KR102675087B1 - Method for generating and visualizing threat intelligence-based ontology and computing device using the same - Google Patents

Abstract

In the threat TI (Threat Intelligence)-based ontology generation and visualization method, (a) for existing threat TI including at least some of IP (Internet Protocol), URL (Uniform Resource Locator), and hash, existing threat TI Existing threat TI harmful value corresponding to a value specifying , existing threat log information which is log information of the existing threat TI, existing threat node information corresponding to the existing threat log information, and the relationship between the existing threat log information. With existing threat relationship information between a plurality of existing threat nodes stored in the threat TI database, the computing device acquires verification target log information, which is log information of the verification target TI, which is the target of determining whether or not it is a threat TI, from external security equipment, After obtaining the TI harmful value to be verified by referring to the log information to be verified, the harmful value of the TI to be verified is compared with the harmful value of the TI to be verified and the harmful value of the existing threat TI obtained from the threat TI database to select the TI to be verified among the existing threat TIs. determining whether there is an existing matching TI that matches with; (b) when the existing matching TI is confirmed, the computing device matches the verification target log information and the verification target log information corresponding to the verification target TI; Generating a plurality of verification target nodes with reference to a plurality of verification target data items; (c) the computing device, verification target relationship information between the plurality of verification target nodes indicating a relationship between each of the verification target log information; With reference to, generating a verification target ontology including each of the plurality of verification target nodes; (d) the computing device, the verification target log information corresponding to each of the plurality of verification target data items, the plurality The verification target ticket including at least part of the verification target node, the verification target ontology, the creation time of the verification target ticket, the occurrence time of the verification target event, and classification information of the verification target event (the verification target ticket is the verification target ticket) generating a processing unit for a target event, wherein the verification target event includes classified information corresponding to any one of security threats, security failures, security violations, information leaks, and unclear information; and (e) the computing device corresponds to each of a plurality of existing threat nodes included in each of a plurality of existing threat ontologies corresponding to each of a plurality of existing threat tickets stored in the threat TI database, and the ticket to be verified. Compares the plurality of verification target nodes included in the verification target ontology, and corresponds to at least one reference existing ontology including a plurality of reference existing nodes whose similarity to the plurality of verification target nodes is more than a preset threshold. determining at least one reference existing ticket, and determining at least one reference existing playbook that was used to process the reference existing ticket.

Description

Threat TI-based ontology generation and visualization method and computing device using the same {METHOD FOR GENERATING AND VISUALIZING THREAT INTELLIGENCE-BASED ONTOLOGY AND COMPUTING DEVICE USING THE SAME}

The present invention relates to a method for creating and visualizing a threat TI-based ontology and a computing device using the same.

SOAR (Security Orchestration Automation and Response) consists of SOA (Security Orchestration and Automation), which is responsible for security orchestration and automation functions, SIRP (Security Incident Response Platforms), a security incident response platform, and TIP (Threat Intelligence Platforms), a threat intelligence platform. It is a solution that integrates security events occurring from numerous heterogeneous security solutions and supports automated analysis and response.

SOAR sets nodes between fields such as source and destination IP, port, and attack type for each event, and provides an ontology function to visualize them. However, in order to create an ontology, a security control agent needs to separately select high-risk IPs among automatically classified threat IPs. After selecting IPs, you can create an ontology that visually expresses details such as ports and attack types for specific events. At this time, the user must set up a ticket for the event according to the characteristics of each threat IP, and the playbook is selected for each threat type according to a standardized response process.

However, if the threat IP types are similar, there is a limitation of simply repeating the same process and creating tickets and playbooks one by one. There are clear limitations in having limited security control personnel create and customize each ticket for each event that occurs in numerous devices, and if events that exceed a certain amount occur, processing may be overloaded. In addition, the ontology settings for the same threat IP may vary depending on the security control personnel, making it difficult to secure response consistency. However, there is no system that can overcome this problem.

The present invention aims to solve all of the above-mentioned problems.

Additionally, another purpose of the present invention is to efficiently and highly accurately generate a verification target ontology for a verification target event, which is a security event.

In addition, the present invention provides each of a plurality of existing threat nodes included in each of a plurality of existing threat ontologies corresponding to each of a plurality of existing threat tickets stored in the threat TI database, and a plurality of existing threat nodes included in each of the verification target ontologies corresponding to the verification target tickets. Comparing verification target nodes, determining at least one reference existing ticket corresponding to at least one reference existing ontology including a plurality of reference existing nodes whose similarity with the plurality of verification target nodes is greater than or equal to a preset threshold, Another purpose is to determine at least one reference existing playbook that has been used to process the reference existing ticket.

In order to achieve the purpose of the present invention as described above and realize the characteristic effects of the present invention described later, the characteristic configuration of the present invention is as follows.

According to one aspect of the present invention, in a method for creating and visualizing a threat intelligence (TI)-based ontology, (a) an existing method including at least some of an Internet Protocol (IP), a Uniform Resource Locator (URL), and a hash (hash); For a threat TI, an existing threat TI harmful value corresponding to a value specifying an existing threat TI, existing threat log information that is log information of the existing threat TI, existing threat node information corresponding to the existing threat log information, and the existing threat TI Threat log information While the existing threat relationship information between a plurality of existing threat nodes representing each relationship is stored in the threat TI database, the log information of the verification target TI, which is the object of the computing device to determine whether or not it is a threat TI from external security equipment, is stored in the threat TI database. Obtain log information to be verified, obtain a TI hazard value to be verified by referring to the log information to be verified, and compare the existing threat TI hazard value obtained from the threat TI database with the TI hazard value to be verified. Determining whether there is an existing matching TI that matches the verification target TI among existing threat TIs; (b) When the existing matching TI is confirmed, the computing device performs a plurality of verifications with reference to the verification target log information corresponding to the verification target TI and a plurality of verification target data items corresponding to the verification target log information. creating a target node; (c) The computing device generates an ontology to be verified including each of the plurality of nodes to be verified, with reference to the relationship information to be verified between the plurality of nodes to be verified, which represents the relationship between each of the log information to be verified. step; (d) the computing device, the log information to be verified corresponding to each of the plurality of data items to be verified, the plurality of nodes to be verified, the ontology to be verified, the creation time of the ticket to be verified, and the occurrence time of the event to be verified. , and the verification target ticket containing at least some of the classification information of the verification target event (the verification target ticket is a processing unit for the verification target event, and the verification target event is a security threat, security failure, security violation, information A step of generating (including classification information corresponding to any one of leakage and unclear); and (e) the computing device corresponds to each of a plurality of existing threat nodes included in each of a plurality of existing threat ontologies corresponding to each of a plurality of existing threat tickets stored in the threat TI database, and the ticket to be verified. Compares the plurality of verification target nodes included in the verification target ontology, and corresponds to at least one reference existing ontology including a plurality of reference existing nodes whose similarity to the plurality of verification target nodes is more than a preset threshold. determining at least one reference existing ticket, and determining at least one reference existing playbook that was used to process the reference existing ticket; A method comprising:

