KR20170046102A - System and method for improvement invasion detection - Google Patents

Abstract

The present invention relates to a system and a method for improvement of false detection in intrusion detection. According to the present invention, the system comprises: a vulnerability scanner checking vulnerability of at least one asset to be protected, and transmitting check result information and vulnerability information to a threat detection system; an intrusion blocking system for transmitting approval information and blocking information for protection of an internal network from the outside to the threat detection system; the intrusion detection system for detecting an external attack based on a signature, and transmitting an intrusion detection event to the threat detection system; and the threat detection system for collecting log information from the vulnerability scanner, the intrusion blocking system, and the intrusion detection system and updating at least one of an object to be checked, a correlation analysis scenario, and a detection rule.

Description

SYSTEM AND METHOD FOR IMPROVEMENT INVASION DETECTION FIELD OF THE INVENTION [0001]

The present invention relates to a system and method for improving intrusion detection false positives, and more particularly, to a system and method for improving intrusion detection false positives, And a system and method for improving detection false positives.

As the rapid spread of computers and the use of the Internet become common, security issues become more important as the service spreads over the Internet. In order to solve these security problems, an intrusion detection system or an intrusion prevention system for harmful traffic has been developed. Intrusion Prevention / Intrusion Prevention System is a system that can effectively prevent and block electronic intrusion. It is installed at a connection point between a subscriber network and a public network, or inside a subscriber network, .

The intrusion detection system can detect threats and attacks managed by the IDS regardless of the vulnerability of the individual assets constituting the network when attacking the network asset. Attack information, and the risk information of the attack specified by the user. This creates a large number of alarms or logs for intrusion attempts that are not relevant to the network assets being managed or that do not pose a threat to the assets (such as if they have been patched or upgraded already). This is called "false positive." Due to the high number of false positives, it increases the burden on the personnel who operate the network and also causes a lot of trouble in coping with security incidents.

In addition, the intrusion detection system builds a database of threat patterns based on a list of vulnerabilities provided by CVE lists (Common Vulnerabilities and Express List) and a list of threats related to vulnerabilities provided by CERT, And generates a warning and an alarm when the traffic corresponding to the threat pattern is generated, thereby notifying the threat.

For information, the information assets on the network have known / unknown software vulnerabilities. These vulnerabilities are typically managed by the National Institute of Security Technology (NIST) in the form of a Meta DB called ICAT. Is again processed into a refined form DB assigned with Common Vulnerability and Exposure (CVE) ID, and N (Network) -IDS or VAS vendors build DBs of related systems using these DBs and various known vulnerability information. The intrusion detection system detects a cyber attack based on the DB-based signature.

Since these intrusion detection systems determine performance by determining how many intrusions can be detected and how accurately they can detect intrusions, the probability of false positives (false positives) increases with increasing threat list and vulnerability list There is a problem.

Due to the above problem, in the network of the Internet communication service provider, there are too many results detected in the intrusion detection system, so that it is difficult to perform the analysis, and it is difficult to distinguish between the false detection and the accurate detection, so that it is difficult to operate the intrusion detection system.

In addition, intrusion detection system analyzes internal incoming traffic by using pattern matching method (signature) and threshold value, but it detects undetected traffic such as hackers and new exploits or encryption (including encapsulation) There is no problem.

Also, the intrusion detection system has a drawback in that it can not detect the vulnerability if traffic is not generated even if there is a vulnerability inside.

Prior Art 1: Korean Patent No. 1,092,024: Diagnosis of Real-Time Vulnerability of Web Services and Providing Result Information Service System

SUMMARY OF THE INVENTION It is an object of the present invention to provide a system and method for improving intrusion detection false positives that can reduce a false detection probability of an intrusion detection system.

It is another object of the present invention to provide a system and method for improving an intrusion detection falsehood in which an intrusion detection system can detect an internal vulnerability even when external attack traffic does not occur.

It is still another object of the present invention to provide a system for improving intrusion detection falsehood that can generate an IDS signature based on an internal vulnerability even if there is no external attack by automatically updating the detection rule of the intrusion detection system, And a method.

Yet another object of the present invention is to provide a system and method for intrusion detection false alarm improvement that enables active security control by ensuring a plurality of indications of compromise by updating the correlation analysis of the security log .

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory and are intended to provide further explanation of the invention as claimed.

According to an aspect of the present invention, there is provided a vulnerability scanner for checking a vulnerability of at least one asset to be protected and transmitting the inspection result information and the vulnerability information to the threat detection system, An intrusion detection system that detects an external attack based on a signature and transmits an intrusion detection event to the threat detection system; and a vulnerability scanner , A risk detection system for collecting log information from an intrusion blocking system and an intrusion detection system and updating at least one of an object to be checked, a correlation analysis scenario and a detection rule based on the collected log information System is provided.

Wherein the threat detection system comprises at least one of an inspection result information from the vulnerability scanner, vulnerability information, approval information and blocking information from the intrusion blocking system, and an intrusion detection event from the intrusion detection system, And a check target extraction unit for comparing the result information with the blocking information to extract an inspection object and adding the extracted inspection object to the inspection schedule of the vulnerability scanner.

The threat detection system extracts intrusion detection events existing in the approval information and the inspection result information from the intrusion detection events stored in the database, extracts the detection rule related information from the extracted intrusion detection events and the corresponding inspection results, And a detection rule control unit for generating a detection rule.

Also, the threat detection system extracts intrusion detection events existing in approval information and inspection result information from intrusion detection events stored in the database, extracts vulnerability-related information from inspection results corresponding to the extracted intrusion detection events, And a vulnerability control unit for generating an analysis scenario.

The vulnerability scanner may generate a traffic to the inspection object added to the inspection schedule.

