KR102556463B1 - Social advanced persistent threat prediction system and method based on attacker group similarity - Google Patents

Abstract

The present invention relates to a social issue-based cyber target attack prediction system and method using an attacker group similarity technique. It is about technology that can predict issue-based cyber targeted attacks.

Description

Social advanced persistent threat prediction system and method based on attacker group similarity}

The present invention relates to a social issue-based cyber target attack prediction system and method using an attacker group similarity technique, and more particularly, to an attacker group similarity technique that can predict the occurrence of a social issue-based cyber target attack that has not yet occurred. It is about the social issue-based cyber target attack prediction system and method.

A cyber targeted attack is an attack made by a set of insidious and continuous computer hacking processes by people targeting a specific entity, usually an individual, organization, country, or business or political organization (their operating server, etc.) make a target

These cyber-targeted attacks require a considerable degree of stealth for a long time, use malicious software to attack vulnerabilities in the operating server (or operating system) being targeted, and continuously attack from outside to create such malicious software. It monitors and extracts data on target objects.

Among these cyber targeted attacks, SAPT (Social Advanced Persistent Threat) based on social issues is a cyber targeted attack that an attacker organization strategically launches against multiple attack targets related to it under the pretext of a specific social issue. it means. These social issue-based cyber-targeted attacks cause a lot of social damage by serially, concurrently, or consecutively attempting cyber-attacks against multiple attack targets.

According to Symantec's announcement, it received the 6th largest number of cyber-targeted attacks in the world from about 140 attacker groups in 2017 alone, including domestic cyber-targeted attacks, PyeongChang Olympic cyber-attacks, defense, high-tech, and financial industries. Cyber targeted attacks in the past extorted important information within an organization, such as confidential data, key asset information, and personal information. However, modern cyber targeted attacks not only extort important information, but also carry out attacks to obtain economic benefits. there is. In addition, the purpose and means of attackers are becoming more intelligent and advanced, ranging from paralysis, destruction, or intimidation to systems within companies and institutions.

Conventional cyber targeted attacks are judged to be a threat at the national level, and investment is expanding accordingly. Existing security solutions and security frameworks clearly have limitations.

In other words, each server (institution, etc.) individually applies security techniques, so when social issue-based cyber targeted attacks occur simultaneously and in series, it is not recognized as a single attack trend. , there is a problem in that detection of social issue-based cyber targeted attacks is delayed because each server individually responds only to individual cyber targeted attacks.

In addition, since it is a technology for detecting the occurrence of a cyber targeted attack at the present time and promptly responding to it to prevent secondary damage, it is difficult to predict the occurrence of a cyber targeted attack, especially a cyber targeted attack based on social issues. There is a problem.

Konkuk University Master's Thesis Research on Rick Hash-based Malicious Code Analysis for Social Issue-based Cyber Target Attack Detection (2021.08.)

The present invention has been devised to solve the problems of the prior art as described above, and an object of the present invention is to predict in advance whether a cyber target attack based on a social issue that has not yet occurred will occur, and relatively accurately predict until the time of occurrence. The purpose of this study is to provide a social issue-based cyber target attack prediction system and method using an attacker group similarity technique.

In the social issue-based cyber target attack prediction system using the attacker group similarity method according to an embodiment of the present invention, the operation of multiple organizations that want to apply the social issue based cyber target attack prediction system using the attacker group similarity method The data collection unit 100 that receives security-related operation data from the server, generates each security-related operation data by the data collection unit 100 as a learning data set for artificial intelligence learning, and uses a plurality of artificial intelligence algorithms. To the learning processing unit 200 that performs learning processing on the learning data set using the data input unit 300 that receives real-time operation data from at least one of the operation servers of the plurality of institutions, and the learning processing unit 200 By using an ensemble technique applying a plurality of artificial intelligence models generated by, inputting the real-time operation data by the data input unit 300 to calculate the risk of occurrence of a cyber target attack based on social issues for the real-time operation data A predictive analysis unit 500 that predicts the time of occurrence of a cyber target attack based on the social issue analyzed by the risk analysis unit 400 using the risk analysis unit 400 and the stored attack characteristic DB for each attacker group it is desirable

Furthermore, the social issue-based cyber target attack prediction system using the attacker group similarity technique includes a first collection unit 600 that collects data related to multiple cyber target attacks that have occurred in the past, and the time when each cyber target attack occurred in the past. A second collection unit 700 that collects data related to social issues for a predetermined period of time as a standard, and a similarity analysis unit that analyzes the degree of similarity between the data collected by the first collection unit 600 and the second collection unit 700 ( 800) and the similarity analyzed by the similarity analysis unit 800, group attackers who have caused cyber target attacks in the past, match the collected data for each group, create a database, and transmit it to the prediction analysis unit 500 And it is preferable to further include an attacker analysis unit 900 for storing.

Furthermore, the prediction analysis unit 500 preferably performs a prediction analysis operation when the risk of occurrence calculated by the risk analysis unit 400 exceeds a preset risk threshold of the corresponding operation server.

Furthermore, it is preferable that the learning processing unit 200 performs parallel learning processing by applying each of the generated learning data sets using a plurality of artificial intelligence algorithms.

Furthermore, the risk analysis unit 400 inputs the real-time operation data to a plurality of artificial intelligence models, respectively, using an ensemble technique to which a plurality of artificial intelligence models are applied, and converts the real-time operation data from the plurality of artificial intelligence models. It is desirable to calculate the risk of occurrence of a cyber target attack based on social issues for the corresponding operation server by comparing and judging each analysis result.

