KR102432835B1 - Security Event De-Identification System and Its Method - Google Patents

Abstract

The present invention relates to a security event de-identification system and a method thereof, and more specifically, to a security event de-identification system and a method thereof. The security event de-identification system includes a server which is connected to a plurality of client information assets and receives a log about a security event. A de-identification target in the log is searched using a regular expression of the de-identification target and the position of the regular expression. After classifying the searched de-identification target into a one-way encryption target and a two-way encryption target according to the criteria, one-way and two-way encryption are performed. The server receives the log in which the designated de-identification target is encrypted, and decrypts and decrypts and stores a part of the encrypted de-identification target. Accordingly, in a situation where a log about a security event is disclosed and/or leaked to the outside due to an external attack and the like, a de-identification target such as personal information, IP, and information that a user desires to analyze can be hidden, and at the same time, information to be analyzed in the security event can be separately stored.

Description

Security Event De-Identification System and Its Method

The present invention relates to a security event de-identification system and a method therefor, and more particularly, includes a server connected to a plurality of client information assets to receive a log for a security event, and the de-identification target in the log is non-identifying. The search is performed using the regular expression of the identification target and the location of the regular expression, and the searched de-identification target is divided into a one-way encryption target and a two-way encryption target according to a criterion, and then one-way and two-way encryption is performed, and the server In a situation where the specified de-identification target receives the encrypted log, but decrypts and stores some of the encrypted de-identification target, so that the log of the security event is disclosed and/or leaked to the outside due to an attack from the outside, etc. It relates to a security event de-identification system and method that can separately store information to be analyzed among security events while allowing de-identification targets such as personal information, IP, and information to be analyzed by a user.

Various data and logs are collected in systems related to Internet communication and security, such as integrated security management, log management, and big data analysis system. Various Internet activities such as access and information transmission are recorded in logs, and among the data recorded in the log, information that causes problems when leaked to the outside, such as personal information and confidential information, is included. In particular, not only the on-premises environment, which is a method in which solutions such as software are installed and operated directly on their own computer room server rather than a remote environment such as the cloud, but also the cloud method, in which an external service provider hosts data and stores the data in the supplied external server. As it becomes popular, when various information is stored in the cloud, a bigger problem occurs when personal information is leaked among data recorded as logs.

In conventional Internet sites, user's personal information is encrypted, and the method is to encrypt and store data input by the user, such as when registering as a member, in a database such as an RDBMS. Encryption of personal information in such Internet sites is legally compulsory, and the input plaintext is encrypted and stored, and the plaintext cannot be restored from the stored password.

However, since it is not a legal obligation to encrypt personal information in the log that records security events such as access records and information transmission records, personal information in the log is frequently stored without encryption. If the personal information in the log is stored unencrypted, the problem of personal information leakage occurs when the log stored in the cloud and/or server is leaked by an external attack or an external attacker can steal and/or read the log being transmitted to the server do. In addition, meaningful information in the security event that can be used as an analysis and strategic asset without being disclosed to the outside can be included in the log. If such information is disclosed to the outside, property damage may occur due to leakage of meaningful information or the economic status that could be lost through analysis and utilization of meaningful information may occur.

Therefore, while removing the possibility of external leakage by encrypting personal information such as IP and resident registration number in the log where security events are recorded, meaningful information such as the access route and access frequency within the site can be analyzed among security events for use in strategies such as marketing. A de-identification system capable of verifying data is required.

The present invention has been devised to solve the above problems,

An object of the present invention is to include a server that receives a log of a security event occurring in a client information asset, wherein the server includes a communication unit, and a designated de-identification target in the log receives and protects an encrypted log. To provide a security event de-identification system that allows personal information to be analyzed and meaningful information to be analyzed from the client information asset to the server in an encrypted state.

An object of the present invention is to analyze the non-identification target in the log according to the type, and the server further includes a decryption unit for decrypting the encrypted non-identification target without leaking meaningful information in the security event to the outside. It is to provide a security event de-identification system that allows

An object of the present invention is to include an agent running in a client information asset and having a log collection module for collecting security event logs generated or stored in the client information asset, and an agent having a de-identification unit that encrypts a de-identification target in the collected log. and the de-identification unit includes an identification information search module for finding a de-identification target in the log, a type determination module for determining the encryption type of the de-identification target, and an encryption module for encrypting the de-identification target, the server The decryption unit includes a target determination module that searches for a decryptable part among the transmitted logs, and a conversion module that decrypts an unidentified target determined to be decryptable. It is to provide a security event de-identification system that can separately store the information to be analyzed among security events while hiding the target of de-identification such as personal information, IP, and information that the user wants to analyze.

An object of the present invention is that the identification information search module searches for a de-identification target in a log using a regular expression of the de-identification target and the location of the regular expression, and the type determination module uses the searched de-identification target as a reference. Accordingly, it is to provide a security event de-identification system that separates the one-way encryption target and the two-way encryption target so that personal information cannot be identified in the server.

It is an object of the present invention, wherein the server further comprises a de-identification command transmission unit for allowing the client information asset to encrypt the de-identification target in the log for the security event, wherein the de-identification command transmission unit is collected in the client information asset. Including a command generation module that generates a command to encrypt the target of de-identification in the log for security events, de-identification of personal information is possible even when normal agent execution is not possible. It is to provide a security event de-identification system that can neutralize attacks such as hacking.