As an example, in step (b), for the existing matching TI that matches the verification target TI, existing matching log information corresponding to the existing matching TI from the threat TI database, existing matching log information corresponding to the existing matching log information In a state where at least some of matching node information, existing matching relationship information between a plurality of existing matching nodes indicating relationships between each of the existing matching log information, and a plurality of existing matching data items corresponding to the existing matching log information are obtained, A plurality of existing data items obtained by the computing device by extracting identical items from the plurality of existing matching data items as a result of comparing the plurality of existing matching data items and the plurality of data items to be verified, the existing data A first partial verification target node belonging to the plurality of verification target nodes is generated with reference to existing log information corresponding to an item and existing relationship information indicating a relationship between each of the existing log information, and the plurality of verification target data items Among them, the remaining data items to be verified except for the existing data items are generated as a plurality of new data items to be verified, the plurality of new data items to be verified, log information to be new to be verified corresponding to the new data items to be verified, and A second partial verification target node belonging to the plurality of verification target nodes is created by referring to new verification target relationship information indicating the relationship between the new verification target log information, and the first partial verification target node and the second partial verification target node. A method is disclosed, characterized in that the plurality of verification target nodes are generated using a node.

As an example, the computing device generates new matching node information by adding the second partial verification target node to the existing matching node information, and adds the plurality of new verification target data items to the plurality of existing matching data items. Create a plurality of new matching data items, add the new verification target relationship information to the existing matching relationship information to create new matching relationship information, and add the new verification target log information to the existing matching log information to create new matching relationship information. After generating matching log information, a new matching ontology is generated with reference to at least some of the new matching node information, the plurality of new matching data items, the new matching relationship information, and the new matching log information, and the new matching A method is disclosed that further includes performing a process of matching an ontology to the existing matching TI and storing it in the threat TI database.

As an example, the computing device is in a standby state before classification information of the event to be verified corresponding to the ticket to be verified is specified, and a state before the classification information of the event to be verified is specified and the playbook to be verified is executed. A classification state, which is a state, a response state, which is a state in which the ticket to be verified is processed by the playbook to be verified, an approval request state, which is a state in which an approval request is sent after execution of the playbook to be verified is completed, and the ticket to be verified is A method is disclosed that is characterized by managing a ticket processing status that includes at least a portion of a completed status in which processing is completed.

As an example, in step (a), for each of the existing threat TI harmful values, existing threat TI harmful value classification information including at least a portion of IP, URL, and hash, and an expiration date on which the existing threat TI harmful value is valid. When the computing device obtains the TI harmful value to be verified, with at least a portion of the information additionally stored in the threat TI database, the existing threat TI harmful value classification information corresponding to the plurality of existing threat TI harmful values, and determining whether the TI hazard value to be verified matches the existing threat TI hazard value with reference to at least part of the expiration date.

As an example, in step (e), the computing device determines the similarity between the plurality of verification target nodes and the plurality of reference existing nodes, the number of executions of the reference existing playbook, and the reference existing playbook, with respect to the reference existing ticket. A method is disclosed wherein a recommendation is calculated for each of the reference existing playbooks by referring to at least some of the result information of executing the existing playbook.

As an example, in step (d), the computing device includes (i) the log information to be verified, the plurality of nodes to be verified, the ontology to be verified, the creation time of the ticket to be verified, and the occurrence of the event to be verified. A process of automatically obtaining the time and at least some of the classification information of the event to be verified and generating the ticket to be verified, (ii) the log information to be verified, the plurality of nodes to be verified, the ontology to be verified, and the verification. Providing to input at least some of the target ticket generation time, the occurrence time of the verification target event, and classification information of the verification target event, and executing any one of the processes of generating the verification target ticket based on the input information A method characterized by this is disclosed.

As an example, (f) in a state where the ticket to be verified has been processed by the playbook to be verified, it is determined that the result of processing the ticket to be verified by the playbook to be verified does not satisfy the preset processing result conditions. In this case, the computing device cancels execution of the playbook to be verified, and obtains and provides at least one reference existing playbook from the threat TI database. .

As an example, prior to step (a), (a0) the computing device generates, for each of the at least one existing threat TI, an existing threat event that is the subject of at least one existing threat ticket corresponding to the existing threat TI. Obtain classification information, and for each existing threat TI with reference to at least some of the classification information of the existing threat event, the number of existing threat tickets corresponding to the existing threat TI, and the occurrence time of the existing threat ticket. A method is disclosed that further comprises calculating a threat risk and additionally storing it in the threat TI database.

As an example, in step (d), the computing device, for the event to be verified corresponding to the ticket to be verified, obtains an existing matching TI hazard value from the TI hazard value to be verified corresponding to the event to be verified. After obtaining the threat risk corresponding to the existing matching TI harmful value from the threat TI database, refer to at least part of the threat risk, classification information of the event to be verified, and the occurrence time of the event to be verified. A method is disclosed, characterized in that the risk score of the ticket subject to verification is calculated.

According to another aspect of the present invention, there is provided a threat intelligence (TI) based ontology generation and visualization computing device, comprising: at least one memory storing instructions; and at least one processor configured to execute the instructions, wherein the processor is configured to: (I) detect existing threats TI including at least a portion of an Internet Protocol (IP), a Uniform Resource Locator (URL), and a hash; For this, the existing threat TI harmful value corresponding to the value specifying the existing threat TI, existing threat log information which is log information of the existing threat TI, existing threat node information corresponding to the existing threat log information, and the existing threat log. With the existing threat relationship information between multiple existing threat nodes representing each information relationship stored in the threat TI database, the verification target log information, which is the log information of the verification target TI, which is the target of determining whether or not the threat is TI, is obtained from external security equipment. After obtaining the TI harmful value to be verified by referring to the verification target log information, the existing threat TI harmful value obtained from the threat TI database is compared with the verification target TI harmful value to verify the verification among the existing threat TIs. A process of determining whether an existing matching TI exists that matches the target TI; (II) When the existing matching TI is confirmed, generating a plurality of verification target nodes with reference to the verification target log information corresponding to the verification target TI and a plurality of verification target data items corresponding to the verification target log information. process; (III) a process of generating a verification target ontology including each of the plurality of verification target nodes with reference to verification target relationship information between the plurality of verification target nodes indicating the respective relationships between the verification target log information; (IV) The log information to be verified corresponding to each of the plurality of data items to be verified, the plurality of nodes to be verified, the ontology to be verified, the creation time of the ticket to be verified, the occurrence time of the event to be verified, and the subject to be verified. The ticket to be verified includes at least part of the classification information of the event (the ticket to be verified is a processing unit for the event to be verified, and the event to be verified is any of security threats, security failures, security breaches, information leaks, and unclear A process of generating (including classification information corresponding to one); and (V) each of a plurality of existing threat nodes included in each of a plurality of existing threat ontologies corresponding to each of a plurality of existing threat tickets pre-processed and stored in the threat TI database, and the verification target ontology corresponding to the verification target ticket. By comparing the plurality of verification target nodes included in, at least one reference including a plurality of reference existing nodes whose similarity with the plurality of verification target nodes is more than a preset threshold At least one reference corresponding to an existing ontology A computing device comprising: determining an existing ticket, and determining at least one reference existing playbook that was used to process the reference existing ticket.