Furthermore, the social issue-based cyber target attack prediction system using the attacker group similarity technique uses the risk of occurrence calculated by the risk analysis unit 400 or the time of occurrence predicted by the prediction analysis unit 500, It is preferable to further include a follow-up processing unit 1000 for generating proactive action information matched to the operating server.

Prediction of social issue-based cyber target attack using the attacker group similarity method in which each step is performed by the social issue-based cyber target attack prediction system using the computer-implemented attacker group similarity method according to another embodiment of the present invention In the method, in the data collection unit, an operation data input step of receiving security-related operation data from operation servers of multiple organizations to which a social issue-based cyber target attack prediction system using an attacker group similarity technique is applied (S100) , In the learning processing unit, the security-related operation data input by the operation data input step (S100) is generated as a learning data set for artificial intelligence learning, and learning of the learning data set using a plurality of artificial intelligence algorithms A learning processing step (S200) of performing processing, a real-time data input step (S300) of receiving real-time operating data from at least one of the operation servers of the plurality of institutions in the data input unit, and the learning processing step in the risk analysis unit. Using the ensemble technique to which a plurality of artificial intelligence models generated in (S200) are applied, the real-time operation data is input in the real-time data input step (S300), and social issue-based cyber target attack on the real-time operation data The risk calculation step (S400) of calculating the risk of occurrence of the occurrence of the social issue-based cyber target attack analyzed by the risk calculation step (S400) using the attack characteristic DB for each attacker group stored in the prediction analysis unit In the predictive analysis step (S500) of predicting and subsequent processing unit, using the results of the risk calculation step (S400) or the predictive analysis step (S500), proactive action information matched to the corresponding operation server is generated. and a corresponding step of transmitting (S600).

Furthermore, in the learning processing step (S200), it is preferable to perform parallel learning processing by applying each of the generated learning data sets using a plurality of artificial intelligence algorithms.

Furthermore, in the method of predicting social issue-based cyber target attacks using the attacker group similarity technique, the risk of occurrence of social issue-based cyber target attacks calculated in the risk calculation step (S400) corresponds to the preset risk threshold of the operating server. If it exceeds , it is preferable to perform the predictive analysis step (S500).

Furthermore, in the social issue-based cyber target attack prediction method using the attacker group similarity technique, the first collection unit collects data related to multiple cyber target attacks that have occurred in the past, and the second collection unit collects data related to each cyber target in the past. A past data collection step (S510) of collecting social issue-related data for a predetermined period of time based on the time of the attack, and a similarity analysis unit analyzing the similarity between the data collected by the past data collection step (S510). In the analysis step (S520) and the attacker analysis unit, based on the similarity analyzed by the similarity analysis step (S520), attackers who have caused cyber target attacks in the past are grouped, and each group is collected by the past data collection step (S510). Further comprising an attacker analysis step (S530) of matching data and converting the data into a database, and the predictive analysis step (S500) uses the data databased by the attacker analysis step (S530) as an attack characteristic DB for each attacker group. desirable.

The social issue-based cyber target attack prediction system and method using the attacker group similarity technique of the present invention according to the above configuration have limitations in the conventional countermeasure technology (detection of the first occurrence and then defense) against the cyber target attack. In order to overcome this, data related to cyber target attacks that have occurred in the past are collected in connection with data related to social issues, and their similarities are analyzed to form a database of attacker groups and their attack characteristics, thereby creating a database based on social issues that have not yet occurred. It has the advantage of being able to relatively accurately predict the occurrence of cyber targeted attacks.

In particular, by employing an ensemble technique applying a plurality of artificial intelligence models, prediction results having high accuracy/reliability can be provided without a separate prediction algorithm such as a Kalman filter algorithm.

Through this, considering the risk and ripple effect of 'social issue-based cyber target attacks' strategically carried out on multiple attack targets under the pretext of specific social issues, etc., it is possible to more actively/actively predict the possibility of accurate advance attacks There are advantages.

1 is an exemplary configuration diagram illustrating a social issue-based cyber target attack prediction system using an attacker group similarity technique according to an embodiment of the present invention.
2 is a flowchart illustrating a method for predicting a cyber target attack based on social issues using an attacker group similarity technique according to an embodiment of the present invention.

Hereinafter, a social issue-based cyber target attack prediction system and method using the attacker group similarity technique of the present invention will be described in detail with reference to the accompanying drawings. The drawings introduced below are provided as examples to sufficiently convey the spirit of the present invention to those skilled in the art. Accordingly, the present invention may be embodied in other forms without being limited to the drawings presented below. Also, like reference numerals denote like elements throughout the specification.

At this time, unless there is another definition in the technical terms and scientific terms used, they have meanings commonly understood by those of ordinary skill in the art to which this invention belongs, and the gist of the present invention in the following description and accompanying drawings Descriptions of well-known functions and configurations that may be unnecessarily obscure are omitted.

In addition, a system refers to a set of components including devices, mechanisms, and means that are organized and regularly interact to perform necessary functions.

In the case of a conventional cyber target attack response, it is used as a countermeasure method to detect a cyber target attack that has occurred at the present time and prevent secondary damage. In other words, there is a problem in that cyber target attacks that will occur in the future cannot be predicted and prevented, as well as the time of occurrence.

This is detection of a cyber-targeted attack that has already occurred, and is only a countermeasure to prevent secondary damage to organizations related to the attack.

