KR20130116418A - Apparatus, method and computer readable recording medium for analyzing a reputation of an internet protocol - Google Patents


Info

Publication number
KR20130116418A
Authority
KR
South Korea
Prior art keywords
reputation
information
signature
false positive
packet
Application number
KR1020120026384A
Other languages
Korean (ko)
Inventor
김무성
김현호
김동욱
최원덕
이남일
Original Assignee
주식회사 코닉글로리
Application filed by 주식회사 코닉글로리

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
        • H04L 41/14 Network analysis or design
            • H04L 41/142 Network analysis or design using statistical or mathematical methods
        • H04L 41/22 Arrangements for maintenance, administration or management of data switching networks comprising specially adapted graphical user interfaces [GUI]
    • H04L 63/00 Network architectures or network communication protocols for network security
        • H04L 63/14 Network security for detecting or protecting against malicious traffic
            • H04L 63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
        • H04L 63/20 Network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Mathematical Analysis (AREA)
  • General Physics & Mathematics (AREA)
  • Algebra (AREA)
  • Physics & Mathematics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Probability & Statistics with Applications (AREA)
  • Human Computer Interaction (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

PURPOSE: An internet protocol (IP) address reputation analyzing apparatus, a method thereof, and a computer-readable recording medium are provided to maintain reliable IP address reputation information for each IP address in a network, thereby enabling accurate identification of an attacker and a target, and an accurate true- or false-positive determination of an attack, when an event is generated.

CONSTITUTION: A signature analyzing part (220) analyzes a packet to check for the existence of code corresponding to a specific signature stored in a database in advance. If code corresponding to the specific signature is found by the signature analyzing part, a reputation score calculation part (230) reads the predetermined danger degree and false positive rate information for the found signature from a signature information database. The reputation score calculation part calculates a reputation score based on the danger degree and false positive rate information read from the database. An analysis result storing part (240) stores the reputation score calculated by the reputation score calculation part in a reputation information database along with the IP address information of the packet.

Reference numerals: (210) packet collecting part; (220) signature analyzing part; (230) reputation score calculation part; (240) analysis result storing part; (250) external reputation information collecting part; (260) information renewing part; (270) information request processing unit; (281) signature information D/B; (282) TMS log information D/B; (283) reputation information D/B; (AA) 120 or 150; (BB) IP reputation analysis device; (CC) signature; (DD) degree of risk; (EE) false positive.

Description

IP reputation analysis apparatus, method and computer readable recording medium {APPARATUS, METHOD AND COMPUTER READABLE RECORDING MEDIUM FOR ANALYZING A REPUTATION OF AN INTERNET PROTOCOL}

The present invention relates to an IP reputation analysis apparatus, a method and a computer-readable recording medium, and more particularly to an apparatus, method and medium that analyze the reputation of the IP address that sent a packet by analyzing the risk of each packet transmitted on the network.

In general, the Internet is an open network in which anyone, anywhere in the world, can freely connect to a remote computer using the common TCP/IP protocol suite. Beyond plain text, with the development of compression technology it carries multimedia content, and services such as e-mail, file transfer and the World Wide Web (WWW) are available over it.

As Internet use has grown rapidly in Korea and worldwide, the Internet has become a strategic tool for improving efficiency and productivity across existing industries. New business opportunities through the Internet are continuously created, and the number of Internet service providers is also increasing.

On the other hand, one factor that hinders communication over the Internet is the attack, in which a malicious program is used against a specific target computer connected to the Internet in order to obtain the information the attacker wants.

A malicious program is code written for a malicious purpose; it is also called malware or malicious code. Depending on its self-replicating ability and on whether it has an infection target, it is classified as a virus, a worm, a Trojan horse and the like.

Spyware, which is similar to a malicious program, is software that infiltrates another person's computer and extracts important personal information. In recent years it has evolved to discover user names, IP addresses, favorite URLs, personal IDs and passwords, and is a growing problem because of the many ways it can be abused. The main symptoms caused by such malicious programs are increased network traffic, degraded system performance, file deletion, unsolicited e-mail sending, leakage of personal information and remote control. In addition, most malicious programs apply various anti-analysis techniques so that their intent and behavior cannot be easily identified even when they are analyzed by security experts.

For example, a typical malicious program (malware) detection procedure scans for malware based on signatures and, when malware is detected, runs the corresponding handling process.

The signature-based malware diagnosis method relies on collecting virus samples. When a new computer virus appears, the antivirus vendor has to collect a sample, work out how to diagnose and disinfect it, and add the result to the antivirus database. This is referred to as a reactive method, and the distinguishing pattern of the virus is referred to as a 'signature'.

As described above, the conventional malicious program detection method generates a signature through expert analysis of previously discovered malicious programs and detects later uses of the same malicious program from that signature. Its limitation is that a malicious program whose signature is not exactly the same, even one very similar to a known malicious program, cannot be detected, and an unknown malicious program cannot be detected and handled immediately.

As a technique for detecting such malicious programs or malicious sites, Korean Patent Registration No. 10-1044274, "Malicious site detection apparatus, method and recording medium on which a computer program is recorded" (AhnLab, Inc.), determines whether the current site is dangerous, or whether a process currently running on the computer is abnormal, by checking, when a program downloaded from the site is executed, whether a certificate is included in the process and whether its stack structure is normal.

However, the symptoms and spreading methods of malicious programs are gradually becoming more complex and more sophisticated, and such a conventional antivirus program cannot diagnose and treat all of the various malicious programs.

In order to detect malicious programs or malicious sites faster, accurate identification of the attacker and victim IP addresses in the attack log is required, as is information for quickly determining whether an attack log entry is a false positive.

Therefore, there is a need to determine the risk of an IP address from its past detection records, and to determine quickly and accurately whether an attack log entry is a false positive.

[Patent Document 1] Korean Registered Patent No. 10-1044274, "Malicious site detection apparatus, method, and recording medium on which a computer program is recorded" (AhnLab, Inc.), 2011.06.20

SUMMARY OF THE INVENTION An object of the present invention is to provide an IP reputation analysis apparatus, method and computer-readable recording medium that, by maintaining reliable IP reputation information for each IP address on a network, allow the attacker and the target to be identified reliably and an attack to be accurately classified as a true or false positive when an event occurs.

Another object of the present invention is to provide an IP reputation analysis apparatus, method and computer-readable recording medium that maintain reliable IP reputation information for each IP address on a network and provide that information in association with trusted external IP reputation information.

A further object of the present invention is to provide an IP reputation analysis apparatus, method and computer-readable recording medium that maintain reliable IP reputation information for each IP address on a network and, when a user enters an IP address, allow the reputation and collected information for that address to be looked up.

The characteristic structure of the present invention for achieving the above objects, and the specific effects of the present invention described below, is as follows.

According to an aspect of the present invention, an IP reputation analysis apparatus includes: a signature information database that quantifies each of a plurality of signatures of suspected attacks through a network and stores each signature mapped to a preset risk level and false positive rate; a packet collecting unit that collects each packet transmitted on the network; a signature analysis unit that analyzes each packet collected by the packet collecting unit to determine whether it contains code corresponding to a specific signature previously stored in the database; a reputation score calculator that, when code corresponding to a specific signature is found by the signature analysis unit, reads the risk level and false positive rate preset for that signature from the signature information database and calculates a reputation score from them; and an analysis result storage unit that stores the reputation score calculated by the reputation score calculator, together with the IP address information of the packet, in a reputation information database.

Preferably, the reputation score calculator calculates the reputation score so that it is proportional to both the risk level and the false positive rate.

Preferably, the reputation score calculator calculates the score by the following formula:

Figure pat00001

Preferably, the apparatus further includes an external reputation information collecting unit that collects external reputation information from an external reputation information providing server and stores the collected reputation information in the reputation information database.

Preferably, the apparatus further includes an information update unit that collects and updates the risk level and false positive rate information for particular signatures stored in the signature information database.

Preferably, the apparatus further includes an information request processing unit that, when specific reputation information is requested from the IP reputation analysis apparatus, generates it from the reputation information stored in the reputation information database and provides it.

Preferably, the apparatus transmits the reputation information stored in the reputation information database to the user terminal periodically, aperiodically, or at the request of the user terminal.

According to another aspect of the present invention, an IP reputation analysis method performed by an IP reputation analysis apparatus includes: quantifying each of a plurality of signatures of suspected attacks through a network, mapping each to a predetermined risk level and false positive rate, and storing them in a signature information database; collecting, in a packet collecting unit, each packet transmitted on the network; analyzing, in a signature analyzer, each collected packet to determine whether it contains code corresponding to a specific signature stored in the database in advance; when such code is found, reading, in a reputation score calculator, the risk level and false positive rate preset for that signature from the signature information database and calculating a reputation score from them; and storing, in an analysis result storage unit, the calculated reputation score together with the IP address information of the packet in a reputation information database.

The IP reputation analysis method may be stored as a program on a recording medium readable by a server computer. Such a recording medium includes all kinds of media on which programs and data are stored so that they can be read by a computer system: ROM (Read Only Memory), RAM (Random Access Memory), CD (Compact Disk)-ROM, DVD (Digital Video Disk)-ROM, magnetic tape, floppy disk, optical data storage devices, and media implemented as carrier waves (for example, transmission over the Internet). The recording medium may also be distributed over networked computer systems so that computer-readable code is stored and executed in a distributed manner.

As described above, according to the present invention, the IP reputation analysis result is quantified, so the risk of an IP address can be determined from its past detection records, the attacker can be identified immediately, and the attack can be handled according to the security policy.

In addition, according to the present invention, by maintaining both external IP reputation information and internally measured IP reputation information, the attacker and the target can be identified accurately when an event occurs, and a false positive can be recognized early.

In addition, according to the present invention, by measuring a reputation score for each site, the security level of each site can be determined and a security policy established.

FIG. 1 is a diagram showing the configuration of an IP reputation analysis system according to an embodiment of the present invention.
FIG. 2 is a block diagram showing the detailed structure of an IP reputation analysis apparatus according to an embodiment of the present invention.
FIG. 3 is a flowchart illustrating an analysis procedure using an IP reputation analysis apparatus according to an embodiment of the present invention.
FIGS. 4 and 5 are diagrams showing a reputation value and graph inquiry screen for a specific IP according to an embodiment of the present invention.
FIG. 6 is a view showing a log inquiry screen for a specific attack and IP according to an embodiment of the present invention.
FIG. 7 is a diagram illustrating a numerical and graph inquiry screen for each attack type for a specific IP according to an embodiment of the present invention.
FIG. 8 is a diagram illustrating a log inquiry screen for a specific attack according to an embodiment of the present invention.
FIG. 9 is a diagram illustrating a log inquiry screen for each attack type for a specific IP according to an embodiment of the present invention.
FIG. 10 is a diagram illustrating a DB information management screen of a TMS with which the apparatus interworks, according to an embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION The following detailed description of the invention refers to the accompanying drawings that show, by way of illustration, specific embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention. It should be understood that the various embodiments of the present invention are different, but need not be mutually exclusive. For example, certain features, structures, and characteristics described herein may be implemented in other embodiments without departing from the spirit and scope of the invention in connection with an embodiment. It is also to be understood that the position or arrangement of the individual components within each disclosed embodiment may be varied without departing from the spirit and scope of the invention. Accordingly, the following detailed description is not to be taken in a limiting sense, and the scope of the present invention is defined only by the appended claims, along with the full range of equivalents to which such claims are entitled. In the drawings, like reference numerals refer to the same or similar functions throughout the several views.

The present invention provides an IP reputation analysis apparatus and method that analyze the risk and false positive (FP) rate of each packet transmitted on the network, calculate a reputation score, and thereby analyze the reputation of the IP address that sent the packet.

More specifically, each packet is checked against a plurality of signatures, and when the packet contains code corresponding to a specific signature, a reputation score is calculated from the risk level and false positive rate predetermined for that signature; in this way reputation analysis is performed for each IP address.

The signatures used in the present invention cover any attack on the network that can be expressed as a signature, including network-based attacks as well as malware. For example, an attack that exploits a product vulnerability over the network, network scanning, and Distributed Denial of Service (DDoS) can each be implemented as a signature.

In the description below, the term 'malware' (malicious software) means software intentionally designed to perform malicious activities, such as destroying the system or leaking information, against the intention and interest of the user. Malware is a broader concept that includes viruses, which are characterized by self-replication and file infection. Many so-called non-viral malware programs are as destructive and dangerous as viruses: Trojan horses and keystroke loggers are non-virus malware, as are remote administration programs and various kinds of spyware. Although there are no reports of mass dissemination or serious damage to the public, the potential for major incidents is high. In other words, malware as used below is a generic name for executable code written for malicious purposes, a broad concept that includes malicious programs, malicious code and the like. It takes various forms and may be classified as a virus, a worm, a Trojan horse and the like depending on its self-replicating ability and whether it has an infection target. Spyware, which is similar to a malicious program, is software that infiltrates another person's computer and extracts important personal information; in recent years it has evolved to discover user names, IP addresses, favorite URLs, personal IDs and passwords, and is a growing problem because of the many ways it can be abused. Thus the present invention can be applied to the detection and diagnosis of code written for any malicious purpose, including such spyware, adware, tracking code and the like.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings, so that those skilled in the art can easily carry out the present invention.

The concept of IP reputation analysis is as follows.

First, the concept of malware detection over the network according to the present invention is described.

Various application programs run on the client terminal, and each running application has at least one process. For example, process 1 runs connected to the server 'www.google.com' at IP (Internet Protocol) address and port '8.8.8.8:80', process 3 runs connected to the server 'www.naver.com' at '66.3.4.1:80', and process 4 runs connected to the server 'hack1.liOs.org' at '10.11.22.23:8080'.

By analyzing the packets exchanged between the client terminal and these servers, malware infection is detected. For example, the IP reputation analysis apparatus, operating in real time, diagnoses whether each running process is infected with malware using the malware signature information stored in advance in a malware signature DB.

If the signature analyzer diagnoses that a process is infected with malware, the network access information (for example, the IP address) associated with the infected process is extracted. To calculate the reputation score for that IP address according to the present invention, the risk level and false positive rate corresponding to the matched signature are looked up; that is, the reputation score for the IP address is calculated from the risk level and false positive rate of the detected signature.

The network access information (that is, the IP address) can be extracted in various ways; when network traffic is collected, the IP address can be taken from the packet in various ways.

For example, the network information can be obtained by running an application that acquires network information at user level, installing a hooking driver that hooks functions of the TCP/IP driver at kernel level, and having the application call the network-information function. When the IP reputation analyzer is a Windows-based system, the function used to obtain network information may be 'GetTcpTable' or 'GetExtendedTcpTable'. 'GetTcpTable' returns the local and remote IP/port of each TCP session, and 'GetExtendedTcpTable' additionally returns the ID of the process that owns the session. The extracted network access information may be mapped to the calculated reputation analysis information and stored in a database, and then used in the security policy of each user terminal.

Hereinafter, a system and apparatus according to an embodiment of the present invention will be described with reference to FIGS. 1 and 2.

The IP reputation analysis system is as follows.

FIG. 1 is a diagram showing the configuration of an IP reputation analysis system according to an embodiment of the present invention. Referring to FIG. 1, the system according to the present invention includes a user terminal 100, the Internet 110, IP reputation analysis apparatuses 120 and 150, an external reputation information providing server 130, a malicious domain server 140, and the like.

The IP reputation analysis apparatuses 120 and 150 analyze the reputation of each IP address, score it, and store it in a database. In addition, external IP reputation information collected from the external reputation information providing server 130 is used as reputation analysis information.

The external reputation information providing server 130 may be any of various servers that ordinarily provide information, such as a portal site server; it is distinguished from the malicious domain server 140 and represents an ordinary server that provides a normal service without malicious attacks or malware infection. In particular, the external reputation information providing server 130 provides the collected external IP reputation information to the IP reputation analysis apparatus 120 according to the embodiment of the present invention.

The Internet 110 may be a wired or wireless communication network, such as a personal area network (PAN), a local area network (LAN), a metropolitan area network (MAN) or a wide area network (WAN). The Internet 110 may also be the known World Wide Web (WWW), and may partially use short-range radio transmission technologies such as Infrared Data Association (IrDA) or Bluetooth.

The malicious domain server 140 is a server, in the broad sense, that distributes malware to user terminals 100, attacks user terminals 100, or controls terminals infected with malware (a command & control server, C&C server). A command and control server is a server through which a hacker remotely controls zombie PCs and issues attack commands against a specific target.

The user terminal 100 may receive the result analyzed by the IP reputation analysis apparatus 120 and apply various security policies according to user settings.

The IP reputation analysis apparatus 120 stores the IP reputation analysis information and can send the collected IP reputation analysis information to each user terminal 100 over the Internet 110 periodically, aperiodically, or at the request of the user terminal 100.

The IP reputation analysis apparatus 120 may be connected to the Internet 110 through a switch 121 and a router 122 as shown; in the case of a company intranet 163, it may be connected to the Internet 110 through a switch 162, a firewall 161 and a router 160. According to another embodiment of the present invention, the IP reputation analysis apparatus 150 may be connected to the Internet 110 through a Threat Management System (TMS) 151, a network TAP 152 and the like, and the apparatus 150 may provide its service in cooperation with the TMS 151.

The TAP 152 is a device that copies the packet data passing through an in-line section of the network to a monitoring device.

The TMS 151 is an integrated security management system that aims to detect threats early and reduce or eliminate them in order to protect internal information assets from external threats, and to respond actively to attack traffic. When abnormal traffic increases, it can provide relatively detailed and varied information that the administrator wants (the top five attacking IP addresses, ports, protocol analysis, attack types in the last five minutes, etc.).

The IP reputation analyzer is as follows.

2 is a block diagram showing a detailed structure of an IP reputation analysis apparatus according to an embodiment of the present invention. Referring to FIG. 2, the IP reputation analyzer 120 or 150 according to an embodiment of the present invention may include a packet collector 210, a signature analyzer 220, a reputation score calculator 230, and an analysis result storage unit ( 240, the external reputation information collecting unit 250, the information updating unit 260, and the information request processing unit 270 may be configured.

The packet collecting unit 210 collects each packet transmitted on the network.

The signature analyzer 220 analyzes each packet collected by the packet collector 210 to analyze whether there is a code corresponding to a specific signature. At this time, the specific signature code is stored and managed in the signature information database 281. That is, the signature information database 281 sets and stores a risk and a false positive rate for each of the signatures suspected of a plurality of malware.

For example, the signature information database 281 stores the signature, the risk, and the false positive rate as shown in Table 1 below.

No signature  Contents Risk False positive rate One alert icmp any any-> any any (msg: ”icmp router advertisement”; icode: 0; itype: 9; rev: 1;) One 5 2 alert icmp any any-> any any (msg: ”icmp ping misc dos-ath0 modem disconnect"; icode: 0; itype: 8; content: "+++ ath0"; rev: 1;) 2 5 3 alert icmp any any-> any any (msg: ”icmp ping pinger windows"; itype: 8; content: "Data | 000000000000000000000000 |"; depth: 32; rev: 1;) One 5 4 alert icmp any any-> any any (msg: ”icmp ping seer windows"; itype: 8; content: "| 8804 |"; depth: 32; rev: 1;) One 4 5 alert icmp any any-> any any (msg: ”icmp ping tjpingpro 1.1 build 2 windows"; itype: 8; content: "TJPingPro by Jim"; depth: 32; rev: 1;) 2 5 ... ... ... ...

That is, as shown in Table 1, risks and false positive rates are mapped and stored for a plurality of signatures, and the signature information may be continuously added, deleted, or updated. In addition, the risk and false positive rate for a particular signature can also be modified. For example, the information update unit 260 continuously collects the signature information and updates the signature information database 281.

Table 1 is only an example to aid understanding of the present invention; various other kinds of signatures may be included. Likewise, although the risk level and false positive rate in Table 1 are expressed on a scale of 1 to 5, they may be quantified over other ranges.

In Table 1, the risk level of each signature is set from 1 to 5, where a higher value means a higher risk of malware. The risk level of each signature may be set, for example, according to the criteria in Table 2 below.

Table 2

Risk 1: general ping or general communication behavior of specific products; normal protocol command; protocol general behavior notification
Risk 2: ping and scan through scanning tools; common commands used by ftp, iis, etc.; calling the xp_random extended command in mysql; http common file request behavior (generic file name page found during web scanning)
Risk 3: flooding, brute force, etc.; classic packet attacks such as teardrop and ping of death; http file request for an exe file; infrequent vendor product vulnerabilities; requests for pages such as keylogger or spyware pages; common SQL injection and XSS injection; well-known web scanner; irc general command; unknown user-agent
Risk 4: malicious domain page request (fake antivirus, statistics, host information transmission, etc.); AV vendor vulnerability; well-known worms and backdoors such as nimda; well-known DDoS tools such as trin00; web shell communication activity; C&C server domain query
Risk 5: malicious domain page request (malicious file, game hack, infected file, etc.); AV vendor vulnerability with critical rating; fully controlled remote control tool; detection of famous backdoor requests such as zeusbot and spyeye; zero-day attack with remote code execution

In addition, the false positive rate can be set according to the criteria shown in Table 3 below.

Table 3

Measurement criterion                                                         False positive rate
Vulnerability detection rule                                                   1
Easy word, flag only                                                           2
Filename only, SQL or XSS                                                      3
More than one signature and unique words                                       4
More than one signature, filename and host, botnet dsize and unique words      5

In Table 3, a higher false positive rate value means a lower probability of a false detection; the value expresses how specific the signature is (a single flag or common word is easy to trip by accident, several signatures combined with unique strings, file names and hosts are not), not how often it misfires.

When the analysis by the signature analyzer 220 finds code corresponding to a specific signature, the reputation score calculator 230 reads the risk level and false positive rate preset for that signature from the signature information database 281 and then calculates a reputation score from the values read.

The reputation score may be calculated in various ways, preferably so that it is proportional to both the risk level and the false positive rate. For example, it may be calculated as in Equation 1 below.

<Equation 1> (provided only as an image on the page; not reproduced in the text)

In the above example, since the risk level and the false positive rate each take values from 1 to 5, the reputation score according to Equation 1 ranges from 4 to 100. An IP with a high reputation score is therefore regarded as a high-risk IP. Note the direction of the scale: unlike reputation services in which a higher score means more trustworthy, here a higher score means more malicious.

When the reputation score calculation unit 230 has calculated a reputation score for a packet, the analysis result storage unit 240 stores the calculated score, together with the IP information of that packet, in the reputation information database 283.

The external reputation information collecting unit 250 collects external reputation information through the external reputation information providing server 130 of FIG. 1 (for example, a Symantec blacklist or McAfee IP reputation scores) and stores the collected reputation information in the reputation information database 283. External reputation information may be collected periodically, aperiodically, or at the request of the IP reputation analysis apparatus 120; in the last case, the external reputation information collecting unit 250 transmits an update request for the reputation information database 283 to the external reputation information providing server 130.

When the user terminal 100 or the like requests specific reputation information from the IP reputation analysis apparatus 120, the information request processing unit 270 generates the requested reputation information from the reputation information database 283 in the appropriate form and provides it. An example of a web page form that provides the reputation information is described later with reference to FIGS. 4 to 10.

The TMS log information database 282 obtains from the TMS log, and stores, information such as the dwcode of each detected attack log, its source IP (SIP) and destination IP (DIP), and its detection time.

Hereinafter, a procedure performed in the IP reputation analysis apparatus will be described in detail with reference to FIG. 3.

The IP reputation analysis procedure is as follows.

FIG. 3 is a flowchart illustrating the analysis procedure of an IP reputation analysis apparatus according to an embodiment of the present invention. Referring to FIG. 3, first, a risk level and a false positive rate are set for each signature (S301) and stored in the database.

Packet data on the network is then collected (S302), and each collected packet is checked for code corresponding to a signature stored in the database (S303). If a signature is detected (S304), the risk level and false positive rate mapped to the detected signature are looked up in the database (S305), the reputation score is calculated from that risk level and false positive rate (S306), and the result is mapped to the IP address of the packet and stored in the database (S307).
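The procedure S301 to S307 carried end to end, as an added example that is not the patent's code and does not describe the applicant's product: the five Table 1 rules are loaded as the signature information database with their risk level and false positive rate, constructed ICMP packets are matched against them, a reputation score is computed and stored per source IP, and the per-IP maximum, average and per-attack-type views of FIGS. 4 to 7 are derived from the stored records. Assumptions: Equation 1 appears on the page only as an image, so the score is taken here as 4 × risk × false positive rate, the simplest form that is proportional to both and gives the stated range of 4 to 100; the packet model (IcmpPacket), the Signature and record layout, and the sample traffic on documentation addresses are all constructed for this example; only the Snort rule options itype, icode, content and depth are interpreted.

```python
# Signature-driven IP reputation scoring, steps S301-S307 of FIG. 3. Added example, not the patent's code.
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# S301: signature information database (rows of Table 1) as (sid, Snort-style rule, risk 1..5, fp rate 1..5).
SIGNATURE_DB = [
    (1, 'alert icmp any any -> any any (msg:"icmp router advertisement"; icode:0; itype:9; rev:1;)', 1, 5),
    (2, 'alert icmp any any -> any any (msg:"icmp ping misc dos-ath0 modem disconnect"; icode:0; itype:8; content:"+++ ath0"; rev:1;)', 2, 5),
    (3, 'alert icmp any any -> any any (msg:"icmp ping pinger windows"; itype:8; content:"Data|000000000000000000000000|"; depth:32; rev:1;)', 1, 5),
    (4, 'alert icmp any any -> any any (msg:"icmp ping seer windows"; itype:8; content:"|8804|"; depth:32; rev:1;)', 1, 4),
    (5, 'alert icmp any any -> any any (msg:"icmp ping tjpingpro 1.1 build 2 windows"; itype:8; content:"TJPingPro by Jim"; depth:32; rev:1;)', 2, 5),
]
OPT_RE = re.compile(r'(\w+)\s*:\s*(?:"([^"]*)"|([^;]*?))\s*;')  # key:"quoted"; or key:value;

@dataclass
class Signature:
    sid: int
    msg: str
    risk: int
    fp_rate: int
    itype: Optional[int] = None
    icode: Optional[int] = None
    content: Optional[bytes] = None
    depth: Optional[int] = None

def parse_content(spec: str) -> bytes:
    """Snort content syntax: text inside |...| is hex bytes, the rest is literal."""
    out = b""
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out

def parse_rule(sid, rule, risk, fp_rate) -> Signature:
    # Only the options this example matches on are interpreted: itype, icode, content, depth.
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = {k: (q or v.strip()) for k, q, v in OPT_RE.findall(body)}
    return Signature(
        sid, opts.get("msg", ""), risk, fp_rate,
        itype=int(opts["itype"]) if "itype" in opts else None,
        icode=int(opts["icode"]) if "icode" in opts else None,
        content=parse_content(opts["content"]) if "content" in opts else None,
        depth=int(opts["depth"]) if "depth" in opts else None,
    )

SIGNATURES = [parse_rule(*row) for row in SIGNATURE_DB]

# S302: minimal stand-in for a collected packet (source IP plus the ICMP fields the rules use).
IcmpPacket = namedtuple("IcmpPacket", "src_ip itype icode payload", defaults=[b""])

def matches(sig: Signature, pkt) -> bool:
    """S303: header fields must equal the rule's; content must lie within the first `depth` bytes."""
    if sig.itype is not None and pkt.itype != sig.itype:
        return False
    if sig.icode is not None and pkt.icode != sig.icode:
        return False
    if sig.content is None:
        return True
    window = pkt.payload[:sig.depth] if sig.depth else pkt.payload
    return sig.content in window

def reputation_score(risk: int, fp_rate: int) -> int:
    """S306. Equation 1 is only an image on the page; 4 * risk * fp_rate is an
    ASSUMPTION that is proportional to both and yields the stated range 4..100."""
    return 4 * risk * fp_rate

def analyze(packets, signatures) -> list:
    """S302-S307: returns reputation database records (src_ip, sid, msg, score)."""
    records = []
    for pkt in packets:
        for sig in signatures:
            if matches(sig, pkt):
                records.append((pkt.src_ip, sig.sid, sig.msg, reputation_score(sig.risk, sig.fp_rate)))
    return records

def scores_for(records, src_ip: str) -> list:
    return [s for ip, _, _, s in records if ip == src_ip]

def summary(records, src_ip: str) -> dict:
    """Max and average over the period plus a per-attack-type view (FIGS. 4-7)."""
    scores = scores_for(records, src_ip)
    if not scores:
        return {}
    by_type = {}
    for ip, _, msg, s in records:
        if ip == src_ip:
            by_type[msg] = max(by_type.get(msg, 0), s)
    return {"max": max(scores), "avg": sum(scores) / len(scores), "by_type": by_type}

# Constructed sample traffic on documentation addresses (not real observations).
SAMPLE_PACKETS = [
    IcmpPacket("198.51.100.7", 8, 0, b"TJPingPro by Jim" + bytes(16)),  # rule 5
    IcmpPacket("198.51.100.7", 8, 0, b"+++ ath0"),                       # rule 2
    IcmpPacket("203.0.113.9", 9, 0),                                     # rule 1
    IcmpPacket("203.0.113.9", 8, 0, b"Data" + bytes(12)),                # rule 3
    IcmpPacket("192.0.2.44", 8, 0, b"hello"),                            # benign ping, no rule
]
```

Calling summary(analyze(SAMPLE_PACKETS, SIGNATURES), "198.51.100.7") gives a maximum and average of 40 with both matched attack types listed, while the benign ping from 192.0.2.44 produces no record at all. That last point is the one to keep in mind when reading the stored scores: an IP is scored only when it trips a signature, so the absence of a score is absence of evidence rather than a clean verdict. The depth check also matters: a payload that carries the TJPingPro string only after its 32nd byte does not match rule 5.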

Meanwhile, the embodiments of the present invention may be embodied as program instructions executable by various computer means and recorded on a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions recorded on the medium may be specially designed and constructed for the present invention or may be known to and usable by those skilled in computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tape; optical media such as CD-ROM and DVD; magneto-optical media; and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, and flash memory. Examples of program instructions include not only machine code generated by a compiler but also high-level language code that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

Examples are as follows.

FIGS. 4 and 5 are diagrams showing a reputation value and graph inquiry screen for a specific IP according to an embodiment of the present invention. Referring to FIGS. 4 and 5, the reputation score calculated for a specific IP over a period set by the user may be provided as a graph or a table, and, because the reputation analysis is performed per signature, reputation scores may also be provided by the type of attack associated with that IP. In addition, the average reputation score over the period may be calculated and provided.

FIG. 6 is a view showing a log query screen for a specific attack and IP according to an embodiment of the present invention. Referring to FIG. 6, the log records of a selected IP and a specific attack over a specific period may be provided. In addition, as shown in FIG. 7, a reputation score and graph inquiry screen for each attack type of a specific IP may be provided.

FIG. 8 is a view showing a log query screen for a specific attack according to an embodiment of the present invention, and FIG. 9 is a view showing a log query screen for each attack type of a specific IP according to an embodiment of the present invention.

FIG. 10 is a diagram illustrating the DB information management screen of an interworking TMS according to an embodiment of the present invention. Referring to FIG. 10, a management menu may be provided so that a user can easily manage the database information of the interworking TMS.

As described above, the present invention has been described with reference to specific embodiments, such as specific components. Those skilled in the art may make various modifications and variations from this description.

Accordingly, the spirit of the present invention should not be construed as limited to the embodiments described; the following claims, and all equivalents and equivalent modifications thereof, belong to the scope of the present invention.

100: user terminal 110: Internet network
120, 150: IP reputation analyzer 121: switch
122: router 130: external reputation information providing server
140: malicious domain server 151: TMS
152: TAP 160: Router
161: firewall 162: switch
163: company intranet 210: packet collection unit
220: signature analysis unit 230: reputation score calculation unit
240: analysis result storage unit 250: external reputation information collection unit
260: information update unit 270: information request processing unit
281: Signature Information Database
282: TMS log information database
283: Reputation Information Database

Claims (15)

1. An IP reputation analysis apparatus comprising:
a signature information database which quantifies each of a plurality of signatures suspected of an attack through a network and maps and stores a predetermined risk level and false positive rate for each signature;
a packet collecting unit which collects each packet transmitted on the network;
a signature analysis unit which analyzes each packet collected by the packet collecting unit to determine whether it contains code corresponding to a specific signature stored in advance in the database;
a reputation score calculation unit which, when code corresponding to a specific signature is found as a result of the analysis by the signature analysis unit, reads the risk level and false positive rate information preset for the found signature from the signature information database and calculates a reputation score from the read risk level and false positive rate information; and
an analysis result storage unit which stores the reputation score calculated by the reputation score calculation unit, together with the IP information of the packet, in a reputation information database.
2. The apparatus of claim 1, wherein the reputation score calculation unit calculates the reputation score to be proportional to each of the risk level and the false positive rate.
3. The apparatus of claim 2, wherein the reputation score calculation unit calculates the reputation score by the following equation.
<Equation> (provided only as an image on the page; not reproduced in the text)

4. The apparatus of claim 1, further comprising an external reputation information collecting unit configured to collect external reputation information through an external reputation information providing server and store the collected reputation information in the reputation information database.
5. The apparatus of claim 1, further comprising an information update unit which collects and updates the risk level and false positive rate information of a specific signature stored in the signature information database.
6. The apparatus of claim 1, further comprising an information request processing unit which, when specific reputation information is requested from the IP reputation analysis apparatus, generates the requested reputation information stored in the reputation information database according to a form and provides it.
7. The apparatus of claim 1, wherein the reputation information stored in the reputation information database is transmitted to a user terminal periodically, aperiodically, or at the request of the user terminal.
8. An IP reputation analysis method using an IP reputation analysis apparatus, the method comprising:
quantifying each of a plurality of signatures suspected of an attack through a network and mapping and storing a predetermined risk level and false positive rate for each signature in a signature information database;
collecting, in a packet collecting unit, each packet transmitted on the network;
analyzing, in a signature analysis unit, each packet collected by the packet collecting unit to determine whether it contains code corresponding to a specific signature stored in advance in the database;
when code corresponding to a specific signature is found as a result of the analysis by the signature analysis unit, reading, in a reputation score calculation unit, the risk level and false positive rate information preset for the found signature from the signature information database and calculating a reputation score from the read risk level and false positive rate information; and
storing, in an analysis result storage unit, the reputation score calculated by the reputation score calculation unit, together with the IP information of the packet, in a reputation information database.
9. The method of claim 8, wherein the calculating of the reputation score calculates the reputation score to be proportional to each of the risk level and the false positive rate.
10. The method of claim 9, wherein the calculating of the reputation score calculates the reputation score by the following equation.
<Equation> (provided only as an image on the page; not reproduced in the text)

11. The method of claim 8, further comprising collecting, in an external reputation information collecting unit, external reputation information through an external reputation information providing server and storing the collected reputation information in the reputation information database.
12. The method of claim 8, further comprising collecting and updating, in an information update unit, the risk level and false positive rate information of a specific signature stored in the signature information database.
13. The method of claim 8, further comprising, when specific reputation information is requested from the IP reputation analysis apparatus, generating, in an information request processing unit, the requested reputation information stored in the reputation information database according to a form and providing it.
14. The method of claim 8, further comprising transmitting the reputation information stored in the reputation information database to a user terminal periodically, aperiodically, or at the request of the user terminal.
15. A computer-readable recording medium on which a program for executing the method of any one of claims 8 to 14 is recorded.
KR1020120026384A 2012-03-15 2012-03-15 Apparatus, method and computer readable recording medium for analyzing a reputation of an internet protocol KR20130116418A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020120026384A KR20130116418A (en) 2012-03-15 2012-03-15 Apparatus, method and computer readable recording medium for analyzing a reputation of an internet protocol

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020120026384A KR20130116418A (en) 2012-03-15 2012-03-15 Apparatus, method and computer readable recording medium for analyzing a reputation of an internet protocol

Publications (1)

Publication Number Publication Date
KR20130116418A true KR20130116418A (en) 2013-10-24

Family

ID=49635475

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020120026384A KR20130116418A (en) 2012-03-15 2012-03-15 Apparatus, method and computer readable recording medium for analyzing a reputation of an internet protocol

Country Status (1)

Country Link
KR (1) KR20130116418A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016048543A1 (en) * 2014-09-24 2016-03-31 Mcafee, Inc. Determining the reputation of data
WO2016105850A1 (en) * 2014-12-23 2016-06-30 Mcafee, Inc. Determining a reputation through network characteristics
KR20180024524A (en) * 2016-08-30 2018-03-08 주식회사 윈스 Apparatus and method for blocking using reputation analysys
KR20190048606A (en) * 2017-10-31 2019-05-09 대한민국(국방부 공군참모총장) Realtime Web Attack Detection Method
KR20210022213A (en) * 2019-08-19 2021-03-03 한국전자통신연구원 Apparatus for extracting certificate reputation score and operating method thereof

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016048543A1 (en) * 2014-09-24 2016-03-31 Mcafee, Inc. Determining the reputation of data
US10462156B2 (en) 2014-09-24 2019-10-29 Mcafee, Llc Determining a reputation of data using a data visa
US11627145B2 (en) 2014-09-24 2023-04-11 Mcafee, Llc Determining a reputation of data using a data visa including information indicating a reputation
WO2016105850A1 (en) * 2014-12-23 2016-06-30 Mcafee, Inc. Determining a reputation through network characteristics
US9769186B2 (en) 2014-12-23 2017-09-19 Mcafee, Inc. Determining a reputation through network characteristics
KR20180024524A (en) * 2016-08-30 2018-03-08 주식회사 윈스 Apparatus and method for blocking using reputation analysys
KR20190048606A (en) * 2017-10-31 2019-05-09 대한민국(국방부 공군참모총장) Realtime Web Attack Detection Method
KR20210022213A (en) * 2019-08-19 2021-03-03 한국전자통신연구원 Apparatus for extracting certificate reputation score and operating method thereof

Similar Documents

Publication Publication Date Title
JP6894003B2 (en) Defense against APT attacks
US9769200B2 (en) Method and system for detection of malware that connect to network destinations through cloud scanning and web reputation
US8683585B1 (en) Using file reputations to identify malicious file sources in real time
US9306964B2 (en) Using trust profiles for network breach detection
US10721244B2 (en) Traffic feature information extraction method, traffic feature information extraction device, and traffic feature information extraction program
US9065845B1 (en) Detecting misuse of trusted seals
US8516573B1 (en) Method and apparatus for port scan detection in a network
US8677493B2 (en) Dynamic cleaning for malware using cloud technology
US11882137B2 (en) Network security blacklist derived from honeypot statistics
US7720965B2 (en) Client health validation using historical data
JP2018530066A (en) Security incident detection due to unreliable security events
US20060259967A1 (en) Proactively protecting computers in a networking environment from malware
JP5920169B2 (en) Unauthorized connection detection method, network monitoring apparatus and program
WO2018099206A1 (en) Apt detection method, system, and device
JP2015121968A (en) Log analyzer, log analysis method, and log analysis program
Zhang et al. User intention-based traffic dependence analysis for anomaly detection
JP2012064208A (en) Network virus prevention method and system
CN116860489A (en) System and method for threat risk scoring of security threats
Jiang et al. Novel intrusion prediction mechanism based on honeypot log similarity
KR20130116418A (en) Apparatus, method and computer readable recording medium for analyzing a reputation of an internet protocol
Kim et al. Agent-based honeynet framework for protecting servers in campus networks
US10462158B2 (en) URL selection method, URL selection system, URL selection device, and URL selection program
KR101398740B1 (en) System, method and computer readable recording medium for detecting a malicious domain
Wu et al. A novel approach to trojan horse detection by process tracing
CN108965277B (en) DNS (Domain name System) -based infected host distribution monitoring method and system

Legal Events

Date Code Title Description
A201 Request for examination
N231 Notification of change of applicant
E902 Notification of reason for refusal
E601 Decision to refuse application