As an example, in the process (I), the processor, for the existing matching TI that matches the verification target TI, existing matching log information corresponding to the existing matching TI from the threat TI database, the existing matching log information At least some of the existing matching node information corresponding to the existing matching log information, existing matching relationship information between the plurality of existing matching nodes indicating the relationship between each of the existing matching log information, and a plurality of existing matching data items corresponding to the existing matching log information are obtained. In this state, as a result of comparing the plurality of existing matching data items and the plurality of data items to be verified, a plurality of existing data items obtained by extracting identical items from the plurality of existing matching data items, the existing data items A first partial verification target node belonging to the plurality of verification target nodes is generated with reference to existing log information corresponding to and existing relationship information indicating a relationship between each of the existing log information, and among the plurality of verification target data items Excluding the existing data items, the remaining data items to be verified are generated as a plurality of new data items to be verified, the plurality of new data items to be verified, log information to be new to be verified corresponding to the data items to be new to be verified, and log information to be new to be verified, and the new data items to be verified are A second partial verification target node belonging to the plurality of verification target nodes is created by referring to new verification target relationship information indicating the relationship between each log information to be verified, and the first partial verification target node and the second partial verification target node are generated. A computing device is disclosed, characterized in that it generates the plurality of verification target nodes using .

As an example, the processor generates new matching node information by adding the second partial verification target node to the existing matching node information, and adds the plurality of new verification target data items to the plurality of existing matching data items. Create a plurality of new matching data items, create new matching relationship information by adding the new verification target relationship information to the existing matching relationship information, and add the new verification target log information to the existing matching log information to create new matching. After generating log information, a new matching ontology is generated with reference to at least some of the new matching node information, the plurality of new matching data items, the new matching relationship information, and the new matching log information, and the new matching ontology A computing device is disclosed, characterized in that it further performs a process of matching the existing matching TI and storing it in the threat TI database.

As an example, the processor is in a waiting state before classification information of the event to be verified corresponding to the ticket to be verified is specified, and a state before the classification information of the event to be verified is specified and the playbook to be verified is executed. classification status, a response state in which the ticket to be verified is processed by the playbook to be verified, an approval request state in which an approval request is sent after execution of the playbook to be verified is completed, and processing of the ticket to be verified. A computing device is disclosed, characterized in that it manages a ticket processing state that includes at least some of the completion state in which the state is completed.

As an example, in the process (I), the processor: for each of the existing threat TI harmful values, existing threat TI harmful value classification information including at least a portion of an IP, URL, hash, and the existing threat TI harmful value. With at least some of these valid expiration dates additionally stored in the threat TI database, when the verification target TI harmful value is obtained, the existing threat TI harmful value classification information corresponding to a plurality of the existing threat TI harmful values, and A computing device is disclosed, wherein the computing device determines whether the TI hazard value to be verified matches the existing threat TI hazard value with reference to at least part of the expiration date.

As an example, in the process (V), the processor determines the similarity between the plurality of verification target nodes and the plurality of reference existing nodes, the number of executions of the reference existing playbook, and the reference existing ticket, for the reference existing ticket. A computing device is disclosed, wherein a recommendation is calculated for each of the reference existing playbooks by referring to at least some of the result information of executing the playbook.

As an example, in the process (IV), the processor: (i) the log information to be verified, the plurality of nodes to be verified, the ontology to be verified, the creation time of the ticket to be verified, and the occurrence time of the event to be verified. , and a process of automatically obtaining at least some of the classification information of the event to be verified and generating the ticket to be verified, (ii) the log information to be verified, the plurality of nodes to be verified, the ontology to be verified, and the subject to be verified. Providing to input at least part of a ticket creation time, an occurrence time of the event to be verified, and classification information of the event to be verified, and executing any one of the processes of generating the ticket to be verified based on the input information. A computing device featuring features is disclosed.

As an example, (VI) the processor, in a state where the ticket to be verified is processed by the playbook to be verified, the result of processing the ticket to be verified by the playbook to be verified does not satisfy a preset processing result condition. If it is determined that the verification target playbook is not executed, a process of canceling the execution of the playbook to be verified and obtaining and providing at least one reference existing playbook from the threat TI database is disclosed. .

As an example, prior to the (I) process, (I0) the processor, for each of the at least one existing threat TI, determines: Obtain classification information, and determine a threat for each of the existing threat TIs with reference to at least part of the classification information of the existing threat event, the number of existing threat tickets corresponding to the existing threat TI, and the occurrence time of the existing threat ticket. A computing device is disclosed that further performs a process of calculating risk and additionally storing it in the threat TI database.

As an example, in the process (IV), the processor, for the event to be verified corresponding to the ticket to be verified, obtains an existing matching TI hazard value from the TI hazard value to be verified corresponding to the event to be verified, and , After obtaining the threat risk corresponding to the existing matching TI harmful value from the threat TI database, the threat risk, classification information of the event to be verified, and the occurrence time of the event to be verified are referred to. A computing device is disclosed, characterized in that it calculates a risk score of a ticket to be verified.

The present invention has the effect of efficiently and highly accurately generating a verification target ontology for a verification target event, which is a security event.

In addition, the present invention provides each of a plurality of existing threat nodes included in each of a plurality of existing threat ontologies corresponding to each of a plurality of existing threat tickets stored in the threat TI database, and a plurality of existing threat nodes included in each of the verification target ontologies corresponding to the verification target tickets. Comparing verification target nodes, determining at least one reference existing ticket corresponding to at least one reference existing ontology including a plurality of reference existing nodes whose similarity with the plurality of verification target nodes is greater than or equal to a preset threshold, This has the effect of determining at least one reference existing playbook that has been used to process the reference existing ticket.