It is unreasonable to apply it to all social issue-based cyber targeted attacks that occur, but by applying a countermeasure method that detects it after the first social issue-based cyber targeted attack has occurred, it is the first social issue-based cyber targeted attack that occurs. It is natural that the cost of recovering the damage caused by this is higher than the cost incurred to predict and prepare for a cyber target attack based on social issues in advance.

A social issue-based cyber target attack prediction system and method using an attacker group similarity technique according to an embodiment of the present invention, in order to solve the above-mentioned problems, social issue data at the time when a cyber target attack occurred in the past and corresponding It is about a technology that can predict social issue-based cyber target attacks by analyzing the characteristics of an attacker group, measuring the similarity between them, and utilizing this to analyze operational data generated from operation servers of multiple institutions.

In other words, after analyzing social issues and attacker group characteristics at the time of past cyber targeted attacks, we calculate the similarity between the analysis data and operation data based on the operation data generated from the operation servers of multiple institutions, Target attacks can be predicted.

In particular, a social issue-based cyber target attack prediction system and method using an attacker group similarity technique according to an embodiment of the present invention uses an ensemble technique to which a plurality of artificial intelligence algorithms are applied. Even without a predictive algorithm, it is possible to predict the occurrence and timing of social issue-based cyber targeted attacks.

Conventionally, technologies to defend against cyber-targeted attacks using artificial intelligence techniques have been developed, but they are suitable for cyber-targeted attacks based on social issues that require operational data generated by various environments from various attacked servers as a source of learning data. Not only that, but it is only 'attack detection' as a defense against social issue-based cyber target attacks using a single machine learning model or multiple machine learning models, so there are clearly limitations in predicting and responding.

Here, to look at the ensemble technique first, parallel learning is performed using a plurality of artificial intelligence learning algorithms, and prediction models (models) based on learning results are combined to generate one prediction result with increased stability and predictive power. way to learn.

That is, one best analysis value can be derived as a result by performing parallel learning using a plurality of artificial intelligence learning algorithms, receiving each analysis value output from the prediction model based on the learning result, and comparing and judging them. It is a learning technique in

Through this, compared to using a single artificial intelligence learning model, overfitting can be reduced by dispersing performance, and better prediction performance can be obtained even if the performance of each learning prediction model is poor.

In the case of using a single artificial intelligence learning algorithm, if multiple learning data (different operational data for each institution) come in, the learning process result is not fair, so even if it is applied to each institution, the effect is inevitably insignificant.

In order to solve this problem, as described above, a social issue-based cyber target attack prediction system and method using an attacker group similarity technique according to an embodiment of the present invention employs an ensemble technique to which a plurality of artificial intelligence algorithms are applied. By using, it is possible to perform parallel learning using a plurality of artificial intelligence learning algorithms and to calculate the most accurate analysis value (predictive value) by combining a plurality of prediction models based on the learning result.

Examples of such ensemble techniques include methods such as majority rule/voting, bagging, and pasting.

The majority vote/vote-based ensemble technique performs learning on the same training data using a plurality of artificial intelligence learning algorithms in the learning process, and calculates the final result value by proceeding with a majority vote with the analysis value of each learning result model. way to do it These majority/vote-based ensemble techniques are known to have higher accuracy than the best performing artificial intelligence techniques.

In addition, the ensemble technique of bagging and pasting uses a plurality of the same artificial intelligence learning algorithms, but randomly inputs learning data, so that the resulting learning result models themselves perform learning differently. Through this, it is a method of predicting a new result value by collecting analysis values of each learning result model.

In the process of randomly inputting training data into a plurality of identical AI learning algorithms, a sampling method that allows overlapping is called bagging, and a sampling method that does not allow overlapping is called pasting.

1 is an exemplary configuration diagram showing a social issue-based cyber target attack prediction system using an attacker group similarity technique according to an embodiment of the present invention. Referring to FIG. 1, the attacker group similarity according to an embodiment of the present invention The social issue-based cyber target attack prediction system using the technique is explained in detail.

Social issue-based cyber target attack prediction system using attacker group similarity technique according to an embodiment of the present invention, as shown in FIG. , It is preferably configured to include a risk analysis unit 400 and a prediction analysis unit 500. In addition, it is preferable that each component performs an operation by being individually or collectively included in at least one calculation processing means including a computer.

For a detailed look at each component,

It is preferable that the data collection unit 100 receives security-related operation data from operation servers of a plurality of institutions to which a social issue-based cyber target attack prediction system using an attacker group similarity technique is applied.

At this time, the operation servers of multiple organizations are operated by individuals, organizations, institutions, governments, etc. who want to take countermeasures in advance in fear of the occurrence of cyber-targeted attacks, even if they are not necessarily social issue-based cyber-targeted attacks. means server.

The data collection unit 100 not only security-related operation data including normal information from each operation server, but also security-related operation data including attack information, in detail, cyber target attacks based on social issues in the past or social Even if it is not issue-based, it is desirable to receive information related to the cyber target attack that occurred (security event log including time information, web traffic information, etc.).

Preferably, the learning processing unit 200 generates security-related operation data of each operation server by the data collection unit 100 as a learning data set for artificial intelligence learning. In detail, the learning data set is created using the security-related operating data transmitted from each operating server, that is, included normal operating information, attack operating information, social issue-based attack information, and the like.

In addition, it is preferable to generate the learning data set by variously combining security-related operation data of each operation server. For example, when d, e, and f security-related operational data are input from a, b, and c operation servers, the d, e, and f security-related operational data are generated as individual learning data sets or integrated into one It can be created as a learning data set, and if the d security-related operational data contains only normal operating information, d security-related operational data and e, f security-related operational data can be created as learning data sets, respectively. It is preferable that the setting value applied to generate this learning data set is set under the control of an external user in order to improve the prediction accuracy of a social issue-based cyber target attack.