Wherein the threat detection system transmits traffic to the inspection object extracted by the inspection object extraction unit and stores the received intrusion detection event in the database when the intrusion detection event by the traffic is received from the intrusion detection system And may further include an event processing unit.

According to another embodiment of the present invention, there is provided a method for improving an intrusion detection false by a threat detection system, the method comprising the steps of: And an event, and adding the inspection result information to the inspection schedule of the vulnerability scanner by comparing the inspection result information with the blocking information, extracting an inspection object, and adding the extracted inspection object to the inspection schedule of the vulnerability scanner. A method for improving detection false positives is provided.

The method for improving the intrusion detection false alarm extracts an intrusion detection event existing in approval information and inspection result information from the collected intrusion detection events and extracts detection rule related information from the extracted intrusion detection event and the corresponding inspection result And generating a new detection rule.

In addition, the method for improving the intrusion detection error may further include extracting an intrusion detection event existing in the approval information and the inspection result information from the collected intrusion detection events, and extracting the information on the vulnerability from the inspection result corresponding to the extracted intrusion detection event And extracting the correlation analysis scenario to generate a correlation analysis scenario.

The vulnerability scanner may generate a traffic to the inspection object added to the inspection schedule.

Meanwhile, the above-mentioned 'system and method for improving intrusion detection false' can be recorded in a recording medium readable by an electronic device after being implemented in the form of a program, or distributed through a program download management device (server or the like) have.

According to the present invention, it is possible to reduce the probability of false detection (false detection) of the intrusion detection system.

Also, an intrusion detection system can detect an internal vulnerability without external attack traffic.

In addition, by automatically updating the detection rules of the intrusion detection system, the IDS signature can be generated based on the internal vulnerability without any external attack, and harmful traffic can be detected through the IDS signature.

In addition, by updating the correlation analysis of the security log, a plurality of indications of compromise can be ensured and an active security control can be performed.

The effects of the present invention are not limited to the above-mentioned effects, and various effects can be included within the scope of what is well known to a person skilled in the art from the following description.

FIG. 1 is a diagram illustrating a system for improving intrusion detection false positives according to an embodiment of the present invention. Referring to FIG.
2 is a diagram for explaining an operation of a system for improving an intrusion detection false according to an embodiment of the present invention.
3 is a block diagram schematically illustrating the configuration of a threat detection system according to an embodiment of the present invention.
4 is a diagram illustrating an exemplary structure of an event database according to the present invention.
5 is an exemplary view showing a structure of a check result database according to the present invention.
FIG. 6 is a diagram illustrating a structure of a vulnerability database according to the present invention.
Fig. 7 is a view showing the structure of an approval database according to the present invention.
8 is a diagram illustrating an exemplary structure of a blocking database according to the present invention.
9 is a diagram illustrating a method for improving intrusion detection false according to an embodiment of the present invention.
10 is a diagram illustrating a method for improving intrusion detection false positives in the threat detection system according to an embodiment of the present invention.
11 is a view for explaining a recording medium for performing a method for intrusion detection false improvement according to an embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, a system and method for improving intrusion detection false according to the present invention will be described in detail with reference to the accompanying drawings. The embodiments are provided so that those skilled in the art can easily understand the technical spirit of the present invention, and thus the present invention is not limited thereto. In addition, the matters described in the attached drawings may be different from those actually implemented by the schematic drawings to easily describe the embodiments of the present invention.

In the meantime, each constituent unit described below is only an example for implementing the present invention. Thus, in other implementations of the present invention, other components may be used without departing from the spirit and scope of the present invention.

In addition, each component may be implemented solely by hardware or software configuration, but may be implemented by a combination of various hardware and software configurations performing the same function. Also, two or more components may be implemented together by one hardware or software.

Also, the expression " comprising " is intended to merely denote that such elements are present as an expression of " open ", and should not be understood to exclude additional elements.

FIG. 1 illustrates a system for improving intrusion detection false according to an embodiment of the present invention, and FIG. 2 illustrates an operation of a system for improving intrusion detection false according to an embodiment of the present invention.

Referring to FIG. 1, a system for improving intrusion detection false positives includes a vulnerability scanner 100, an intrusion blocking system 200, an intrusion detection system 300, a security log correlation analysis system 400, and a threat detection system 500 , Which are capable of transmitting and receiving data over a communication network. Here, the communication network may include a wired communication network, a wireless communication network, a short-range wireless communication network, and the like.

The vulnerability scanner 100 periodically inspects and analyzes the vulnerability of an interlocked asset in association with at least one asset to be protected and transmits the analysis result to the threat detection system. Here, the asset includes a transmission equipment providing an information distribution function, which is a basic service provided by the network, and various systems on the network providing an information processing function, for example, an intrusion detection system, various switches, routers, . Vulnerability can be a software defect that can be exploited to cause the system to perform abnormal operations.

The vulnerability scanner 100 may perform a port scan on at least one of the interlocked assets to detect an asset in which at least one port is open as an asset that can be an attack target. Thus, the vulnerability scanner 100 may collect response information for at least one command set from the detected asset, and may check and analyze the vulnerability of the asset 120 based on the collected response information. At this time, port scan is generally known as a preparation process for hacking, which refers to a method of finding out which port is open or closed to a server having a specific IP address or domain name.

In addition, the vulnerability scanner 100 not only stores the results of the inspection and analysis in the database, but also transmits the results of the inspection and analysis to the threat detection system 500. The vulnerability scanner 100 can notify the manager of the vulnerability check result. For example, the vulnerability scanner 100 can transmit an E-mail or SMS message to an administrator terminal operated by the administrator.