The following drawings attached for use in explaining embodiments of the present invention are only some of the embodiments of the present invention, and are of interest to those skilled in the art (hereinafter “those skilled in the art”) in the technical field to which the present invention pertains. Other drawings may be obtained based on these drawings without inventive work being done.
1 schematically shows a computing device that provides threat TI-based ontology generation and visualization according to an embodiment of the present invention;
Figure 2 schematically shows through a flowchart the process of creating an ontology to be verified and a ticket to be verified and determining a reference existing playbook according to an embodiment of the present invention;
Figure 3 exemplarily illustrates displaying an existing threat TI according to an embodiment of the present invention.
Figure 4 is an exemplary illustration of displaying a verification target node according to an embodiment of the present invention.
Figure 5 illustrates an exemplary visualization of an ontology to be verified according to an embodiment of the present invention.
Figure 6 exemplarily shows the process of generating a ticket to be verified according to an embodiment of the present invention.
Figure 7 illustrates an exemplary visualization of a reference existing ontology according to an embodiment of the present invention.
Figure 8 illustrates an exemplary display of a playbook to be verified according to an embodiment of the present invention.

The detailed description of the present invention described below refers to the accompanying drawings, which show by way of example specific embodiments in which the present invention may be practiced to make clear the objectives, technical solutions and advantages of the present invention. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention.

Additionally, throughout the description and claims of the present invention, the word “comprise” and variations thereof are not intended to exclude other technical features, attachments, components or steps. Other objects, advantages and features of the invention will appear to those skilled in the art, partly from this description and partly from practice of the invention. The examples and drawings below are provided by way of example and are not intended to limit the invention.

Moreover, the present invention encompasses all possible combinations of the embodiments shown herein. It should be understood that the various embodiments of the present invention are different from one another but are not necessarily mutually exclusive. For example, specific shapes, structures and characteristics described herein with respect to one embodiment may be implemented in other embodiments without departing from the spirit and scope of the invention. Additionally, it should be understood that the location or arrangement of individual components within each disclosed embodiment may be changed without departing from the spirit and scope of the invention. Accordingly, the detailed description that follows is not intended to be taken in a limiting sense, and the scope of the invention is limited only by the appended claims, together with all equivalents to what those claims assert, if properly described. Similar reference numbers in the drawings refer to identical or similar functions across various aspects.

Hereinafter, in order to enable those skilled in the art to easily practice the present invention, preferred embodiments of the present invention will be described in detail with reference to the attached drawings.

Figure 1 schematically illustrates a computing device that provides threat TI-based ontology creation and visualization according to an embodiment of the present invention.

Referring to FIG. 1, the computing device 100 may include a memory 110 that stores instructions for generating and visualizing a threat TI-based ontology and a processor 120 that performs the instructions stored in the memory 110. At this time, the computing device 100 may include various computing devices such as a server, personal computer (PC), tablet, mobile computer, PDA/EDA, mobile phone, smartphone, IOT device, etc.

Specifically, computing device 100 typically refers to a computing device (e.g., a device that may include a computer processor, memory, storage, input and output devices, and other components of a traditional computing device; electronic devices such as a router, switch, etc. The desired system utilizes a combination of communication devices (electronic information storage systems, such as network attached storage (NAS) and storage area networks (SAN)) and computer software (i.e., instructions that cause a computing device to function in a particular manner). Performance may be achieved.

Additionally, the processor of the computing device may include hardware components such as a Micro Processing Unit (MPU) or Central Processing Unit (CPU), cache memory, and data bus. Additionally, the computing device may further include an operating system and a software component of an application that performs a specific purpose.

However, this does not exclude the case where the computing device includes an integrated processor in which a medium, processor, and memory are integrated for implementing the present invention.

Additionally, the computing device 100 may be linked to a database (not shown). Here, the database (not shown) is a flash memory type, hard disk type, multimedia card micro type, or card type memory (for example, SD or XD memory). , RAM (Random Access Memory), SRAM (Static Random Access Memory), ROM (ReadOnly Memory, ROM), EEPROM (Electrically Erasable Programmable ReadOnly Memory), PROM (Programmable ReadOnly Memory), magnetic memory, magnetic disk, and optical disk. It may include at least one type of storage medium, but is not limited to this and may include any medium capable of storing data. In addition, the database (not shown) may be installed separately from the computing device 100, or alternatively, may be installed inside the computing device 100 to transmit data or record received data, and, unlike shown, may have more than one database (not shown). It may be implemented separately, and this may vary depending on the implementation conditions of the invention.

Figure 2 schematically shows through a flowchart the process of creating an ontology to be verified and a ticket to be verified and determining a reference existing playbook according to an embodiment of the present invention.

Referring to Figure 2, first, the existing threat TI may refer to the subject of an attack specified by at least some of the IP (Internet Protocol), URL (Uniform Resource Locator), and hash of the existing security threat event. there is. Existing threat TI harmful value corresponding to the value that specifies the existing threat TI in the threat TI database, existing threat log information, which is log information of the existing threat TI, existing threat node information corresponding to the existing threat log information, and the existing threat log. With existing threat relationship information between a plurality of existing threat nodes representing each relationship of information pre-stored, verification target log information, which is the log information of the verification target TI that is to be determined as a threat TI, is acquired from external security equipment (S201 ), the processor 120 obtains the TI harmful value to be verified by referring to the log information to be verified (S202), and compares the existing threat TI harmful value obtained from the threat TI database with the TI harmful value to be verified to determine the existing threat. Among the TIs, it is possible to determine whether there is an existing matching TI that matches the TI subject to verification (S203).

At this time, the event refers to a security attack event that includes classified information including security threats, security failures, security violations, information leaks, and unclear information.

The information stored in the threat TI database in response to existing threat TIs is illustratively described with reference to FIG. 3 as follows.

Figure 3 exemplarily illustrates displaying an existing threat TI according to an embodiment of the present invention.

The existing threat TI harmful value (320), which is a value that specifies the existing threat TI, existing threat log information (not shown), existing threat node information (not shown), and existing threat relationship information (not shown), as well as IP, URL, hash, etc. Classification information (310), threat risk (330), expiration date (340), etc. of the same existing threat TI harmful values can be additionally provided.

When the TI harmful value to be verified is obtained in step S202 described above, in step S203, the processor 120 refers to at least some of the existing threat TI harmful value classification information and expiration date corresponding to the plurality of existing threat TI harmful values. It can be determined whether the TI harmful value subject to verification matches the existing threat TI harmful value. For example, it will be possible to determine what the existing matching TI is by filtering based on the existing threat TI harmful value classification information and expiration date based on the TI classification information subject to verification and the matching point.

