KR20140078329A - Method and apparatus for defensing local network attacks - Google Patents


Info

Publication number: KR20140078329A
Application number: KR1020120147589A
Authority: KR (South Korea)
Prior art keywords: network, attack, event, detection sensor, present
Other languages: Korean (ko)
Inventor: 김혁준
Original assignee: (주)나루씨큐리티
Priority date: 2012-12-17 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2012-12-17
Publication date: 2014-06-25
Classifications

    • G06F 11/30 Monitoring (G Physics; G06 Computing, calculating or counting; G06F Electric digital data processing; G06F 11/00 Error detection, error correction, monitoring)
    • G06F 21/55 Detecting local intrusion or implementing counter-measures (G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems)

Abstract

The internal network target attack countermeasure device tracks an attack stage by stage and responds to it, using the ECDMAX stages (Exploit, C2, Download, Lateral Movement, External Network Attack, Exfiltration) recorded in a behavior profile.

Description

METHOD AND APPARATUS FOR DEFENSING LOCAL NETWORK ATTACKS

The present invention relates to an apparatus and method for countering an internal network target attack.

Since 2009, government and the private sector have spent tens of billions of won on DDoS defense systems, and as a result dedicated DDoS equipment is now installed in most government and private organizations. Even so, there are many cases in which this equipment fails to defend a well-equipped organization against an actual attack. The reason is that current defense is centered on the functions of the equipment, which do not respond adequately to evolving attacks such as a new technique or a simple modification of an existing attack. The structure is also one in which large deviations occur. At the same time, demand for security control of the internal network is increasing.

An object of the present invention is to provide an internal network target attack countermeasure apparatus and method.

The internal network target attack countermeasure apparatus according to an embodiment of the present invention tracks attacks stage by stage and responds to them on the basis of the ECDMAX stages (Exploit, C2, Download, Lateral Movement, External Network Attack, Exfiltration) recorded in a behavior profile.

According to an embodiment of the present invention, an attack profile can be tracked on the basis of ECDMAX (Exploit, C2, Download, Lateral Movement, External Network Attack, Exfiltration). A tracking function and a related visualization function can be provided according to the progress state of the attack. In addition, tracking units such as a service, a host, a network, and an institution can be generated, and the degree of linkage between them and the threat situation at each attack stage can be analyzed.

FIG. 1 is a view for explaining a threat analysis method of an internal network target attack countermeasure apparatus according to an embodiment of the present invention.
FIG. 2 is a view for explaining an attack tracking method of an internal network target attack countermeasure apparatus according to an embodiment of the present invention.
FIG. 3 is a configuration diagram of an internal network target attack countermeasure apparatus according to an embodiment of the present invention.
FIG. 4 is a diagram illustrating a detection policy of the countermeasure apparatus according to an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily carry out the present invention. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In order to clearly illustrate the present invention, parts not related to the description are omitted, and similar parts are denoted by like reference characters throughout the specification.

Throughout the specification, when an element is referred to as "comprising" something, it means that it can include other elements as well, without excluding other elements unless specifically stated otherwise.

Next, an internal network target attack countermeasure apparatus and method will be described.

FIG. 1 is a view for explaining a threat analysis method of an internal network target attack countermeasure apparatus according to an embodiment of the present invention.

Referring to FIG. 1, the internal network target attack countermeasure device (hereinafter referred to as the "countermeasure device") determines which events are targets of threat analysis.

Each event is classified according to the information-protection context it carries. Every event includes the host and the service (port) that generated it. The countermeasure device classifies events into trigger events, tracking events, and general events according to this context. Trigger events and tracking events are further divided into several event classes according to the ECDMAX methodology, where ECDMAX stands for Exploit, C2, Download, Lateral Movement, External Network Attack, and Exfiltration.

The countermeasure device tracks malicious activity on the basis of these events; the event classes are listed in Table 1.

[Table 1: supplied as an image (pat00001) in the original; not reproduced here]

Trigger events include, for example:

    • a host sending ICMP echo requests into the internal network more than 12 times in 2 seconds;
    • a host in the internal network sending ICMP unreachable messages more than 3 times in a second;
    • traffic whose addresses are not included in the internal network address range being detected more than 10 times;
    • a request for a service that does not exist on an internal network host;
    • a request or response on an internal network host that violates internal security policy;
    • more than three failed authentication attempts against an internal network host within a minute;
    • an internal network host receiving data periodically through continuous communication with an external host.
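The threshold rules above are sliding-window counters plus one periodicity test. The following is an added example (not code from the patent or its assignee) that implements them over a constructed set of flow records: the thresholds are the ones the text gives, while the internal address range, the asset inventory used for the "non-existent service" rule, the reading of the "addresses outside the internal range" rule as foreign source addresses, the record field names and the beacon tolerance are assumptions. The same window counter covers the SSH policy example the sensor section gives later (five failures in 10 seconds) with different parameters.

```python
"""Trigger-event detection over constructed flow records."""
from collections import defaultdict, deque
import ipaddress

# Assumptions for the example: the internal address range and a small asset
# profile (host -> TCP ports it is known to serve); neither comes from the patent.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ASSET_SERVICES = {"10.0.0.5": {22, 80}, "10.0.0.9": {445}}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


class WindowCounter:
    """Counts events per key inside a sliding window of window_s seconds."""

    def __init__(self, window_s):
        self.window_s = window_s
        self.times = defaultdict(deque)

    def add(self, key, t):
        q = self.times[key]
        q.append(t)
        while q and t - q[0] > self.window_s:
            q.popleft()
        return len(q)


def is_periodic(times, tolerance=0.2):
    """Beacon heuristic (assumed): at least four contacts whose gaps all lie
    within +/- tolerance of the mean gap."""
    if len(times) < 4:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    return mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps)


def detect_triggers(events):
    """events: dicts with t (seconds), src, dst, proto and optional type, dport,
    auth; sorted by t. Each (rule, host, detail) fires once, the first time its
    threshold is exceeded. Thresholds are the ones the description gives."""
    echo, unreach, auth = WindowCounter(2), WindowCounter(1), WindowCounter(60)
    foreign, external = defaultdict(int), defaultdict(list)
    fired, triggers = set(), []

    def fire(rule, host, t, **detail):
        key = (rule, host, tuple(sorted(detail.items())))
        if key not in fired:
            fired.add(key)
            triggers.append({"rule": rule, "host": host, "t": t, **detail})

    for e in events:
        src, dst, t = e["src"], e["dst"], e["t"]
        if e["proto"] == "icmp" and e.get("type") == "echo" and is_internal(dst):
            if echo.add(src, t) > 12:                    # >12 echo requests in 2 s
                fire("icmp_echo_burst", src, t)
        if e["proto"] == "icmp" and e.get("type") == "unreachable":
            if unreach.add(src, t) > 3:                  # >3 unreachable in 1 s
                fire("icmp_unreachable_burst", src, t)
        if not is_internal(src):                         # address outside the internal range
            foreign[src] += 1
            if foreign[src] > 10:                        # observed more than 10 times
                fire("foreign_address_traffic", src, t)
        if "dport" in e and dst in ASSET_SERVICES and e["dport"] not in ASSET_SERVICES[dst]:
            fire("request_to_nonexistent_service", src, t, dst=dst, dport=e["dport"])
        if e.get("auth") == "fail" and is_internal(dst):
            if auth.add((src, dst), t) > 3:              # >3 failures in one minute
                fire("failed_auth_burst", src, t, dst=dst)
        if is_internal(src) and not is_internal(dst):
            external[(src, dst)].append(t)
    for (src, dst), times in external.items():           # periodic contact with an external host
        if is_periodic(times):
            fire("periodic_external_beacon", src, times[-1], dst=dst)
    return triggers


def sample_events():
    """Constructed sample traffic (not real data) exercising each rule."""
    ev = [{"t": 0.1 * i, "src": "10.0.0.7", "dst": f"10.0.0.{20 + i}",
           "proto": "icmp", "type": "echo"} for i in range(14)]           # 14 echoes in 1.3 s
    ev += [{"t": 10 + i, "src": "10.0.0.7", "dst": "10.0.0.5", "proto": "tcp",
            "dport": 22, "auth": "fail"} for i in range(5)]                # 5 failed SSH logins
    ev.append({"t": 20, "src": "10.0.0.7", "dst": "10.0.0.9", "proto": "tcp", "dport": 3389})
    ev += [{"t": 30 + i, "src": "192.0.2.44", "dst": "10.0.0.5", "proto": "tcp",
            "dport": 80} for i in range(11)]                               # 11 packets, foreign source
    ev += [{"t": 50 + 0.1 * i, "src": "10.0.0.9", "dst": "10.0.0.7", "proto": "icmp",
            "type": "unreachable"} for i in range(4)]                      # 4 unreachables in 0.3 s
    ev += [{"t": t, "src": "10.0.0.12", "dst": "203.0.113.7", "proto": "tcp", "dport": 443}
           for t in (100, 161, 219, 280, 340)]                             # ~60 s beacon
    ev += [{"t": t, "src": "10.0.0.12", "dst": "198.51.100.3", "proto": "tcp", "dport": 443}
           for t in (100, 105, 300)]                                       # irregular, not a beacon
    return sorted(ev, key=lambda e: e["t"])
```

Running `detect_triggers(sample_events())` yields one trigger per rule for the constructed data; the `fired` set is what keeps a host that keeps scanning from producing a new trigger on every packet once the threshold is crossed, which is the behaviour you want before these triggers open tracking objects.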

FIG. 2 is a view for explaining an attack tracking method of an internal network target attack countermeasure apparatus according to an embodiment of the present invention.

Referring to FIG. 2, the countermeasure device generates a tracking object. When a trigger event occurs, the device creates a tracking object and builds a behavior profile for the host that generated the event. It then associates subsequent tracking events with the object stage by stage according to ECDMAX (Exploit, C2, Download, Lateral Movement, External Network Attack, Exfiltration). The device can also expand general events into the tracking and aggregate them by tracking unit.

The countermeasure device specifies the tracking unit. Tracking is organized in six stages: Exploit, C2, Download, Lateral Movement, External Network Attack and Exfiltration. The device distinguishes trigger events from tracking events by ECDMAX stage and adds tag information to each occurrence log. It can provide a tracking function and a related visualization function according to the progress of the attack. It generates tracking units such as service, host, network, and institution, and analyzes the degree of linkage between them and the threat situation at each attack stage.
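As an added example (not the patent's or its assignee's code) of the tracking flow in the two paragraphs above: a trigger event opens a tracking object for a host, later events are tagged with their ECDMAX stage and event kind and attached to it, and the objects are rolled up to host, network and institution units with the furthest stage reached as a threat level. The mapping from event class to stage, the set of trigger classes, the network-to-institution inventory and the lookback window used to pull in earlier general events are all assumptions.

```python
"""ECDMAX tracking objects and tracking units."""
from collections import defaultdict
import ipaddress

ECDMAX = ["Exploit", "C2", "Download", "Lateral Movement",
          "External Network Attack", "Exfiltration"]

# Assumed mapping from event class (rule name) to ECDMAX stage, and the subset of
# classes treated as trigger events; neither table is given in the patent.
STAGE_OF = {
    "exploit_signature": "Exploit",
    "periodic_external_beacon": "C2",
    "harmful_domain_connection": "C2",
    "executable_download": "Download",
    "icmp_echo_burst": "Lateral Movement",
    "failed_auth_burst": "Lateral Movement",
    "request_to_nonexistent_service": "Lateral Movement",
    "outbound_scan": "External Network Attack",
    "large_upload_external": "Exfiltration",
}
TRIGGER_RULES = {"icmp_echo_burst", "failed_auth_burst",
                 "periodic_external_beacon", "exploit_signature"}

# Assumed inventory used to roll hosts up to network and institution units.
NETWORKS = {ipaddress.ip_network("10.1.0.0/16"): "branch-A",
            ipaddress.ip_network("10.2.0.0/16"): "branch-B"}


class TrackingObject:
    """Behavior profile of one host, opened by a trigger event."""

    def __init__(self, host, created_at):
        self.host, self.created_at = host, created_at
        self.stages = defaultdict(list)      # ECDMAX stage -> tagged event logs

    def attach(self, event):
        """Tag the event with its stage and event kind and attach it."""
        stage = STAGE_OF.get(event["rule"])
        if stage is None:                    # general event with no ECDMAX meaning
            return None
        kind = "trigger" if event["rule"] in TRIGGER_RULES else "tracking"
        tagged = dict(event, ecdmax=stage, kind=kind)
        self.stages[stage].append(tagged)
        return tagged

    def reached(self):
        """Stages seen so far, in ECDMAX order."""
        return [s for s in ECDMAX if s in self.stages]


def track(events, lookback_s=600):
    """Open a tracking object per host on its first trigger event, then attach
    later events. Earlier general events of that host within lookback_s are
    pulled in when the object opens (the 'expand general events' step; the
    lookback window is an assumption)."""
    objects, pending = {}, defaultdict(list)
    for e in sorted(events, key=lambda x: x["t"]):
        host = e["host"]
        if host in objects:
            objects[host].attach(e)
        elif e["rule"] in TRIGGER_RULES:
            obj = objects[host] = TrackingObject(host, e["t"])
            for p in pending.pop(host, []):
                if e["t"] - p["t"] <= lookback_s:
                    obj.attach(p)
            obj.attach(e)
        else:
            pending[host].append(e)
    return objects


def unit_of(host, level):
    """Map a host to its tracking unit at the given level."""
    addr = ipaddress.ip_address(host)
    net = next((n for n in NETWORKS if addr in n), None)
    return {"host": host,
            "network": str(net) if net else "unknown",
            "institution": NETWORKS.get(net, "unknown")}[level]


def aggregate(objects):
    """Stages reached per unit at host, network and institution level; the
    threat level is the position of the furthest stage reached (1..6)."""
    out = {}
    for level in ("host", "network", "institution"):
        seen = defaultdict(set)
        for host, obj in objects.items():
            seen[unit_of(host, level)].update(obj.reached())
        out[level] = {u: {"stages": [s for s in ECDMAX if s in st],
                          "level": max(ECDMAX.index(s) for s in st) + 1}
                      for u, st in seen.items()}
    return out


def sample_events():
    """Constructed event stream (not real data), already classified by rule."""
    return [
        {"t": 1, "host": "10.1.0.7", "rule": "icmp_echo_burst"},
        {"t": 2, "host": "10.2.0.3", "rule": "executable_download"},        # precedes its trigger
        {"t": 3, "host": "10.2.0.3", "rule": "failed_auth_burst"},
        {"t": 4, "host": "10.2.0.3", "rule": "outbound_scan"},
        {"t": 5, "host": "10.1.0.7", "rule": "executable_download"},
        {"t": 6, "host": "10.2.0.9", "rule": "harmful_domain_connection"},  # no trigger: untracked
        {"t": 9, "host": "10.1.0.7", "rule": "periodic_external_beacon"},
        {"t": 20, "host": "10.1.0.7", "rule": "large_upload_external"},
    ]
```

Note the two edge cases the sample exercises: 10.2.0.3's download arrives before its trigger and is only recovered because of the lookback, and 10.2.0.9 never produces a trigger, so its harmful-domain event stays a general event and opens no tracking object.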

FIG. 3 is a configuration diagram of an internal network target attack countermeasure apparatus according to an embodiment of the present invention.

Referring to FIG. 3, the countermeasure device comprises a detection sensor system that detects attacks in each region, and a central control system that responds to attacks from the center in conjunction with the detection sensor system of each region.

The detection sensor may include a detection sensor module, a collection agent, a detection policy application module, and an asset information profile module.

The detection sensor collects network packets. It applies the security policy issued by the central control device and detects signs of network abnormality. Rather than working packet by packet, it can collect session-based content. It can forcibly bypass policy-violating malicious traffic at the network level. Because the sensor is required to record normal behavior as well as information-protection events, it can record network activity information in general. It collects information across the network stack through comprehensive traffic analysis from Layer 2 to Layer 7 and can perform analysis at the network protocol level. Sensors are installed at multiple locations and transmit the collected information to the central control device, which can check the status of each network detection sensor and control its operation.

The detection sensor can be configured in a passive response mode using a network tap or in an active response mode using a network bridge.

The detection sensor can automatically recognize the network services a host offers, classified by network, by analyzing the traffic of automatically recognized internal assets, without using a host probe.

The detection sensor can identify the operating system of the host that generated a packet by analyzing the characteristics of the packets it sends on the network (passive operating system recognition).

The detection sensor can recognize application information, such as the web browser in use, by analyzing application traffic on the network, which allows content to be separated at the protocol level.

The detection sensor can detect protocol violations in real time, for example unauthorized protocol use on port 80.
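The four sensor capabilities above (service recognition without probing, passive OS recognition, application recognition, and protocol violation on port 80) can all be derived from the same packet stream. The following is an added example (not the patent's or its assignee's code) that does so over constructed packet summaries: a SYN-ACK marks its source as serving that port, a host's TTL class gives a coarse OS guess, an HTTP User-Agent header gives the browser, and a non-HTTP payload sent to TCP port 80 is reported as a violation. The TTL heuristic, the violation categories, the field names and the sample packets are assumptions.

```python
"""Passive asset and application profiling with port-80 protocol checks."""
import re
from collections import defaultdict

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")
UA_RE = re.compile(rb"^User-Agent:[ \t]*([^\r\n]+)", re.M | re.I)


def guess_os(ttl):
    """Coarse OS guess from the observed TTL class (assumed heuristic: initial
    TTLs of 64, 128 and 255 minus a few hops)."""
    for ceiling, name in ((64, "Unix-like"), (128, "Windows-like"), (255, "network device")):
        if ttl <= ceiling:
            return name
    return "unknown"


def is_http_request(payload):
    return payload.startswith(HTTP_METHODS)


def extract_user_agent(payload):
    m = UA_RE.search(payload)
    return m.group(1).decode("ascii", "replace") if m else None


def classify_port80(payload):
    """None for HTTP; otherwise a violation reason (categories are assumed)."""
    if not payload or is_http_request(payload):
        return None
    if payload[:2] == b"\x16\x03":       # TLS record header: TLS on a cleartext port
        return "tls_on_80"
    return "non_http"


def profile(packets):
    """packets: dicts with src, dst, sport, dport, flags, ttl and optional payload.
    Returns services offered per host, an OS guess per host, browsers per client
    and the list of port-80 protocol violations."""
    prof = {"services": defaultdict(set), "os": {},
            "apps": defaultdict(set), "violations": []}
    for p in packets:
        payload = p.get("payload", b"")
        if p.get("flags") == "S":          # client SYN: fingerprint the initiator
            prof["os"].setdefault(p["src"], guess_os(p["ttl"]))
        elif p.get("flags") == "SA":       # server SYN-ACK: the source offers sport
            prof["services"][p["src"]].add(p["sport"])
            prof["os"].setdefault(p["src"], guess_os(p["ttl"]))
        if is_http_request(payload):
            ua = extract_user_agent(payload)
            if ua:
                prof["apps"][p["src"]].add(ua)
        if p["dport"] == 80:
            reason = classify_port80(payload)
            if reason:
                prof["violations"].append(
                    {"src": p["src"], "dst": p["dst"], "reason": reason})
    return prof


def sample_packets():
    """Constructed packet summaries (not a real capture)."""
    ua = b"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"
    return [
        {"src": "10.0.0.7", "dst": "10.0.0.5", "sport": 50001, "dport": 80,
         "flags": "S", "ttl": 127},
        {"src": "10.0.0.5", "dst": "10.0.0.7", "sport": 80, "dport": 50001,
         "flags": "SA", "ttl": 63},
        {"src": "10.0.0.7", "dst": "10.0.0.5", "sport": 50001, "dport": 80,
         "flags": "PA", "ttl": 127,
         "payload": b"GET / HTTP/1.1\r\nHost: intranet\r\nUser-Agent: " + ua + b"\r\n\r\n"},
        {"src": "10.0.0.9", "dst": "10.0.0.7", "sport": 445, "dport": 50002,
         "flags": "SA", "ttl": 63},
        {"src": "10.0.0.8", "dst": "203.0.113.9", "sport": 50003, "dport": 80,
         "flags": "PA", "ttl": 63, "payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"},
        {"src": "10.0.0.8", "dst": "203.0.113.9", "sport": 50004, "dport": 80,
         "flags": "PA", "ttl": 63, "payload": b"NICK bot123\r\nUSER bot 0 * :bot\r\n"},
    ]
```

The two violations in the sample are the ones a port-80 policy is usually written for: TLS tunnelled over a cleartext port and an IRC-style command channel on port 80, both of which a port-number-only policy would pass as web traffic.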

The detection sensor can detect policy violations, for example reporting a policy violation event when five SSH logins fail within 10 seconds.

In the active response mode, where the sensor is configured as a bridge, its malicious-traffic bypass function can divert policy-violating traffic to a device such as an active honeypot, where the behavior can be observed.

The detection sensor can apply signatures of the kind generated by a general intrusion detection device.

The detection sensor can collect communication information between internal assets and aggregate the communication facts between them.

Detection sensors installed at multiple points can download policy from the central control device and apply it in real time, without a separate policy transfer step or an equipment restart.

Each detection sensor can also apply a selective local policy suited to its installation environment through a region-specific policy application and execution function.

The detection sensor can collect logs including traffic information logs, application traffic logs (DNS, HTTP, SSL), abnormal behavior logs, and the like.

The detection module implemented in the central control system, which responds to attacks from the center in conjunction with the detection sensor system of each region, can detect violations of internal control through auditing of DNS queries and control of irregular protocols, and can detect and block external access resulting from intrusion or malicious activity. The countermeasure device can also detect and block attempts at information disclosure and exposure by detecting connections to specific harmful domains and to blacklisted IP addresses.

The detection module's forcible DNS query bypass function can be configured to detect traffic that evades domain-based countermeasures. The detection module can detect protocol violations for key traffic such as HTTP, FTP, IRC, SMTP, SSH, and POP. It can detect the use of an external communication channel (backdoor) after malicious code infection on the basis of the kill chain model, and it can respond at the domain and IP level to traffic that accesses harmful domains.
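As an added example (not the patent's or its assignee's code) of the central checks described in the two paragraphs above: an audit over constructed DNS and connection logs that flags hosts resolving through a resolver other than the sanctioned internal one (which is what forcing DNS through the center is meant to surface), lookups of harmful domains including their subdomains, and connections to blacklisted IPs, then derives the domain-level and IP-level response. The resolver address, the lists, the log formats and the log lines are assumptions.

```python
"""Central detection-module audit of DNS and connection logs."""

# Assumptions for the example: the sanctioned internal resolver, a harmful-domain
# list and an IP blacklist; none of these values come from the patent.
INTERNAL_RESOLVER = "10.0.0.53"
HARMFUL_DOMAINS = {"c2.example", "bad-update.example"}
BLACKLIST_IPS = {"203.0.113.66"}


def domain_and_parents(name):
    """'cdn.c2.example' -> ['cdn.c2.example', 'c2.example', 'example']"""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def matched_harmful(name):
    """The listed domain that covers name (exact or parent), or None."""
    return next((d for d in domain_and_parents(name) if d in HARMFUL_DOMAINS), None)


def audit_dns(lines):
    """Constructed DNS log format: '<t> <client> <resolver> <qname>'.
    Flags clients that bypass the internal resolver and lookups of harmful domains."""
    findings = []
    for line in lines:
        t, client, resolver, qname = line.split()
        if resolver != INTERNAL_RESOLVER:
            findings.append({"t": int(t), "host": client,
                             "type": "external_resolver", "detail": resolver})
        hit = matched_harmful(qname)
        if hit:
            findings.append({"t": int(t), "host": client,
                             "type": "harmful_domain", "detail": hit})
    return findings


def audit_connections(lines):
    """Constructed connection log format: '<t> <src> <dst> <dport>'."""
    return [{"t": int(t), "host": src, "type": "blacklist_ip", "detail": dst}
            for t, src, dst, _port in (line.split() for line in lines)
            if dst in BLACKLIST_IPS]


def respond(findings):
    """Domain- and IP-level response: what to block, and which hosts to review."""
    return {
        "block_domains": {f["detail"] for f in findings if f["type"] == "harmful_domain"},
        "block_ips": {f["detail"] for f in findings if f["type"] == "blacklist_ip"},
        "hosts_to_review": {f["host"] for f in findings},
    }


DNS_LOG = [  # constructed sample lines
    "100 10.0.0.7 10.0.0.53 intranet.example",
    "101 10.0.0.8 8.8.8.8 update.example",
    "102 10.0.0.9 10.0.0.53 cdn.c2.example",
    "103 10.0.0.9 1.1.1.1 C2.example.",
]
CONN_LOG = [  # constructed sample lines
    "110 10.0.0.9 203.0.113.66 443",
    "111 10.0.0.7 198.51.100.20 443",
]
```

Matching on the parent domain is what makes the subdomain lookup `cdn.c2.example` count, and normalising case and the trailing dot keeps `C2.example.` from slipping past an exact-match list.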

FIG. 4 is a diagram illustrating a detection policy of the countermeasure apparatus according to an embodiment of the present invention.

Referring to FIG. 4, the countermeasure device defines all information generated in the network as events that can occur stage by stage. It collects differential information through a horizontal metadata correlation technique, and it can establish a differential, context-based information collection system by linking to the accumulated cyber-threat knowledge system through the large-capacity management module.

The countermeasure device sets up various security topologies for internal control. It monitors the situation specific to each topology and responds to attacks on the various types of network.

Topology | Environment description | Monitoring / direction of audit

[Figure pat00002] | Network separation is ambiguous; local and wide-area access authority share the same structure | Classify and separate the mixed privileges by threat, then configure the sensor network at the logical network gateways of each geographical unit
[Figure pat00003] | The access authority of each regional network is clearly defined, centered on the wide-area network | Threat management of central violations and of infringement/espionage attempts per unit-area network; grant authority explicitly
[Figure pat00004] | Scattered local networks reach the wide-area network through specific technologies (IPsec, VPN, etc.) | Centralized audit must be possible for any unit-area network that wants to access the uppermost area of the wide-area network
[Figure pat00005] | Local authority is mixed, or classified differently | After classifying whether auditing is necessary for the access or network-use band in which local authority is mixed,
[Figure pat00006] | Authority of the upper area over resources in the unit area | Control of the unit area must be auditable from the centralized area regardless of the authority
[Figure pat00007] | Multidimensional wide-area network with mixed access privileges | Centralized auditing must be possible at the same level of the wide-area network regardless of the mixed access rights

As described above, according to an embodiment of the present invention, an attack profile can be tracked on the basis of ECDMAX (Exploit, C2, Download, Lateral Movement, External Network Attack, Exfiltration). A tracking function and a related visualization function can be provided according to the progress state of the attack. In addition, tracking units such as a service, a host, a network, and an institution can be generated, and the degree of linkage between them and the threat situation at each attack stage can be analyzed.

The embodiments of the present invention described above are not implemented only by the apparatus and method, but may be implemented through a program for realizing the function corresponding to the configuration of the embodiment of the present invention or a recording medium on which the program is recorded.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, It belongs to the scope of right.

Claims (1)

A device that responds to internal network target attacks by tracking attacks in stages based on ECDMAX (Exploit, C2, Download, Lateral Movement, External Network Attack, and Exfiltration).

Priority application

Application number: KR1020120147589A, priority date 2012-12-17, filing date 2012-12-17, "Method and apparatus for defensing local network attacks"

Publication

KR20140078329A, published 2014-06-25

Family

ID 51129965; one family application, KR1020120147589A; country status: KR only (KR20140078329A)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN105530243A * | 2015-12-03 | 2016-04-27 | 中国南方电网有限责任公司信息中心 | Realizing method of network attack event quantitative hierarchical algorithm
CN105530243B * | 2015-12-03 | 2016-11-16 | 中国南方电网有限责任公司信息中心 | A kind of implementation method of assault quantitative classification algorithm
KR102002560B1 | 2019-01-09 | 2019-10-01 | 엘에스웨어(주) | Artificial intelligence based target account reconnaissance behavior detection apparatus
KR102018348B1 | 2019-03-06 | 2019-09-05 | 엘에스웨어(주) | User behavior analysis based target account exploit detection apparatus
CN114363023A * | 2021-12-23 | 2022-04-15 | 国家电网有限公司 | Method and system for implementing Web safety protection system and adjusting and optimizing strategy


Legal Events

Code | Title
WITN | Withdrawal due to no request for examination