the input module may be implemented in the form of an input interface (USB port, PS/2 port, etc.) that connects an external input device that receives a user input instead of a device that detects a user input by itself. In addition, the output module can output various information and provide it to the user. The output module is a comprehensive concept that includes a display that outputs an image, a speaker that outputs a sound (and/or an amplifier connected thereto), a haptic device that generates vibration, and other various types of output means. In addition, the output module may be implemented in the form of a port-type output interface for connecting the above-described individual output means.

For example, the display-type output module may display text, still images, and moving images. The display includes a liquid crystal display (LCD), a light emitting diode (LED) display, an organic light emitting diode (OLED) display, a flat panel display (FPD), and a transparent display. display), a curved display, a flexible display, a three-dimensional display, a holographic display, a projector, and various types of devices capable of performing other image output functions. It is a concept meaning an image display device in a broad sense that includes all. Such a display may be in the form of a touch display integrally formed with the touch sensor of the input module.

The communication unit 320 may communicate with an external device. Accordingly, the device (device) may transmit/receive information to and from an external device through the communication unit. For example, the device may communicate with an external device so that information stored and generated in the illegal parking/stop warning system is shared using the communication unit.

Here, communication, that is, transmission and reception of data may be performed by wire or wirelessly. To this end, the communication unit includes a wired communication module that accesses the Internet through a local area network (LAN), a mobile communication module that accesses a mobile communication network through a mobile communication base station and transmits and receives data, and a wireless local area network (WLAN) such as Wi-Fi. A short-distance communication module using an area network communication method or a wireless personal area network (WPAN) communication method such as Bluetooth or Zigbee, or a global navigation satellite system (GNSS) such as GPS (Global Positioning System) ) using a satellite communication module or a combination thereof. A wireless communication technology used for communication may include a Narrowband Internet of Things (NB-IoT) for low-power communication. In this case, for example, NB-IoT technology may be an example of LPWAN (Low Power Wide Area Network) technology, and may be implemented in standards such as LTE Cat (category) NB1 and/or LTE Cat NB2, It is not limited. Additionally or alternatively, a wireless communication technology implemented in a wireless device according to various embodiments may perform communication based on LTE-M technology. In this case, as an example, the LTE-M technology may be an example of an LPWAN technology, and may be called various names such as enhanced machine type communication (eMTC). For example, LTE-M technology is 1) LTE CAT 0, 2) LTE Cat M1, 3) LTE Cat M2, 4) LTE non-BL (non-Bandwidth Limited), 5) LTE-MTC, 6) LTE Machine Type Communication, and/or 7) may be implemented in at least one of various standards such as LTE M, and is not limited to the above-described name. Additionally or alternatively, a wireless communication technology implemented in a wireless device according to various embodiments may include at least one of ZigBee, Bluetooth, and Low Power Wide Area Network (LPWAN) in consideration of low power communication. may include, and is not limited to the above-mentioned names. For example, the ZigBee technology can create PAN (personal area networks) related to small/low-power digital communication based on various standards such as IEEE 802.15.4, and can be called by various names.

The identification unit 330 includes a camera that recognizes an object, etc. through image recognition, a detection sensor that detects an object approach, and various types of identification/sensing means that detect or receive various types of external inputs. could be a concept. The identification unit may be understood to be the same as the input module in the input/output unit 310 and/or may be understood to be separate from the input module. The identification unit 330 includes a geomagnetic sensor, an acceleration sensor, a temperature/humidity sensor, an infrared sensor, a gyroscope sensor, a location sensor (eg, GPS), a barometric pressure sensor, a proximity sensor, and an RGB sensor (illuminance). sensor), a lidar sensor, an illuminance sensor, and a current sensor may further include, but is not limited thereto. Since a function of each sensor can be intuitively inferred from the name of a person skilled in the art, a detailed description thereof will be omitted.

The database 340 may store various types of information. A database can store data temporarily or semi-permanently. For example, in the database, an operating program (OS) for driving the first device and/or the second device, a program or application (eg, a web application) for generating data or Braille for hosting a web site ) may be stored. In addition, the database may store the modules in the form of computer code as described above.

Examples of the database 340 include a hard disk (HDD), a solid state drive (SSD), a flash memory, a read-only memory (ROM), a random access memory (RAM), and the like. This can be. Such a database may be provided in a built-in type or a detachable type.