An object of the present invention is to transmit a hash value to the server when the command is executed in the client information asset, and the server performs an integrity check of the command through the received hash value to prevent forgery and falsification of security events It is to provide a system.

An object of the present invention is that the client information asset includes an information asset that cannot be installed or executed by an agent, and the server additionally receives an unencrypted log of a designated de-identification target from the client information asset, wherein the server Further comprising an encryption unit for encrypting a non-identification target among the unencrypted log, the encryption unit is an identification information search module for finding a non-identification target in the log, a type determination module for determining the encryption type of the non-identification target, and To provide a security event de-identification system that improves the security of personal information by additionally de-identifying and storing unencrypted personal information in the server, including an encryption module that encrypts the identification target.

The present invention is implemented by an embodiment having the following configuration in order to achieve the above object.

According to an embodiment of the present invention, the present invention includes a server that receives a log of a security event occurring in a client information asset, wherein the server includes a communication unit, and a designated de-identification target in the log is encrypted It is characterized in that the received log is transmitted.

According to another embodiment of the present invention, the non-identification target in the log is encrypted according to the type, and the server further comprises a decryption unit for decrypting the encrypted non-identification target.

According to another embodiment of the present invention, the present invention operates in a client information asset, and encrypts a log collection module that collects a log of security events occurring or stored in the client information asset, and a non-identification target in the collected log. and an agent having a de-identification unit that and an encryption module, wherein the decryption unit of the server comprises a target determination module for searching for a decryptable part from among the transmitted logs, and a conversion module for decrypting an unidentified object determined to be decryptable.

According to another embodiment of the present invention, in the present invention, the identification information search module searches for a de-identification target in a log using a regular expression of the de-identification target and a position of the regular expression, and the type determination module includes: It is characterized in that the searched de-identification target is divided into a one-way encryption target and a two-way encryption target according to a criterion.

According to another embodiment of the present invention, the server further comprises a de-identification command transmission unit for allowing the client information asset to encrypt the de-identification target in the log for the security event, and the de-identification The command transmission unit is characterized in that it includes a command generation module for generating a command for encrypting a non-identification target in a log for a security event collected in the client information asset.

According to another embodiment of the present invention, in the present invention, when the command is executed in the client information asset, a hash value is transmitted to the server, and the server performs an integrity check of the command through the received hash value. Thus, it is characterized in that forgery is prevented.

According to another embodiment of the present invention, in the present invention, the client information asset includes an information asset that cannot be installed or executed by an agent, and the server logs an unencrypted de-identification target designated from the client information asset. Doedoe further transmitted, the server further comprises an encryption unit for encrypting the non-identification target among the unencrypted logs, the encryption unit identification information search module for finding the non-identification target in the log, encryption of the non-identification target It is characterized in that it comprises a type determination module for determining the type and an encryption module for encrypting the non-identification target.

The present invention can obtain the following effects by the configuration, combination, and use relationship described below with the present embodiment.

The present invention includes a server that receives a log of a security event occurring in a client information asset, wherein the server includes a communication unit, and a designated de-identification target in the log receives and protects an encrypted log. It derives the effect of providing a security event de-identification system that allows information and meaningful information to be analyzed to be transmitted from the client information asset to the server in an encrypted state.

In the present invention, the non-identification target in the log is encrypted according to the type, and the server further includes a decryption unit for decrypting the encrypted non-identification target so that meaningful information in the security event can be analyzed without leaking to the outside. do.

The present invention is driven in a client information asset and includes a log collection module for collecting security event logs generated or stored in the client information asset, and an agent having a de-identification unit for encrypting a de-identification target in the collected log, The de-identification unit includes an identification information search module for finding a de-identification target in the log, a type determination module for determining an encryption type of the de-identification target, and an encryption module for encrypting the de-identification target, and decrypts the server The department includes a target determination module that searches for a decryptable part among the transmitted logs, and a conversion module that decrypts a non-identified target determined to be decryptable. The information to be analyzed among security events can be stored separately while allowing non-identification targets such as , IP, and information to be analyzed by the user.

In the present invention, the identification information search module searches for a de-identification target in a log using a regular expression of the de-identification target and the position of the regular expression, and the type determination module unidirectionally based on the searched de-identification target. By dividing the encryption target and the two-way encryption target, it is possible to obtain the effect that personal information cannot be identified in the server.

In the present invention, the server further comprises a de-identification command transmission unit for encrypting a non-identification target in a log for a security event of a client information asset, wherein the de-identification command transmission unit includes a security event collected in the client information asset. Including the command generation module that generates a command to encrypt the target of de-identification in the log for the log, de-identification of personal information is possible even when normal agent execution is not possible, and it is possible to check whether the program is forged or tampered with, so that hacking from outside It can neutralize attacks such as

According to the present invention, when the command is executed within the client information asset, a hash value is transmitted to the server, and the server performs an integrity check of the command through the received hash value to prevent forgery and falsification.

In the present invention, the client information asset includes an information asset that cannot be installed or executed by an agent, and the server additionally receives an unencrypted log of a designated non-identification target from the client information asset, wherein the server is not encrypted. Further comprising an encryption unit for encrypting the non-identification target in the log that is not identified, the encryption unit is an identification information search module for finding the non-identification target in the log, a type determination module for determining the encryption type of the non-identification target, and de-identification There is an effect of providing a security event de-identification system that improves the security of personal information by additionally de-identifying and storing unencrypted personal information in the server, including an encryption module for encrypting the target.