In addition, the learning processing unit 200 preferably performs learning processing on the learning data set generated using a plurality of artificial intelligence algorithms.

In detail, a parallel learning process is performed by applying each of the learning data sets generated using an ensemble technique to which a plurality of artificial intelligence algorithms are applied. Of course, as described above, the learning processing unit 200 sets whether the same artificial intelligence learning algorithm or all different artificial intelligence learning algorithms are applied to a plurality of artificial intelligence algorithms according to the detailed technique of the set ensemble technique. Preferably, the generation of the learning data set may also be controlled by detailed techniques of the set ensemble techniques.

However, the learning processing unit 200 performs learning processing using a plurality of artificial intelligence learning algorithms for a learning data set generated based on the same basic data (security-related operation data input from operation servers of multiple institutions) it is desirable

The data input unit 300 preferably receives real-time operation data from at least one of the operation servers of the plurality of institutions. If the data input by the data collection unit 100 is past data, the data input by the data input unit 300 corresponds to real-time data.

That is, after learning is completed by the learning processing unit 200, operation data collected from that point in time is received as the real-time operation data.

The risk analysis unit 400 inputs the real-time operation data by the data input unit 300 using an ensemble technique to which a plurality of artificial intelligence models generated by the learning processing unit 200 are applied, and the real-time operation It is desirable to calculate the risk of occurrence of cyber targeted attacks based on social issues for data.

In detail, the risk analysis unit 400 inputs the real-time operation data by the data input unit 300 to the plurality of artificial intelligence models generated by the learning processing unit 200, respectively, and multiple artificial intelligence models. The risk of occurrence of a cyber target attack based on social issues for the real-time operation data is calculated by integrating a plurality of analysis results output from each.

At this time, the risk analysis unit 400 compares and determines a plurality of analysis results output from a plurality of artificial intelligence models, and utilizes a majority vote result or an average value result for a social issue-based cyber target attack on the corresponding operation server. will calculate the risk of occurrence.

In the case of result calculation by using an ensemble technique to which multiple artificial intelligence models are applied, various settings can be controlled, but due to the nature of social issue-based cyber targeted attacks, if an attack occurs even if the cost incurred in preventing and responding is 10,000 Since it is relatively less than the solution cost of , it is desirable to calculate the degree of occurrence risk so that it can respond more actively.

It is preferable that the prediction analysis unit 500 predicts the occurrence time of the social issue-based cyber target attack analyzed by the risk analysis unit 400 using the stored attack characteristic DB for each attacker group.

In detail, the prediction analysis unit 500 performs a prediction analysis operation when the risk of occurrence calculated by the risk analysis unit 400 exceeds a preset risk threshold of the corresponding operation server.

In other words, the predictive analysis unit 500 additionally issues a social issue when the risk of occurrence of a social issue-based cyber target attack on the corresponding operation server calculated by the risk analysis unit 400 exceeds a preset threshold. It is desirable to predict the point of occurrence of the base cyber target attack. At this time, since the security level is different for each operation server, the risk level threshold may be set differently.

At this time, in order to store the attack characteristic DB for each attacker group in the prediction analyzer 500, the social issue-based cyber target attack prediction system using the attacker group similarity method according to an embodiment of the present invention is shown in FIG. As shown, it is preferable to further include a first collection unit 600, a second collection unit 700, a similarity analysis unit 800, and an attacker analysis unit 900.

Preferably, the first collection unit 600 collects data related to multiple cyber target attacks that have occurred in the past. At this time, the data related to the cyber-targeted attack collected through the first collection unit 600 includes the type of cyber-targeted attack that has occurred, information on the attack target agency at the time of occurrence, detailed type information of the attack, attacker information, It is composed of attack code information, attack code type information, etc.

It is preferable that the second collection unit 700 collects data related to social issues for a predetermined period based on the time point when a number of past cyber target attacks collected through the first collection unit 600 occurred. That is, if data related to cyber target attacks A and B that occurred in the past have been collected from the first collection unit 600, the second collection unit 700 will be collected from a predetermined period prior to the time when A cyber target attack occurred in the past. It is desirable to collect social issue data up to after the period and social issue data from before a predetermined period to after a predetermined period based on the point in time when the B cyber target attack occurred in the past.

To this end, it is preferable that the second collection unit 700 collects the social issue data by performing crawling of analysis target sites.

That is, the second collection unit 700 performs crawling of analysis target sites, analyzes various web document data (web page data, etc.) of the collected site, and collects social issue data that occurred during the period. desirable.

In this case, social issues can be inferred when considering the above-mentioned social issue data, articles that have been issued and published by media outlets, etc. are aggregated.

However, when collecting articles published (occurrence, creation, upload, etc.) by media outlets and extracting key keywords for them, for example, if it is analyzed that the keyword 'government' appeared a lot through analysis of media articles, simply using only the keyword Since it is difficult to infer the context of "", it is difficult to conclude that it is a keyword of social issues. In addition, even if it is determined as a social issue, it is almost impossible to interpret the social situation in the future. Therefore, in view of this point, by collecting and analyzing the articles that have been issued as issues by the media, etc., the collected articles are extracted from the core keywords found, and even related keywords are extracted together, grouped into one group, and derived as a social issue. It is desirable to do Data on social issues that occurred during a specific period of time, as well as the reasons and progress of those social issues, can be clearly organized and confirmed.

