KR20140077405A - Method and apparatus for detecting cyber target attack - Google Patents


Info

Publication number
KR20140077405A
Authority
KR
South Korea
Prior art keywords
information
genetic information
cyber
attack
time
Prior art date
Application number
KR1020120146176A
Other languages
Korean (ko)
Inventor
김태성
최두호
Original Assignee
한국전자통신연구원
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 한국전자통신연구원
Priority to KR1020120146176A
Publication of KR20140077405A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/30 Arrangements for executing machine instructions, e.g. instruction decode

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Because cyber-target attacks exploit unknown vulnerabilities, the signature-based detection of existing security systems cannot defend against them. Also, because the attacker proceeds very slowly over a long period of time so as not to trigger the system that detects abnormal traffic, the compromised system does not recognize the damage. The present invention provides a technique for detecting a cyber-target attack that exploits an unknown vulnerability over a long period of time: information is received from various sources of the information system and stored, the stored information is compared with previously stored normal behavior, and attacking behavior is detected from that comparison.

Description

BACKGROUND OF THE INVENTION

1. Field of the Invention

[0001] The present invention relates to a cyber attack detection technology, and more particularly, to a cyber attack detection device and method suitable for detecting a target attack that attacks a major information system of a corporation or a public institution over a long period of time.

Cyber-targeted attacks are characterized by attacking systems using security vulnerabilities not yet known to the manufacturer or security company, and by attacking key information systems of enterprises or public institutions quietly and over a long period of time.

Because these attacks exploit unknown vulnerabilities, the signature-based detection of existing security systems cannot defend against them. Also, because the attacker proceeds very slowly over a long period of time so as not to trigger the system that detects abnormal traffic, the compromised system does not recognize the damage.

Korean Patent Laid-Open No. 2009-0084530, a method for real-time detection and blocking of a vulnerability exploit code using a script language, and a device thereof, 2009.08.05

The present invention provides a technique for detecting a cyber-target attack that attacks over a long period of time using an unknown vulnerability.

Specifically, the present invention provides a technique for detecting attacking behavior by inputting and storing information from various sources of an information system, comparing the stored information with previously stored normal behavior, and judging from the similarity found in that comparison.

According to an embodiment of the present invention, there is provided an information processing method including collecting information sources for a predetermined period of time, classifying genetic information from the collected information sources, comparing the classified genetic information with predetermined genetic information, and generating an abnormal behavior detection alarm when the classified genetic information and the predetermined genetic information do not coincide with each other.

The present invention introduces the concept of cyber-genetic information to detect cyber-target attacks that attack unknown vulnerabilities for a long period of time. Attacks can be detected by detecting abnormal behavior through profiling of cyber-genetic information from logs collected from various sources for a long period of time. In addition, genetic information evolves into a complex form with the concept of evolution, which enables more sophisticated detection.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a cyber attack detection apparatus according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating an exemplary cyber attack detection method according to an embodiment of the present invention;
FIG. 3 is an exemplary illustration of cyber-genetic information that may be applied to embodiments of the present invention;
FIG. 4 is a diagram illustrating an evolution form of the cyber genetic information of FIG. 3.

The advantages and features of the present invention and the manner of achieving them will become apparent with reference to the embodiments described in detail below with reference to the accompanying drawings. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the scope of the invention to those skilled in the art; the invention is defined only by the scope of the claims. Like numbers refer to like elements throughout.

In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear. The following terms are defined in consideration of the functions in the embodiments of the present invention, which may vary depending on the intention of the user, the intention or the custom of the operator. Therefore, the definition should be based on the contents throughout this specification.

Each block of the accompanying block diagram, and each combination of steps in the flowchart, may be performed by computer program instructions. These computer program instructions may be loaded into a processor of a general-purpose computer, special-purpose computer, or other programmable data processing apparatus, so that the instructions executed by that processor create means for performing the functions described in each block or step. These computer program instructions may also be stored in a computer-usable or computer-readable memory that can direct a computer or other programmable data processing apparatus to implement the functionality in a particular manner, so that the instructions stored in that memory produce an article of manufacture containing instruction means for performing the functions described in each block of the block diagram or step of the flowchart. The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus so that a series of operational steps is performed on it to produce a computer-implemented process, so that the instructions executed on the apparatus provide steps for performing the functions described in each block of the block diagram and each step of the flowchart.

Also, each block or each step may represent a module, segment, or portion of code that includes one or more executable instructions for executing the specified logical function (s). It should also be noted that in some alternative embodiments, the functions mentioned in the blocks or steps may occur out of order. For example, two blocks or steps shown in succession may in fact be performed substantially concurrently, or the blocks or steps may sometimes be performed in reverse order according to the corresponding function.

A target attack exploits a zero-day vulnerability, or a vulnerability not yet recognized by the manufacturer, so it cannot be defended against by a security system that detects attacks from the signature patterns of malicious code. In addition, such attacks are difficult to detect because they are carried out quietly over a long period of time so as not to generate abnormal traffic.

In the present invention, the concept of cyber-genetic information is introduced to detect a cyber-target attack that exploits an unknown vulnerability over a long period of time, and abnormal behavior is detected by profiling cyber-genetic information from logs collected from various sources over a long period of time. The object of the present invention can readily be attained from this technical idea.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

FIG. 1 is a schematic block diagram of a cyber attack detecting apparatus according to an embodiment of the present invention, and may include an information source collecting unit 100, a profiling unit 102, an abnormal behavior detecting unit 104, and the like.

As shown in FIG. 1, the information source collecting unit 100 may perform a role of collecting information sources for a long period of time.

At this time, the information sources may include various sources for detecting a target attack, such as a network router log, a database log, PC event information, smartphone access record information, an enterprise information system log, e-mail, and the like. Detecting a target attack using such information sources is one of the features of an embodiment of the present invention, in contrast with the conventional technique of recognizing an attack using only a network log.

The profiling unit 102 may serve to classify the genetic information from the information source collected through the information source collecting unit 100. Classifying genetic information can be called profiling.

The abnormal behavior detection unit 104 according to an embodiment of the present invention compares the genetic information classified by the profiling unit 102 with preset genetic information and, when the classified genetic information does not coincide with the preset genetic information, detects an abnormal behavior. If an abnormal behavior is detected, the security officer can be notified of the detection through a separate alarm system (not shown).

Hereinafter, a cyber attack detection method according to an embodiment of the present invention will be described in detail with reference to the flowchart of FIG. 2 together with the above-described configuration.

Referring to FIG. 2, the information source collecting unit 100 may collect information sources such as a network router log, a database log, PC event information, smartphone access record information, a company information system log, and e-mail for a predetermined period of time (S100).

The profiling unit 102 may classify the genetic information from the information sources thus collected (S102). Classifying genetic information can be called profiling.

At this time, the genetic information is cyber genetic information for distinguishing normal action from attacking action, and can be defined as a series of actions performed by one subject in the information system. For example, a series of processes such as the person in charge of an information system booting and logging in to a personal PC, checking e-mail, and processing an electronic approval passed to that person is one piece of cyber genetic information.

FIG. 3 exemplarily shows such cyber-genetic information. Cyber-genetic information can be composed of elements and chains.

An element can refer to a cyber behavior in genetic information, and a chain can refer to a relationship between an element and an element.

The following [Table 1] shows the genetic information and corresponding profiles.

[Table 1]

Genetic information                     Profile
Element: Login, 09:00 ~ 09:10           hong (user), 20120928 09:05:43, Login
Element: Reading mail, 09:08 ~ 09:30    etri/hong (account), mail, 20120928 09:06:04, read
                                        etri/hong (account), mail, 20120928 09:06:34, read
Chain: same IP                          129.254.185.131 (IP address)

As shown in [Table 1], the profiling is performed periodically, thereby detecting abnormal behavior that does not fit existing genetic information.

In step S104 of FIG. 2, the abnormal behavior detection unit 104 may compare the genetic information classified through the profiling unit 102 with predetermined genetic information.

If the classified genetic information does not match the predetermined genetic information, the abnormal behavior detection unit 104 may generate an abnormal behavior detection notification (S108). The abnormal behavior detection notification may be a process of notifying the security officer of the abnormal behavior detection through a separate alarm system (not shown).

On the other hand, if the classified genetic information and the predetermined genetic information match each other, the normal behavior can be recorded (S112).

Meanwhile, in the embodiment of the present invention, the abnormal behavior may be performed repeatedly; this case may be accepted as evolution and recorded as normal behavior. For example, an electronic approval item may be added to the genetic information of FIG. 3, or a database log in which detailed information can be included may be added.

The evolution of the genetic information may be complex and may be illustrated in the form of FIG.
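The S100 to S112 procedure above, together with the element/chain profile of [Table 1], as an added Python example that is not part of the patent: the log records, the per-behavior time windows, the `same_ip` chain test and the evolution threshold of three recurrences are constructed assumptions, not values from the patent.

```python
from collections import Counter, namedtuple

# Expected time window per behavior, taken from the patent's Table 1.
WINDOWS = {"login": ("09:00", "09:10"), "read_mail": ("09:08", "09:30")}
Element = namedtuple("Element", "action window")         # one cyber behavior + its window
Gene = namedtuple("Gene", "elements chain")              # ordered Elements + their relationship
Record = namedtuple("Record", "subject ip time action")  # one constructed log record


def classify(action, hhmmss):
    """Map one log record to an Element: inside its expected window or 'outside'."""
    span = WINDOWS.get(action)
    if span and span[0] <= hhmmss[:5] <= span[1]:
        return Element(action, f"{span[0]}-{span[1]}")
    return Element(action, "outside")


def profile(records):
    """S102: one Gene per subject; consecutive identical behaviors collapse into one Element."""
    by_subject = {}
    for r in sorted(records, key=lambda r: r.time):
        by_subject.setdefault(r.subject, []).append(r)
    genes = {}
    for subject, recs in by_subject.items():
        elements = []
        for r in recs:
            e = classify(r.action, r.time)
            if not elements or elements[-1] != e:
                elements.append(e)
        chain = "same_ip" if len({r.ip for r in recs}) == 1 else "mixed_ip"
        genes[subject] = Gene(tuple(elements), chain)
    return genes


class Detector:
    """S104-S112 plus the evolution rule: an anomaly recurring often enough becomes normal."""
    def __init__(self, known, evolve_after=3):
        self.known = set(known)       # predetermined genetic information
        self.evolve_after = evolve_after
        self.seen = Counter()         # recurrence count of each unknown Gene
        self.normal_log = []          # S112: record of normal behavior

    def check(self, subject, gene):
        if gene in self.known:
            self.normal_log.append((subject, gene))
            return "normal"
        self.seen[gene] += 1
        if self.seen[gene] >= self.evolve_after:
            self.known.add(gene)      # accepted as evolution of the Gene
            return "evolved"
        return "alarm"                # S108: abnormal behavior detection alarm


# Constructed records (RFC 5737 addresses); DAY1 mirrors the shape of Table 1.
DAY1 = [Record("hong", "192.0.2.10", "09:05:43", "login"),
        Record("hong", "192.0.2.10", "09:08:30", "read_mail"),
        Record("hong", "192.0.2.10", "09:09:10", "read_mail")]
DAY2 = [Record("hong", "198.51.100.7", "02:13:10", "login"),
        Record("hong", "198.51.100.7", "02:14:02", "read_mail")]
DAY3 = DAY1 + [Record("hong", "192.0.2.10", "09:12:00", "approval")]


def run_demo():
    """Baseline from DAY1, then verdicts for DAY1, DAY2 and four repeats of DAY3."""
    det = Detector(profile(DAY1).values())
    verdicts = [det.check("hong", profile(DAY1)["hong"]),
                det.check("hong", profile(DAY2)["hong"])]
    for _ in range(4):
        verdicts.append(det.check("hong", profile(DAY3)["hong"]))
    return verdicts  # ['normal', 'alarm', 'alarm', 'alarm', 'evolved', 'normal']
```

The off-hours login from a different address is flagged on the first sighting, while the added approval step is flagged twice and then absorbed into the known genetic information, which is the evolution behavior the text describes.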

According to the embodiment of the present invention described above, the concept of cyber genetic information is introduced to detect a cyber target attack that exploits an unknown vulnerability over a long period of time. Cyber genetic information is profiled from logs collected from various sources over a long period of time and can be used to detect anomalous activity and thereby detect attacks. Genetic information develops into a complex form through the concept of evolution, which enables more sophisticated detection.

100: Information source collecting unit
102: Profiling section
104: abnormal behavior detector

Claims (1)

1. A cyber attack detection method comprising:
collecting information sources for a predetermined period of time;
classifying genetic information from the collected information sources;
comparing the classified genetic information with predetermined genetic information; and
generating an abnormal behavior detection alarm when the classified genetic information and the predetermined genetic information do not coincide with each other.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020120146176A KR20140077405A (en) 2012-12-14 2012-12-14 Method and apparatus for detecting cyber target attack


Publications (1)

Publication Number Publication Date
KR20140077405A true KR20140077405A (en) 2014-06-24

Family

ID=51129347


Country Status (1)

Country Link
KR (1) KR20140077405A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102120214B1 (en) 2019-11-15 2020-06-08 (주)유엠로직스 Cyber targeted attack detect system and method using ensemble learning
KR102120232B1 (en) 2019-11-04 2020-06-16 (주)유엠로직스 Cyber targeted attack detect system and method using kalman-filter algorithm
KR20210064848A (en) 2019-11-26 2021-06-03 한전케이디엔주식회사 System and method for security management based artificial intelligence using federated learning
KR20220069544A (en) 2020-11-20 2022-05-27 (주)유엠로직스 Explainable advanced persistent threat detect system and method using multiple machine learning
KR20220072939A (en) 2020-11-25 2022-06-03 (주)유엠로직스 Social advanced persistent threat prediction system and method using time-series learning-type ensemble AI techniques


Legal Events

Date Code Title Description
WITN Withdrawal due to no request for examination