The vulnerability scanner 100 can detect a path that can be accessed. For example, the vulnerability scanner 100 performs a scan on ports of all service servers interlocked through a port scan, (Device, system) that can be detected. When a server that can be an external attack target is detected, the vulnerability scanner 100 can sequentially transmit at least one command previously set to the detected server and collect response information for at least one command transmitted . Then, the vulnerability scanner 100 can check and analyze the vulnerability of the server based on the collected response information. The vulnerability scanner 100 compares the collected response information with the pattern information stored in the database and compares the vulnerability of the server with the pattern information stored in the database Inspection and analysis. At this time, the pattern information may be information about a vulnerability corresponding to each server to be checked, and may be stored and managed in a database. The vulnerability scanner 100 stores the result of checking and analyzing the vulnerability of the corresponding server in the database or transmits it to the threat detection system 500.

As described above, the vulnerability scanner 100 detects a server that can be an attack target through a port scan, receives response information according to at least one command set from the detected server, checks the vulnerability of the server based on the received response information, By sending the contents to the threat detection system, the server can be prevented from being damaged.

The vulnerability scanner 100 searches for a vulnerability of a server managed on a regular basis according to the vulnerability scanning schedule and reports the result. That is, the vulnerability scanner 100 checks the existence of a vulnerability that may exist in the server managed based on the information related to the vulnerability. It can detect vulnerabilities that could allow unauthorized access, vulnerabilities that interfere with normal service, and the presence of vulnerabilities that could leak, tamper with, or delete data. Then, the vulnerability scanner 100 collects the information based on the information having the probable vulnerability, and optimizes a part where the vulnerability is likely to become a weak point through logical operation. In other words, it derives a result that is likely to become a real vulnerability based on the results derived from a number of external search engines. The vulnerability scanner 100 checks the vulnerability of the actually managed server based on the derived vulnerability information. This vulnerability check is to identify vulnerabilities that are likely to be vulnerabilities on managed servers, including system security vulnerabilities, network security vulnerabilities, and application security vulnerabilities.

When the vulnerability scanner 100 requests the threat detection system 500 to add an inspection target, the vulnerability scanner 100 adds the inspection target to the inspection schedule. Then, the vulnerability scanner 100 generates traffic according to the inspection schedule and transmits the traffic to the added inspection object.

The intrusion blocking system 200 blocks an unauthorized network connection from the outside and protects and distinguishes the internal network from the outside. The result of the blocking and blocking of the intrusion blocking system 200 is transmitted to the threat detection system 500 ).

The intrusion blocking system 200 blocks a specific intruder by using intruder information stored in the blocking DB and access permitted information of an access control list stored in the denial DB. The intrusion blocking system 200 then sends the result of the denial and blocking to the threat detection system 500.

The intrusion blocking system 200 is capable of effectively preventing and blocking electronic tampering. The intrusion blocking system 200 is installed at a connection point between a subscriber network and a public network, or inside a subscriber network, do.

Such an intrusion blocking system 200 may include, for example, a firewall or the like. When the Internet data coming from the external Internet environment is transmitted to the multiple management web servers managed by the web firewall, the web firewall transmits various abnormal query transmission, parameter modulation and input values included in the Internet data to the web It is responsible for blocking various attacks on the server.

The IDS 300 is a threat managed by the intrusion detection system 300 irrespective of the vulnerability of individual assets constituting the network when attacking a network asset. And attack information, and the risk information of the corresponding attack designated by the user.

The intrusion detection system 300 builds a detection rule for a threat pattern based on a list of vulnerabilities provided by a CVE list (Common Vulnerabilities and Express List) and a list of threats related to vulnerabilities provided by CERT, And generates a warning and alarm when traffic corresponding to the threat pattern is generated to inform the threat.

The intrusion detection system 300 detects an external attack and transmits the detection result to the security log correlation analysis system 400 and the threat detection system 500. The intrusion detection system 300 detects an external attack by a signature-based detection mechanism and transmits an intrusion detection event to the security log correlation analysis system 400 and the threat detection system 500. The signature database stores the signature ID, signature name, severity level, and packet payload for information corresponding to the suspicious information.

The security log correlation analysis system 400 serves to correlate events collected from the intrusion detection system 300 according to predefined rules and scenarios. For example, events occurring when the same event occurs in multiple IPs are shortened, and event generation is restricted in the case of an IP to which an exception is applied.

The security log correlation analysis system 400 analyzes the causal relationship between the normal detection log selection and the individual log generated in the intrusion detection system 300.

The security log correlation analysis system 400 analyzes association of all the event items that can be analyzed such as time, attacker, target system, and event type. The process of analyzing the correlation can use data mining algorithms such as order patterns and classification rules.

The security log correlation analysis system 400 contains details of the language format of the correlation analysis rule script that defines the rules for event correlation analysis between events or events. Through the correlation analysis language, it is possible to create a rule, update the generated rule, designate the name of the rule for the generated rule, the class of the large classification to which the generated correlation analysis rule belongs, The normalized event parameter information such as the time of the security event, the device ID, the network ID, the event, the firewall rule ID, the signature ID of the intrusion detection / intrusion prevention system, Contexts are generated by combining the contexts and conditional contexts created by the correlation analysis rules by using the combination of the contexts and conditional expressions Indicates that a new context / condition can be created as a group of context / conditions. Using the correlation analysis language, it is possible to analyze the correlation of events, information protection facilities, and inter-network events based on normalization event parameters from the information protection facilities.

The threat detection system 500 collects log information from the vulnerability scanner 100, the intrusion blocking system 200, and the intrusion detection system 300, and based on the collected log information, Update at least one.

The threat detection system 500 compares the inspection result information of the vulnerability scanner 100 and the blocking information of the intrusion blocking system 200 to extract the missing IP as the inspection result information and outputs the extracted inspection object to the vulnerability scanner (100). Then, the vulnerability scanner 100 generates traffic according to the inspection schedule and transmits the traffic to the added inspection object.

The threat detection system 500 compares the intrusion detection event with the inspection result information of the vulnerability scanner when the intrusion detection event is received from the intrusion detection system 300, Update the correlation analysis scenario.