Accordingly, the social issue data collected by the second collecting unit 700 may mean not just one word, but keywords that are becoming issues in a specific period, that is, a set of related keywords.

Preferably, the similarity analysis unit 800 analyzes the similarity between data collected by the first collection unit 600 and the second collection unit 700 . In other words, the first collection unit 600 collects attack-related data corresponding to each cyber target attack that has occurred in the past, and the second collection unit 700 collects at least any data collected by the first collection unit 600. Social issue data about the time of one cyber targeted attack will be collected.

As described above, since the first collection unit 600 and the second collection unit 700 do not collect only a single cyber target attack, they collect attack-related data - social issue data by matching each cyber target attack that has occurred in the past. can do.

Using this, the similarity analyzer 800 analyzes the similarity between the cyber target attacks that have occurred by analyzing the similarity between the collected data.

It is preferable that the attacker analysis unit 900 groups attackers who have caused cyber target attacks in the past based on the similarity analyzed by the similarity analysis unit 800, and matches the collected data for each group to form a database. In addition, the attack characteristic DB for each attacker group, which is the databased data, is transmitted to the prediction analysis unit 500 to be used to predict the occurrence time of a cyber target attack based on social issues.

That is, the attacker analysis unit 900 analyzes the similarity between the cyber target attacks analyzed by the similarity analysis unit 800, and detects a cyber target attack having a similarity higher than a certain value (for example, 80%). It is desirable to group the aggressor who caused it. After that, it is preferable to match the collected data (attack related data - social issue data), which can know the attack characteristics for each attacker group, and form a database.

Through this, through the attack characteristic DB for each attacker group, which is a database generated by the attacker analysis unit 900, attack characteristic data for a plurality of cyber target attacks having similarities rather than a cyber target attack that has occurred simply once ( Attack target organization information, attack type information, attacker information, attack code information, attack code type information, social issue data) can be easily checked.

Through this, the predictive analysis unit 500 determines that, when the risk of social issue-based cyber target attack analyzed by the risk analysis unit 400 exceeds the preset risk threshold of the corresponding operation server, each attacker group It is possible to predict the time of occurrence by checking the attack characteristic data of cyber target attacks based on social issues with a high risk of occurrence using the attack characteristic DB.

In addition, the social issue-based cyber target attack prediction system using the attacker group similarity technique according to an embodiment of the present invention preferably further includes a follow-up processing unit 1000 as shown in FIG. 1 .

The post-processing unit 1000 uses the risk of occurrence calculated by the risk analysis unit 400 or the time of occurrence predicted by the prediction analysis unit 500 to generate proactive action information matched to the corresponding operation server it is desirable

As described above, when a cyber-targeted attack occurs, the cost of resolving it is predicted and defended, but it is much higher than the cost incurred when an actual cyber-targeted attack does not occur. Therefore, it is desirable to perform maximum defense through prediction. do.

Therefore, through the post-processing unit 1000, using the risk of occurrence calculated by the risk analysis unit 400 or the occurrence time predicted by the prediction analysis unit 500, social issue-based cyber targets whose occurrence is predicted It is desirable to ensure that appropriate countermeasures are made according to the propensity of the attack.

For example, before an attack by 'X' attacker group on 'B' target server, the exposure of 'A' social issue keyword was improved with a 90% probability, and the attack on 'B' target server If this occurs, if the data in which the attack occurred on the 'C' target server with a 100% probability is secured through the attack characteristic DB for each attacker group, the risk analysis unit 400 determines the 'B' target server to be attacked. If the risk of a cyber-targeted attack based on social issues on the target server of 'B' exceeds the risk threshold of 60, which is set in advance in the attack target server, 'X' attacker group is identified while checking whether the exposure of 'A' social issue keywords has improved. It is possible to convey that there is a possibility of an attack to the 'C' target server while defending against the attack by knowing the attack pattern in advance.

Of course, as the probability of occurrence of the 'B' target server and the 'C' target server is different, the degree of preemptive measures may be different, but if the 'C' target server contains more important confidential data, In the case of an organization's operating server, it is desirable that the degree of preemptive measures be controlled only by the fact that there is a possibility of occurrence regardless of the difference in the degree of occurrence. Since such pre-response action information may be different for each corresponding operation server, it is not limited thereto.

2 is a flowchart illustrating a method for predicting a cyber target attack based on social issues using an attacker group similarity technique according to an embodiment of the present invention. Referring to FIG. 2, a method for predicting a cyber target attack based on a social issue using an acid attacker group similarity technique according to an embodiment of the present invention will be described in detail.

Social issue-based cyber target attack prediction method using attacker group similarity technique according to an embodiment of the present invention, as shown in FIG. It is preferable to include step (S300), risk calculation step (S400), predictive analysis step (S500) and response step (S600). In addition, each step is performed by a social issue-based cyber target attack prediction system using an attacker group similarity technique in a computer-implemented industrial control system.

For a detailed look at each step,

In the operation data input step (S100), the data collection unit 100 receives security-related operation data from the operation servers of a plurality of organizations to which a social issue-based cyber target attack prediction system using an attacker group similarity technique is applied. will be entered

At this time, the operating servers of multiple institutions are operated by individuals, organizations, institutions, governments, etc. who want to take countermeasures in advance in fear of the occurrence of cyber-targeted attacks, even if they are not necessarily social issue-based cyber-targeted attacks. means server.