1 is an exemplary diagram illustrating that client information assets T1 and T2 are connected to a server 30 according to an embodiment of the present invention.
2 is a block diagram of a security event de-identification system 1 according to a preferred embodiment of the present invention.
3 is a block diagram of a security event de-identification system 1 according to another embodiment of the present invention.
4 is a block diagram of a security event de-identification system 1 according to another embodiment of the present invention.
5 is a flowchart of a security event de-identification method (S100) according to an embodiment of the present invention;
6 is a flowchart of an encryption step (S135) according to an embodiment of the present invention.
7 is a flowchart of a security event de-identification method (S200) according to another embodiment of the present invention.
8 is a flowchart of a security event de-identification method (S300) according to another embodiment of the present invention.

Hereinafter, preferred embodiments of the security event de-identification system and method according to the present invention will be described in detail with reference to the accompanying drawings. In the following description of the present invention, if it is determined that a detailed description of a well-known function or configuration may unnecessarily obscure the gist of the present invention, the detailed description thereof will be omitted. Unless otherwise defined, all terms in this specification have the same general meaning as understood by those of ordinary skill in the art to which the present invention belongs, and in case of conflict with the meaning of the terms used in this specification, the According to the definition used in the specification.

Throughout the specification, when a part "includes" a certain component, it does not exclude other components unless otherwise stated, and it means that other components may also be further included, The terms "~ unit" and "~ module" described herein mean a unit that processes at least one function or operation, which may be implemented as hardware or software, or a combination of hardware and software. Hereinafter, the present invention will be described in detail by describing preferred embodiments of the present invention with reference to the accompanying drawings.

1 is a block diagram of a security event de-identification system 1 according to a preferred embodiment of the present invention. Referring to FIG. 1, the security event de-identification system 1 identifies personal information, IP, information that the user wants to analyze, etc. Information that cannot be transmitted, that is, encrypted information is replaced and transmitted, and the server decrypts and stores the de-identified target to be analyzed. It is possible to separately store the information to be analyzed among security events while allowing non-identification targets, such as personal information, to be hidden. The security event de-identification system 1 may be connected to a plurality of client information assets, and may include an agent 10 in the client information assets T1 and a server 30 connected to the client information assets T1 and T2. have. As will be described later, the client information asset is connected to the server 30 so that an agent for diagnosing security events and performing security activities can be installed as a program or application, etc. As such, it can be divided into a type of client information asset T2 that transmits a security event log to the server 30 . The client information assets include security equipment and security systems that can function as nodes of a secure network, such as a PC, a server host, and a router. Security equipment and security systems refer to machines, systems, and software that operate to protect networks and/or information assets from internal and external threats. ) may be a security system, or a device such as a firewall.

1 and 2, the agent 10 is installed or provided in the client information asset T1 to perform a desired function, a security activity, and may be installed in the form of a program or an application, but the present invention can be referred to as a concept including a processor that is connected wirelessly/wired to the server 30 within the client information asset T1 to perform security activities. The agent 10 may include a log collection module 11 , a de-identification unit 13 , and a transmission module 15 .

The log collection module 11 functions to collect logs related to security events occurring in the client information asset. A log is data that contains system records, and through log data analysis, it is possible to detect and track intrusions from outside, and manage system performance. Web log and webtop log exist, and the security log records each event as defined in the security policy set for each object.

The de-identification unit 13 is configured to encrypt the de-identified target in the collected log, and after parsing the log stored as a file, searching for and encrypting the target to be encrypted, or without parsing the de-identified target in the log. If you can browse, you can encrypt it right away and save it as a file. Accordingly, the de-identification unit 13 encrypts personal information such as a resident registration number, account number, password, etc. in the log for the security event and meaningful information not to be disclosed to the outside, so that it cannot be known from the outside. The de-identification unit 13 may include an identification information search module 131 , a type determination module 133 , and an encryption module 135 .

The identification information search module 131 is configured to find a non-identification target in a log. The log for security events includes source IP information, destination IP information, source port information, destination port information, host information, and payload information. , HTTP referrer (hypertext transfer protocol referer) information, and information on the number of security events may include at least one, and the payload may include personal information such as a user's resident registration number and account number. The identification information search module 131 searches for the non-identification target, which is target information, to be encrypted in this log.

In an embodiment of the present invention, the identification information search module 131 may search for a non-identification target in a log using a regular expression of the non-identification target and/or a position of the regular expression. The identification information search module 131 may search for a non-identification target by using a different regular expression for each type of the non-identification target.

In an embodiment of the present invention, the regular expression of an e-mail address including a specific string (eg, "hacker") among the user's personal information or the e-mail address corresponding to the attacker is "\d*(hacker)\d*[ @]([a-z]+\.)+(com|net|kr)". The identification information search module 131 may select an e-mail address including a specified character string in the log as a de-identification target, or select all e-mail addresses as a de-identification target if a specific character string is not included. In addition, the user's personal information, the resident registration number, is "\d{2}([0]\d|[1][0-2])([0][1-9]|[1-2]\d|[ 3][0-1])[-]*[1-4]\d{6}" can be expressed as a search target. In this way, since the IP address, account number, card number, social security number, etc. can be expressed as a regular expression, the identification information search module 131 is not identified in the log based on the stored or input regular expression of the target de-identification target. The identification target can be searched.