Also, the threat detection system 500 compares the intrusion detection event with the vulnerability information of the vulnerability scanner 100, and updates the detection rule of the intrusion detection system 300 that requires new creation based on the comparison result. That is, if there is a vulnerability but there is no detection rule, the threat detection system 500 notifies the administrator of the detection rule so that the detection rule is generated.

In addition, when the intrusion detection event is included in the permission information of the intrusion blocking system 200 and the inspection result information of the vulnerability scanner 100, the threat detection system 500 extracts vulnerability related information from the inspection result information corresponding to the intrusion detection event And updates the correlation analysis scenario of the security log correlation analysis system 400 based on the extracted vulnerability-related information. That is, the threat detection system 500 automatically applies the intrusion detection event to the correlation analysis scenario when the intrusion detection event occurs in the IP allowed in the intrusion blocking system 200.

Also, the threat detection system 500 can reduce the false positives of the intrusion detection system 300 by comparing the traffic generation condition of the vulnerability scanner 100 with the detection rule of the intrusion detection system.

The threat detection system 500 will be described with reference to FIG.

Hereinafter, the operation of the system for improving the intrusion detection falsehood will be described with reference to FIG.

The vulnerability scanner 100 scans the server to be protected to check the vulnerability to the server, and transmits the information and the vulnerability information to the threat detection system 500.

The threat detection system 500 collects and stores log information from the vulnerability scanner 100, the intrusion blocking system 200, and the intrusion detection system 300. Here, the log information may include inspection result information and vulnerability information from the vulnerability scanner 100, approval information and blocking information from the intrusion blocking system 200, and an intrusion detection event from the intrusion detection system 300.

The threat detection system 500 compares the inspection result information of the vulnerability scanner 100 and the blocking information of the intrusion blocking system 200 to extract the missing IP as the inspection result information and outputs the extracted inspection object to the vulnerability scanner (100). The vulnerability scanner 100 adds an inspection object requested to be added to the inspection schedule, generates traffic according to the inspection schedule, and transmits the generated inspection object to the inspection object.

Then, the intrusion detection system 300 detects an intrusion by inspecting traffic generated in the vulnerability scanner 100, and when an intrusion is detected, transmits an intrusion detection event to the threat detection system 500 and the security log correlation analysis system 400 ).

The threat detection system 500 compares the intrusion detection event with the inspection result information, and updates the correlation analysis scenario of the security log correlation analysis system 400 based on the comparison result. Also, the threat detection system 500 compares the intrusion detection event with the vulnerability information, and updates the detection rule of the intrusion detection system 300 based on the comparison result. In addition, when the intrusion detection event is included in the permission information and the inspection result information, the threat detection system 500 extracts the vulnerability-related information from the inspection result information corresponding to the intrusion detection event, and based on the extracted information on the vulnerability, The correlation analysis scenario of the log correlation analysis system 400 is updated.

FIG. 3 is a block diagram schematically illustrating a configuration of a threat detection system according to an embodiment of the present invention. FIG. 4 is a diagram illustrating the structure of an event database according to the present invention. FIG. 6 is a view showing the structure of a vulnerability database according to the present invention, FIG. 7 is a view showing the structure of an approval database according to the present invention, and FIG. 8 is a structure of a blocking database according to the present invention. Fig.

3, the threat detection system 500 includes a database 510, an inspection object extraction unit 520, an event processing unit 530, a correlation analysis control unit 540, a detection rule control unit 550, a vulnerability control unit 560 And a control unit 570.

The database 510 stores log information collected from the vulnerability scanner, the intrusion prevention system, and the intrusion detection system. The database 510 includes an event database 511, a check result database 512, a vulnerability database 513, an approval database 514, and a shutdown database 516.

The event database 511 stores information on events detected by the intrusion detection system. 4, the event database 511 stores time, event name, source IP (SRC_IP), destination IP (Target_IP), event information (Event_Info (URL , PROTOCOL, PORT, Argument)) is stored in the event table (Event_table).

One) The inspection result database 512 stores inspection result information on the systems checked by the vulnerability scanner. Referring to FIG. 5, the structure of the inspection result information stored in the inspection result database 512 includes IP, Hostname, OS, Scan time, Scan_IP, Malware_exit, Exploit_exist, Service, Port, Protocol, CVE_ID, Common Validity and Exposures ), CVSS (Common Vulnerability Scoring System), Vul_ID (Vulnerability Identification), and the like are stored in the check result table (Asset_table). Here, Malware_exit indicates presence of malware, and exploit_exist indicates presence of a vulnerability. CVE_ID is a numbering scheme for vulnerabilities. Similar vulnerabilities are characterized by different IDs depending on the attack method. CVSS can be a concept for scoring vulnerabilities for importance and impact.

The vulnerability database 513 stores vulnerability information exposed by the vulnerability scanner. Vulnerability information (Vul_ID), IP, Title, PORT, CVE, X-force, Proof, and OSVDB (Open Source Vulnerability Database) vulnerability information, which is stored in the vulnerability database 513, Is stored in the vulnerability table (Exploit_table). Here, X-force is the name of the vulnerability research institute, and Proof may be the evidence used in the vulnerability diagnosis result.

The approval database 514 stores information on the approval result of the intrusion prevention system. Approval information is stored in the approval database 514 in the form shown in FIG. 7, authorization information such as Host, ID, time, DST (Destination), DST_Port (Destination Port), DST_Zone, Policy_ID, Action, Protocol, SENT_Size, Service_port, Session_ID, SRC (Source), SRC_port, SRC_Zone And stored in an approval table (Access_table).