The operation data input step (S100) includes not only security-related operation data including normal information from each operation server, but also security-related operation data including attack information, in detail, cyber target attacks based on social issues in the past, Even if it is not based on social issues, information related to cyber target attacks that occurred (security event log including time information, web traffic information, etc.) is input.

In the learning processing step (S200), the learning processing unit 200 generates the security-related operating data of each operating server input by the operating data input step (S100) as a learning data set for artificial intelligence learning.

In detail, the learning data set is created using the security-related operating data transmitted from each operating server, that is, included normal operating information, attack operating information, social issue-based attack information, and the like.

In addition, it is preferable to generate the learning data set by variously combining security-related operation data of each operation server. For example, when d, e, and f security-related operational data are input from a, b, and c operation servers, the d, e, and f security-related operational data are generated as individual learning data sets or integrated into one It can be created as a learning data set, and if the d security-related operational data contains only normal operating information, d security-related operational data and e, f security-related operational data can be created as learning data sets, respectively. It is preferable that the setting value applied to generate this learning data set is set under the control of an external user in order to improve the prediction accuracy of a social issue-based cyber target attack.

In addition, in the learning processing step (S200), learning processing is performed on the learning data set generated using a plurality of artificial intelligence algorithms.

In detail, a parallel learning process is performed by applying each of the learning data sets generated using an ensemble technique to which a plurality of artificial intelligence algorithms are applied. Of course, as described above, it is preferable to set whether the same artificial intelligence learning algorithm or all different artificial intelligence learning algorithms are applied to a plurality of artificial intelligence algorithms by detailed techniques of the set ensemble technique, and the learning data set The generation of may also be controlled by the detailed technique of the set ensemble technique.

However, the learning processing step (S200) performs learning processing using a plurality of artificial intelligence learning algorithms for a learning data set generated based on the same basic data (security-related operation data input from operation servers of multiple institutions) It is desirable to do

In the real-time data input step (S300), the data input unit 300 receives real-time operation data from at least one of the operation servers of the plurality of institutions. That is, after learning is completed by the learning processing step (S200), operation data collected from that point in time is received as the real-time operation data.

The risk calculation step (S400) is performed in the real-time data input step (S300) by using an ensemble technique to which a plurality of artificial intelligence models generated by the learning processing step (S200) are applied in the risk analysis unit 400. By inputting the real-time operation data, the risk of occurrence of a cyber target attack based on social issues for the real-time operation data is calculated.

In detail, the risk calculation step (S400) inputs the real-time operating data by the real-time data input step (S300) to the plurality of artificial intelligence models generated by the learning processing step (S200), respectively, By integrating a number of analysis results output from the artificial intelligence model, the risk of occurrence of a cyber target attack based on social issues for the real-time operation data is calculated.

At this time, a plurality of analysis results output from a plurality of artificial intelligence models are compared and judged, and a majority vote result or an average value result is used to calculate the risk of a social issue-based cyber target attack on the corresponding operation server.

In the case of result calculation by using an ensemble technique to which multiple artificial intelligence models are applied, various settings can be controlled, but due to the nature of social issue-based cyber targeted attacks, if an attack occurs even if the cost incurred in preventing and responding is 10,000 Since it is relatively less than the solution cost of , it is desirable to calculate the degree of occurrence risk so that it can respond more actively.

The predictive analysis step (S500) predicts the occurrence time of the social issue-based cyber target attack analyzed by the risk calculation step (S400) using the attack characteristic DB for each attacker group stored in the predictive analyzer (400). will do

At this time, in the predictive analysis step (S500), when the risk of occurrence of the social issue-based cyber target attack analyzed by the risk calculation step (S400) exceeds the preset risk threshold of the corresponding operation server, the predictive analysis operation is performed. will perform

That is, in the predictive analysis step (S500), when the risk of occurrence of a social issue-based cyber-targeted attack on the corresponding operation server calculated by the risk calculation step (S400) exceeds a preset threshold, an additional social issue It is desirable to predict the point of occurrence of the base cyber target attack. At this time, since the security level is different for each operation server, the risk level threshold may be set differently.

Here, in order to store the attack characteristic DB for each attacker group, the social issue-based cyber target attack prediction method using the attacker group similarity method according to an embodiment of the present invention, as shown in FIG. 2, collects past data. (S510), a similarity analysis step (S520), and an attacker analysis step (S530) are further included.

In detail, in the past data collection step (S510), the first collection unit 600 collects data related to a plurality of cyber target attacks that have occurred in the past. The data related to the cyber-targeted attack to be collected includes the type of cyber-targeted attack that occurred, information on the target organization at the time of occurrence, detailed type information of the attack, attacker information, attack code information, attack code type information, etc. do.

In addition, the second collection unit 700 collects data related to social issues for a predetermined period based on the time point at which a number of collected past cyber target attacks occurred.

That is, in the past data collection step (S510), if the first collection unit 600 has collected data related to cyber-target attacks A and B that have occurred in the past, the second collection unit 700 collects data related to cyber target A in the past. Based on the time of occurrence of the attack, social issue data from before a predetermined period to after a predetermined period of time, and social issue data from before a predetermined period to after a predetermined period based on the time of occurrence of the B cyber-targeted attack in the past are collected.

To this end, in the past data collection step (S510), the social issue data is collected by crawling analysis target sites.

Crawling the sites to be analyzed, analyzing various web document data (web page data, etc.) of the collected sites and collecting social issue data that occurred during the period. Social issues can be inferred when looking at the articles that have been issued and published in various publications.