Returning to FIG. 2, when the processor 120 confirms the matching TI, a plurality of verification target nodes are selected with reference to the verification target log information corresponding to the verification target TI and a plurality of verification target data items corresponding to the verification target log information. You will be able to create (S204). This will be described in more detail with reference to FIG. 4 as follows.

Figure 4 illustrates the display of a verification target node according to an embodiment of the present invention. The node to be verified may obtain a node name 410 from the data item to be verified and may include a detailed description 420 of the node. In addition, it may be possible to additionally provide information on whether each node is an essential node for processing security threat events (440), whether it is used (430), and the registration date and time of each node (450).

In addition, as an example of a method of generating a verification target node, for an existing matching TI that matches a verification target TI, existing matching log information corresponding to the existing matching TI from the threat TI database, existing matching node corresponding to the existing matching log information Information, existing matching log information, existing matching relationship information between a plurality of existing matching nodes representing the respective relationships, and a plurality of existing matching data items corresponding to the existing matching log information are obtained, the computing device 100 The processor 120 compares a plurality of existing matching data items and a plurality of data items to be verified, and extracts identical items from the plurality of existing matching data items to obtain a plurality of existing data items and a plurality of data items corresponding to the existing data items. A first partial verification target node belonging to a plurality of verification target nodes may be created by referring to the existing log information and the existing relationship information indicating the relationship between the existing log information. Then, among the plurality of data items subject to verification, the remaining data items subject to verification, excluding the existing data items, are created as a plurality of data items subject to new verification, and new data items subject to verification corresponding to the plurality of data items subject to new verification and the data items subject to new verification are created. After creating a second partial verification target node belonging to a plurality of verification target nodes by referring to the new verification target relationship information indicating the relationship between the log information and the new verification target log information, the first partial verification target node and the second partial verification are performed. Multiple verification target nodes can be created using the target node.

For example, when the processor 120 of the computing device 100 obtains verification target log information including 7 logs as shown in [Table 1] from an external security device, 7 verification target data items can be obtained from this. there is.

Equipment IP 10.1.2.3 Source IP 10.2.3.4 Destination IP 10.2.3.5 Origin country Taiwan destination port 30 URL www.testtest.com Hash 184336587832

Additionally, existing matching data items can be obtained from the threat TI database. For reference, a plurality of existing matching nodes may be as shown in [Table 2] below.

Node name explanation ticket_nm ticket name eqp_ip Equipment IP attack_nm Attack name src_ip Source IP dstn_ip Destination IP

At this time, the equipment IP, source IP, and destination IP, which are the same items (items indicated in bold in Table 1 and Table 2), can be extracted from the existing matching data item and the data item to be verified. The first partial verification target node may be generated from the same three items and the corresponding information.

In addition, the second partial verification target node may be created through items that are not the same among data items to be verified, that is, source country, destination port, URL, Hash, and information corresponding to the items.

A plurality of verification target nodes can be created as shown in [Table 3] through the first partial verification target node (node indicated in bold in Table 3) and the second partial verification target node.

Node name explanation eqp_ip Equipment IP src_ip Source IP dstn_ip Destination IP src_country_name Origin country name dstn_port destination port URL URL Hash Hash

Returning to FIG. 2 and continuing the explanation, the processor 120 of the computing device 100 generates a verification target ontology with reference to verification target relationship information between a plurality of verification target nodes representing the respective relationships of log information to be verified ( S205) You can. This will be illustratively explained with reference to FIG. 5 as follows.

Figure 5 illustrates an exemplary visualization of an ontology to be verified according to an embodiment of the present invention.

As an example, the ontology to be verified may show each verification target node 510 and verification target relationship information 520. At this time, the ontology to be verified may further include various additional information referencing the log information to be verified.

Returning to FIG. 2, the processor 120 of the computing device 100 generates log information to be verified, a plurality of nodes to be verified, ontology to be verified, creation time of the ticket to be verified, and verification target log information corresponding to each of the plurality of data items to be verified. A verification target ticket containing at least part of the occurrence time of the target event and classification information of the verification target event may be generated (S206). Here, the ticket refers to a processing unit for an event, which means a security attack incident containing classified information including security threats, security failures, security violations, information leaks, unclear information, etc. This will be illustratively explained with reference to FIG. 6 as follows.

Figure 6 exemplarily shows a process for generating a ticket to be verified according to an embodiment of the present invention.

The ticket subject to verification includes the ticket name (611), creation time of the ticket subject to verification (612), occurrence time of the event subject to verification (613), classification information of the event subject to verification (614), ontology to be verified (623), and ontology to be verified. It may include detailed information 630, log information to be verified (not shown), and a plurality of nodes to be verified (not shown). In addition, it may further include a reference existing playbook 621, a threat risk level 622, and a reference existing ontology (not shown) from the existing matching TI. The above content will be explained in detail later. The ticket to be verified may be generated by the processor 120 of the computing device 100 automatically obtaining the above information, or it may be provided to a user, etc. to input, and then generated through the input information.

In addition, the processor 120 of the computing device 100 is in a standby state before the classification information of the event to be verified corresponding to the ticket to be verified is specified, and the classification information of the event to be verified is specified and the playbook to be verified is executed. The classification state is the previous state, the response state is the state in which the ticket to be verified is processed by the playbook to be verified, the approval request state is the state in which an approval request is sent after execution of the playbook to be verified is completed, and the state in which the processing of the ticket to be verified is completed. It is possible to set a ticket processing status that includes at least part of the completion status, and manage the above status by considering the processing stage of the ticket to be verified.

Returning to FIG. 2 and continuing the explanation, the processor 120 of the computing device 100 preprocesses a plurality of existing threats included in each of a plurality of existing threat ontologies corresponding to each of a plurality of existing threat tickets stored in the threat TI database. Each node is compared with a plurality of verification target nodes included in the verification target ontology corresponding to the verification target ticket, and at least one node includes a plurality of reference existing nodes whose similarity to the plurality of verification target nodes is greater than or equal to a preset threshold. It may be possible to determine at least one reference existing ticket corresponding to the reference existing ontology and determine at least one reference existing playbook that was used to process the reference existing ticket (S207). At this time, in determining the reference existing playbook, the reference existing playbook may be directly selected (621) when creating the ticket in FIG. 6. Here, an example of determining a plurality of reference existing nodes whose similarity to a plurality of verification target nodes is greater than or equal to a preset threshold is as follows.