Here, the identification information search module 131 may search for the de-identification target including the identification information based on the regular expression of the de-identification target and the position of the regular expression in the log. There are cases where it is not necessary to encrypt or de-identify personal or meaningful information, such as other types of information are recognized as de-identification targets or personal information is illustratively processed or created. Therefore, the identification information search module 131 uses the regular expression of the target de-identification target and the location of the regular expression to minimize unnecessary de-identification and selectively de-identify information that causes problems when leaked. The identification target can be searched.

In one embodiment of the present invention, in the case of the access log of the Apache server, the IP of the accessor is located at the forefront of the log. In the following log, the identification information search module 131 may recognize the visitor IP of 127.0.0.1 as a non-identification target by using the regular expression of the IP address at the forefront of the log.

127.0.0.1 - - [03/Dec/2019:01:21:23 +0900] "GET /referer.html HTTP/1.1" 304 -

In addition, if you want to de-identify an IP address that is an attack target from the outside, the attack target IP is located at the rear end of 'Victim=' in the log below. Accordingly, the identification information search module 131 may recognize the attack target IP of 2.2.2.2 as a non-identification target through the regular expression of the IP address located at the rear end of 'Victim='.

<36>[SNIPER-2000] [Attack_Name=(0006)UDP Flooding], [Time=2013/05/14 14:21:17], [Hacker=1.1.1.1], [Victim=2.2.2.2], [ Protocol=udp/26901], [Risk=high], [Handling=Alarm], [Information=], [SrcPort=61952]

Furthermore, the identification information search module 131 may determine the position of the regular expression based on the delimiter. In the log as follows, the delimiter is set to ':', and the mail address starting in the third is recognized as a de-identification target. may be

123:1.1.1.1:admin@test.com:2021-10-15 17:14:00

The type determination module 133 divides the de-identification target searched by the identification information search module 131 into a one-way encryption target and a two-way encryption target according to a criterion. In order to prevent disclosure to the outside, the user's personal information, such as resident registration number and account number, is classified into non-decryptable one-way encryption targets. It is divided into two-way encryption targets that can be decrypted so that they can be read. As the bidirectional encryption target, information that can be specified for analyzing access frequency, access time, access path, etc. may be classified, and information designated by the user for analysis may be reflected as the bidirectional encryption target.

The encryption module 135 is configured to encrypt the non-identification target, and according to the classification of the type determination module 133, the non-identification target recognized by the identification information search module 131 can be unidirectionally encrypted or bidirectionally encrypted. . One-way encryption is an encryption method using hashing, and it is impossible to convert ciphertext into plaintext, and an SHA-based hash algorithm may be used, but is not limited thereto. Bidirectional encryption can restore the contents to plaintext at the receiving end through a decryption process, and a symmetric key, a block method included in an asymmetric key, RSA, etc. may be used. As the encryption and decryption algorithm, a known or to-be-known method may be used.

The transmission module 15 transmits a log for the collected security event. In this case, the de-identification target encrypted and/or de-identified by the de-identification unit 13 may be included in the log. Accordingly, the transmission module 15 may store the encrypted log of the non-identification target as a file and transmit it to the server 30 .

The server 30 is configured to receive a log of a security event from a plurality of client information assets T1 and T2, process, analyze, and store the log. The server 30 may include a communication unit 31 , an encryption adjustment unit 32 , a decryption unit 33 , and a database (DB, 37 ).

The communication unit 31 is connected to the client information asset by wire or wirelessly to transmit and receive information from the client information asset. You can receive logs for events. In addition, as described later, it is also possible to send a command to the client information asset or access the client information asset.

The encryption adjustment unit 32 may be provided to set or adjust information to be de-identified in the log. A user or a security administrator can set the personal information to be encrypted and meaningful information in the log to be analyzed, and the target of de-identification in the log may be determined according to the set meaningful information. In one embodiment of the present invention, if the access frequency from one node for a given IP is defined as meaningful information, the access time from the same IP address may be determined as a non-identification target. The encrypted target, that is, the de-identification target adjusted in this way, is transmitted to the agent 10 through the communication unit 31 and de-identification is performed in the de-identification unit 13 in the agent 10, or a command for de-identification It may be transmitted to this client information asset (T1, T2).

Preferably, the decryption unit 33 decrypts the bidirectionally encrypted non-identification target in a configuration for decrypting the encrypted non-identification target. The decryption unit 33 is preferably stored in the form of a file, finds a decryptable target among the logs for the transmitted security event, and converts it into plaintext through an encrypted algorithm and/or a decryption algorithm and/or key matching the key can do. The decryption unit 33 may include a parsing module 331 , a target determination module 333 , and a conversion module 335 .

The parsing module 331 is provided to parse the log received from the client information asset. Preferably, since the log is stored and transmitted in the form of a file, the log file can be parsed by the parsing module 331 . The parsing module 331 parses the file in which the log is stored according to the parsing criteria stored in the database 37 or the parsing criteria input.