However, when collecting articles published (occurrence, creation, upload, etc.) by media outlets and extracting key keywords for them, for example, if it is analyzed that the keyword 'government' appeared a lot through analysis of media articles, simply using only the keyword Since it is difficult to infer the context of "", it is difficult to conclude that it is a keyword of social issues. In addition, even if it is determined as a social issue, it is almost impossible to interpret the social situation in the future. Therefore, in view of this point, articles collected and published by media outlets, etc. are collected, analyzed, centered on the core keywords found, and even related keywords are extracted together, grouped into one group, and derived as a social issue. It is desirable to do Data on social issues that occurred during a specific period, as well as the reasons and progress of those social issues, can be clearly organized and confirmed.

Accordingly, in the past data collection step (S510), the collected social issue data may simply mean keywords that are issues in a specific period, that is, a set of related keywords, rather than simply one word.

In the similarity analysis step (S520), it is preferable that the similarity analyzer 800 analyzes the similarity between data collected by the past data collection step (S510).

In other words, in the past data collection step (S510), attack-related data corresponding to each cyber-targeted attack that occurred in the past is collected, and social issue data about the time when at least one cyber-targeted attack linked to (related to) occurred is collected. will do

At this time, since the past data collection step (S510) does not collect only a single cyber target attack, it is possible to collect attack-related data - social issue data by matching each cyber target attack that has occurred in the past.

Using this, the similarity analysis step (S520) analyzes the similarity between the collected data to analyze the similarity between cyber target attacks.

In the attacker analysis step (S530), the attacker analysis unit 900 groups attackers who have caused cyber target attacks in the past based on the similarity analyzed by the similarity analysis step (S520), and the past data collection step for each group The data collected by (S510) is matched and converted into a database.

In other words, the attacker analysis step (S530) analyzes the similarity between the cyber target attacks analyzed in the similarity analysis step (S520), and the cyber target attack of which the similarity is higher than a certain value (for example, 80%) It is desirable to group the attackers who caused the attack. After that, the collected data (attack related data - social issue data), which can know the attack characteristics for each attacker group, is matched and converted into a database.

Through this, through the attack characteristic DB for each attacker group, which is the database created, attack characteristic data (attack target organization information, attack details enemy type information, attacker information, attack code information, attack code type information, social issue data) can be easily checked.

In addition, the predictive analysis step (S500) uses the attack characteristic DB for each attacker group, which is the data databased by the attacker analysis step (S530), to be used to predict the time of occurrence of a cyber target attack based on social issues.

Accordingly, in the predictive analysis step (S500), when the risk of the social issue-based cyber-targeted attack calculated in the risk calculation step (S400) exceeds the preset risk threshold of the corresponding operation server, each attacker group It is possible to predict the time of occurrence by checking the attack characteristic data of cyber target attacks based on social issues with a high risk of occurrence using the attack characteristic DB.

In the response step (S600), in the subsequent processing unit 1000, by using the result of the risk calculation step (S400) or the predictive analysis step (S500), proactive action information matched to the corresponding operation server is generated. will create

The countermeasure step (S600) ensures that appropriate countermeasures are made according to the propensity of the social issue-based cyber-targeted attack that is predicted to occur, and since such preliminary countermeasure information may be different for each corresponding operating server, it is limited to this It is not.

For example, before an attack by 'X' attacker group on 'B' target server, the exposure of 'A' social issue keyword was improved with a 90% probability, and the attack on 'B' target server If this occurs, if the data in which the attack occurred on the 'C' target server with a 100% probability is secured through the attack characteristic DB for each attacker group, the risk analysis unit 400 determines the 'B' target server to be attacked. If the risk of a cyber-targeted attack based on social issues on the target server of 'B' exceeds the risk threshold of 60, which is set in advance in the attack target server, 'X' attacker group is identified while checking whether the exposure of 'A' social issue keywords has improved. It is possible to convey that there is a possibility of an attack to the 'C' target server while defending against the attack by knowing the attack pattern in advance.

Of course, as the probability of occurrence of the 'B' target server and the 'C' target server is different, the degree of preemptive measures may be different, but if the 'C' target server contains more important confidential data, In the case of an organization's operating server, it is desirable that the degree of preemptive measures be controlled only by the fact that there is a possibility of occurrence regardless of the difference in the degree of occurrence.

In other words, the social issue-based cyber target attack prediction system and method using the attacker group similarity technique according to an embodiment of the present invention can relatively accurately predict the occurrence of a social issue-based cyber target attack that has not yet occurred. There are advantages to

As described above, the present invention has been described with specific details such as specific components and limited embodiment drawings, but this is only provided to help a more general understanding of the present invention, and the present invention is not limited to the above embodiment. No, and those skilled in the art to which the present invention pertains can make various modifications and variations from these descriptions.

Therefore, the spirit of the present invention should not be limited to the described embodiments, and it will be said that not only the claims to be described later, but also all modifications equivalent or equivalent to these claims belong to the scope of the present invention. .