Node name explanation eqp_ip Equipment IP src_ip Source IP dstn_ip Destination IP dstn_port destination port src_country_name Origin country name URL URL Hash Hash

[Table 4] above shows a plurality of nodes to be verified, and [Table 5] below shows a plurality of reference existing nodes whose similarity to the plurality of nodes to be verified is equal to or higher than a preset threshold. Referring to [Table 4] and [Table 5], nodes that match each other are marked in bold, and according to this, 7 out of a total of 10 reference existing nodes in [Table 5] are the verification target nodes in [Table 4]. It can be seen that they match, and it can be assumed that this similarity of 70% is above the preset threshold. Of course, the calculation of 70% similarity here is only an example, and it goes without saying that there may be various variations in the method for calculating the similarity between a plurality of verification target nodes and a plurality of reference existing nodes.

Node name explanation eqp_ip Equipment IP src_ip Source IP dstn_ip Destination IP dstn_port destination port src_country_name Origin country name URL URL Hash Hash Asset Asset Asset Asset Attack_nm Attack name

Meanwhile, the process of determining the reference existing playbook will be described in more detail with reference to FIGS. 7 and 8 as follows.

Figure 7 illustrates an exemplary visualization of an existing threat ontology according to an embodiment of the present invention.

If the similarity between the existing threat node initiated in the existing threat ontology and the verification target node is determined to be greater than a preset threshold, it may be determined as the reference existing ontology even if the verification target ontology is not the same subject as the specified subject. At this time, in determining the reference existing ontology, the reference existing ontology may be directly selected (623) in the ticket creation process shown in FIG. 6.

In addition, when calculating the similarity between an existing threat node (i.e., a reference existing node) and a verification target node, the weight is varied for each node when calculating the similarity, referring to the possibility or ease of change of log information corresponding to each node. You may be able to set it.

Once the reference existing ticket is determined, the processor 120 of the computing device 100 selects the similarity between the plurality of verification target nodes and the plurality of reference existing nodes, the number of executions of the reference existing playbook, and the result information of executing the reference existing playbook. It will be possible to process a ticket subject to verification by calculating a recommendation for each reference existing playbook using at least some of them as a reference and providing a plurality of reference existing playbooks. At this time, the processor 120 of the computing device 100 may automatically execute the playbook with the highest recommendation to process the ticket to be verified.

Next, Figure 8 illustrates an exemplary display of a playbook to be verified according to an embodiment of the present invention.

Reference If you set a specific reference existing playbook among existing playbooks as the playbook to be verified, you can process tickets to be verified according to the playbook to be verified, and display the execution process and results.

At this time, if the processor 120 determines that the result of processing the ticket to be verified by the playbook to be verified while the ticket to be verified has been processed by the playbook to be verified does not satisfy the preset processing result conditions, The computing device may cancel 800 execution of the playbook to be verified and obtain and provide at least one reference existing playbook from the threat TI database.

The ticket subject to verification is further described with reference to FIG. 6 as follows.

First, for each of at least one existing threat TI, classification information of an existing threat event that is the target of at least one existing threat ticket corresponding to the existing threat TI is obtained, and classification information of the existing threat event and corresponding to the existing threat TI are obtained. Using at least part of the number of existing threat tickets and the occurrence time of existing threat tickets as a reference, the threat risk can be calculated for each existing threat TI and additionally stored in the threat TI database. At this time, the classification information of the existing threat event may include information on how much of a threat the existing threat event posed to security, and the number of existing threat tickets may include information on how often the existing threat TI performed attacks. This can be done, and the occurrence time of the existing threat ticket may include information about the frequency or concentration of the existing threat TI attack and the time of the most recent attack. If you calculate the threat risk with reference to this information, you will be able to quantify how much of a threat the existing threat TI poses to current security.

When the threat risk of the existing threat TI is calculated, the processor 120 obtains the existing matching TI harmful value from the verification target TI harmful value corresponding to the verification target event for the verification target event corresponding to the verification target ticket, and determines the threat TI harmful value. After obtaining the threat risk 622 corresponding to the existing matching TI harmful value from the database, the risk of the ticket to be verified (not shown) is calculated by referring to at least part of the threat risk, classification information of the event to be verified, and the occurrence time of the event to be verified. ) can be calculated, and the verification target ticket can be processed by referring to the risk level.

When updating the threat TI database, the processor 120 matches the existing matching TI to the verification target TI among the existing threat TIs stored in the database, and adds second information that is newly added information from the verification target node to the existing matching node information. Create new matching node information by adding a node subject to partial verification, and create a plurality of new matching data items by adding a plurality of new data items subject to verification, which are data items subject to verification, to a plurality of newly added items of existing matching data. New matching relationship information is created by adding new verification target relationship information, which is newly added information from the verification target relationship information, to the existing matching relationship information, and new matching log information is created by adding new verification target log information to the existing matching log information. After that, a new matching ontology is created with reference to at least some of the new matching node information, multiple new matching data items, new matching relationship information, and new matching log information, and the new matching ontology is matched to the existing matching TI to detect the threat TI. It can be saved in the database. Through this, the existing threat ontology can store more information, and when a new event occurs, it is possible to more easily select a playbook that can provide a more accurate response among the existing threat playbooks as a reference.

In the above, the present invention has been described with specific details such as specific components and limited embodiments and drawings, but this is only provided to facilitate a more general understanding of the present invention, and the present invention is not limited to the above embodiments. , a person skilled in the art to which the present invention pertains can make various modifications and variations from this description.

Therefore, the spirit of the present invention should not be limited to the above-described embodiments, and the scope of the patent claims described below as well as all modifications equivalent to or equivalent to the scope of the claims fall within the scope of the spirit of the present invention. They will say they do it.

Claims (20)