The target determination module 333 searches for a decryptable non-identification target among the encrypted non-identification targets in the log. In the reverse order of the process in which the de-identification unit 13 searches for the de-identification target in the log, the target determination module 333 determines whether the de-identification target is a de-identification target that can be decrypted based on the encrypted regular expression and location. can be judged

In an embodiment of the present invention, the log below indicates that the IP address at the end of 'Victim' is de-identified. Here, the target determination module 333 may recognize that the phrase at the rear end of 'Victim' is an unidentified IP address by using the regular expression of the IP address and location information of the rear end of 'Victim'. Thereafter, the target determination module 333 determines whether it is a decoding target according to the type of the non-identified target. Whether it is a decryption target may vary depending on the type of de-identification target set or designated by the encryption adjustment unit 32 . In an embodiment of the present invention, the resident registration number in the payload and the IP address at the end of 'Victim' are one-way encrypted and can be recognized as not being decrypted. It may be determined and recognized as a decoding target.

<36>[SNIPER-2000] [Attack_Name=(0006)UDP Flooding], [Time=2013/05/14 14:21:17], [Hacker=1.1.1.1], [Victim=B808E0327C2F216FF3BAE677FC02F923BBCCE38CBE6D6A3F047F46F46E6D6A325BDE36F6D6A3FE3C024F24E6D6A3FECC024F24E6D6A3FECC024F2438B58177B453B7 udp/26901], [Risk=high], [Handling=Alarm], [Information=], [SrcPort=61952]

The conversion module 335 may decrypt the non-identified target determined to be decryptable, and may decrypt the non-identified target through an algorithm and/or key corresponding to the algorithm and/or key used for bidirectional encryption.

The database (DB, 37) may store the transmitted log or may store the decrypted non-identification target to be analyzed. In addition, it is also possible to store the analysis result of the decrypted de-identification target.

Referring to another embodiment of the present invention shown in FIG. 3 , the agent in the client information asset T1 receives a command to de-identify the log related to the security event from the server 30, and de-identifies the log. A de-identification command can be sent to encrypt the target before transmission. Accordingly, the server 30 may further include a de-identification command transmission unit 34 .

The de-identification command transmission unit 34 is provided to generate and transmit a command for enabling the client information asset to encrypt the de-identification target in the log for the security event. The de-identification command may be a process file in a binary format. Unlike a script file that is analyzed and executed in real time by an interpreter such as Python, Perl, etc., it exists in plain text form and can only be executed when a program (interpreter) that can interpret the script exists. It is translated into machine language that can be executed immediately. When modifying the binary file, recompilation must be performed after modification, and execution is possible only in an operating system targeted for execution. As a result, the parts that can be arbitrarily modified or set from the outside are limited, and it is possible to prevent errors due to the wrong transmission of commands due to the negligence of the user or security administrator. Security event logs can be collected and aggregated within the asset. The de-identification command transmission unit 34 includes an integrity check module 341 and a command generation module 343 .

The integrity check module 341 configures a process file so that the integrity check can be performed when the generated de-identification command is executed in the client information asset. When the process file is transmitted and executed to the client information asset, the integrity check of the process file may be performed by a program provided in the client information asset T, but preferably, for the integrity check when the process file is executed, The hash value is transmitted to the server 30, and the server performs an integrity check and responds to the result to confirm the integrity of the process file.

As in the present invention, when a de-identification command is transmitted and the integrity of the transmitted de-identification command is checked when the de-identification command is executed, and logs related to security events are collected and encrypted, an attack from the outside can be prevented. can Thereby, when the de-identification command is executed on the client information asset, forgery is prevented through an integrity check. Various methods for checking integrity can be used, but preferably, integrity verification can be performed through a hash value, and a specific part of the de-identification command is processed with a hash value through a hash function to enter the inside of the de-identification command. Integrity verification can be performed by comparing the hash value in the de-identification command and the hash value derived by processing a specific part in the de-identification command with a hash function when the de-identification command is executed. When the integrity of the de-identification command is confirmed, the log on security events can be collected and encrypted. can be blocked

The command generation module 343 is configured to generate a command to encrypt a non-identified target in a log for a security event collected in a client information asset, and searches for a non-identified target in the log based on a regular expression and a location, After classifying the encryption type of the de-identification target into unidirectional and bidirectional, a command to encrypt the de-identification target according to the separated encryption type is generated.

In another embodiment of the present invention shown in FIG. 4 , the client information asset T2 may be an information asset that cannot be installed or executed by an agent. In this case, the log on the security event is transmitted to the server 30 without de-identification in the client information asset T2, and the log on the security event is de-identified by the server 30. To this end, the server 30 may further include an encryption unit 35 . The encryption unit 35 may include an identification information search module 351 , a type determination module 353 , and an encryption module 355 .

The identification information search module 351 , the type determination module 353 , and the encryption module 355 have substantially the same functions as the above-described identification information search module 131 , the type determination module 133 , and the encryption module 135 . It can be done, so let's substitute the explanation for it.

According to the combination of the above-described components, the de-identification target in the log is searched using the regular expression of the de-identification target and the position of the regular expression, and the one-way encryption target and the two-way encryption target are based on the searched de-identification target according to the criteria. After classifying into , one-way and two-way encryption is performed, and the server receives an encrypted log for a designated non-identification target in the log, and decrypts and stores some of the encrypted non-identification target, thereby preventing attacks from outside, etc. In a situation in which the log of security event is disclosed and/or leaked to the outside due to security events, the information to be analyzed among the security events can be stored separately while hiding non-identification targets such as personal information, IP, and information that the user wants to analyze. A security event de-identification system is implemented. Hereinafter, a security event de-identification method (S) according to an embodiment of the present invention will be described.