The blocking database 515 stores information on the blocking result of the intrusion blocking system. Blocking information is stored in the blocking database 515 as shown in FIG. 8, blocking information such as Host, ID, time, DST, DST_port, DST_Zone, Policy_ID, Action, Protocol, SENT_Size, Service_port, Session_ID, SRC, SRC_port and SRC_Zone is stored in the blocking table Deny_table.

Although the database 510 is shown here as being comprised in the threat detection system 500, the database 510 may be configured separately from the threat detection system 500, according to the needs of those skilled in the art implementing the present invention It is possible.

The inspection object extracting unit 520 compares the inspection result information of the inspection result database 512 with the blocking information of the blocking database 515 to extract the inspection object and adds the extracted inspection object to the inspection schedule of the vulnerability scanner. That is, the inspection object extraction unit 520 compares the IP of the inspection result information with the IP of the blocking information, extracts the missing IP in the IP of the inspection result information from the IP of the blocking information, .

The event processing unit 530 generates and transmits traffic to the inspection objects extracted by the inspection object extraction unit, and stores the received intrusion detection event in the event database 511 when the intrusion detection event is received from the intrusion detection system . That is, even if a vulnerability exists in the intrusion detection system, if the traffic does not occur, the vulnerability is not detected. Therefore, the event processor 530 generates and transmits traffic to the inspection targets having the vulnerability. Then, the intrusion detection system determines the intrusion detection by applying the traffic to the objects to be inspected to the predetermined detection rule. The intrusion detection system transmits an intrusion detection event to the security log correlation analysis system and the threat detection system when an intrusion is detected.

The event processing unit 530 collects log information from the vulnerability scanner, the intrusion blocking system, and the intrusion detection system, and stores the collected log information in the data base 510.

That is, the event processing unit 530 collects the inspection result information and the vulnerability information from the vulnerability scanner, stores the inspection result information in the inspection result database, and stores the vulnerability information in the vulnerability database.

In addition, the event processing unit 530 collects approval information and blocking information from the intrusion blocking system, stores the collected approval information in the approval database, and stores the blocking information in the blocking database.

In addition, the event processor 530 collects intrusion detection events from the intrusion detection system, and stores the collected intrusion detection events in the event database. At this time, the event processing unit 530 collects event logs generated in the intrusion detection system through various types of log transfer protocols, normalizes them based on the IDMEF international standard, converts them into standardized events, ). The data storage format of the event database 511 may be stored in a hard disk, and may exist in a memory DB format for high-speed processing at times.

The correlation analysis control unit 540 compares the intrusion detection event with the inspection result information stored in the check result database 512, generates a correlation analysis scenario based on the comparison result, and outputs the generated correlation analysis scenario to the security log correlation analysis Update to the system.

That is, the correlation analysis control unit 540 extracts the IP information of time, SRC_IP, and Target_IP from the intrusion detection event, and determines whether the extracted IP information is included in the check result database 512. If the check result is included in the check result database 512, the correlation analysis control unit 540 extracts correlation analysis scenario related information such as event name (event_name), PROTOCOL, and PORT from the intrusion detection event, Generates the correlation analysis scenario using the related information, and updates the generated correlation analysis scenario to the security log correlation analysis system.

The correlation analysis control unit 540 includes details of the language format of the correlation analysis rule script that defines the rules for event correlation analysis between events or events and can generate a correlation analysis scenario through the correlation analysis language. By updating the correlation analysis scenario of the security log, it is possible to secure a plurality of indications of compromise and perform an active security control.

The detection rule control unit 550 compares the intrusion detection event with the vulnerability information of the vulnerability database 513, and updates the detection rule of the intrusion detection system based on the comparison result.

That is, the detection rule control unit 550 extracts IP information of time, SRC_IP, Target_IP, and event_name from the intrusion detection event, and determines whether the extracted IP information exists in the approval database 514. If the check result exists in the approval database 514, the detection rule control unit 550 determines whether the extracted IP information exists in the check result database 512. [ The detection rule control unit 550 extracts the detection rule related information 1 such as event_name, Target_IP, URL, and PROTOCOL from the intrusion detection event, And extracts detection rule related information 2 such as IP, Service, Port, and Vul_ID from the check result. Then, the detection rule control unit 550 generates a new detection rule by combining the detection rule related information 1 extracted from the intrusion detection event and the detection rule related information 2 extracted from the check result.

The detection rule control unit 550 updates the generated detection rule to the detection rule of the intrusion detection system. By automatically updating the detection rules of the intrusion detection system, harmful traffic such as hackers and new types of exploits can be detected.

When the intrusion detection event is included in the approval information of the approval database 514 and the inspection result information of the inspection result database 512, the vulnerability control unit 560 extracts the vulnerability-related information from the inspection result information corresponding to the intrusion detection event , Generates a correlation analysis scenario based on the extracted vulnerability information, and adds the generated correlation analysis scenario to the security log correlation analysis system.

That is, the vulnerability control unit 560 extracts IP information of time, SRC_IP, Target_IP, and event_name from the intrusion detection event, and determines whether the extracted IP information exists in the approval database 514. If the determination result is found in the approval database 514, the vulnerability control unit 560 determines whether the extracted IP information exists in the check result database 512. If the check result exists in the check result database 512, the vulnerability checker 560 extracts vulnerability information of the corresponding IP, Service, Port, and CVE from the check result database 512 and uses the extracted vulnerability information Generates a correlation analysis scenario, and updates the generated correlation analysis scenario to the security log correlation analysis system. At this time, the vulnerability control unit 560 can generate the correlation analysis scenario through the correlation analysis language.

When an intrusion detection event occurs in the IP allowed in the intrusion blocking system, the vulnerability control unit 560 automatically applies the intrusion detection event to the correlation analysis scenario of the security log correlation analysis system. By updating the correlation analysis scenario of the security log in this manner, it is possible to secure a plurality of indications of compromise and perform an active security control.