100: data collection unit
200: learning processing unit
300: data input unit
400: risk analysis unit
500: predictive analysis unit
600: first collection unit
700: second collection unit
800: similarity analysis unit
900: attacker analysis unit
100: subsequent processing unit

Claims (10)

A data collection unit 100 that receives security-related operation data from operation servers of multiple institutions to which a social issue-based cyber target attack prediction system using an attacker group similarity technique is applied;
A learning processing unit (200) that generates each security-related operation data by the data collection unit (100) as a learning data set for artificial intelligence learning and performs learning processing on the learning data set using a plurality of artificial intelligence algorithms. );
a data input unit 300 receiving real-time operating data from at least one of the operating servers of the plurality of organizations;
By using an ensemble technique to which a plurality of artificial intelligence models generated by the learning processing unit 200 are applied, the real-time operation data by the data input unit 300 is input, and social issue-based cyber targets for the real-time operation data a risk analysis unit 400 that calculates a risk of occurrence of an attack;
a predictive analysis unit 500 that predicts when a cyber target attack based on the social issue analyzed by the risk analysis unit 400 will occur using the stored attack characteristic DB for each attacker group;
A first collection unit 600 that collects data related to multiple cyber target attacks that have occurred in the past;
a second collection unit 700 that collects data related to social issues for a predetermined period based on the time point when each cyber target attack collected by the first collection unit 600 occurs;
a similarity analysis unit 800 analyzing a similarity between data collected by the first collection unit 600 and the second collection unit 700; and
Based on the similarity analyzed by the similarity analyzer 800, attackers who have caused cyber target attacks in the past are grouped, and using the collected data, data related to cyber target attacks by attackers corresponding to each grouped attacker group and corresponding data an attacker analysis unit 900 that matches social issue data to be databased and transmits and stores them to the prediction analysis unit 500;
including,
The predictive analysis unit 500
If the risk of social issue-based cyber target attack on the real-time operation data analyzed by the risk analyzer 400 exceeds the preset risk threshold of the corresponding operation server,
Using the data databased by the attacker analysis unit 900 as an attack characteristic DB for each attacker group, predicting the time of occurrence of the social issue-based cyber target attack analyzed by the risk analysis unit 400, Social issue-based cyber target attack prediction system using attacker group similarity technique.
delete delete According to claim 1,
The learning processing unit 200
A social issue-based cyber target attack prediction system using an attacker group similarity technique that performs parallel learning processing by applying each of the generated learning data sets using an ensemble technique to which multiple artificial intelligence algorithms are applied.
According to claim 1,
The risk analysis unit 400
Using an ensemble technique applying a plurality of artificial intelligence models, the real-time operating data is input to a plurality of artificial intelligence models, respectively, and each analysis result for the real-time operating data is compared and determined from the plurality of artificial intelligence models, and the corresponding Social issue-based cyber target attack prediction system using attacker group similarity technique, which calculates the risk of social issue based cyber target attack on the operating server.
According to claim 1,
Social issue-based cyber target attack prediction system using the attacker group similarity technique
A follow-up processing unit 1000 that generates proactive action information matched to a corresponding operation server by using the risk of occurrence calculated by the risk analysis unit 400 or the time of occurrence predicted by the prediction analysis unit 500;
Social issue-based cyber target attack prediction system using attacker group similarity technique, further comprising.
In the method of predicting a cyber target attack based on a social issue using an attacker group similarity method in which each step is performed by a social issue based cyber target attack prediction system using an attacker group similarity method implemented by a computer,
In the data collection unit, an operation data input step (S100) of receiving security-related operation data from operation servers of multiple institutions to which a social issue-based cyber target attack prediction system using an attacker group similarity technique is applied;
In the learning processing unit, the security-related operation data input by the operation data input step (S100) is generated as a learning data set for artificial intelligence learning, and a plurality of artificial intelligence algorithms are used to process the learning data set Learning processing step (S200) to perform;
A real-time data input step of receiving real-time operating data from at least one of the operating servers of the plurality of institutions in the data input unit (S300);
In the risk analysis unit, the real-time operation data is input by the real-time data input step (S300) using an ensemble technique to which a plurality of artificial intelligence models generated by the learning processing step (S200) are applied, and the real-time operation A risk calculation step of calculating the risk of occurrence of a cyber target attack based on social issues for data (S400);
A predictive analysis step (S500) of predicting when a cyber target attack based on the social issue analyzed by the risk calculation step (S400) will occur, using the stored attack characteristic DB for each attacker group in the predictive analyzer; and
In the subsequent processing unit, using the result of the risk calculation step (S400) or the predictive analysis step (S500), a response step (S600) of generating and transmitting preliminary response action information matched to the corresponding operation server;
Including,
In order to store the attack characteristic DB for each attacker group, the first collection unit collects data related to multiple cyber target attacks that have occurred in the past, and the second collection unit collects data related to each cyber target attack. past data collection step of collecting social issue-related data for a predetermined period (S510);
a similarity analysis step (S520) of analyzing the similarity between the data collected by the past data collection step (S510) in a similarity analyzer; and
In the attacker analysis unit, attackers who have caused cyber target attacks in the past are grouped based on the similarity analyzed in the similarity analysis step (S520), and using the collected data, each grouped attacker group is grouped into a cyber target by the corresponding attacker. An attacker analysis step (S530) of matching attack-related data with corresponding social issue data and creating a database;
Including more,
The predictive analysis step (S500)
If the risk of a social issue-based cyber-targeted attack on the real-time operation data analyzed by the risk calculation step (S400) exceeds the preset risk threshold of the corresponding operation server,
Using the data databased by the attacker analysis step (S530) as an attack characteristic DB for each attacker group, predicting the time when the social issue-based cyber target attack analyzed by the risk calculation step (S400) will occur, A method for predicting cyber target attacks based on social issues using attacker group similarity technique.
According to claim 7,
The learning processing step (S200)
A method for predicting cyber target attacks based on social issues using an attacker group similarity technique, in which parallel learning processing is performed by applying each of the generated learning data sets using an ensemble technique to which multiple artificial intelligence algorithms are applied.
delete delete

Images