In the threat TI (Threat Intelligence)-based ontology creation and visualization method,
(a) For existing threat TI that includes at least some of IP (Internet Protocol), URL (Uniform Resource Locator), and hash, existing threat TI harmful value corresponding to the value specifying existing threat TI, said existing threat TI Existing threat log information, which is log information of threat TI, existing threat node information corresponding to the existing threat log information, and existing threat relationship information between a plurality of existing threat nodes representing the relationships between each of the existing threat log information are stored in the threat TI database. In the stored state, the computing device acquires verification target log information, which is log information of the verification target TI, which is the target of determining whether or not it is a threat TI, from external security equipment, and obtains verification target TI harmful values by referring to the verification target log information. Then, comparing the existing threat TI harmful value obtained from the threat TI database with the verification target TI harmful value to determine whether there is an existing matching TI that matches the verification target TI among the existing threat TIs;
(b) When the existing matching TI is confirmed, the computing device performs a plurality of verifications with reference to the verification target log information corresponding to the verification target TI and a plurality of verification target data items corresponding to the verification target log information. creating a target node;
(c) The computing device generates an ontology to be verified including each of the plurality of nodes to be verified, with reference to the relationship information to be verified between the plurality of nodes to be verified, which represents the relationship between each of the log information to be verified. step;
(d) the computing device, the log information to be verified corresponding to each of the plurality of data items to be verified, the plurality of nodes to be verified, the ontology to be verified, the creation time of the ticket to be verified, and the occurrence time of the event to be verified. , and the verification target ticket containing at least some of the classification information of the verification target event - the verification target ticket is a processing unit for the verification target event, and the verification target event is a security threat, security failure, security violation, information Containing classification information corresponding to any one of leakage and unclear - generating a; and
(e) the computing device, each of a plurality of existing threat nodes included in each of a plurality of existing threat ontologies corresponding to each of a plurality of existing threat tickets stored in the threat TI database, and each of the plurality of existing threat nodes corresponding to the ticket to be verified By comparing the plurality of verification target nodes included in the verification target ontology, at least one reference existing ontology including a plurality of reference existing nodes whose similarity to the plurality of verification target nodes is greater than or equal to a preset threshold determining at least one reference existing ticket and determining at least one reference existing playbook that was used to process the reference existing ticket;
A method comprising: According to paragraph 1,
In step (b) above,
For the existing matching TI that matches the verification target TI, existing matching log information corresponding to the existing matching TI from the threat TI database, existing matching node information corresponding to the existing matching log information, and the existing matching log information, respectively. In a state where at least some of the existing matching relationship information between the plurality of existing matching nodes indicating the relationship, and the plurality of existing matching data items corresponding to the existing matching log information are obtained, the computing device performs the plurality of existing matching data items. As a result of comparing the data item and the plurality of data items to be verified, a plurality of existing data items obtained by extracting identical items from the plurality of existing matching data items, existing log information corresponding to the existing data items, and A first partial verification target node belonging to the plurality of verification target nodes is created with reference to existing relationship information indicating the relationship between each of the existing log information, and the remaining verification target nodes excluding the existing data item among the plurality of verification target data items are subject to verification. Generating a data item as a plurality of new data items to be verified, and indicating a relationship between the plurality of new data items to be verified, log information to be new to be verified corresponding to the data items to be new, and log information to be new to be verified. A second partial verification target node belonging to the plurality of verification target nodes is created by referring to new verification target relationship information, and the plurality of verification target nodes are generated using the first partial verification target node and the second partial verification target node. A method characterized in that generating. According to paragraph 2,
The computing device generates new matching node information by adding the second partial verification target node to the existing matching node information, and adds the plurality of new verification target data items to the plurality of existing matching data items to create a plurality of new matching node information. Create a new matching data item, add the new verification target relationship information to the existing matching relationship information to create new matching relationship information, and add the new verification target log information to the existing matching log information to create new matching log information. After generating, a new matching ontology is generated with reference to at least some of the new matching node information, the plurality of new matching data items, the new matching relationship information, and the new matching log information, and the new matching ontology is A method characterized by further performing a process of matching existing matching TIs and storing them in the threat TI database. According to paragraph 1,
The computing device is in a standby state before the classification information of the event to be verified corresponding to the ticket to be verified is specified, and a classification state in which the classification information of the event to be verified is specified and the playbook to be verified is executed. state, a response state in which the ticket to be verified is processed by the playbook to be verified, an approval request state in which an approval request is sent after execution of the playbook to be verified is completed, and processing of the ticket to be verified is completed. A method characterized by managing a ticket processing status that includes at least some of the statuses of completion. According to paragraph 1,
In step (a) above,
For each of the existing threat TI harmful values, existing threat TI harmful value classification information including at least a portion of IP, URL, hash, and at least a portion of a valid expiration date of the existing threat TI harmful value are added to the threat TI database. In the stored state, when the computing device obtains the TI hazard value to be verified, at least some of the existing threat TI hazard value classification information corresponding to the plurality of existing threat TI hazard values, and the expiration date are referred to. A method characterized by determining whether the TI harmful value subject to verification matches the existing threat TI harmful value. According to paragraph 1,
In step (e) above,
The computing device is configured to, with respect to the reference existing ticket, at least one of a similarity between the plurality of verification target nodes and the plurality of reference existing nodes, an execution number of the reference existing playbook, and information on a result of executing the reference existing playbook. A method characterized in that a recommendation is calculated for each of the referenced existing playbooks using some of them as a reference. According to paragraph 1,
In step (d) above,
The computing device includes (i) the log information to be verified, the plurality of nodes to be verified, the ontology to be verified, the creation time of the ticket to be verified, the occurrence time of the event to be verified, and classification information of the event to be verified. a process for generating the ticket to be verified by automatically obtaining at least a portion of the target log information, (ii) the log information to be verified, the plurality of nodes to be verified, the ontology to be verified, the creation time of the ticket to be verified, and the event to be verified. A method characterized by providing input of at least some of the occurrence time and classification information of the event to be verified, and executing any one of a process of generating the ticket to be verified based on the input information. According to paragraph 1,
(f) When the ticket to be verified has been processed by the playbook to be verified, and it is determined that the result of processing the ticket to be verified by the playbook to be verified does not satisfy the preset processing result conditions, A computing device, canceling execution of the playbook to be verified, and obtaining and providing at least one reference existing playbook from the threat TI database;
A method further comprising: According to paragraph 1,
Before step (a) above,
(a0) The computing device acquires, for each of the at least one existing threat TI, classification information of an existing threat event that is the target of at least one existing threat ticket corresponding to the existing threat TI, and the existing threat event The threat risk is calculated for each of the existing threat TIs with reference to at least part of the classification information, the number of existing threat tickets corresponding to the existing threat TI, and the occurrence time of the existing threat ticket, and added to the threat TI database. saving;
A method characterized in that further performing. According to clause 9,
In step (d) above,
The computing device, for the event to be verified corresponding to the ticket to be verified, obtains an existing matching TI harmful value from the TI harmful value to be verified corresponding to the event to be verified, and matches the existing matching TI harmful value from the threat TI database. After obtaining the threat risk corresponding to the TI hazard value, calculating the risk score of the ticket to be verified by referring to at least part of the threat risk, classification information of the event to be verified, and the occurrence time of the event to be verified. A method characterized by: In a threat intelligence (TI)-based ontology generation and visualization device,