Each of the database 510, the inspection object extraction unit 520, the event processing unit 530, the correlation analysis control unit 540, the detection rule control unit 550 and the vulnerability control unit 560 may be configured to execute programs on the computing device And can be implemented by a necessary processor or the like, respectively. In this way, each of the database 510, the inspection object extraction unit 520, the event processing unit 530, the correlation analysis control unit 540, the detection rule control unit 550, and the vulnerability control unit 560 is implemented by each physically independent configuration Or may be implemented in a functionally distinct fashion within a single processor.

The control unit 570 includes a database 510, an inspection object extraction unit 520, an event processing unit 530, a correlation analysis control unit 540, a detection rule control unit 550, and a vulnerability control unit 560 500 in order to control the operation of various components.

The control unit 570 may include at least one computing unit, which may be a general purpose central processing unit (CPU), programmable device elements (CPLDs, FPGAs) suitably implemented for a particular purpose, Device (ASIC) or a microcontroller chip.

The threat detection system 500 may be implemented as a single computing device or in the form of an aggregate device in which two or more computing devices are interconnected. For example, the threat detection system 500 may be implemented as a single server or two or more servers connected together.

The threat detection system 500 configured as described above includes a communication unit for communicating through a communication network, an input unit for receiving information from the user, a display unit for displaying various information related to the operation of the threat detection system, And a storage unit for storing the data.

9 is a diagram illustrating a method for improving intrusion detection false according to an embodiment of the present invention.

Referring to FIG. 9, the threat detection system collects and stores log information from the vulnerability scanner, the intrusion blocking system, and the intrusion detection system (S902). At this time, the threat detection system collects inspection result information and vulnerability information from the vulnerability scanner, collects approval information and blocking information from the intrusion prevention system, and collects intrusion detection events from the intrusion detection system.

When the step S902 is performed, the threat detection system compares the inspection result information of the vulnerability scanner with the blocking information of the intrusion blocking system to extract the inspection object (S904). That is, the threat detection system extracts the IP from the inspection result information and the blocking information, extracts the missing IP in the IP of the inspection result information among the IPs of the blocking information, and extracts the IP as the inspection object.

Then, the threat detection system transmits a check target addition request signal including the check target information to the vulnerability scanner (S906). The inspection object information may include an IP extracted as a check target.

Upon receiving the check target addition request signal, the vulnerability scanner adds the check target to the check schedule (S908), and transmits the traffic to the added check targets (S910).

In step S912, the intrusion detection system determines whether intrusion is detected by applying the traffic to the objects to be inspected to the predetermined detection rule in step S912. If intrusion is detected, the intrusion detection system transmits the intrusion detection event to the threat detection system in step S914.

The threat detection system updates the correlation analysis scenario or the detection rule based on the intrusion detection event and the collected log information (S916). That is, the threat detection system extracts the information related to the correlation analysis scenarios such as the event name (event_name), PROTOCOL, and PORT in the intrusion detection event included in the IP information of the intrusion detection event as a result of checking the IP information of the intrusion detection event, Create a correlation analysis scenario using information related to the analysis scenario.

Also, if the IP information of the intrusion detection event is an IP approved by the intrusion prevention system and exists in the inspection result database, the threat detection system extracts detection rule related information 1 such as event_name, Target_IP, URL, PROTOCOL, etc. from the intrusion detection event , Detection rule related information 2 such as IP, Service, Port, and Vul_ID is extracted from the check result, and a new detection rule is generated by combining the extracted detection rule related information 1 and detection rule related information 2.

Also, the threat detection system extracts vulnerability information of IP, Service, Port, and CVE from the check result when the IP information of the intrusion detection event is IP approved by the intrusion prevention system and exists in the check result database, And creates a correlation analysis scenario using information related to the vulnerability.

10 is a diagram illustrating a method for improving intrusion detection false positives in the threat detection system according to an embodiment of the present invention.

Referring to FIG. 10, the threat detection system collects and stores log information from a vulnerability scanner, an intrusion prevention system, and an intrusion detection system (S1002).

When the step S1002 is performed, the threat detection system compares the inspection result information of the vulnerability scanner with the blocking information of the intrusion blocking system to determine an inspection object (S1004). That is, the threat detection system extracts the IP from the inspection result information and the blocking information, extracts the missing IP in the IP of the inspection result information from the IP of the blocking information, and adds the IP as the inspection object.

Then, the threat detection system generates traffic and transmits it to the objects to be checked (S1006), and receives an intrusion detection event from the intrusion detection system (S1008).

The threat detection system updates the correlation analysis scenario or the detection rule based on the intrusion detection event and the collected log information (S1010).

11 is a view for explaining a recording medium for performing a method for intrusion detection false improvement according to an embodiment of the present invention.

11, at least a part of a program executed by a computer performing the method for improving intrusion detection false according to the above-described embodiments may be stored and executed in the recording medium 580 of the threat detection system 500 have.

Collecting log information including at least one of the inspection result information and the vulnerability information from the vulnerability scanner, the approval information and the blocking information from the intrusion blocking system, and the intrusion detection event from the intrusion detection system, Extracting an inspection target from the inspection result information, adding the extracted inspection target to the inspection schedule of the vulnerability scanner, extracting an intrusion detection event existing in the approval information and the inspection result information from the collected intrusion detection events, Extracting detection rule related information from the extracted intrusion detection event and the corresponding inspection result to generate a new detection rule, extracting an intrusion detection event existing in the approval information and the inspection result information from the collected intrusion detection events, From the result of checking corresponding to the extracted intrusion detection event, The steps, such as extraction by generating a correlation scenario information is a program to be executed by the computer can be executed is stored in the recording medium 580.