The processor 350 controls the overall operation of the device (device). To this end, the processor 350 may perform calculation and processing of various types of information and may control operations of components of the first device and/or the second device. For example, the processor 350 may execute a program or application for an artificial intelligence-based traffic safety system. The processor 350 may be implemented as a computer or a similar device according to hardware software or a combination thereof. In hardware, the processor 350 may be provided in the form of an electronic circuit that processes electrical signals to perform a control function, and in software, it may be provided in the form of a program that drives the processor 240 in hardware. Meanwhile, in the following description, unless otherwise specified, the operations of the first device and/or the second device may be interpreted as being performed under the control of the processor 350 . That is, when the modules implemented in the artificial intelligence-based traffic safety system are executed, the modules may be interpreted as controlling the processor 350 to perform the following operations on the first device and/or the second device.

In summary, the present invention may be implemented through various means. For example, various embodiments may be implemented by hardware, firmware, software, or a combination thereof.

In case of implementation by hardware, the method according to the present invention may include one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays), a processor, a controller, a microcontroller, a microprocessor, and the like.

In the case of implementation by firmware or software, the method according to the present invention may be implemented in the form of a module, procedure, or function that performs the functions or operations described below. For example, the software code may be stored in a memory and driven by a processor. The memory may be located inside or outside the processor, and data may be exchanged with the processor by various known means.

The steps of a method or algorithm described in relation to an embodiment of the present invention may be implemented directly in hardware, as a software module executed by hardware, or by a combination thereof. A software module may contain random access memory (RAM), read only memory (ROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, hard disk, removable disk, CD-ROM, or It may reside in any type of computer-readable recording medium well known in the art to which the present invention pertains.

In the above, embodiments of the present invention have been described with reference to the accompanying drawings, but those of ordinary skill in the art to which the present invention pertains can realize that the present invention can be embodied in other specific forms without changing the technical spirit or essential features thereof. you will be able to understand Therefore, it should be understood that the embodiments described above are illustrative in all respects and not restrictive.

Claims (11)

In the method of operation of the device,
setting one or more detection rules for first data acquired in real time;
determining whether the number of occurrences of the event corresponding to the one or more detection rules is equal to or greater than a preset level; and
extracting second data corresponding to an event occurring above the preset level to be entered as a condition of batch analysis from among the first data;
transmitting the second data to a firewall (FW) using the second data as a filter condition;
searching for whether data identical to the second data occurs more than a predetermined number of times among data stored in a memory of the firewall within a search range corresponding to a time batch size set in the firewall; and
Blocking unauthorized access from an external network,
The step of determining whether the event corresponding to the one or more detection rules has occurred above the preset level includes determining whether the number of occurrences of the event is greater than or equal to a predefined threshold within one or more windows,
The time batch size is set to a predetermined period in relation to the characteristics of the data to be searched,
The one or more windows exist in parallel for each of the one or more detection rules,
The one or more windows existing in parallel for each of the one or more detection rules may overlap each other in a time domain, and
The method, characterized in that the first data obtained in real time is sequentially processed in an incremental manner according to the one or more windows. According to claim 1,
The method, characterized in that, as the number of occurrences of the event acquired from the third data acquired at a point in time earlier than the first data increases, the size of the window increases. According to claim 1,
The method comprising the step of cluster-analyzing data having the same ID (ID) or the same IP (Internet Protocol) among the first data. According to claim 1,
Based on the resource for processing the first data is required more than a threshold, the first data is characterized in that the distributed processing through a plurality of servers, the method. According to claim 1,
The detection rule is characterized in that it is set when an event corresponding to the ID of a retiree occurs, when an ID not in the database is detected, or when an external IP (internet protocol) is detected. delete delete delete According to claim 1,
The method further comprising the step of analyzing a pattern based on a difference between the occurrence time of the event corresponding to the first data and the time at which data on the firewall corresponding to the second data is located. An apparatus for processing first data acquired in real time,
The apparatus for processing the first data includes:
a memory configured to store data; and
one or more processors coupled to the memory;
The one or more processors include:
setting one or more detection rules for the first data;
determining whether the number of occurrences of the event corresponding to the one or more detection rules is greater than or equal to a preset level;
extracting second data corresponding to an event occurring above the preset level to be entered as a condition of batch analysis from among the first data;
configured to transmit the second data to a firewall (FW) as a filter condition,
the one or more processors determine that the event corresponding to the one or more detection rules has occurred above the preset level when the event is greater than or equal to a predefined threshold within one or more windows;
searching for whether the same data as the second data occurs more than a certain number of times among data stored in the memory of the firewall within a search range corresponding to a time batch size set in the firewall; and
configured to block unauthorized access from external networks;
The time batch size is set to a predetermined period in relation to the characteristics of the data to be searched,
The one or more windows exist in parallel for each of the one or more detection rules,
The one or more windows existing in parallel for each of the one or more detection rules may overlap each other in a time domain, and
The apparatus, characterized in that the first data acquired in real time is sequentially processed in an incremental manner according to the one or more windows. delete

Images