KR20120069130A - A realtime monitoring method based on log data - Google Patents


Info

Publication number: KR20120069130A
Authority: KR (South Korea)
Prior art keywords: data, log, key, application, correlation
Application number: KR1020100130541A
Other languages: Korean (ko)
Inventors: 박무열, 백봉현
Original Assignee: (주)유비엔
Priority date: 2010-12-20 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2010-12-20
Publication date: 2012-06-28

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55: Detecting local intrusion or implementing counter-measures
    • G06F 21/552: Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60: Protecting data
    • G06F 21/604: Tools and structures for managing or administering access control systems


Abstract

PURPOSE: A real-time monitoring method based on log data, capable of defending against attempts to leak confidential information, is provided. It extracts a key expressing the character of a data item from each of several heterogeneous application logs and maps the keys to one another. CONSTITUTION: The method comprises the following steps: extracting a first key expressing the character of a data item from a first application log (210); extracting a second key corresponding to the first key from a second application log (220); setting a correlation between the logs by mapping the first and second keys (230); selecting, from the logs, data that acquires a usage right for a file object (240); monitoring in real time the generation of new data corresponding to the selected data (250); and detecting, among the monitored data, log data that acquires an output right for the file object (260).

Description

Real-time monitoring method based on log data {A REALTIME MONITORING METHOD BASED ON LOG DATA}

The present invention relates to a system monitoring method, and more particularly to an apparatus, a method, and a recording medium on which the method is recorded, that can detect in real time, from log data, whether an application is undermining security.

Applications running on servers such as web servers, file servers, e-mail servers, print servers, and FTP servers are accessed and used only by a number of authorized users. Such server-side applications are nonetheless at risk of being damaged by hacking and viruses, because by their nature they store data in digital form at a remote location. The confidentiality and reliability of the data used by server-side applications has therefore always been one of the major issues in computer systems.

Various kinds of monitoring systems have been proposed to address this problem. They consist of software and hardware that constantly observe the computer's operational state and perform control and retrieval whenever necessary. They also notify the system administrator when the system enters an abnormal state or exceeds some predefined criterion, or recover from such a state automatically. Among these monitoring systems, audit and security systems aim to protect the system from illegal data leakage or malicious attack by an attacker.

Conventional audit and security systems, however, merely encrypt data or use firewalls to block attacks from outside; their countermeasures are only mechanical defenses. It has therefore been pointed out that such systems cannot properly respond to deliberate information leakage by an attacker, nor to data leakage that combines two or more heterogeneous applications.

The technical problem addressed by the present invention is threefold: security measures based on simple log analysis can only be an after-the-fact measure and cannot adequately protect against confidential leakage as it occurs in real time; a typical audit and security system is vulnerable to attempts to compromise confidentiality by combining two or more heterogeneous applications; and an already established security system cannot actively cope with new patterns of attack behaviour.

To solve the above technical problem, the system monitoring method according to the present invention comprises: extracting a first key indicating an attribute of a data item from the log of a first application; extracting a second key corresponding to the extracted first key from the log of a second application generated in real time; establishing a correlation between the log of the first application and the log of the second application by mapping the extracted first key and the extracted second key; selecting, by referring to an attribute of the data item, data in the log of the first application that acquires a usage right for a file object; monitoring in real time, according to the set correlation, the generation of data corresponding to the selected data in the log of the second application; and detecting, by referring to an attribute of the data item, log data among the monitored data that acquires an output right for the file object.

In the system monitoring method described above, the first key and the second key are preferably at least one of a user ID, an IP address, a file name, an occurrence time, or a job type included in a log.

In the above-described system monitoring method, the usage right for the file object is at least one of reading, copying, or receiving, and the output right for the file object is at least one of writing, moving, transmitting, or modifying.

The system monitoring method may further include transmitting a warning message to a preset administrator when log data for acquiring the output right is detected.

Meanwhile, to solve a further technical problem, in the above-described system monitoring method the correlation may be an association rule modeled using an ontology, and the step of detecting log data that acquires the output right is performed by querying the ontology's inference engine as to whether data generated in real time corresponds to information leakage.

In addition, to solve the further technical problem, the above-described system monitoring method may further comprise receiving a modification to the association rule by repeating the query through the inference engine, and the correlation is preferably learned from the modification so received.

Furthermore, a computer-readable recording medium is provided on which a program for executing the above-described system monitoring method on a computer is recorded.

The present invention extracts a key indicating a property of a data item from each heterogeneous application log and maps the keys to one another, so that an attacker's attempt to leak data by combining two or more heterogeneous applications can be detected. By monitoring the generation of logs for the data currently of interest, it can defend against confidential leakage attempts as they occur in real time, and by learning from the results of inference queries it can actively defend against new patterns of attack behaviour.

FIG. 1 is a view for explaining the basic idea of the real-time system monitoring method according to an embodiment of the present invention.
FIG. 2 is a flowchart illustrating a real-time system monitoring method based on log data according to an embodiment of the present invention.
FIG. 3 is a diagram illustrating an implementation environment and the overall operating method of a real-time system monitoring method according to an exemplary embodiment of the present invention.
FIG. 4 is a diagram illustrating a log of a file server as log data of a real-time system monitoring method according to an exemplary embodiment of the present invention.
FIG. 5 is a diagram illustrating data items and attributes of a mail archive server as log data of a real-time system monitoring method according to an exemplary embodiment of the present invention.
FIG. 6 is a diagram illustrating a log of a print server as log data of a real-time system monitoring method according to an embodiment of the present invention.
FIG. 7 is a diagram illustrating a log of an FTP (file transfer protocol) server as log data of a real-time system monitoring method according to an embodiment of the present invention.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings.

FIG. 1 illustrates the basic idea of the real-time system monitoring method according to an embodiment of the present invention. It shows past log data generated by the first application 10 and current log data generated by the second application 20. For convenience of explanation, assume that the first application 10 is a file server and the second application 20 is an e-mail archive server.

In FIG. 1, a common attribute is found between the log data generated by the heterogeneous applications, and a relationship is formed from it to link past information with present information. The items and attributes of the log data generated by each application are as follows.

Since the first application 10 is a file server, its log may have data items such as the time at which a file was manipulated, the name of the file, the operation type, the number of operations, the IP address from which the user connected, and the identifier (ID) of the user. Since the second application 20 is an e-mail archive server, its log may have data items such as the user's e-mail account identifier (ID), e-mail address, attached file name, and e-mail transmission/reception time.

The user identifier 11 in the log data generated by the first application 10 and the e-mail account identifier 21 in the log data generated by the second application 20 have very similar properties, and within a single organization the two commonly coincide. A correlation can therefore be generated by mapping the user identifier 11 of the first application 10 to the e-mail account identifier 21 of the second application 20.

Specific log data generated by the heterogeneous applications can now be linked according to the generated correlation. Embodiments of the present invention focus on temporal order in this linking: naturally, the log data of the first application 10, which is the past data, precedes in time the log data of the second application 20, which is the current data.

Once the correlation with this temporal ordering is set, the linked data must be refined to what is meaningful for auditing and security. To this end, embodiments of the present invention define an attacker's act of undermining the security of the system as a two-stage act. First, the log data generated earlier in the course of a confidentiality breach is data that acquires a usage right for a file object. Second, the log data generated later in the course of the leak is data that acquires an output right for the file object. In other words, the attacker will first try to obtain the secret he wants to leak, and once he has obtained the confidential data he will attempt to leak it.

Accordingly, embodiments of the present invention extract the operation of each application from the two log records linked by the correlation and check whether the extracted operations correspond to the two-stage leak pattern above. If the operations first acquire the usage right for the file object and then, later in time, attempt to acquire the output right, the series of actions is regarded as a confidential leak.

FIG. 2 is a flowchart illustrating a real-time system monitoring method based on log data according to an embodiment of the present invention, which comprises the following steps.

In step 210, a first key representing an attribute of a data item is extracted from the log of the first application. In step 220, a second key corresponding to the first key is extracted from the log of the second application, which is generated in real time. This key extraction is preliminary work for deriving the correlation between the heterogeneous applications. For this purpose the first key and the second key are preferably at least one of a user ID, an IP address, a file name, an occurrence time, or a job type included in the log. Those skilled in the art may also select and apply keys other than those listed, flexibly and according to the environment in which the embodiment is implemented, as long as the nature of the technical idea remains the same or similar.

In step 230, a correlation between the log of the first application and the log of the second application is established by mapping the first key extracted in step 210 and the second key extracted in step 220. The correlation between the logs of the heterogeneous applications is naturally mapped in chronological order: the log data of the first application precedes, and the log data for the current data generated in real time follows it in time.

Now, if the correlation for the logs of the heterogeneous application is established, it is determined whether the set of data appearing therefrom is a confidential leakage behavior of the attacker described above with reference to FIG. 1.

In step 240, the data that acquires the usage right for the file object is selected from the log of the first application by referring to the attribute of the data item. That is, step 240 selects, from the log data linked by the set correlation, the data corresponding to the first stage of the leak. The usage right for the file object may be at least one of read, copy, or receive.

In step 250, the generation of data corresponding to the data selected in step 240 is monitored in real time in the log of the second application, according to the correlation set in step 230. Step 250 thus monitors data that satisfies the first stage of the leak pattern described above. Satisfying the first stage (acquiring use of the file object) alone is not a confidential leak; it becomes one only if the second stage (output of the file object) is also reached.

In step 260, log data that acquires the output right for the file object is detected, by referring to the attribute of the data item, among the data monitored in step 250. That is, step 260 detects whether any of the monitored data (data that already satisfies the first-stage condition) corresponds to the second stage of the leak. The output right for the file object may be at least one of write, move, forward, send, transfer, or modify.

For example, even if log data for 'read a specific document', which is the first stage, is found, it is not a leak unless 'send the document externally' follows later in time. This is because, within a workgroup, a user is normally allowed simply to browse the documents stored on the server. However, if an unauthorized release of such a document follows in succession, this may be considered a confidential disclosure.

Therefore, in the embodiments of the present invention, the detection of step 260 refers to the attribute of the data item. In particular, when an attribute of a data item corresponds to exporting a file to the outside, illegality can be checked by combining two or more attributes. For example, if a data item is 'action type' and its value is 'transmit', illegal file leakage may be suspected. But this 'transmit' action may be a normal business e-mail; where the decision is ambiguous, the attributes of other data items can be consulted. If another data item is 'security level of the file' and its value is 'Confidential', transmitting the file to the outside can itself be treated as illegal file leakage. Beyond these examples, an intranet can create and apply various security rules, such as allowing file transmission and reception only for IP classes belonging to a specific internal network; to evaluate such rules, the various data items and their attributes must be included in the log data and examined.

According to the embodiments described above, by extracting and mapping a key indicating a property of a data item from heterogeneous application logs, an attacker's attempt to leak confidential data by combining two or more heterogeneous applications can be detected, and by monitoring log generation for the data of interest, confidential leak attempts occurring in real time can be defended against.
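The following Python is an added example, not code from the patent or its assignee, that carries steps 210 to 260 through over two constructed logs: a delimiter-separated file-server log (first application, past data) and mail-archive records fed one at a time (second application, real time). The key is the user ID; for the mail archive it is derived by cutting the sender address at '@', as the description of FIG. 5 suggests. The log lines, user names, file names, the security-level registry, the internal IP class 10.0.0.0/8 and the 24-hour correlation window are all assumptions of the example.

```python
"""Steps 210-260 over heterogeneous logs: file server (past) and mail archive (real time).
All log lines, names, addresses and policy values below are constructed for this example."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed file-server log; fields: time|user|server|file|operation|count
FILE_SERVER_LOG = """\
2010-12-20 09:00:05|xxxAP|fs01|-|logon|1
2010-12-20 09:02:40|xxxAP|fs01|plan_2011.doc|read|1
2010-12-20 09:05:03|bbb|fs01|lunch_menu.txt|read|1
"""

# Assumed asset registry (security level per file) and assumed internal IP class.
SECURITY_LEVEL = {"plan_2011.doc": "Confidential", "lunch_menu.txt": "Public"}
INTERNAL_NET = ip_network("10.0.0.0/8")

USAGE_OPS = {"read", "copy", "receive"}                                   # first stage
OUTPUT_OPS = {"write", "move", "transmit", "send", "forward", "transfer", "modify"}  # second stage
WINDOW = timedelta(hours=24)   # assumed: how long a usage event stays "of interest"


def parse_file_log(text):
    """Step 210: parse delimiter-separated lines; the extracted key is the user ID."""
    events = []
    for line in text.splitlines():
        ts, user, server, fname, op, _count = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "key": user,
                       "server": server, "file": fname, "op": op})
    return events


def parse_mail_record(line):
    """Step 220: one mail-archive record; fields: time|sender|receiver|attachment|dst_ip.
    The part of the sender address before '@' is taken as the user ID so that it can be
    mapped onto the file server's user key (step 230)."""
    ts, sender, receiver, attach, dst_ip = line.split("|")
    return {"time": datetime.fromisoformat(ts), "key": sender.split("@", 1)[0],
            "receiver": receiver, "file": attach, "dst_ip": dst_ip, "op": "send"}


class LeakMonitor:
    """Keeps the first-stage events of interest and checks every real-time record."""

    def __init__(self, past_events):
        # Step 240: keep only usage-right acquisitions, indexed by the mapped key.
        self.of_interest = {}
        for e in past_events:
            if e["op"] in USAGE_OPS:
                self.of_interest.setdefault(e["key"], []).append(e)

    def observe(self, mail_line):
        """Steps 250/260: return an alert dict when a second-stage event completes
        the two-stage pattern, otherwise None."""
        cur = parse_mail_record(mail_line)
        if cur["op"] not in OUTPUT_OPS:
            return None
        for prev in self.of_interest.get(cur["key"], []):
            # The correlation is ordered in time: the usage event must precede the output.
            if prev["file"] != cur["file"] or not (prev["time"] < cur["time"] <= prev["time"] + WINDOW):
                continue
            # An output alone may be normal business mail; combine further attributes.
            reasons = []
            if SECURITY_LEVEL.get(cur["file"]) == "Confidential":
                reasons.append("confidential file exported")
            if ip_address(cur["dst_ip"]) not in INTERNAL_NET:
                reasons.append("destination outside internal IP class")
            if reasons:
                return {"user": cur["key"], "file": cur["file"], "first": prev["op"],
                        "second": cur["op"], "at": cur["time"].isoformat(), "reasons": reasons}
        return None


def run_demo(file_log, mail_lines):
    """Feed real-time mail records to the monitor; return the alerts it raises."""
    monitor = LeakMonitor(parse_file_log(file_log))
    return [a for a in (monitor.observe(line) for line in mail_lines) if a]


if __name__ == "__main__":
    for alert in run_demo(FILE_SERVER_LOG, [
        "2010-12-20 11:30:00|xxxAP@corp.example|someone@outside.example|plan_2011.doc|203.0.113.7",
        "2010-12-20 11:31:00|bbb@corp.example|team@corp.example|lunch_menu.txt|10.1.2.3",
    ]):
        print("WARNING to administrator:", alert)
```

The first record raises an alert (confidential file, external destination, read before send); the second does not, because a public file sent inside the internal network is ordinary work, which is exactly the false positive the attribute combination in step 260 is meant to avoid. A record whose send time is earlier than the read is ignored by the precedence check.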

FIG. 3 illustrates the implementation environment and overall operating method of the real-time system monitoring method according to an embodiment of the present invention, comprising the first application 10, the second application 20, and the correlation 30.

Each of the applications 10 and 20 generates log data: the past log data 13 and the real-time log data 23. Parsers 15 and 25 extract meaningful keys or data items from the log data 13 and 23. The parsers may be implemented in various ways depending on the characteristics of the log data generated in the environment where the embodiments are deployed. For example, if the log data is produced in Excel format, a parser for Excel documents must be implemented; if it is text separated by a specific delimiter, a parser for that text format must be implemented. One of ordinary skill in the art may therefore employ an appropriate parser 15, 25 according to the format of the log data 13, 23.

In addition, the correlation 30 may be set according to a predefined association rule and recorded in a dedicated storage means such as a database. Using a database is convenient for implementation, since it provides the various computational means of conventional relational modeling. This association rule maps the first key and the second key extracted from the respective log data 13, 23 while taking into account the precedence relationship between the logs' generation times.

Furthermore, the embodiment of FIG. 3 has a monitor 27 module. When log data that acquires an output right is detected (that is, when second-stage leak activity is detected), it is desirable to send a warning message to a preset administrator. Such a warning message may be delivered by e-mail or by a short message service to a mobile terminal.

FIG. 3 also illustrates an example of an operation on such a correlation 30, whereby an association rule is found by comparing data items, analyzing them, and modifying the corresponding values through operations. For example, if a person with ID 'AAA' viewed a file named 'xxx.doc' in the past and later, on December 20, 2010, transmitted that file to '168.126.63.1', an address in an unauthorized IP block, the present embodiment delivers a warning message to the system administrator in real time through the monitor 27 module. As described above, the second application 20 operates in real time and generates log data 23 whenever a unit operation is performed. Such illegal confidential activity can thus be detected by the monitor 27 module and the threat controlled by the system administrator.
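The database-backed variant of FIG. 3, as an added example that is not the patent's own code: the correlation 30 is an association rule expressed as a SQL join over two log tables, ordered by generation time, and the monitor 27 applies it to each real-time record and returns the warning text. The tables, the 'AAA' / 'xxx.doc' records, and the choice of 168.126.0.0/16 as the unauthorized IP block are constructed for the example (the page names only the address 168.126.63.1 and an "unauthorized IP block"). SQLite is used here because it ships with Python; any relational store would do.

```python
"""Correlation 30 as an association rule in a relational database, with a monitor
that checks each real-time record. All records and the IP-block policy are constructed."""
import sqlite3
from ipaddress import ip_address, ip_network

# Assumed policy: destinations inside this block are not authorized to receive files.
UNAUTHORIZED_BLOCKS = [ip_network("168.126.0.0/16")]

# The association rule: a first-application record that acquired a usage right, joined
# on the mapped key (user_id) and file name to a second-application record that acquires
# an output right, with the first record strictly earlier. Timestamps are ISO-8601 text,
# so the string comparison f.ts < t.ts is also a chronological comparison.
ASSOCIATION_RULE = """
SELECT f.user_id, f.file_name, f.ts, t.ts, t.dst_ip
FROM transfer_log AS t
JOIN file_log AS f ON f.user_id = t.user_id AND f.file_name = t.file_name
WHERE f.op IN ('read', 'copy', 'receive')
  AND t.op IN ('write', 'move', 'transmit', 'modify')
  AND f.ts < t.ts
  AND t.rowid = ?
"""


def build_db():
    """Create both log tables and load constructed past file-server records (log data 13)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE file_log (ts TEXT, user_id TEXT, file_name TEXT, op TEXT);
        CREATE TABLE transfer_log (ts TEXT, user_id TEXT, file_name TEXT, op TEXT, dst_ip TEXT);
    """)
    con.executemany("INSERT INTO file_log VALUES (?, ?, ?, ?)", [
        ("2010-12-15 14:02:00", "AAA", "xxx.doc", "read"),
        ("2010-12-16 09:10:00", "BBB", "yyy.doc", "read"),
    ])
    return con


def warning_message(user, fname, t_first, t_second, dst_ip):
    """Text the monitor 27 would send to the preset administrator by mail or SMS."""
    return (f"WARNING: {user} read {fname} at {t_first} and transmitted it to "
            f"{dst_ip} (unauthorized IP block) at {t_second}")


def monitor(con, record):
    """Store one real-time second-application record (ts, user_id, file_name, op, dst_ip),
    apply the association rule to it, and return the warnings raised."""
    cur = con.execute("INSERT INTO transfer_log VALUES (?, ?, ?, ?, ?)", record)
    rows = con.execute(ASSOCIATION_RULE, (cur.lastrowid,)).fetchall()
    warnings = []
    for user, fname, t_first, t_second, dst_ip in rows:
        # The join gives read-then-transmit; the destination attribute decides illegality.
        if any(ip_address(dst_ip) in block for block in UNAUTHORIZED_BLOCKS):
            warnings.append(warning_message(user, fname, t_first, t_second, dst_ip))
    return warnings


if __name__ == "__main__":
    db = build_db()
    for rec in [("2010-12-20 10:00:00", "AAA", "xxx.doc", "transmit", "168.126.63.1"),
                ("2010-12-20 10:05:00", "AAA", "xxx.doc", "transmit", "10.0.0.5")]:
        for msg in monitor(db, rec):
            print(msg)
```

Only the first record produces a warning; the transfer to 10.0.0.5 matches the join but not the destination policy, and a transfer dated before the read never matches the join at all.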

Meanwhile, embodiments of the present invention may use an ontology to implement the correlation 30. An ontology is a model that abstracts and shares what people think about things; it is a technology that formally and explicitly defines kinds of concepts and constraints on their use. In computer science, the way people understand language is commonly called conceptualization: a person experiences each object or event in the world, grasps the features it contains, and conceptualizes it in language. Likewise, the technology of building in a computer a kind of database that corresponds to human concepts is called ontology technology. In particular, an ontology is used as a tool to connect knowledge concepts semantically, enabling a computer to process human concepts of things in the form of a database.

An ontology, a set of vocabulary described in a formal language, is used for reasoning and inference. Semantic web technology emerged in this context. The semantic web is a framework and technology that expresses resources (web documents, various files, services, and so on) and the relationships among information about them, in a distributed environment such as the present Internet, in a machine-processable form, that is, as an ontology, and lets automated machines process it. In other words, an ontology is a tool that can implement the semantic web and that can connect knowledge concepts semantically.

The elements of an ontology can be classified into classes, instances, relations, and properties. A class is usually a name we attach to things or concepts. Instances are the things or concepts that appear in the actual form of objects or events. Relations are relationships that exist between classes or instances and can generally be divided into taxonomic and non-taxonomic relations. A taxonomic relation is a hierarchical relation that divides classes/instances into broader and more specific concepts; any other relation is non-taxonomic. A property links a class or instance to a specific value to express a particular characteristic or tendency of that class or instance.

The embodiments described above can be conceptualized using such an ontology, and the ontology enables new inferences from the correlation once it is set. Implementing the correlation with an ontology in practice goes beyond the essential or basic idea proposed by these embodiments, so only a brief example is given here and a detailed description is omitted.

The correlation 30 set as described above may be implemented as an association rule modeled using an ontology. In that case, the process of detecting log data that acquires an output right can be performed by querying the ontology's inference engine as to whether data generated in real time corresponds to information leakage. Such queries can return inferred results that a formal relational database does not provide, and thus richer results.

Furthermore, by repeating the query through the ontology inference engine, modifications to the association rule can be received, and by learning the correlation 30 from the received modifications it is possible to obtain inference results that the correlation as originally set could not produce, and so to defend actively against new patterns of attack behaviour.
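The page gives no concrete ontology, so the following is an added example of the idea, not the patent's own model: a tiny ontology with classes, instances, a taxonomic (is-a) relation and a property, an inference step that computes the transitive closure of is-a to answer the leak query, and a rule-modification step in which an administrator classifies a previously unknown operation so the same query starts to recognise it. Concept names such as UsageOperation and OutputOperation, the property hasSecurityLevel, and the records are assumptions of the example.

```python
"""Minimal ontology with subsumption inference for the leak query, plus rule modification.
The vocabulary, property names and log records below are constructed for this example."""


class Ontology:
    def __init__(self):
        self.broader = {}   # taxonomic relation: concept -> set of directly broader concepts
        self.props = {}     # non-taxonomic: (instance, property) -> value

    def add_is_a(self, narrower, broader):
        self.broader.setdefault(narrower, set()).add(broader)

    def set_property(self, instance, prop, value):
        self.props[(instance, prop)] = value

    def ancestors(self, concept):
        """Transitive closure of is-a: the inference engine's core step."""
        seen, stack = set(), list(self.broader.get(concept, ()))
        while stack:
            c = stack.pop()
            if c not in seen:
                seen.add(c)
                stack.extend(self.broader.get(c, ()))
        return seen

    def subsumes(self, broader, concept):
        return broader == concept or broader in self.ancestors(concept)


def build_vocabulary():
    """Concepts behind the association rule, following the rights listed in the description."""
    o = Ontology()
    for op in ("read", "copy", "receive"):
        o.add_is_a(op, "UsageOperation")
    for op in ("write", "move", "transmit", "modify"):
        o.add_is_a(op, "OutputOperation")
    o.add_is_a("send", "transmit")               # a mail send is a kind of transmit
    o.add_is_a("print", "OutputOperation")       # hard copy is an output as well (FIG. 6)
    o.add_is_a("UsageOperation", "FileOperation")
    o.add_is_a("OutputOperation", "FileOperation")
    o.set_property("xxx.doc", "hasSecurityLevel", "Confidential")
    return o


def is_information_leak(onto, first, second):
    """Query to the inference engine: does the pair (first, second) instantiate
    InformationLeak? True when a usage operation by the same user on the same
    confidential file precedes an output operation."""
    return (onto.subsumes("UsageOperation", first["op"])
            and onto.subsumes("OutputOperation", second["op"])
            and first["user"] == second["user"]
            and first["file"] == second["file"]
            and first["time"] < second["time"]
            and onto.props.get((second["file"], "hasSecurityLevel")) == "Confidential")


def learn_rule_modification(onto, new_concept, broader):
    """Administrator feedback after repeated queries: place an operation the rule did not
    know under an existing concept, so the engine recognises the new pattern from now on."""
    onto.add_is_a(new_concept, broader)


if __name__ == "__main__":
    onto = build_vocabulary()
    first = {"user": "AAA", "file": "xxx.doc", "op": "read", "time": "2010-12-15T14:02"}
    second = {"user": "AAA", "file": "xxx.doc", "op": "upload", "time": "2010-12-20T10:00"}
    print(is_information_leak(onto, first, second))   # False: 'upload' is not yet classified
    learn_rule_modification(onto, "upload", "OutputOperation")
    print(is_information_leak(onto, first, second))   # True: the new pattern is now inferred
```

The point of the subsumption step is that 'send' is never named in the rule: it is found to be an output operation because send is-a transmit is-a OutputOperation, which is the kind of inference a plain relational lookup on operation names would not give.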

The applications that can be used in the embodiments of the present invention are illustrated below.

FIG. 4 illustrates a log of a file server as log data of the real-time system monitoring method according to an embodiment of the present invention. The detailed data items shown are 'time', 'user', 'server name', 'file name', 'operation type', and 'operation count'.

In FIG. 4, the file server log shows four read operations after five logon operations; that is, the act of acquiring the usage right for a file object, the first act of the confidential leakage pattern, has occurred. In the case of FIG. 4, the user 'xxxAP' may be used as the key and mapped to, and monitored against, the log data of the heterogeneous application generated later than the file manipulation time.

FIG. 5 illustrates the data items and attributes of a mail archive server as log data of the real-time system monitoring method according to an exemplary embodiment of the present invention. Although the data items in FIG. 5 generally correspond to information obtainable from sending and receiving mail through a mail server, the particularly meaningful ones are 'sender address', 'receiver address', and 'attached file name'. Here, if the characters after '@' are cut from the 'sender address', the same data as the user ID can be extracted. As this shows, some data items may be processed as needed in order to map the log data of heterogeneous applications.

FIG. 6 illustrates a log of a print server as log data of the real-time system monitoring method according to an embodiment of the present invention. The detailed data items are 'time', 'user', 'server name', 'file name', 'operation type', and 'operation count'. Confidential data can be leaked not only by electronic file transfer but also as hard copy, so monitoring the print server's log data is also useful. Here, as in FIG. 4, 'user' may be used as the key, and if a file read action appears among the log data mapped before the print action, the series of actions may be regarded as a confidential leak.

FIG. 7 illustrates a log of a file transfer protocol (FTP) server as log data of the real-time system monitoring method according to an embodiment of the present invention. The detailed data items are 'time', 'IP address', 'file size', 'file path / file name', and 'user'. In the case of FIG. 7, as in FIGS. 4 to 6, the user may be used as the key to check whether the second stage of the leak pattern is satisfied.

Furthermore, the present invention can be embodied as computer-readable code on a computer-readable recording medium, which includes every kind of recording device that stores data readable by a computer system.

Examples of the computer-readable recording medium include ROM, RAM, CD-ROM, magnetic tape, floppy disks, optical data storage devices and the like, as well as carrier waves (for example, transmission via the Internet). The computer-readable recording medium may also be distributed over network-connected computer systems so that the computer-readable code is stored and executed in a distributed manner. Functional programs, code, and code segments for implementing the present invention can readily be derived by programmers skilled in the art to which the present invention belongs.

The present invention has been described above with reference to various embodiments thereof. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the disclosed embodiments should be considered in an illustrative rather than a restrictive sense. The scope of the present invention is defined by the appended claims rather than by the foregoing description, and all differences within the scope of equivalents thereof should be construed as being included in the present invention.

Reference numerals:
10: first application
13: first application log (past data)
15, 25: parsers
20: second application
23: second application log (current data)
27: monitor
30: correlation

Claims (10)

Extracting a first key representing an attribute of a data item from a log of the first application;
Extracting a second key corresponding to the extracted first key from a log of a second application generated in real time;
Establishing a correlation between a log of the first application and a log of the second application by mapping the extracted first key and the extracted second key;
Selecting data for obtaining a right to use a file object in a log of the first application by referring to an attribute of a data item;
Monitoring generation of data corresponding to the selected data in the log of the second application in real time according to the set correlation; And
And detecting log data for obtaining an output right for a file object among the monitored data by referring to an attribute of the data item.
The method of claim 1,
And the first key and the second key are each at least one of a user ID, an IP address, a file name, an occurrence time, or a job type included in a log.
The method of claim 1,
And the usage right for the file object is at least one of reading, copying, or receiving.
The method of claim 1,
The detecting of the log data may further include considering at least one of a security level or a target IP address of the file object.
The method of claim 1,
And the output authority for the file object is at least one of writing, moving, transmitting, or modifying.
The method of claim 1,
The correlation is set according to a predefined association rule,
And the association rule maps the extracted first key and the extracted second key in consideration of a probabilistic relationship between log generation times.
The method of claim 1,
The correlation is an association rule modeled using an ontology,
The step of detecting the log data to obtain the output authority is performed by querying whether the data generated in real time corresponding to the information leakage using the reasoning machine of the ontology.
The method of claim 7, wherein
Receiving a modification to the association rule by repeating the query through the inferred, further comprising:
And the correlation is learned by the input correction.
The method of claim 1,
further comprising transmitting a warning message to a preset administrator when log data that obtains the output right is detected.
A computer-readable recording medium having recorded thereon a program for executing the method of any one of claims 1 to 9.
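As an added example (not the patent's own code), the claimed correlation-and-detection flow in Python over two constructed log streams: usage events (READ/COPY) in a first application's log are mapped by a (user, IP, file name) key to output events (SEND/MOVE) in a second application's log within a time window, and the match is flagged when the file's security level is CONFIDENTIAL or the target IP is external. The log format, field names, the fixed time window standing in for the probabilistic time relationship, and all sample lines are assumptions.

```python
"""Correlate two application logs to detect file-object leakage, as in the claims.
Added example, not the patent's code; log format, fields and lines are constructed."""
from datetime import datetime, timedelta
USAGE_JOBS = {"READ", "COPY", "RECEIVE"}          # rights to use a file object
OUTPUT_JOBS = {"WRITE", "MOVE", "SEND", "MODIFY"}  # rights to output a file object
KEY_FIELDS = ("user", "ip", "file")                # fields forming first/second key (assumed)
FIRST_APP_LOG = [  # constructed: document-management (first application) log
    "2010-12-20T09:00:01 user=alice ip=10.0.0.5 job=READ file=plan.docx level=CONFIDENTIAL",
    "2010-12-20T09:00:30 user=bob ip=10.0.0.7 job=READ file=memo.txt level=PUBLIC",
    "2010-12-20T08:00:00 user=carol ip=10.0.0.9 job=COPY file=budget.xlsx level=CONFIDENTIAL",
]
SECOND_APP_LOG = [  # constructed: file-transfer (second application) log
    "2010-12-20T09:03:10 user=alice ip=10.0.0.5 job=SEND file=plan.docx dst=203.0.113.9",
    "2010-12-20T09:04:00 user=bob ip=10.0.0.7 job=SEND file=memo.txt dst=10.0.0.20",
    "2010-12-20T09:05:00 user=carol ip=10.0.0.9 job=MOVE file=budget.xlsx dst=10.0.0.30",
]

def parse(line):
    """Parse one 'ts k=v k=v ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def key_of(rec):
    """Extract the correlation key (user, ip, file) from a parsed record."""
    return tuple(rec[f] for f in KEY_FIELDS)

def detect_leaks(first_lines, second_lines, window=timedelta(minutes=10), internal="10."):
    """Select usage events from the first log; flag output events in the second log that
    share a key within `window` and involve a CONFIDENTIAL file or an external target."""
    usage = {}  # key -> usage records selected from the first application's log
    for rec in map(parse, first_lines):
        if rec["job"] in USAGE_JOBS:
            usage.setdefault(key_of(rec), []).append(rec)
    alerts = []
    for rec in map(parse, second_lines):  # the stream monitored in real time
        if rec["job"] not in OUTPUT_JOBS:
            continue
        # correlation: same key, and the output event follows a usage event within the window
        related = [u for u in usage.get(key_of(rec), [])
                   if timedelta(0) <= rec["ts"] - u["ts"] <= window]
        if not related:
            continue
        confidential = any(u.get("level") == "CONFIDENTIAL" for u in related)
        external = not rec.get("dst", internal).startswith(internal)
        if confidential or external:
            alerts.append((rec["user"], rec["file"], rec["job"], rec.get("dst")))
    return alerts
```

In the sample data only alice's SEND is flagged: bob's transfer is a PUBLIC file to an internal address, and carol's MOVE falls outside the ten-minute window after her COPY.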
KR1020100130541A 2010-12-20 2010-12-20 A realtime monitoring method based on log data KR20120069130A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020100130541A KR20120069130A (en) 2010-12-20 2010-12-20 A realtime monitoring method based on log data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020100130541A KR20120069130A (en) 2010-12-20 2010-12-20 A realtime monitoring method based on log data

Publications (1)

Publication Number Publication Date
KR20120069130A true KR20120069130A (en) 2012-06-28

Family

ID=46687447

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020100130541A KR20120069130A (en) 2010-12-20 2010-12-20 A realtime monitoring method based on log data

Country Status (1)

Country Link
KR (1) KR20120069130A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20140054964A (en) 2012-10-30 2014-05-09 에스케이플래닛 주식회사 Streaming service system, method and apparatus for providing streming servise in the system
KR20180079049A (en) * 2016-12-30 2018-07-10 국방과학연구소 Detection system of cyber information leaking action

Legal Events

Date Code Title Description
A201 Request for examination
E701 Decision to grant or registration of patent right
NORF Unpaid initial registration fee