5, the security event de-identification method (S100) according to an embodiment of the present invention includes a log collection step (S110), a de-identification step (S130), a transmission step (S150), and a reception processing step (S170). ) may be included.

The log collection step (S110) is a process of collecting logs related to security events occurring in the client information asset, and may be performed by an agent running in the client information asset or the client information asset.

The de-identification step (S130) is a process of encrypting the non-identification target in the collected log. After parsing the log stored as a file, searching for and encrypting the target to be encrypted, or parsing the non-identifying target in the log. If it can be browsed without information, it is immediately encrypted and saved as a file, and personal information such as resident registration number, account number, and password in the log for security events and meaningful information that you do not want to be disclosed to the outside is encrypted and encrypted or de-identified so that it cannot be known from the outside. can get angry The de-identification step (S130) may include an identification information search step (S131), a type determination step (S133), and an encryption step (S135).

The identification information search step (S31) is a process of finding a non-identified target in the log, and searches for personal information such as resident registration number and account number in the log to be encrypted. In an embodiment of the present invention, the identification information search step (S31) may use a regular expression of the non-identification target and/or the location of the regular expression to search for the non-identification target in the log, and Different types of regular expressions can be used to search for de-identification targets.

In an embodiment of the present invention, the regular expression of an e-mail address including a specific string (eg, "hacker") among the user's personal information or the e-mail address corresponding to the attacker is "\d*(hacker)\d*[ @]([a-z]+\.)+(com|net|kr)". The identification information search module 131 may select an e-mail address including a specified character string in the log as a de-identification target, or select all e-mail addresses as a de-identification target if a specific character string is not included. In addition, the user's personal information, the resident registration number, is "\d{2}([0]\d|[1][0-2])([0][1-9]|[1-2]\d|[ 3][0-1])[-]*[1-4]\d{6}" can be expressed as a search target. In this way, since the IP address, account number, card number, social security number, etc. can be expressed in regular expressions, in the identification information search step ( S131 ), based on the stored or input regular expression of the target de-identification target, the The identification target can be searched.

Here, the identification information search step S131 may search for a non-identification target including identification information based on the above-described regular expression of the non-identification target and the position of the regular expression in the log. As there are cases where it is not necessary to encrypt or de-identify personal or meaningful information, such as other types of information are recognized as de-identification targets or personal information is processed or created by way of example, it is necessary to minimize unnecessary de-identification and leak information. In order to selectively de-identify information in which a problem occurs, the de-identification target may be searched for by using the regular expression of the target de-identification target and the position of the regular expression.

In one embodiment of the present invention, in the case of the access log of the Apache server, the IP of the accessor is located at the forefront of the log. In the following log, in the identification information search step (S131), the visitor IP of 127.0.0.1 can be recognized as a de-identification target by using the regular expression of the IP address at the forefront of the log.

127.0.0.1 - - [03/Dec/2019:01:21:23 +0900] "GET /referer.html HTTP/1.1" 304 -

In addition, if you want to de-identify an IP address that is an attack target from the outside, the attack target IP is located at the rear end of 'Victim=' in the log below. Accordingly, in the identification information search step (S131), the attack target IP of 2.2.2.2 can be recognized as a non-identification target through the regular expression of the IP address located at the rear end of 'Victim='.

<36>[SNIPER-2000] [Attack_Name=(0006)UDP Flooding], [Time=2013/05/14 14:21:17], [Hacker=1.1.1.1], [Victim=2.2.2.2], [ Protocol=udp/26901], [Risk=high], [Handling=Alarm], [Information=], [SrcPort=61952]

Further, in the identification information search step (S131), the position of the regular expression can be determined based on the delimiter. In the log as shown below, the delimiter is set to ':', and the mail address starting in the third is recognized as a de-identification target. may be

123:1.1.1.1:admin@test.com:2021-10-15 17:14:00

In the type determination step (S133), the de-identification target found in the identification information searching step (S131) is divided into a one-way encryption target and a two-way encryption target according to a criterion. In order to prevent disclosure to the outside, the user's personal information, such as resident registration number and account number, is classified into non-decryptable one-way encryption targets. It is divided into two-way encryption targets that can be decrypted so that they can be read. As the bidirectional encryption target, information that can be specified for analyzing access frequency, access time, access path, etc. may be classified, and information designated by the user for analysis may be reflected as the bidirectional encryption target.

The encryption step (S135) is a configuration for encrypting the non-identification target, and the non-identification target classified according to the classification in the type determination step (S133) may be one-way or two-way encrypted. Accordingly, the encryption step (S135) includes a one-way encryption step (S1351) and a two-way encryption step (S1353) as shown in FIG.

The one-way encryption step (S1351) is an encryption method using hashing, and it is impossible to convert the ciphertext into a plaintext, and an SHA-based hash algorithm may be used, but is not limited thereto.

In the two-way encryption step (S1353), the content can be restored to plaintext at the receiving end through the decryption process, and a symmetric key, a block method included in an asymmetric key, RSA, etc. may be used. As the encryption and decryption algorithm, a known or to-be-known method may be used.