The H / W and S / W resources 590 collectively refer to hardware resources and software resources required for a program stored in the recording medium 580 to operate. Examples of hardware resources include a CPU (Central Processing Unit), a memory (MEMORY) , A hard disk, a network card, and the like. Examples of software resources include an operating system (OS) and a driver for driving hardware.

For example, a program for extracting a check target, generating a correlation analysis scenario, and generating a detection rule is loaded and operated under the control of the CPU. In this way, the hardware resources and / or software resources are required for the programs stored in the recording medium 580 to be executed, and the interaction between these resources and the tasks can be easily performed by anyone in the technical field to which the inventive concept belongs It will be an understandable skill.

The method for improving the intrusion detection falsehood can be created by a program, and the codes and code segments constituting the program can be easily deduced by a programmer in the field. Further, a program for a method for improving intrusion detection false positives can be stored in an information storage medium (Readable Media) readable by an electronic device, readable and executed by an electronic device.

Thus, those skilled in the art will appreciate that the present invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. It is therefore to be understood that the above-described embodiments are illustrative only and not restrictive of the scope of the invention. It is also to be understood that the flow charts shown in the figures are merely the sequential steps illustrated in order to achieve the most desirable results in practicing the present invention and that other additional steps may be provided or some steps may be deleted .

The technical features and implementations described herein may be implemented in digital electronic circuitry, or may be implemented in computer software, firmware, or hardware, including the structures described herein, and structural equivalents thereof, . Also, implementations that implement the technical features described herein may be implemented as computer program products, that is, modules relating to computer program instructions encoded on a program storage medium of the type for execution by, or for controlling, the operation of the processing system .

The computer-readable medium can be a machine-readable storage device, a machine-readable storage substrate, a memory device, a composition of matter that affects the machine readable propagation type signal, or a combination of one or more of the foregoing.

In the present specification, the term " apparatus "or" system "includes all apparatuses, apparatuses, and machines for processing data, including, for example, a processor, a computer or a multiprocessor or a computer. The processing system may include any code that, in addition to the hardware, forms an execution environment for a computer program upon request, such as, for example, code that constitutes processor firmware, a protocol stack, a database management system, an operating system, can do.

A computer program, known as a program, software, software application, script or code, may be written in any form of programming language, including compiled or interpreted language or a priori, procedural language, Routines, or other units suitable for use in a computer environment.

On the other hand, a computer program does not necessarily correspond to a file in the file system, but may be stored in a single file provided to the requested program or in a plurality of interactive files (for example, one or more modules, File), or a portion of a file that holds another program or data (e.g., one or more scripts stored in a markup language document).

A computer program may be embodied to run on multiple computers or on one or more computers located at one site or distributed across a plurality of sites and interconnected by a wired / wireless communication network.

On the other hand, computer readable media suitable for storing computer program instructions and data include, for example, semiconductor memory devices such as EPROM, EEPROM, and flash memory devices, such as magnetic disks such as internal hard disks or external disks, And any type of non-volatile memory, media and memory devices, including CD and DVD discs. The processor and memory may be supplemented by, or incorporated in, special purpose logic circuits.

Implementations implementing the technical features described herein may include, for example, back-end components such as a data server, or may include middleware components, such as, for example, an application server, Or a client computer having a graphical user interface, or any combination of one or more of such backend, middleware or front end components. The components of the system may be interconnected by any form or medium of digital data communication, for example, a communication network.

Hereinafter, a more specific embodiment capable of implementing the configurations including the system described in this specification and the method for improving intrusion detection false-positive will be described in detail.

The systems described herein and methods for intrusion detection false improvement include means for executing computer software, program code, or instructions on one or more processors included in a server or server associated with a client device or a web-based storage system Lt; RTI ID = 0.0 > and / or < / RTI > The processor may be part of a computing platform, such as a server, a client, a network infrastructure, a mobile computing platform, a fixed computing platform, and the like, and may specifically be a type of computer or processing device capable of executing program instructions, code, The processor may further include a memory for storing a method, an instruction, a code, and a program for improving an intrusion detection false, and may include a method, an instruction, and a code for intrusion detection false improvement through a separate interface, And access storage devices such as a CD-ROM, DVD, memory, hard disk, flash drive, RAM, ROM, cache, etc. in which the program is stored.

In addition, the systems described herein and methods for intrusion detection false improvement may be used, in part or in whole, through a server, a client, a gateway, a hub, a router, or an apparatus executing computer software on network hardware. The software may be executed in various types of servers such as a file server, a print server, a domain server, an Internet server, an intranet server, a host server, a distributed server, A storage medium, a communication device, a port, a client, and other servers via a wired / wireless network.

In addition, methods, commands, codes, etc., for intrusion detection false improvement may also be performed by the server, and other devices required to implement methods for intrusion detection false improvement may be implemented as part of the hierarchy associated with the server .

In addition, the server can provide an interface to other devices including, without limitation, clients, other servers, printers, database servers, print servers, file servers, communication servers, distributed servers, The remote execution of the program can be facilitated.

In addition, any of the devices connected to the server via the interface may further include at least one storage device capable of storing methods, instructions, codes, etc. for intrusion detection error improvement, and the central processor of the server may be executed on a different device Commands, codes, and the like can be provided to the device and stored in the storage device.

Meanwhile, the system described in the present specification and the method for improving intrusion detection falsehood can be partially or wholly used through a network infrastructure. The network infrastructure may include both a device such as a computing device, a server, a router, a hub, a firewall, a client, a personal computer, a communication device, a routing device, etc. and a separate module capable of performing each function, In addition to one device and module, it may further include storage media such as a story flash memory, buffer, stack, RAM, ROM, and the like. In addition, a method, an instruction, and a code for improving intrusion detection false can be executed and stored by any one of a device, a module, and a storage medium included in a network infrastructure, and a method for a method for improving an intrusion detection false Other devices that are required to run may also be implemented as part of the network infrastructure.

