KR20110037578A - The integration security monitoring system and method thereof - Google Patents

Info

Publication number: KR20110037578A
Authority: KR (South Korea)
Prior art keywords: security, integrated, log, server, monitoring
Application number: KR1020090095080A
Other languages: Korean (ko)
Inventor: 조현우
Original Assignee: (주)비에스시큐리티
Priority date: 2009-10-07
Filing date: 2009-10-07
Publication date: 2011-04-13
Application filed by (주)비에스시큐리티
Priority to KR1020090095080A
Publication of KR20110037578A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/3006 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/308 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information retaining data, e.g. retaining successful, unsuccessful communication attempts, internet access, or e-mail, internet telephony, intercept related information or call content

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mathematical Physics (AREA)
  • Quality & Reliability (AREA)
  • Technology Law (AREA)
  • Debugging And Monitoring (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to an integrated security monitoring system. The system comprises a plurality of individual security system servers, connected to a plurality of user servers, which record and security-monitor the log data of the user servers, and an integrated security monitoring server which collects the log data from the plurality of individual security system servers, generates an integrated log, analyzes the integrated log, extracts risk management target users from among the user servers, and determines whether the information of a risk management target has been leaked. By applying a correlated security policy to information leakage that is difficult to judge from any single individual security system, the invention makes it possible to respond quickly and accurately to information leakage at an early stage, enables real-time management, and reduces the operating manpower otherwise needed to monitor each individual security system, so that cost can be reduced.

Monitoring, Security, Solution, Integrated Management, Security Index

Description

Integrated security monitoring system and method

The present invention relates to an integrated security monitoring method. In particular, the present invention relates to a method for integrating and monitoring logs of security systems that are managed individually.

In general, government agencies, corporations, research institutes, and schools build a plurality of execution servers connected through wired and wireless communication networks such as the Internet and wireless networks. Various data are held on these execution servers, which communicate with other execution servers through a wired or wireless communication network.

These multiple execution servers are connected to security systems, that is, a personal computer security system, a mail monitoring system, a messenger monitoring system, a document security system, a harmful blocking system, or an access control system.

Each security system derives its information-leakage determinations and incident responses from usage information, such as the log information of the server to which it is connected.

However, such a plurality of security systems do not interoperate with each other; each determines leakage according to its own individual security policy, which has the disadvantage that accurate judgment and a quick response to incidents are difficult.

The present invention aims to provide an integrated security monitoring method for standardizing security information from a plurality of security systems and extracting and managing a risk management target according to a correlated security policy and security index.

The integrated security monitoring system according to the present invention comprises a plurality of individual security system servers, connected to a plurality of user servers, which record and security-monitor log data of the user servers, and an integrated security monitoring server which collects the log data of the plurality of individual security system servers, generates an integrated log, analyzes the integrated log, extracts a risk management subject from among the user servers, and determines whether the risk management subject's information has been leaked.

The plurality of individual security system servers may be a PC security system, a mail monitoring system, a messenger monitoring system, a document security system, a harmful blocking system, or an access control system.

The integrated security monitoring server may include an input/output unit for periodically reading the log data from the individual security system servers, a processor that receives the log data from the input/output unit, processes it into the integrated log, and analyzes the integrated log to determine whether the risk management subject's information has been leaked, and a database for storing the integrated log.

The processor may determine whether a user server is an abnormality indicator by analyzing the integrated log and report of the user server that violates the security policy or whose sum of security indices is greater than or equal to a threshold.

The security index may include a correlation security index between a plurality of individual monitoring servers.

The processor may determine whether the information is leaked by analyzing the details of the integrated log of the risk management subject.

Meanwhile, the integrated security monitoring method according to the present invention comprises: reading log data from a plurality of individual security system servers that are connected to a plurality of user servers and record and security-monitor the log data of the user servers; analyzing the log data, separately collecting only the log data used in an integrated security policy, and standardizing the collected log data of each individual security system server to generate an integrated log; selecting a risk management subject from the integrated log according to a security policy and a security index; and determining whether information has been leaked by analyzing the integrated log of the risk management subject in detail.

The reading of the log data may read the log data recorded in the databases of the plurality of individual security system servers at predetermined intervals.

The selecting of the risk management target may include: determining whether a user server that violates a security policy or whose sum of security indices is greater than or equal to a threshold value is an abnormality indicator; determining whether the abnormality indicator is an existing risk management target; and, if the abnormality indicator is not an existing risk management target, registering it as a new risk management target.

When the information leakage is confirmed, the integrated security monitoring method may further include performing a security measure for the risk management subject, and modifying the security policy to reflect the information leakage case.

The security index may include a correlation security index between a plurality of individual security system servers.

According to the present invention, by applying a correlated security policy to information leakage that is difficult to determine from an individual security system, information leakage can be responded to quickly and accurately at an early stage, real-time management becomes possible, and the manpower required to monitor the individual security systems is reduced, resulting in cost savings.

DETAILED DESCRIPTION Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art may easily implement the present invention. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In the drawings, parts irrelevant to the description are omitted in order to clearly describe the present invention, and like reference numerals designate like parts throughout the specification.

Throughout the specification, when a part is said to "include" a certain component, this means that it may further include other components rather than excluding them, unless stated otherwise. In addition, the terms "... unit", "module", etc. used in the specification mean a unit that processes at least one function or operation, which may be implemented in hardware, in software, or in a combination of hardware and software.

The present invention concerns integrated security monitoring: a monitoring method that receives and standardizes the security information from the individual security systems used in a company or the like, extracts risk management subjects according to a security index that reflects the security policy and the correlation between the plurality of individual security systems, and manages them in an integrated manner.

Hereinafter, an integrated security monitoring system according to an embodiment of the present invention will be described with reference to FIGS. 1 to 5.

FIG. 1 is a configuration diagram of an integrated security monitoring system according to an embodiment of the present invention, FIG. 2 is a flow chart showing the operation of the integrated security monitoring system according to an embodiment of the present invention, FIG. 3 is a flowchart illustrating an example of an operation of the integrated security monitoring system of FIG. 2, FIG. 4 is a table illustrating an example of the security policy described in FIG. 3, and FIG. 5 is a table illustrating an example of the security index described in FIG. 3.

Referring to FIG. 1, an integrated security monitoring system according to an embodiment of the present invention includes an integrated security server 100, an individual security server group 200 including a plurality of individual security system servers 210, and a user server group 300 including a plurality of user servers 310.

The plurality of user servers 310 are wired/wireless terminals, such as personal computers and pass cards, that agree to certain security regulations of a corporation, research institute, or school, and that can access the common databases of the corporation, research institute, or school.

Each user server 310 can perform operations such as inputting and outputting data stored internally, receiving data from the common data server, creating, sending, and otherwise handling documents, sending and receiving mail, using a messenger, and downloading and uploading via the Internet.

The user server 310 is connected over a wired/wireless network to a plurality of individual security system servers 210, each of which monitors the security of one of these operations.

The individual security system server 210 monitors the plurality of user servers 310 for its corresponding operation, and if an operation that deviates from the security policy is detected, it blocks the operation and raises an alarm to alert the administrator.

For example, the individual security system server 210 may be a PC security system, a mail monitoring system, a messenger monitoring system, a document security system, a harmful blocking system, or an access control system.

The PC security system is connected to the user server 310 and monitors the security of the data stored on the user server 310 with respect to removable disks such as USB memory, data sharing, data transmission, output, and program installation.

The mail monitoring system records information about sending and receiving mail and about uploading files to peer-to-peer sites.

The messenger monitoring system records information on a content conversation or a file transmission with a specific user through a messenger program installed in the user server 310.

The document security system records information about the user server 310 while restricting the reading of a specific document, or permitting it, according to the user level.

The harmful blocking system blocks specific programs, or connections to specific sites, when a program is downloaded or uploaded through the Internet.

The access control system works in conjunction with the user's access card to monitor the user's access to the office or school.

On the other hand, the individual security system server 210 need not be only a security system; it may also be a general management system, for example a knowledge management system (KMS), a drawing management system (PDM), a source configuration management system (ClearCase), or a document management system (EDMS).

Each of the plurality of individual security system servers 210 has its own database, detects the operations of the user servers 310, and stores log data for each operation.

The log data may have a different form for each individual security system server 210, and may include a date, time, name, path, and content.

The plurality of individual security system servers 210 are connected to the integrated security monitoring server 100, and the integrated security monitoring server 100 periodically reads the log data stored in the databases of the plurality of individual security system servers 210.

The integrated security monitoring server 100 processes the read log data to select a risk management target, analyzes the log data of the risk management target in detail, takes action, and modifies the security policy.

The integrated security monitoring server 100 includes an input/output unit 110 that transmits and receives data with the plurality of individual security system servers 210, a processor 120 that receives the log data from the input/output unit 110 and carries out the integrated security monitoring process, and a database 130 that stores the standardized integrated log produced by the processor 120.

In this case, the database 130 may be formed outside the integrated security monitoring server 100.

Referring to FIG. 2, in the overall operation of the integrated security monitoring server 100, log data is first periodically read from each individual security system server 210 (S100).

That is, the integrated security monitoring server 100 periodically reads the log data stored by each individual security system server 210.

The processor 120 analyzes the log data, separately collects only the log data used for the integrated security policy, standardizes the collected log data of each individual security system server 210 to generate an integrated log, and stores the generated integrated log in the database 130.

Meanwhile, the processor 120 displays the stored integrated log in the management window of the integrated security monitoring server 100 so that an administrator can easily search it.
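As an added illustration of the collection and standardization step just described (S100 and the generation of the integrated log), the following Python example is not the patent's own code. It parses three constructed log formats (a pipe-separated PC security log, a JSON-lines mail log, and a CSV access-control log; all formats and field names are assumptions), keeps only the actions an assumed integrated security policy uses, and produces one time-ordered integrated log carrying the date, time, name, path, and content fields the description mentions.

```python
"""Added example (not the patent's code): standardize per-system logs into one
integrated log. Input formats, field names and POLICY_ACTIONS are constructed
assumptions for illustration only."""
import csv
import io
import json
from dataclasses import dataclass
from datetime import datetime

# Actions the (assumed) integrated security policy uses. Records with any other
# action are dropped at collection time, so the integrated log holds only data
# the integrated policy will consult.
POLICY_ACTIONS = {
    "pc_security": {"usb_store", "fdd_store", "cd_store", "print"},
    "mail": {"send_attachment"},
    "access": {"entry_after_hours"},
}


@dataclass(frozen=True)
class IntegratedLogEntry:
    """Common record layout: date, time, name, path, content plus system/action."""
    date: str     # YYYY-MM-DD
    time: str     # HH:MM:SS
    name: str     # user / user-server identifier
    system: str   # originating individual security system
    action: str   # normalized action name
    path: str     # file path, mail recipient, door id, ...
    content: str  # free-text detail from the source record


def parse_pc_security(raw: str):
    """Constructed pipe-separated format: 'ts|user|device|path|op'."""
    for line in raw.strip().splitlines():
        ts, user, device, path, op = line.split("|")
        dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        # "print" is one action regardless of device; storage is keyed by medium.
        action = "print" if op.lower() == "print" else f"{device.lower()}_{op.lower()}"
        yield IntegratedLogEntry(dt.strftime("%Y-%m-%d"), dt.strftime("%H:%M:%S"),
                                 user, "pc_security", action, path, f"{device} {op}")


def parse_mail(raw: str):
    """Constructed JSON-lines format from the mail monitoring system."""
    for line in raw.strip().splitlines():
        rec = json.loads(line)
        dt = datetime.fromisoformat(rec["ts"])
        action = "send_attachment" if rec.get("attachment") else "send"
        yield IntegratedLogEntry(dt.strftime("%Y-%m-%d"), dt.strftime("%H:%M:%S"),
                                 rec["user"], "mail", action, rec["to"],
                                 rec.get("attachment", ""))


def parse_access(raw: str):
    """Constructed CSV format from the access control system."""
    for row in csv.DictReader(io.StringIO(raw.strip())):
        hour = int(row["time"].split(":")[0])
        after_hours = row["event"] == "entry" and (hour >= 20 or hour < 7)
        action = "entry_after_hours" if after_hours else row["event"]
        yield IntegratedLogEntry(row["date"], row["time"], row["badge_user"],
                                 "access", action, row["door"], row["event"])


PARSERS = {"pc_security": parse_pc_security, "mail": parse_mail, "access": parse_access}


def build_integrated_log(raw_by_system):
    """Parse each system's raw log, keep only policy-relevant actions, order by time."""
    entries = [
        e
        for system, raw in raw_by_system.items()
        for e in PARSERS[system](raw)
        if e.action in POLICY_ACTIONS[system]
    ]
    entries.sort(key=lambda e: (e.date, e.time))
    return entries


# Constructed sample input (not real data).
SAMPLE_RAW = {
    "pc_security": r"""2009-10-07 09:12:03|hong|USB|E:\report.doc|store
2009-10-07 09:40:10|hong|PRINTER|C:\budget.xls|print
2009-10-07 10:05:44|kim|HDD|D:\notes.txt|store
2009-10-07 11:00:00|hong|FDD|A:\list.csv|store
2009-10-07 14:00:00|kim|PRINTER|D:\memo.doc|print""",
    "mail": """{"ts": "2009-10-07T09:15:00", "user": "hong", "to": "x@example.org", "attachment": "report.doc"}
{"ts": "2009-10-07T09:50:00", "user": "kim", "to": "y@example.org"}""",
    "access": """date,time,badge_user,door,event
2009-10-07,08:05:00,kim,D-1,entry
2009-10-07,21:30:00,hong,D-3,entry""",
}

if __name__ == "__main__":
    for e in build_integrated_log(SAMPLE_RAW):
        print(e.date, e.time, e.name, e.system, e.action, e.path)
```

With the sample input, the HDD store, the plain mail send, and the daytime entry are discarded at collection time and six entries remain, ordered by time. Keeping the originating system and a normalized action name on every entry is what later lets a correlation rule relate, say, an FDD store from the PC security system to an e-mail transmission from the mail system.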

Next, the processor 120 selects the monitoring target by selecting the risk management target from the integrated log according to the integrated security policy and security index (S110).

The selected monitoring targets are classified as risk management targets, and the integrated log of each risk management target is analyzed under the individual security system (S120).

Finally, the processor 120 takes an action according to the analysis result of the individual security system and modifies and supplements the integrated security policy by reflecting the analysis result (S130).

At this time, the risk management target may be selected in the manner shown in FIG. 3.

The processor 120 of the integrated security monitoring server 100 analyzes the integrated log to identify a subject that violates the security policy or whose security index exceeds a predetermined range (S200).

A user may violate the security policy as shown in FIG. 4. For example, in the log analysis of the PC security system, the number of occurrences of various actions is counted, and a count exceeding a predetermined range is recognized as a security policy violation.

These predetermined ranges vary by action; for example, storing data on an FDD four or more times may be considered a violation of the security policy, while for a CD three or more times may be regarded as a violation, because a CD has a larger capacity than an FDD.

A high security index for a user can be represented as shown in FIG. 5. For example, in the log analysis of a PC security system, a security index is set for each action; when data is stored on any memory, the index is determined in consideration of the data capacity and the number of storage operations, and when the total sum of the indices falls within a predetermined range, for example 7 or more, the security index is recognized as high.

In this case, a correlation security index is set between the actions of the plurality of individual security system servers 210. For example, a correlation security index is counted and added to the sum when a file is stored on the FDD and a file is transmitted by e-mail.

In addition, a correlation security index is also set between different operations within one individual security system server 210; for example, with respect to the PC security system of FIG., a correlation security index is counted and summed when storage and printing occur at the same time.

When the subjects whose security index is recognized as at the security risk level and the subjects who violate the security policy have been identified in this way, their past history and behavior patterns are reviewed through the integrated log and the report (S210).

Next, the results of the review are analyzed to determine whether the subject shows an abnormal indication of information leakage (S220).

At this time, if there is no indication of abnormal information leakage as a result of the review, the analysis for the subject ends (S230).

On the other hand, if the review indicates abnormal signs of information leakage, it is determined whether the target person is already a risk management target (S240).

If the abnormality indicator is an existing risk management target, the individual security system is used to analyze the details of the log for the abnormality indicator (S260).

On the other hand, if the abnormality indicator is not an existing risk management target, it is newly registered as a risk management target (S250), and a separate security system is used to analyze the details of the log for the abnormality indicator (S260).
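As an added example covering the selection steps of FIG. 3 (S200 through S250), the following Python code is not the patent's implementation. It uses the thresholds the description gives (four or more FDD stores or three or more CD stores as policy violations, an index sum of 7 or more as a high security index, a correlation index for FDD storage combined with e-mail transmission, and one for storage and printing at the same time); the individual index weights, the correlation index values, the USB limit, the sample integrated log, and the treatment of the S210/S220 review are constructed assumptions.

```python
"""Added example (not the patent's code): select risk management targets from an
integrated log by security-policy violation count and security-index sum.
Thresholds follow the description; weights, correlation values and the sample
log are constructed assumptions."""
from collections import Counter, namedtuple

Entry = namedtuple("Entry", "name system action date time")

# FIG. 4 style policy: an action counted this many times or more is a violation.
# FDD (4) and CD (3) follow the description; the USB limit is assumed.
POLICY_LIMITS = {"fdd_store": 4, "cd_store": 3, "usb_store": 5}

# FIG. 5 style per-action security index (assumed values); larger media weigh more.
INDEX_WEIGHTS = {"fdd_store": 1, "cd_store": 2, "usb_store": 3,
                 "print": 1, "send_attachment": 2}
INDEX_THRESHOLD = 7          # "for example, 7 or more" in the description
CORR_FDD_MAIL = 3            # assumed: FDD storage and e-mail transmission by one user
CORR_STORE_PRINT = 2         # assumed: storage and printing in the same minute

SAMPLE_LOG = [  # constructed integrated log
    Entry("hong", "pc_security", "fdd_store", "2009-10-07", "09:00:00"),
    Entry("hong", "pc_security", "fdd_store", "2009-10-07", "09:05:00"),
    Entry("hong", "pc_security", "fdd_store", "2009-10-07", "09:10:00"),
    Entry("hong", "pc_security", "fdd_store", "2009-10-07", "09:12:00"),
    Entry("hong", "mail", "send_attachment", "2009-10-07", "09:30:00"),
    Entry("kim", "pc_security", "cd_store", "2009-10-07", "10:00:00"),
    Entry("kim", "pc_security", "cd_store", "2009-10-07", "10:20:00"),
    Entry("kim", "pc_security", "usb_store", "2009-10-07", "10:40:00"),
    Entry("park", "pc_security", "usb_store", "2009-10-07", "11:00:10"),
    Entry("park", "pc_security", "print", "2009-10-07", "11:00:45"),
    Entry("lee", "pc_security", "print", "2009-10-07", "13:00:00"),
]


def policy_violators(entries):
    """S200, policy side: users whose count of a limited action reaches its limit."""
    counts = Counter((e.name, e.action) for e in entries)
    return {name for (name, action), n in counts.items()
            if action in POLICY_LIMITS and n >= POLICY_LIMITS[action]}


def security_index(entries, name):
    """S200, index side: weighted action counts plus correlation indices for one user."""
    mine = [e for e in entries if e.name == name]
    total = sum(INDEX_WEIGHTS.get(e.action, 0) for e in mine)
    actions = {e.action for e in mine}
    # Cross-system correlation: a file stored on FDD and a file sent by e-mail.
    if "fdd_store" in actions and "send_attachment" in actions:
        total += CORR_FDD_MAIL
    # Intra-system correlation: storage and printing at the same time (same minute).
    store_minutes = {(e.date, e.time[:5]) for e in mine
                     if e.system == "pc_security" and e.action.endswith("_store")}
    print_minutes = {(e.date, e.time[:5]) for e in mine
                     if e.system == "pc_security" and e.action == "print"}
    total += CORR_STORE_PRINT * len(store_minutes & print_minutes)
    return total


def high_index_users(entries):
    """Users whose summed security index reaches the threshold."""
    names = {e.name for e in entries}
    return {n for n in names if security_index(entries, n) >= INDEX_THRESHOLD}


def select_risk_targets(entries, registry):
    """S200 to S250. `registry` is the set of existing risk management targets.

    Returns (abnormality_indicators, newly_registered). The history review
    (S210/S220) is an analyst step in the description; here every identified
    subject is treated as an abnormality indicator (an assumption).
    """
    indicators = policy_violators(entries) | high_index_users(entries)
    new = indicators - registry
    registry |= new          # S250: register the new targets in place
    return indicators, new


if __name__ == "__main__":
    registry = {"hong"}      # assumed existing risk management target
    indicators, new = select_risk_targets(SAMPLE_LOG, registry)
    for n in sorted(indicators):
        print(n, "index=", security_index(SAMPLE_LOG, n),
              "policy_violation=", n in policy_violators(SAMPLE_LOG),
              "new=", n in new)
```

On the sample log, "hong" is flagged both ways (four FDD stores reach the policy limit, and the FDD-plus-e-mail correlation lifts the index to 9), "kim" is flagged only by the index sum (7, with no single action reaching its limit), and "park" stays below the threshold at 6 even with the store-and-print correlation. Because "hong" is already registered, only "kim" is newly registered, which is the S240/S250 branch.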

Once registered as a risk management target, the administrator of the integrated security monitoring server 100 may run the separate security system from time to time to view the details of the log.

On the other hand, if information leakage is confirmed through the detailed analysis, appropriate measures are taken, and the integrated security policy is then corrected to cover the form of the information leakage (S290).

At this time, if information leakage is confirmed, the administrator can notify the information manager of the leakage, collect the relevant data to create a report, and finally identify the person who leaked the information.

In this case, the report may include a change graph and a statistical graph for each risk management target; the risk management targets may include retirement applicants and retirees; the integrated log of a risk management target, and its integrated log for each individual security system server 210, may be displayed on the management site; and a risk management target may be modified or deleted if it is not recognized as a risk management target for a predetermined period of time.

As described, by integrating and managing the log data of a plurality of individual security system servers 210, information leakage can be easily detected according to the correlations between the individual security system servers 210, and by managing only the integrated security monitoring system instead of each individual security system server 210, integrated security management for a plurality of users, such as those of a company or a school, can be performed at reduced cost.

The embodiments of the present invention described above are not implemented only through the apparatus and method, but may also be implemented through a program realizing the functions corresponding to the configuration of the embodiments, or through a recording medium on which such a program is recorded. Such an implementation can easily be carried out by those skilled in the art from the description of the embodiments above.

Although the embodiments of the present invention have been described in detail above, the scope of the present invention is not limited thereto, and various modifications and improvements made by those skilled in the art using the basic concepts of the present invention as defined in the following claims also fall within its scope.

FIG. 1 is a block diagram of an integrated security monitoring system according to an embodiment of the present invention.

FIG. 2 is a flowchart illustrating the operation of the integrated security monitoring system according to an embodiment of the present invention.

FIG. 3 is a flowchart illustrating an example of an operation of the integrated security monitoring system of FIG. 2.

FIG. 4 is a table illustrating an example of the security policy described in FIG. 3.

FIG. 5 is a table illustrating an example of the security index described in FIG. 3.

Claims (11)

1. An integrated security monitoring system comprising: a plurality of individual security system servers, connected to a plurality of user servers, for recording and security-monitoring log data of the user servers; and an integrated security monitoring server for collecting the log data of the plurality of individual security system servers, generating an integrated log, analyzing the integrated log to extract a risk management target from among the user servers, and determining whether the information of the risk management target has been leaked.

2. The integrated security monitoring system of claim 1, wherein the plurality of individual security system servers are a PC security system, a mail monitoring system, a messenger monitoring system, a document security system, a harmful blocking system, or an access control system.

3. The integrated security monitoring system of claim 1, wherein the integrated security monitoring server comprises: an input/output unit for periodically reading the log data from the individual security system servers; a processor that receives the log data from the input/output unit, processes the log data into the integrated log, and analyzes the integrated log to determine whether the information of the risk management target has been leaked; and a database storing the integrated log.

4. The integrated security monitoring system of claim 3, wherein the processor determines whether a user server is an abnormality indicator by analyzing the integrated log and report of the user server that violates the security policy or whose sum of security indices is greater than or equal to a threshold.

5. The integrated security monitoring system of claim 4, wherein the security index includes a correlation security index between the plurality of individual security system servers.

6. The integrated security monitoring system of claim 3, wherein the processor determines whether information has leaked through a detailed breakdown analysis of the integrated log of the risk management subject.

7. An integrated security monitoring method comprising: reading log data from a plurality of individual security system servers that are connected to a plurality of user servers and record and monitor log data of the user servers; analyzing the log data, separately collecting only the log data used in an integrated security policy, and generating an integrated log by standardizing the collected log data of each individual security system server; selecting a risk management subject from the integrated log according to a security policy and a security index; and analyzing the integrated log of the risk management subject in detail to determine whether information has been leaked.

8. The integrated security monitoring method of claim 7, wherein reading the log data comprises reading the log data recorded in the databases of the plurality of individual security system servers at predetermined intervals.

9. The integrated security monitoring method of claim 8, wherein selecting the risk management subject comprises: determining whether a user server that violates a security policy or whose sum of security indices is greater than or equal to a threshold is an abnormality indicator; determining whether the abnormality indicator is an existing risk management target; and, if the abnormality indicator is not an existing risk management target, registering it as a new risk management target.

10. The integrated security monitoring method of claim 7, further comprising: if the information leakage is confirmed, performing security measures for the risk management subject; and modifying the security policy to reflect the information leakage case.

11. The integrated security monitoring method of claim 7, wherein the security index includes a correlation security index between the plurality of individual security system servers.
Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020090095080A KR20110037578A (en) 2009-10-07 2009-10-07 The integration security monitoring system and method thereof

Publications (1)

Publication Number Publication Date
KR20110037578A true KR20110037578A (en) 2011-04-13

Family

ID=44045038

Country Status (1)

Country Link
KR (1) KR20110037578A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9158894B2 (en) 2011-12-16 2015-10-13 Electronics And Telecommunications Research Institute Apparatus and method for analyzing rule-based security event association
WO2017095017A1 (en) * 2015-11-30 2017-06-08 (주)엠더블유스토리 System and method for recognizing business information leakage situation, and storage medium including program recorded therein for processing said method
KR20180118869A (en) 2017-04-24 2018-11-01 주식회사 피너스 Integration security anomaly symptom monitoring system
CN110062049A (en) * 2019-04-30 2019-07-26 深圳前海微众银行股份有限公司 A kind of monitoring method of office network, device, computer equipment and storage medium
KR20210133598A (en) * 2020-04-29 2021-11-08 주식회사 오케이첵 Method for monitoring anomaly about abuse of private information and device for monitoring anomaly about abuse of private information
US11876820B2 (en) 2019-12-12 2024-01-16 Korea Institute Of Science & Technology Information Security information visualization device, security information visualization method, and storage medium for storing program for visualizing security information

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E601 Decision to refuse application