In the transmitting step (S150), the log for the collected security event is transmitted to the server 30 side, and the de-identification target encrypted and/or de-identified by the de-identification unit 13 is included in the transmitted log. can

The reception processing step (S170) is a process of receiving a log from the server 30 and analyzing it, and preferably, some of the encrypted non-identification targets may be decrypted, analyzed, and stored. The reception processing step (S170) may include a parsing step (S171), a decoding target determination step (S173), a decoding step (S175), and a storage step (S177).

The parsing step (S171) may be performed by the parsing module 331, and is a process of parsing the log received from the client information asset. Preferably, since the log is stored and transmitted in the form of a file, the log file can be parsed in the parsing step (S331). In the parsing step (S331), the file in which the log is stored is parsed according to the parsing criteria stored in the database 37 or the parsing criteria input.

The decryption target determination step ( S173 ) may be performed by the target determination module 333 , and a decryptable non-identification target among the encrypted non-identification targets in the log is searched for. In the reverse order of the process of searching for a non-identification target in the log in the above-described identification information search step (S131), in the decryption target determination step (S173), the non-identification target can be decrypted based on the encrypted regular expression and location. target can be determined.

The decryption step (S175) may be performed in the conversion module 335, and is a process of decrypting a non-identified target determined to be decryptable, and an algorithm and/or corresponding to an algorithm and/or key used for bidirectional encryption. The de-identified target can be decrypted through the key.

The storing step (S177) is a process of storing the decrypted de-identified target and the de-identified target, and then the analysis result is stored in the database (DB, 37).

The security event de-identification method (S200) according to another embodiment of the present invention shown in FIG. 7 encrypts the de-identification target in the security event log with respect to the client information asset T2 in which the agent cannot be installed or executed. As a method of storing the data, it includes a log collection step (S210), a transmission step (S230), a parsing step (S240), a de-identification step (S250), and a storage step (S270).

At this time, the log collection step (S210) may be performed in the client information asset (T2), but the log may be transmitted to the server 30 through the transmission step (S230) in the form of syslog rather than a stored file.

The parsing step (S240) is a process of parsing the log after receiving it from the server 30, may be performed by the parsing module 331, and parsing the log received from the client information asset or a log in a predetermined form. is transmitted, the parsing step ( S240 ) may be omitted.

The de-identification step (S250) is a process of encrypting the non-identification target in the server 30, and may include an identification information search step (S251), a type determination step (S253), and an encryption step (S255). The de-identification step (S250), the identification information search step (S251), the type determination step (S253), and the encryption step (S255) are substantially the same as the de-identification step (S130) described above.

The storing step (S270) is a process of storing the decrypted de-identified target and the de-identified target, and then the analysis result is stored in the database (DB, 37). However, in the storing step (S270), the unencrypted personal information transmitted from the client information asset T2 may be additionally stored in the database (DB, 37). Accordingly, in the storage step (S270), unencrypted personal information to be unidirectionally encrypted may be deleted.

The security event de-identification method (S300) according to another embodiment of the present invention shown in FIG. 8 is connected to a plurality of client information assets (T1, T2) and receives a log related to a security event to de-identify and As a decryption process, it is to be performed in the server 30 and the security event de-identification system simultaneously connected with the client information asset (T1) where the agent can be installed and executed and the client information asset (T2) where the agent cannot be installed and executed. can

The security event de-identification method (S300) includes a log collection step (S310), a second log collection step (S320), a de-identification step (S330), a transmission step (S350), and a reception processing step (S370). . The log collecting step (S310) and the de-identifying step (S330) are substantially the same as the aforementioned log collecting step (S110) and the de-identifying step (S130), but the second log collecting step (S320) is performed by the server 30 It is a process in which the client information asset (T2), which cannot install or execute the agent connected to it, collects logs for security events that occur in the client information asset, and transmits the log to the server 30 without going through the de-identification process. .

Accordingly, the log transmitted to the server 30 in the transmission step S350 includes a log including an encrypted de-identification target and a log including an unencrypted de-identification target.

The reception processing step (S370) includes a parsing step (S371), a decoding target determination step (S373), a decoding step (S375), and a storage step (S375), and the above-described processes include the above-described parsing step (S171), a decoding target The determination step (S173), the decryption step (S175), and the storage step (S175) may be substantially the same. However, the reception processing step (S370) may further include a second de-identification step (S372) to encrypt and store non-de-identified personal information and meaningful information to be analyzed or utilized.

The second de-identification step (S372) may include a second identification information search step (S3721), a second type determination step (S3723), and a second encryption step (S375). The above processes are processes of encrypting the non-identification target in the server 30, and may be substantially the same as the identification information search step (S251), the type determination step (S253), and the encryption step (S255).

Therefore, in the second identification information search step (S3721) performed in the server 30, the non-identification target is searched for in the log by using the regular expression of the non-identification target and the position of the regular expression, and the second type determination step ( In step S3723), the searched de-identification target is divided into a one-way encryption target and a two-way encryption target according to a criterion, and the second encryption step (S3725) encrypts the one-way encryption target with an undecryptable algorithm, and sets the two-way encryption target to the server It can be encrypted so that it can be decrypted in .

The above detailed description is illustrative of the present invention. In addition, the above description shows and describes preferred embodiments of the present invention, and the present invention can be used in various other combinations, modifications, and environments. That is, changes or modifications are possible within the scope of the concept of the invention disclosed herein, the scope equivalent to the written disclosure, and/or within the scope of skill or knowledge in the art. The written embodiment describes the best state for implementing the technical idea of the present invention, and various changes required in the specific application field and use of the present invention are possible. Accordingly, the detailed description of the present invention is not intended to limit the present invention to the disclosed embodiments. Also, the appended claims should be construed to include other embodiments as well.

