KR20140077405A - Method and apparatus for detecting cyber target attack - Google Patents
- Publication number: KR20140077405A (application KR1020120146176A)
- Authority: KR (South Korea)
- Prior art keywords: information, genetic information, cyber, attack, time
Classifications
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F9/00—Arrangements for program control, e.g. control units > G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs > G06F9/30—Arrangements for executing machine instructions, e.g. instruction decode
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Because cyber-target attacks exploit unknown vulnerabilities, the signature-based detection of existing security systems cannot defend against them. Also, since the attacker proceeds very slowly over a long period of time so that systems detecting abnormal traffic are not triggered, the compromised system does not recognize the damage. The present invention provides a technique for detecting a cyber-target attack that exploits an unknown vulnerability over a long period of time: information is received from various sources of the information system and stored, and the stored information is used to detect attacking behavior.
Description
The present invention relates to a cyber attack detection technology, and more particularly, to a cyber attack detection device and method suitable for detecting a target attack that attacks a major information system of a corporation or a public institution for a long period of time.
Cyber-targeted attacks are characterized by attacking systems using security vulnerabilities not yet known to the manufacturer or security company, and by attacking key information systems of enterprises or public institutions quietly and over a long period of time.
Because these attacks exploit unknown vulnerabilities, the signature-based detection of existing security systems cannot defend against them. Also, since the attacker proceeds very slowly over a long period of time so that systems detecting abnormal traffic are not triggered, the compromised system does not recognize the damage.
The present invention provides a technique for detecting a cyber-target attack that attacks over a long period of time using an unknown vulnerability.
Specifically, the present invention provides a technique for detecting attacking behavior by inputting and storing information from various sources of an information system, comparing the stored information with previously stored normal behavior, and evaluating their similarity.
According to an embodiment of the present invention, there is provided an information processing method including: collecting information sources for a predetermined period of time; classifying genetic information from the collected information sources; comparing the classified genetic information with predetermined genetic information; and generating an abnormal behavior detection alarm when the classified genetic information and the predetermined genetic information do not coincide with each other.
The present invention introduces the concept of cyber-genetic information to detect cyber-target attacks that exploit unknown vulnerabilities over a long period of time. Attacks can be detected by detecting abnormal behavior through profiling of cyber-genetic information from logs collected from various sources over a long period of time. In addition, with the concept of evolution, genetic information develops into a more complex form, which enables more sophisticated detection.
FIG. 1 is a block diagram of a cyber attack detection apparatus according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating an exemplary cyber attack detection method according to an embodiment of the present invention;
FIG. 3 is an exemplary illustration of cyber-genetic information that may be applied to embodiments of the present invention;
FIG. 4 is a diagram illustrating an evolution form of the cyber-genetic information of FIG. 3.
BRIEF DESCRIPTION OF THE DRAWINGS
The advantages and features of the present invention and the manner of achieving them will become apparent with reference to the embodiments described in detail below together with the accompanying drawings. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the scope of the invention to those skilled in the art; the invention is defined only by the scope of the claims. Like numbers refer to like elements throughout.
In the following description of the present invention, detailed descriptions of known functions and configurations incorporated herein are omitted where they would make the subject matter of the present invention unclear. The following terms are defined in consideration of their functions in the embodiments of the present invention and may vary with the intention or customs of users or operators; their definitions should therefore be based on the contents of this entire specification.
Each block of the accompanying block diagrams and each combination of steps of the flowchart may be performed by computer program instructions. These computer program instructions may be loaded into a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, so that the instructions executed by the processor of the computer or other programmable data processing apparatus create means for performing the functions described in each block of the block diagram or each step of the flowchart. These computer program instructions may also be stored in a computer usable or computer readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, so that the instructions stored in the computer usable or computer readable memory produce an article of manufacture containing instruction means for performing the functions described in each block of the block diagram or each step of the flowchart. The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus so that a series of operational steps is performed on the computer or other programmable data processing apparatus to produce a computer-implemented process, so that the instructions executed on the computer or other programmable data processing apparatus provide steps for performing the functions described in each block of the block diagram and each step of the flowchart.
Also, each block or each step may represent a module, segment, or portion of code that includes one or more executable instructions for executing the specified logical function(s). It should also be noted that in some alternative embodiments, the functions mentioned in the blocks or steps may occur out of order. For example, two blocks or steps shown in succession may in fact be performed substantially concurrently, or the blocks or steps may sometimes be performed in reverse order depending on the corresponding function.
A target attack is carried out using a zero-day vulnerability or a vulnerability not recognized by the manufacturer, so it cannot be defended against by a security system that detects attacks with signature patterns of malicious code. In addition, such an attack is executed quietly over a long period of time so as not to generate abnormal traffic, which makes it difficult to detect.
In the present invention, the concept of cyber-genetic information is introduced to detect a cyber-target attack that exploits an unknown vulnerability over a long period of time, and abnormal behavior is detected through profiling of cyber-genetic information from logs collected from various sources over a long period of time. The object of the present invention can readily be attained from this technical idea.
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
FIG. 1 is a schematic block diagram of a cyber attack detecting apparatus according to an embodiment of the present invention, and may include an information source collecting unit 100, a
As shown in FIG. 1, the information source collecting unit 100 may perform a role of collecting information sources for a long period of time.
At this time, the information sources may include various sources for detecting a target attack, such as a network router log, a database log, PC event information, smartphone access record information, an enterprise information system log, e-mail, or the like. Detecting a target attack using such information sources is one of the features of an embodiment of the present invention, in contrast to the conventional technique of recognizing an attack using only a network log.
The
The abnormal behavior detection unit 104 according to an embodiment of the present invention compares the genetic information classified in the
Hereinafter, a cyber attack detection method according to an embodiment of the present invention will be described in detail with reference to the flowchart of FIG. 2 together with the above-described configuration.
As shown in FIG. 2, the information source collecting unit 100 may collect information sources such as a network router log, a database log, PC event information, smartphone access record information, a company information system log, and e-mail for a predetermined period of time (S100).
The
At this time, the genetic information is cyber-genetic information for distinguishing normal actions from attacking actions, and can be defined as a series of actions performed by one subject in the information system. For example, the series of processes in which a person in charge of an information system boots and logs in to a personal PC, checks e-mail, and processes an electronic approval forwarded to that person constitutes one item of cyber-genetic information.
FIG. 3 exemplarily shows such cyber-genetic information. Cyber-genetic information can be composed of elements and chains.
An element can refer to a cyber behavior in genetic information, and a chain can refer to a relationship between an element and an element.
The following [Table 1] shows the genetic information and corresponding profiles.
As shown in [Table 1], the profiling is performed periodically, thereby detecting abnormal behavior that does not fit existing genetic information.
In step S104 of FIG. 2, the abnormal behavior detection unit 104 may compare the genetic information classified through the
If the classified genetic information does not match the predetermined genetic information, the abnormal behavior detection unit 104 may generate an abnormal behavior detection notification (S108). The abnormal behavior detection notification may be a process of notifying the security officer of the abnormal behavior detection through a separate alarm system (not shown).
On the other hand, if the classified genetic information and the predetermined genetic information match each other, the normal behavior can be recorded (S112).
Meanwhile, in an embodiment of the present invention, an abnormal behavior may be performed repeatedly; in this case it may be accepted as evolution and recorded as a normal behavior. For example, an electronic approval item may be added to the genetic information of FIG. 3, or a database log containing detailed information may be included.
The evolution of the genetic information may be complex, as illustrated in the form shown in FIG. 4.
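The collection, classification, comparison, alarm and evolution steps described above (S100 to S112 and the evolution case), as an added example in Python that is not the patent's own code. A gene is the ordered tuple of (source, action) elements one subject produced in a collection period, chains are the pairs of consecutive elements, and genes are compared to predetermined profiles by the Jaccard overlap of their chain sets (an assumed metric; the default threshold 1.0 reproduces the claim's "do not coincide" rule). The sample log entries, the known profile and the evolution count `evolve_after` are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample log entries (subject, source, action) in time order:
# alice follows the FIG. 3 routine, bob's session deviates from it.
SAMPLE_LOGS = [
    ("alice", "pc_event", "boot"), ("alice", "pc_event", "login"),
    ("alice", "mail", "read_mail"), ("alice", "erp", "process_approval"),
    ("bob", "pc_event", "boot"), ("bob", "pc_event", "login"),
    ("bob", "db", "dump_table"), ("bob", "mail", "send_mail"),
]
# Predetermined normal gene, an assumed profile modelled on the FIG. 3 example.
KNOWN_PROFILES = [
    (("pc_event", "boot"), ("pc_event", "login"),
     ("mail", "read_mail"), ("erp", "process_approval")),
]

def classify_genes(logs):
    """S102: build one gene per subject, the ordered tuple of its elements."""
    per_subject = defaultdict(list)
    for subject, source, action in logs:
        per_subject[subject].append((source, action))
    return {s: tuple(elems) for s, elems in per_subject.items()}

def chains(gene):
    """Chains are the relations between consecutive elements of a gene."""
    return set(zip(gene, gene[1:]))

def similarity(gene_a, gene_b):
    """Jaccard overlap of the two genes' chain sets (assumed metric)."""
    ca, cb = chains(gene_a), chains(gene_b)
    if not ca and not cb:          # single-element genes have no chains
        return 1.0 if gene_a == gene_b else 0.0
    return len(ca & cb) / len(ca | cb)

class GeneProfiler:
    """S104-S112 plus evolution. evolve_after is an assumed threshold: the
    patent accepts repeated abnormal behaviour as evolution but gives no count."""
    def __init__(self, known_genes, match_threshold=1.0, evolve_after=3):
        self.known = list(known_genes)
        self.match_threshold = match_threshold  # 1.0: chains must coincide
        self.evolve_after = evolve_after
        self.abnormal_counts = Counter()
        self.alarms, self.normal_log = [], []

    def check(self, subject, gene):
        best = max((similarity(gene, k) for k in self.known), default=0.0)
        if best >= self.match_threshold:
            self.normal_log.append((subject, gene))  # S112: record as normal
            return "normal"
        self.abnormal_counts[gene] += 1
        if self.abnormal_counts[gene] >= self.evolve_after:
            self.known.append(gene)                  # accepted as evolution
            return "evolved"
        self.alarms.append((subject, gene))          # S108: raise the alarm
        return "alarm"

    def run_period(self, logs):
        """One collection period (S100): verdict per subject."""
        return {s: self.check(s, g) for s, g in classify_genes(logs).items()}
```

With this rule a sequence that keeps recurring becomes a known profile after `evolve_after` periods whether it is benign or not, so in practice the evolved genes should be shown to the security officer for review rather than trusted silently.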
According to the embodiment of the present invention described above, the concept of cyber-genetic information is introduced to detect a cyber-target attack that exploits an unknown vulnerability over a long period of time. The cyber-genetic information is profiled from logs collected from various sources over a long period of time, and can be used to detect anomalous activity and thereby detect attacks. With the concept of evolution, genetic information develops into a more complex form, which enables more sophisticated detection.
100: information source collecting unit
102: profiling unit
104: abnormal behavior detection unit
Claims (1)
classifying genetic information from the collected information source;
comparing the classified genetic information with predetermined genetic information; and
generating an abnormal behavior detection alarm when the classified genetic information and the predetermined genetic information do not coincide with each other,
a cyber attack detection method.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020120146176A KR20140077405A (en) | 2012-12-14 | 2012-12-14 | Method and apparatus for detecting cyber target attack |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020120146176A KR20140077405A (en) | 2012-12-14 | 2012-12-14 | Method and apparatus for detecting cyber target attack |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20140077405A true KR20140077405A (en) | 2014-06-24 |
Family
ID=51129347
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020120146176A KR20140077405A (en) | 2012-12-14 | 2012-12-14 | Method and apparatus for detecting cyber target attack |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR20140077405A (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR102120214B1 (en) | 2019-11-15 | 2020-06-08 | (주)유엠로직스 | Cyber targeted attack detect system and method using ensemble learning |
KR102120232B1 (en) | 2019-11-04 | 2020-06-16 | (주)유엠로직스 | Cyber targeted attack detect system and method using kalman-filter algorithm |
KR20210064848A (en) | 2019-11-26 | 2021-06-03 | 한전케이디엔주식회사 | System and method for security management based artificial intelligence using federated learning |
KR20220069544A (en) | 2020-11-20 | 2022-05-27 | (주)유엠로직스 | Explainable advanced persistent threat detect system and method using multiple machine learning |
KR20220072939A (en) | 2020-11-25 | 2022-06-03 | (주)유엠로직스 | Social advanced persistent threat prediction system and method using time-series learning-type ensemble AI techniques |
- 2012-12-14: KR application KR1020120146176A filed (publication KR20140077405A); status: not active, application discontinuation
Legal Events
Date | Code | Title | Description |
---|---|---|---|
WITN | Withdrawal due to no request for examination |