at least one memory storing instructions; and
At least one processor configured to execute the instructions;
The processor, for existing threat TIs that include at least some of (I) IP (Internet Protocol), URL (Uniform Resource Locator), and hash, existing threat TI harmful corresponding to a value that specifies the existing threat TI. value, existing threat log information that is log information of the existing threat TI, existing threat node information corresponding to the existing threat log information, and existing threat relationship information between a plurality of existing threat nodes indicating the relationship between each of the existing threat log information. While stored in the threat TI database, obtain verification target log information, which is the log information of the verification target TI, which is the target for determining whether or not it is a threat TI from external security equipment, and obtain verification target TI harmful values by referring to the verification target log information. Then, a process of comparing the existing threat TI harmful value obtained from the threat TI database with the verification target TI harmful value to determine whether there is an existing matching TI that matches the verification target TI among the existing threat TIs; (II) When the existing matching TI is confirmed, generating a plurality of verification target nodes with reference to the verification target log information corresponding to the verification target TI and a plurality of verification target data items corresponding to the verification target log information. process; (III) a process of generating a verification target ontology including each of the plurality of verification target nodes with reference to verification target relationship information between the plurality of verification target nodes indicating the respective relationships between the verification target log information; (IV) The log information to be verified corresponding to each of the plurality of data items to be verified, the plurality of nodes to be verified, the ontology to be verified, the creation time of the ticket to be verified, the occurrence time of the event to be verified, and the subject to be verified. The ticket to be verified includes at least some of the classification information of the event (the ticket to be verified is a processing unit for the event to be verified, and the event to be verified is any of security threats, security failures, security breaches, information leaks, and unclear A process of generating (including classification information corresponding to one); and (V) each of a plurality of existing threat nodes included in each of a plurality of existing threat ontologies corresponding to each of a plurality of existing threat tickets pre-processed and stored in the threat TI database, and the verification target ontology corresponding to the verification target ticket. By comparing the plurality of verification target nodes included in, at least one reference including a plurality of reference existing nodes whose similarity with the plurality of verification target nodes is more than a preset threshold At least one reference corresponding to an existing ontology A computing device comprising: determining an existing ticket, and determining at least one reference existing playbook that was used to process the reference existing ticket. According to clause 11,
In process (II) above,
The processor, with respect to the existing matching TI that matches the verification target TI, existing matching log information corresponding to the existing matching TI from the threat TI database, existing matching node information corresponding to the existing matching log information, and the existing matching TI In a state where at least some of the existing matching relationship information between the plurality of existing matching nodes indicating the relationship between each matching log information, and the plurality of existing matching data items corresponding to the existing matching log information are obtained, the plurality of existing matching data As a result of comparing the item and the plurality of data items to be verified, a plurality of existing data items obtained by extracting identical items from the plurality of existing matching data items, existing log information corresponding to the existing data items, and A first partial verification target node belonging to the plurality of verification target nodes is generated by referring to existing relationship information indicating the relationship between log information, and the remaining verification target data excluding the existing data item among the plurality of verification target data items An item is created as a plurality of new data items to be verified, and a new data item indicating a relationship between the plurality of new data items to be verified, new log information to be verified corresponding to the data items to be verified, and log information to be new to be verified. A second partial verification target node belonging to the plurality of verification target nodes is generated by referring to verification target relationship information, and the plurality of verification target nodes are generated using the first partial verification target node and the second partial verification target node. A computing device characterized by generating. According to clause 12,
The processor generates new matching node information by adding the second partial verification target node to the existing matching node information, and adds the plurality of new verification target data items to the plurality of existing matching data items to create a plurality of new matching node information. Create a matching data item, add the new verification target relationship information to the existing matching relationship information to create new matching relationship information, and add the new verification target log information to the existing matching log information to create new matching log information. After creation, a new matching ontology is created with reference to at least some of the new matching node information, the plurality of new matching data items, the new matching relationship information, and the new matching log information, and the new matching ontology is added to the existing matching ontology. Computing device characterized in that further performing a process of matching the matching TI and storing it in the threat TI database. According to clause 11,
The processor is in a waiting state before classification information of the event to be verified corresponding to the ticket to be verified is specified, and a classification state is a state before the classification information of the event to be verified is specified and the playbook to be verified is executed. , a response state in which the ticket to be verified is processed by the playbook to be verified, an approval request state in which an approval request is sent after execution of the playbook to be verified is completed, and a state in which processing of the ticket to be verified is completed. A computing device characterized by managing ticket processing status, including at least some of the status of completed. According to clause 11,
In process (I) above,
The processor configures, for each of the existing threat TI harmful values, existing threat TI harmful value classification information including at least a portion of an IP, URL, and hash, and at least a portion of a valid expiration date of the existing threat TI harmful value to indicate the threat. When the TI hazard value subject to verification is acquired while additionally stored in the TI database, at least some of the existing threat TI hazardous value classification information corresponding to the plurality of existing threat TI hazardous values, and the expiration date are used as reference. A computing device characterized in that it determines whether the TI harmful value subject to verification matches the existing threat TI harmful value. According to clause 11,
In process (V) above,
The processor, with respect to the reference existing ticket, at least some of the following: similarity between the plurality of verification target nodes and the plurality of reference existing nodes, the number of executions of the reference existing playbook, and result information of executing the reference existing playbook. A computing device characterized in that it calculates a recommendation for each of the existing playbooks referenced above. According to clause 11,
In process (IV) above,
The processor, among (i) the log information to be verified, the plurality of nodes to be verified, the ontology to be verified, the creation time of the ticket to be verified, the occurrence time of the event to be verified, and the classification information of the event to be verified; A process of generating the ticket to be verified by automatically acquiring at least a portion of the log information to be verified, the plurality of nodes to be verified, the ontology to be verified, the creation time of the ticket to be verified, and the event to be verified. A computing device that provides input of at least some of the occurrence time and classification information of the event to be verified, and executes one of a process of generating the ticket to be verified based on the input information. According to clause 11,
(VI) The processor determines that the result of processing the ticket to be verified by the playbook to be verified does not satisfy a preset processing result condition while the ticket to be verified has been processed by the playbook to be verified. If so, canceling execution of the playbook to be verified, and obtaining and providing at least one reference existing playbook from the threat TI database. According to clause 11,
Prior to process (I) above,
(I0) The processor acquires, for each of the at least one existing threat TI, classification information of an existing threat event that is the target of at least one existing threat ticket corresponding to the existing threat TI, and Calculate a threat risk for each of the existing threat TIs with reference to at least part of the classification information, the number of existing threat tickets corresponding to the existing threat TI, and the occurrence time of the existing threat tickets, and additionally store them in the threat TI database. A computing device characterized in that it further performs a process of: According to clause 19,
In process (IV) above,
The processor, for the event to be verified corresponding to the ticket to be verified, obtains an existing matching TI harmful value from the TI harmful value to be verified corresponding to the event to be verified, and obtains an existing matching TI harmful value from the threat TI database. After obtaining the threat risk corresponding to the harmful value, calculating the risk score of the ticket to be verified by referring to at least part of the threat risk, classification information of the event to be verified, and the occurrence time of the event to be verified. A computing device characterized by: