KR20110037578A - The integration security monitoring system and method thereof - Google Patents
- Publication number: KR20110037578A (application number KR1020090095080A)
- Authority: KR (South Korea)
- Prior art keywords: security, integrated, log, server, monitoring
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F11/00—Error detection; Error correction; Monitoring
        - G06F11/30—Monitoring
          - G06F11/3003—Monitoring arrangements specially adapted to the computing system or computing system component being monitored
            - G06F11/3006—Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/55—Detecting local intrusion or implementing counter-measures
            - G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1425—Traffic logging, e.g. anomaly detection
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
          - H04L63/308—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information retaining data, e.g. retaining successful, unsuccessful communication attempts, internet access, or e-mail, internet telephony, intercept related information or call content
Abstract
The present invention relates to an integrated security monitoring system. The system comprises a plurality of individual security system servers, connected to a plurality of user servers, which record the log data of the user servers and perform security monitoring on it, and an integrated security monitoring server which collects the log data from the individual security system servers, generates an integrated log, analyzes the integrated log, extracts risk management targets from among the users of the user servers, and determines whether a risk management target has leaked information. By applying a correlated security policy to information leakage that is difficult to judge from any individual security system, information leakage can be detected and responded to quickly and accurately at an early stage, real-time management becomes possible, and the manpower needed to monitor the individual security systems, and with it the operating cost, is reduced.
Monitoring, Security, Solution, Integrated Management, Security Index
Description
The present invention relates to an integrated security monitoring method. In particular, the present invention relates to a method for integrating and monitoring logs of security systems that are managed individually.
In general, government agencies, corporations, research institutes, and schools operate a plurality of execution servers connected through wired and wireless communication networks such as the Internet and wireless networks. Various data are held on these execution servers and exchanged with other execution servers over the wired or wireless communication network.
These execution servers are connected to security systems, namely personal computer security, mail monitoring, messenger monitoring, document security, a harmful blocking system, or an access control system.
Each security system detects information leakage and supports incident response on the basis of usage information such as the log information collected from each server.
However, these security systems do not interoperate with each other, and judging whether a leak has occurred according to each system's individual security policy has the disadvantage that accuracy is hard to achieve and incidents cannot be responded to quickly.
The present invention aims to provide an integrated security monitoring method for standardizing security information from a plurality of security systems and extracting and managing a risk management target according to a correlated security policy and security index.
The integrated security monitoring system according to the present invention comprises a plurality of individual security system servers, connected to a plurality of user servers, which record and perform security monitoring on the log data of the user servers, and an integrated security monitoring server which collects the log data of the plurality of individual security system servers, generates an integrated log, analyzes the integrated log, extracts a risk management subject from among the users of the user servers, and determines whether the risk management subject has leaked information.
The plurality of individual security system servers may be a PC security system, a mail monitoring system, a messenger monitoring system, a document security system, a harmful blocking system, or an access control system.
The integrated security monitoring server may include an input/output unit that periodically reads the log data from the individual security system servers, a processor that receives the log data from the input/output unit, processes it into the integrated log, analyzes the integrated log, and determines whether the risk management subject has leaked information, and a database that stores the integrated log.
The processor may analyze the integrated log and the reports and determine, for a user of a user server who violates the security policy or whose sum of security indices is greater than or equal to a threshold, whether the integrated log shows an abnormality indicator.
The security index may include a correlation security index between a plurality of individual monitoring servers.
The processor may determine whether the information is leaked by analyzing the details of the integrated log of the risk management subject.
On the other hand, the integrated security monitoring method according to the present invention comprises: reading log data from a plurality of individual security system servers which are connected to a plurality of user servers and record and perform security monitoring on the log data of the user servers; analyzing the log data, separately collecting only the log data used by the integrated security policy, and standardizing the collected log data of each individual security system server to generate an integrated log; selecting a risk management subject from the integrated log according to a security policy and a security index; and determining whether information has been leaked by analyzing the integrated log of the risk management subject in detail.
The reading of the log data may read the log data recorded in the databases of the plurality of individual security system servers at predetermined intervals.
The selecting of the risk management target may include determining, for a user of a user server who violates a security policy or whose sum of security indices is greater than or equal to a threshold value, whether the integrated log shows an abnormality indicator; determining whether the user showing the abnormality indicator is an existing risk management target; and, if not, registering that user as a new risk management target.
When the information leakage is confirmed, the integrated security monitoring method may further include performing a security measure for the risk management subject, and modifying the security policy to reflect the information leakage case.
The security index may include a correlation security index between a plurality of individual security system servers.
According to the present invention, by applying a correlated security policy to information leakage that is difficult to determine from an individual security system, information leakage and the like can be responded to quickly and accurately at an early stage, real-time management becomes possible, and the manpower needed to monitor the individual security systems, and with it the operating cost, is reduced.
DETAILED DESCRIPTION Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art may easily implement the present invention. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In the drawings, parts irrelevant to the description are omitted in order to clearly describe the present invention, and like reference numerals designate like parts throughout the specification.
Throughout the specification, when a part is said to "include" a certain component, this means that it may further include other components, not that other components are excluded, unless otherwise stated. In addition, the terms "… unit", "module", etc. used in the specification mean a unit that processes at least one function or operation, which may be implemented in hardware, in software, or in a combination of hardware and software.
The present invention relates to an integrated security monitoring method that receives and standardizes security information from the individual security systems used in a company or the like, extracts risk management subjects according to a security index that reflects the security policy and the correlation between the plurality of individual security systems, and manages them in an integrated manner.
Hereinafter, an integrated security monitoring system according to an embodiment of the present invention will be described with reference to FIGS. 1 to 5.
FIG. 1 is a configuration diagram of an integrated security monitoring system according to an embodiment of the present invention, FIG. 2 is a flowchart showing the operation of the integrated security monitoring system according to an embodiment of the present invention, FIG. 3 is a flowchart illustrating an example of an operation of the integrated security monitoring system of FIG. 2, FIG. 4 is a table illustrating an example of the security policy described in FIG. 3, and FIG. 5 is a table illustrating an example of the security index described in FIG. 3.
Referring to FIG. 1, an integrated security monitoring system according to an embodiment of the present invention includes an integrated
The plurality of
Each
The
The individual
For example, the individual
The PC security system is connected to the
The mail monitoring system records information about sending and receiving mail and uploading files on a peer-to-peer site.
The messenger monitoring system records information on a content conversation or a file transmission with a specific user through a messenger program installed in the
The document security system records information about the
The harmful blocking system blocks a specific program or a connection to a specific site when downloading or uploading a program through the Internet.
The access control system works in conjunction with the user's access card to monitor the user's access to the office or school.
On the other hand, the individual
The plurality of individual
The log data may have a different form according to each of the individual
A plurality of individual
The integrated
The integrated
In this case, the
Referring to FIG. 2, referring to the overall operation of the integrated
That is, the integrated
The
Meanwhile, the
Next, the
The selected monitoring targets are classified as risk management targets, and the integrated log of the corresponding risk management targets is analyzed under an individual security system (S120).
Finally, the
At this time, the risk management target may be selected in the same manner as in FIG.
The
A user may violate the security policy as shown in FIG. 4. For example, in the log analysis of the PC security system, the number of occurrences of each of various actions is counted, and a count exceeding a predetermined range is recognized as a security policy violation.
These predetermined ranges vary depending on the action: for example, at least four occurrences of data storage to an FDD may be regarded as a security policy violation, while for a CD three or more occurrences may be regarded as a violation, because a CD has a greater capacity than an FDD.
A user's security index being high can be represented as shown in FIG. 5. For example, in the log analysis of a PC security system, a security index is set for each action; when data storage to any storage medium occurs, the index is determined in consideration of the data capacity and the number of storage operations, and when the sum of the indices falls within a predetermined range, for example 7 or more, the security index is recognized as high.
In this case, a correlation security index is set between the actions of the plurality of individual
In addition, the correlation security index is also set between different operations in one individual
When subjects recognized by the security index as being at the security risk level and subjects who violate the security policy have been identified in this way, their past history and behavior patterns are reviewed through the integrated log and the reports on the identified subjects (S210).
Next, the result of the review is analyzed to determine whether the subject shows an abnormal indication of information leakage (S220).
If the review finds no abnormal indication of information leakage, the analysis of that subject ends (S230).
If, on the other hand, the review finds abnormal signs of information leakage, it is determined whether the subject is already a risk management target (S240).
If the subject showing the abnormality indicator is an existing risk management target, the individual security system is used to analyze the details of the log for that subject (S260).
If the subject showing the abnormality indicator is not an existing risk management target, the subject is newly registered as a risk management target (S250), and the individual security system is then used to analyze the details of the log for that subject (S260).
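The selection logic of FIGS. 3 to 5 as an added worked example in Python; this is not code from the patent. Constructed log records from a PC security system and a mail monitoring system (record shapes assumed) are standardized into one integrated log, checked against per-action occurrence thresholds (the FDD and CD values are the ones given above, the rest are assumed), scored with a per-action security index that adds points for data capacity plus a correlation index between the two systems (weights assumed, the threshold of 7 is the one given above), and the resulting targets are split into existing and newly registered risk management targets as in S240 and S250.

```python
from collections import Counter, defaultdict

# Constructed raw logs in each system's own shape (assumed formats):
# PC security system: {"uid": user, "act": action, "kb": kilobytes written}
PC_RAW = [
    {"uid": "alice", "act": "store_fdd", "kb": 1024},
    {"uid": "alice", "act": "store_fdd", "kb": 1024},
    {"uid": "alice", "act": "store_fdd", "kb": 1024},
    {"uid": "alice", "act": "store_fdd", "kb": 1024},
    {"uid": "bob", "act": "store_usb", "kb": 256000},
    {"uid": "carol", "act": "store_cd", "kb": 307200},
    {"uid": "carol", "act": "store_cd", "kb": 307200},
]
# Mail monitoring system: (sender, attachment name, attachment size in MB)
MAIL_RAW = [("bob", "plan.zip", 50), ("dave", "memo.txt", 10)]

# Security policy (FIG. 4 style): occurrence threshold per action. The FDD (4)
# and CD (3) values are the patent's examples; the mail_attach value is assumed.
POLICY = {"store_fdd": 4, "store_cd": 3, "mail_attach": 5}
# Security index (FIG. 5 style): base index per action plus one point per
# MB_PER_POINT of data; weights are assumed, the threshold 7 is the patent's.
INDEX = {"store_fdd": 1, "store_cd": 2, "store_usb": 2, "mail_attach": 2}
MB_PER_POINT = 100
INDEX_THRESHOLD = 7
# Correlation security index between actions of different systems (assumed):
# copying to USB and mailing an attachment together earn extra points.
CORRELATION = {frozenset({"store_usb", "mail_attach"}): 3}


def standardize(pc_raw, mail_raw):
    """Map each system's own log shape onto one record: (user, system, action, MB)."""
    log = [(r["uid"], "pc", r["act"], r["kb"] // 1024) for r in pc_raw]
    log += [(sender, "mail", "mail_attach", mb) for sender, _name, mb in mail_raw]
    return log


def by_user(log):
    per_user = defaultdict(list)
    for rec in log:
        per_user[rec[0]].append(rec)
    return per_user


def policy_violations(log):
    """Per user, the actions whose occurrence count reaches the policy threshold."""
    out = {}
    for user, recs in by_user(log).items():
        counts = Counter(action for _, _, action, _ in recs)
        hits = sorted(a for a, n in counts.items() if a in POLICY and n >= POLICY[a])
        if hits:
            out[user] = hits
    return out


def security_index(log):
    """Per user, the sum of action indices (with capacity) plus correlation bonuses."""
    totals = {}
    for user, recs in by_user(log).items():
        total = sum(INDEX.get(a, 0) + mb // MB_PER_POINT for _, _, a, mb in recs)
        actions = {a for _, _, a, _ in recs}
        total += sum(b for pair, b in CORRELATION.items() if pair <= actions)
        totals[user] = total
    return totals


def select_risk_targets(log, registered):
    """Pick policy violators and high-index users, then split them into
    existing (S240) and newly registered (S250) risk management targets."""
    violators = policy_violations(log)
    index = security_index(log)
    targets = set(violators) | {u for u, t in index.items() if t >= INDEX_THRESHOLD}
    return {"violators": violators, "index": index,
            "existing": sorted(targets & registered),
            "new": sorted(targets - registered)}


if __name__ == "__main__":
    result = select_risk_targets(standardize(PC_RAW, MAIL_RAW), {"bob"})
    for key, value in result.items():
        print(key, value)
```

Note that alice is selected only by the policy count (index 4) while bob is selected only by the index (no single threshold reached, but the cross-system correlation lifts him to 9), which is the case the patent says an individual system cannot judge on its own.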
When registered as a risk management target, the administrator of the integrated
If, on the other hand, information leakage is confirmed through the detailed analysis, appropriate measures are taken, and the integrated security policy is then corrected to reflect the form the information leakage took (S290).
When information leakage is confirmed, the administrator can notify the information manager of the leakage, collect the relevant data to create a report, and finally confirm the identity of the leaker.
In this case, the report may include a change graph and a statistical graph for each risk management target, and the risk management target may include a retirement applicant or a retiree, and an integrated log management of the risk management target on the management site and individual security of the risk management target The integrated log for the
As such, by integrating and managing log data for a plurality of individual
The embodiments of the present invention described above are not implemented only through the apparatus and the method, but may also be implemented through a program that realizes the functions corresponding to the configuration of the embodiments, or through a recording medium on which such a program is recorded. Such an implementation can easily be made by those skilled in the art from the description of the embodiments above.
Although the embodiments of the present invention have been described in detail above, the scope of the present invention is not limited thereto, and various modifications and improvements made by those skilled in the art using the basic concepts of the present invention defined in the following claims also fall within the scope of the present invention.
FIG. 1 is a block diagram of an integrated security monitoring system according to an embodiment of the present invention.
FIG. 2 is a flowchart illustrating the operation of the integrated security monitoring system according to an embodiment of the present invention.
FIG. 3 is a flowchart illustrating an example of an operation of the integrated security monitoring system of FIG. 2.
FIG. 4 is a table illustrating an example of the security policy described in FIG. 3.
FIG. 5 is a table illustrating an example of the security index described in FIG. 3.
Claims (11)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020090095080A KR20110037578A (en) | 2009-10-07 | 2009-10-07 | The integration security monitoring system and method thereof |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20110037578A true KR20110037578A (en) | 2011-04-13 |
Family
ID=44045038
Country Status (1)
Country | Link |
---|---|
KR (1) | KR20110037578A (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9158894B2 (en) | 2011-12-16 | 2015-10-13 | Electronics And Telecommunications Research Institute | Apparatus and method for analyzing rule-based security event association |
WO2017095017A1 (en) * | 2015-11-30 | 2017-06-08 | (주)엠더블유스토리 | System and method for recognizing business information leakage situation, and storage medium including program recorded therein for processing said method |
KR20180118869A (en) | 2017-04-24 | 2018-11-01 | 주식회사 피너스 | Integration security anomaly symptom monitoring system |
CN110062049A (en) * | 2019-04-30 | 2019-07-26 | 深圳前海微众银行股份有限公司 | A kind of monitoring method of office network, device, computer equipment and storage medium |
KR20210133598A (en) * | 2020-04-29 | 2021-11-08 | 주식회사 오케이첵 | Method for monitoring anomaly about abuse of private information and device for monitoring anomaly about abuse of private information |
US11876820B2 (en) | 2019-12-12 | 2024-01-16 | Korea Institute Of Science & Technology Information | Security information visualization device, security information visualization method, and storage medium for storing program for visualizing security information |
Events
- 2009-10-07: KR application KR1020090095080A (publication KR20110037578A), status not active, application discontinued
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
E902 | Notification of reason for refusal | ||
E601 | Decision to refuse application | ||