In addition, the system described herein and the method for intrusion detection false improvement may be implemented in hardware or a combination of hardware and software suitable for a particular application. Herein, the hardware includes both general-purpose computer devices such as personal computers, mobile communication terminals, and enterprise-specific computer devices, and the computer devices may include memory, a microprocessor, a microcontroller, a digital signal processor, an application integrated circuit, a programmable gate array, Or the like, or a combination thereof.

Computer software, instructions, code, etc., as described above, may be stored or accessed by a readable device, such as a computer component having digital data used to compute for a period of time, such as RAM or ROM Permanent storage such as semiconductor storage, optical disc, large capacity storage such as hard disk, tape, drum, optical storage such as CD or DVD, flash memory, floppy disk, magnetic tape, paper tape, Memory such as storage and dynamic memory, static memory, variable storage, network-attached storage such as the cloud, and the like. Here, the commands and codes are data-oriented languages such as SQL and dBase, system languages such as C, Objective C, C ++, and assembly, architectural languages such as Java and NET, application languages such as PHP, Ruby, Perl and Python But it is not so limited and may include all languages well known to those skilled in the art.

In addition, "computer readable media" as described herein includes all media that contribute to providing instructions to a processor for program execution. But are not limited to, transmission media such as coaxial cables, copper wires, optical fibers, and the like that transmit data to nonvolatile media such as data storage devices, optical disks, magnetic disks, etc., volatile media such as dynamic memory and the like.

On the other hand, configurations implementing the technical features of the present invention, which are included in the block diagrams and flowcharts shown in the accompanying drawings, refer to the logical boundaries between the configurations.

However, according to an embodiment of the software or hardware, the depicted arrangements and their functions may be implemented in the form of a stand alone software module, a monolithic software structure, a code, a service and a combination thereof and may execute stored program code, All such embodiments are to be regarded as being within the scope of the present invention since they can be stored in a medium executable on a computer with a processor and their functions can be implemented.

Accordingly, the appended drawings and the description thereof illustrate the technical features of the present invention, but should not be inferred unless a specific arrangement of software for implementing such technical features is explicitly mentioned. That is, various embodiments described above may exist, and some embodiments may be modified while retaining the same technical features as those of the present invention, and these should also be considered to be within the scope of the present invention.

It should also be understood that although the flowcharts depict the operations in the drawings in a particular order, they are shown for the sake of obtaining the most desirable results, and such operations must necessarily be performed in the specific order or sequential order shown, Should not be construed as being. In certain cases, multitasking and parallel processing may be advantageous. In addition, the separation of the various system components of the above-described embodiments should not be understood as requiring such separation in all embodiments, and the described program components and systems are generally integrated into a single software product, It can be packaged.

As such, the specification is not intended to limit the invention to the precise form disclosed. While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is evident that many alternatives, modifications, and variations will be apparent to those skilled in the art without departing from the spirit and scope of the present invention as defined by the appended claims. It is possible to apply a deformation.

The scope of the present invention is defined by the appended claims rather than the foregoing description, and all changes or modifications derived from the meaning and scope of the claims and equivalents thereof are deemed to be included in the scope of the present invention. .

The present invention provides a system and method for improving intrusion detection falsehood, thereby reducing the probability of false detection of an intrusion detection system, allowing an intrusion detection system to detect an internal vulnerability even when external attack traffic does not occur, It can detect harmful traffic such as hackers, new exploits and other unopened methods.

100: Vulnerability Scanner
200: Intrusion Prevention System
300: Intrusion detection system
400: Security log correlation analysis system
500: Threat detection system
510: Database
520: Inspection object extraction unit
530: Event processor
540: correlation analysis control section
550: detection rule control unit
560: Vulnerability control section
570:
150:

Claims (6)

A vulnerability scanner that checks the vulnerability of at least one asset to be protected and transmits the information and the vulnerability information to the threat detection system;
An intrusion blocking system for transmitting approval information and blocking information for protecting the internal network from the outside to the threat detection system;
An intrusion detection system for detecting an external attack based on a signature and transmitting an intrusion detection event to the threat detection system; And
A risk detection system for collecting log information from the vulnerability scanner, the intrusion blocking system, and the intrusion detection system, and updating at least one of an inspection object, a correlation analysis scenario, and a detection rule based on the collected log information;
≪ / RTI >
The vulnerability scanner is capable of scanning a port for at least one asset that is interlocked.
And detects at least one of the open ports as an asset that can be an attack target.
The method according to claim 1,
Wherein the threat detection system includes at least one of inspection result information from the vulnerability scanner, vulnerability information, approval information and blocking information from the intrusion blocking system, and an intrusion detection event from the intrusion detection system;
And an inspection target extracting unit for comparing the inspection result information stored in the database with the blocking information to extract an inspection object and adding the extracted inspection object to the inspection schedule of the vulnerability scanner. system.
3. The method of claim 2,
A detection rule for generating a new detection rule by extracting an intrusion detection event existing in approval information and inspection result information from the intrusion detection events stored in the database, extracting detection rule related information from the extracted intrusion detection event and the corresponding inspection result, Further comprising a control unit operable to control the intrusion detection system.
3. The method of claim 2,
A vulnerability control unit for extracting an intrusion detection event existing in the approval information and the inspection result information from the intrusion detection events stored in the database and extracting the vulnerability related information from the inspection result corresponding to the extracted intrusion detection event, Further comprising: means for detecting an intrusion detection error.
3. The method of claim 2,
Wherein the vulnerability scanner generates traffic to the inspection object added to the inspection schedule.
3. The method of claim 2,
And an event processor for transmitting the traffic to the inspection object extracted by the inspection object extraction unit and storing the received intrusion detection event in the database when the intrusion detection event by the traffic is received from the intrusion detection system A system for improving intrusion detection false positives.

Images