1: Security event de-identification system
10: Agent 11: Log Collection Module
13: de-identification unit
131: identification information search module 133: type determination module
135: encryption module 15: transmission module
30: server
31: communication unit 32: encryption coordination unit
33: decryption unit 331: parsing module
333: target judgment module 335: conversion module
34: non-identification command transmission unit 341: integrity check module
343: command generation module
35: encryption unit 351: identification information search module
353: type determination module 355: encryption module

Claims (14)

A server that receives logs of security events that occur in client information assets, a log collection module that runs within the client information assets and collects logs of security events that occur or are stored in client information assets, An agent having a de-identification unit to encrypt,
The de-identification unit includes an identification information search module for finding a de-identification target in the log, a type determination module for determining the encryption type of the de-identification target, and an encryption module for encrypting the de-identification target,
The server includes a communication unit, a decryption unit for decrypting the encrypted non-identification target,
The decryption unit includes a target determination module that searches for a decryptable part from among the transmitted logs, and a conversion module that decrypts an unidentified object determined to be decryptable,
The identification information search module searches the non-identification target in the log using the regular expression of the non-identification target and the position of the regular expression,
The security event de-identification system, characterized in that the type determination module divides the searched de-identification target into a one-way encryption target and a two-way encryption target according to a criterion. delete delete delete The method of claim 1, wherein the server further comprises a de-identification command transmission unit for allowing the client information asset to encrypt the de-identification target in the log for the security event,
The security event de-identification system, characterized in that the de-identification command transmission unit includes a command generation module for generating a command for encrypting a de-identification target in a log for a security event collected in the client information asset. 6. The method of claim 5, wherein the command transmits a hash value to the server when it is executed in the client information asset, and the server performs an integrity check of the command through the received hash value to prevent forgery and falsification. Security event de-identification system. Including a server that receives a log of security events that occur on information assets that cannot be installed or executed by the agent,
The server receives the unencrypted log of the designated de-identification target from the client information asset,
It includes a communication unit and an encryption unit that encrypts a non-identified target among unencrypted logs,
The encryption unit includes an identification information search module for finding a de-identification target in the log, a type determination module for determining the encryption type of the de-identification target, and an encryption module for encrypting the de-identification target. identification system. A log collection step in which the agent running in the client information asset collects logs for security events occurring in the client information asset, the de-identification step in which the agent encrypts the non-identification target in the log, and the client information asset is unidentified. A transmission step of transmitting a log including an identification target to a server, a reception processing step of receiving the transmitted log by the server and processing a log for a security event,
The de-identification step includes an identification information search step for finding a de-identification target in the log, a type determination step for determining the encryption type of the de-identification target, and an encryption step for encrypting the de-identification target,
The identification information search step searches for a non-identification target in the log using a regular expression of the non-identification target and the position of the regular expression,
The type determination step divides the searched de-identification target into a one-way encryption target and a two-way encryption target according to a criterion,
The encryption step includes a one-way encryption step of encrypting a one-way encryption target with an undecryptable algorithm, and a two-way encryption step of encrypting the two-way encryption target so that it can be decrypted by the server. 9. The security event rain according to claim 8, wherein the reception processing step comprises a decryption target determination step of searching for a decryptable part in a transmitted log, and a decrypting step of decrypting a non-identifiable object determined to be decryptable. identification method. delete 10. The method of claim 8 or 9, further comprising a second log collecting step of collecting logs of security events occurring in the client information assets by other client information assets connected to the server,
The log transmitted in the transmission step includes a log containing an encrypted de-identification target and a log containing an unencrypted de-identification target,
The receiving processing step is a security event de-identification method comprising a second de-identification step of encrypting the de-identification target in the log containing the non-encrypted de-identification target. 12. The method of claim 11, wherein the second de-identification step comprises a second identification information search step of finding a de-identification target in a log, a second type determination step of determining the encryption type of the de-identification target, and a de-identification target A second encryption step of encrypting
In the second identification information search step, the de-identification target is searched for in the log using the regular expression of the de-identification target and the position of the regular expression,
The second type determination step divides the searched de-identification target into a one-way encryption target and a two-way encryption target according to a criterion,
The second encryption step includes a one-way encryption step of encrypting a one-way encryption target with an undecryptable algorithm, and a two-way encryption step of encrypting the two-way encryption target so that it can be decrypted by the server. A log collection step in which the client information asset collects a log of a security event occurring in the client information asset, a transmission step of transmitting the log for the security event to a server;
A de-identification step of encrypting the de-identification target in the log in the server,
The de-identification step includes an identification information search step for finding a de-identification target in the log, a type determination step for determining the encryption type of the de-identification target, and an encryption step for encrypting the de-identification target,
The identification information search step searches for a non-identification target in the log using a regular expression of the non-identification target and the position of the regular expression,
The type determination step divides the searched de-identification target into a one-way encryption target and a two-way encryption target according to a criterion,
The encryption step includes a one-way encryption step of encrypting a one-way encryption target with an undecryptable algorithm, and a two-way encryption step of encrypting the two-way encryption target so that it can be decrypted by the server.
delete

Images