KR20170058140A - An analysis system of security breach with analyzing a security event log and an analysis method thereof - Google Patents

Info

Publication number
KR20170058140A
Authority
KR
South Korea
Prior art keywords
event
log
security
event log
analysis
Prior art date
Application number
KR1020150161973A
Other languages
Korean (ko)
Other versions
KR101788410B1 (en)
Inventor
신희창
Original Assignee
(주)이스트소프트
Priority date
Filing date
Publication date
Application filed by (주)이스트소프트
Priority to KR1020150161973A
Publication of KR20170058140A
Application granted
Publication of KR101788410B1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/30: Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/308: Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information retaining data, e.g. retaining successful, unsuccessful communication attempts, internet access, or e-mail, internet telephony, intercept related information or call content

Abstract

The present invention relates to a system and method for analyzing security breaches by analyzing a security event log. More particularly, it relates to a system that analyzes the event log generated during a security breach occurring on a local terminal and presents the result separated by point of departure (source) or point of destination, and to the corresponding analysis method. According to the present invention, a security breach applied to various types of local terminals can be recorded as a normalized event log for integrated analysis, and the elements of a security breach can be checked easily by classifying and analyzing the event logs associated with specific information. The analysis system includes an integrated log collecting part, a log normalization part, a single event detection part, a linkage analysis part, and a risk measurement part.

Description

TECHNICAL FIELD

[0001] The present invention relates to a system and method for analyzing security violations through security event log analysis.

The present invention relates to a system and method for analyzing security violations through security event log analysis. More particularly, it relates to a security breach analysis system, and an analysis method using security event log analysis, that analyzes the event log generated during a security violation occurring on a local terminal.

Along with the growth of information system assets, various operating environments (OSes), application programs for mobile terminals (apps), and security solutions have been developed and are in use. The security events recorded in these diverse environments are likewise stored in diverse forms, and their volume is increasing rapidly.

Events related to security breaches occurring in various types of local terminals are recorded in the event log by a local terminal or a monitoring device on the network. The administrator analyzes the generated event log to check the damage of the security breach, and takes measures to prevent further infringement.

FIG. 1 is a block diagram illustrating a network risk composite analysis system according to the prior art.

The plurality of detection sensors 10 in the analysis system of FIG. 1 collect security events occurring on their respective networks in real time and store them in a DB as a log file that includes the destination IP of each security event. Each detection sensor 10 calculates the risk level and reliability of the collected security events using the risk level and reliability formulas set by the administrator on the basis of the network security operation policy, adds the calculated risk level and reliability to the log file, and stores the log file in the DB.

The log file normalization unit 11 collects the security event log files from the DBs of the respective detection sensors 10 and converts them into a normalized log file format according to the normalization information set by the administrator on the basis of the network security operation policy.

The individual risk calculating section 13 takes the risk value and reliability identified from the normalized log file of the security event, together with the asset value of the affected IT asset computed by the asset value calculating section 12, substitutes them into the risk calculation formula set by the administrator on the basis of the operation policy, and calculates the individual risk of the security event. If the calculated risk exceeds a predetermined level, an alarm generation signal is output.

In the related art, however, only the network-based security event log is analyzed to measure risk. In some cases it is more effective to group related security events and analyze them together, and because the conventional network-based analysis cannot provide such a linked analysis method, this need is difficult to meet efficiently.

KR 10-1113615 B1

According to an aspect of the present invention, a security breach analysis system and analysis method using security event log analysis are provided that process the various types of security event logs generated on local terminals and the network into a single format, store the normalized event log as a JSON file in the (NoSQL) integrated log database, and analyze the stored event log to identify the elements of a security violation.

It is also an object of the present invention to provide a security breach analysis system and analysis method in which linkage analysis of various event logs, based on the source or destination according to a risk flag, is performed so that the flow, location, threat, vulnerability and so on of a security violation can be grasped accurately.

To solve the above problems, the present invention provides a security intrusion analysis system that analyzes security events occurring on a local terminal and presents them to an administrator. The system comprises: an integrated log collecting unit 102 that receives the collected and transmitted event log and stores it in the integrated log DB 114; a log normalization unit 104 that normalizes the event log received by the integrated log collecting unit 102, converts it into the JSON (JavaScript Object Notation) file format, and stores the normalized event log in the integrated log DB 114; a single event detection unit 106 that analyzes the normalized event log by referring to the detection rules stored in the event detection rule DB 112 and determines whether the event log contains an event record that may constitute a security breach; a linkage analysis unit 108 that links and analyzes a plurality of event logs when the risk flag assigned to the event log analyzed by the single event detection unit 106 has a predetermined value; and a risk measurement unit 110 that determines the linked log type of the event log to be detected by referring to the risk flag column of the detection rule stored in the event detection rule DB 112.

The normalized event log consists of data with the fields TIME, TYPE, HOST, SRC, DST, CONTENTS_001, CONTENTS_002, CONTENTS_003, CONTENTS_004 and LINKED_LOGTYPE. TIME is the detection time of the security event in unix time format, TYPE is the type of security event, HOST is the IP address or host name of the sensor that detected the security event, SRC is the origin IP of the security event, DST is the destination IP of the security event, CONTENTS_001 through CONTENTS_004 are the details of the security event, and LINKED_LOGTYPE is defined as the target event log for linkage analysis. The LINKED_LOGTYPE is the event log in which security events at or above a predetermined threshold occur during a certain period before and after the single event's occurrence time.

If the risk flag in the event log to be detected is 1, the linkage analysis unit 108 extracts the SRC from the event log and performs linkage analysis on the event logs defined in LINKED_LOGTYPE using an OR operation on SRC and DST. If the risk flag is 2, the DST is extracted from the event log and the event logs defined in LINKED_LOGTYPE are subjected to an OR operation on SRC and DST. If the risk flag is 3, both SRC and DST are extracted from the event log, the event logs defined in LINKED_LOGTYPE are subjected to an AND operation on SRC and DST, and linkage analysis is carried out on the result.

The single event detection unit 106 combines content-based detection, in which a keyword referenced from the event detection rule DB 112 is pattern-matched against CONTENTS_001 to CONTENTS_004 of the normalized event log through a combination of AND, OR and NOT operators, with host-based detection, in which a keyword referenced from the event detection rule DB 112 is pattern-matched against HOST, SRC and DST through a combination of AND, OR and NOT operators.

According to another embodiment of the present invention, there is provided a security breach analysis method using the security intrusion analysis system, comprising: a first step in which, when the local log collection unit 202 installed in the local terminal 200 collects and transmits event logs, the integrated log collection unit 102 receives them and stores them in the integrated log DB 114; a second step in which the log normalization unit 104 normalizes the event log received by the integrated log collecting unit 102, converts it into a JSON (JavaScript Object Notation) file, and stores the normalized event log in the integrated log DB 114; a third step in which the single event detection unit 106 analyzes the normalized event log by referring to the detection rules stored in the event detection rule DB 112 and determines whether the event log contains an event record that may constitute a security breach; a fourth step in which the risk measurement unit 110 determines the linked log type of the event log to be detected by referring to the risk flag column of the detection rule stored in the event detection rule DB 112; and a fifth step in which the linkage analysis unit 108 links and analyzes a plurality of event logs when the risk flag of the event log analyzed by the single event detection unit 106 has a predetermined value.

The normalized event log consists of data with the fields TIME, TYPE, HOST, SRC, DST, CONTENTS_001, CONTENTS_002, CONTENTS_003, CONTENTS_004 and LINKED_LOGTYPE. TIME is the detection time of the security event in unix time format, TYPE is the type of security event, HOST is the IP of the sensor that detected the security event, SRC is the origin IP of the security event, DST is the destination IP of the security event, CONTENTS_001 to CONTENTS_004 are the details of the security event, and LINKED_LOGTYPE is defined as the target event log for linkage analysis, namely the event log in which security events at or above a predetermined threshold occur during a predetermined time before and after the single event's occurrence time.

If the risk flag in the event log to be detected is 1, the linkage analysis unit 108 extracts the SRC from the event log and performs linkage analysis on the event logs defined in LINKED_LOGTYPE using an OR operation on SRC and DST. If the risk flag is 2, the DST is extracted from the event log and the event logs defined in LINKED_LOGTYPE are subjected to an OR operation on SRC and DST. If the risk flag is 3, both SRC and DST are extracted from the event log, the event logs defined in LINKED_LOGTYPE are subjected to an AND operation on SRC and DST, and linkage analysis is carried out on the result.

The single event detection unit 106 combines content-based detection, in which a keyword referenced from the event detection rule DB 112 is pattern-matched against CONTENTS_001 to CONTENTS_004 of the normalized event log through a combination of AND, OR and NOT operators, with host-based detection, in which a keyword referenced from the event detection rule DB 112 is pattern-matched against HOST, SRC and DST through a combination of AND, OR and NOT operators.

According to the present invention, a security breach applied to various types of local terminals can be recorded as a normalized event log and analyzed in an integrated manner. By classifying and analyzing the event logs associated with specific information, the security breach, its threats and the like can be grasped.

In addition, it is possible to easily identify the security breach attempt process by sorting the event occurrence order by time zone, thereby minimizing human, time, and material resources required for event analysis.

FIG. 1 is a block diagram illustrating a system for analyzing the overall network risk according to the prior art.
FIG. 2 is a block diagram illustrating the structure and connection state of a security intrusion analysis system according to an embodiment of the present invention.
FIG. 3 is a flowchart illustrating the process of a security intrusion analysis method using the analysis system of the present invention.
FIG. 4 is a table showing an example of a detection rule included in the event detection rule DB.
FIGS. 5A and 5B are tables showing the results of linkage analysis for event logs.

Hereinafter, a security infringement analysis system and analysis method using security event log analysis according to an embodiment of the present invention will be described with reference to the drawings.

FIG. 2 is a block diagram illustrating a structure and a connection state of a security intrusion analysis system according to an embodiment of the present invention.

The security breach analysis system 100 (hereinafter referred to as the "analysis system") of the present invention collects and analyzes security violation events occurring on a local terminal 200 connected at a remote location through the network, and provides the result to the administrator terminal 300 so that the risk factors can be removed. In some cases, security events occurring on devices that are not network-connected may also be collected and analyzed; since such events cannot be collected in real time, their event logs can be input and analyzed at regular intervals or when special events occur.

The local log collection unit 202 installed in the local terminal 200 monitors the various types of security events generated on the local terminal 200 and collects the security-related event log. The local log collecting unit 202 transmits the event log collected from the local terminal 200 to the analysis system 100.

The analysis system 100 includes an integrated log collection unit 102, a log normalization unit 104, a single event detection unit 106, a linkage analysis unit 108, a risk measurement unit 110, an event detection rule DB 112, and an integrated log DB 114.

The integrated log collection unit 102 receives the event log transmitted from the local log collection unit 202 and stores the received event log in the integrated log DB 114.

The log normalization unit 104 normalizes the various types of event logs stored in the analysis system 100 and stores them in the integrated log DB 114 in the form of JSON files. It converts the various log formats into a text (txt) log format and normalizes them into the JavaScript Object Notation (JSON) file format. JSON is an open standard format that uses human-readable text to convey data objects consisting of attribute-value pairs. For asynchronous browser/server communication (AJAX) it is widely used as the main data format replacing XML. There is no particular restriction on the type of data that can be represented in a JSON file, and it is particularly suited to expressing the value of a variable in a computer program.

In the present invention, normalizing the event log in JSON form is convenient for recording in the NoSQL-based integrated log DB 114.

The attributes of the event log that are normalized and stored by the log normalization unit 104 of the present invention represent time information, a detection sensor, a source and destination information, a content to be transmitted and received, a target of a linkage analysis security event, and the like.
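The normalization step described above, as an added example that is not code from the patent or its applicant: two constructed raw formats (a pipe-separated IDS export and an sshd authentication line, both assumed here) are mapped onto the ten fields TIME, TYPE, HOST, SRC, DST, CONTENTS_001 to CONTENTS_004 and LINKED_LOGTYPE named in the description, with TIME as unix time, and then serialized as JSON. The host-to-address table, the year supplied for the syslog line, and the IP addresses are assumptions of the example.

```python
import json
import re
from datetime import datetime, timezone

# Field order of the normalized event log, exactly as the patent text lists it.
NORMALIZED_FIELDS = (
    "TIME", "TYPE", "HOST", "SRC", "DST",
    "CONTENTS_001", "CONTENTS_002", "CONTENTS_003", "CONTENTS_004",
    "LINKED_LOGTYPE",
)

# Constructed sensor inventory (assumption): host name -> IPv4 address of the monitored system.
# Used to fill DST for host-local logs (sshd) that do not carry the target IP themselves.
HOST_ADDRESSES = {"web01": "198.51.100.7"}

# Two constructed raw formats (assumed for this example, not formats from the patent):
#   IDS export: <ISO-8601 UTC time>|<sensor>|<signature>|<src ip>|<dst ip>|<payload>
#   sshd line:  <Mon> <day> <HH:MM:SS> <host> sshd[<pid>]: <Failed|Accepted> password for <user> from <ip> port <n> ssh2
IDS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\|(?P<sensor>[^|]+)\|(?P<sig>[^|]+)\|"
    r"(?P<src>[\d.]+)\|(?P<dst>[\d.]+)\|(?P<payload>.*)$"
)
SSH_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def _unix(dt):
    """Naive UTC datetime -> integer unix time, the TIME representation the patent specifies."""
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def _record(time_unix, logtype, host, src, dst, *contents):
    """Build a record with every normalized field present; CONTENTS_00x are padded with ''.
    LINKED_LOGTYPE starts empty and is filled later by the risk measurement step."""
    contents = list(contents)[:4] + [""] * (4 - min(len(contents), 4))
    values = [time_unix, logtype, host, src, dst, *contents, []]
    return dict(zip(NORMALIZED_FIELDS, values))


def normalize_ids_line(line):
    """IDS alert export line -> normalized record of TYPE 'detectionlogs'."""
    m = IDS_RE.match(line)
    if not m:
        raise ValueError("not an IDS export line: %r" % line)
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return _record(_unix(ts), "detectionlogs", m["sensor"], m["src"], m["dst"],
                   m["sig"], m["payload"])


def normalize_ssh_line(line, year):
    """sshd auth line -> normalized record of TYPE 'securelogs'.
    Syslog lines carry no year, so the caller supplies it (an assumption of this example)."""
    m = SSH_RE.match(line)
    if not m:
        raise ValueError("not an sshd auth line: %r" % line)
    ts = datetime.strptime("%d %s %s %s" % (year, m["mon"], m["day"], m["hms"]),
                           "%Y %b %d %H:%M:%S")
    host = m["host"]
    dst = HOST_ADDRESSES.get(host, host)  # fall back to the host name when no address is known
    return _record(_unix(ts), "securelogs", host, m["src"], dst,
                   "%s password" % m["result"], m["user"])


def to_json(record):
    """Serialize for the NoSQL-backed integrated log DB; the field order is preserved."""
    return json.dumps(record)


# Constructed sample input (not taken from the patent's figures).
SAMPLE_IDS = "2015-10-01T11:10:24Z|ids-sensor-01|SQL Injection|203.0.113.5|198.51.100.7|GET /login?id=1' OR '1'='1"
SAMPLE_SSH = "Oct  1 11:11:26 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51022 ssh2"

if __name__ == "__main__":
    for rec in (normalize_ids_line(SAMPLE_IDS), normalize_ssh_line(SAMPLE_SSH, 2015)):
        print(to_json(rec))
```

Both records come out with the same ten keys in the same order, which is what lets the later detection and linkage steps treat a firewall alert and an SSH failure uniformly.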

The single event detection unit 106 scans the normalized JSON file with reference to the detection rule stored in the event detection rule DB 112 and analyzes the result of the scan to determine true / false. If the result of the analysis is true, the single event detection unit 106 processes the event log JSON file and sends a warning alarm to the administrator. In the present invention, the fact that the scan result is true means that the event log to be detected includes an event log having a possibility of security breach.

The linkage analysis unit 108 refers to the risk flag attribute of the security event in which the result of the single event detection unit 106 is true, and performs linkage analysis on an event requiring linkage analysis. Linkage analysis refers to an analysis that makes it possible to clearly observe a number of events by analyzing and sorting the association of event logs based on a specific field among the fields included in the security event log.

In the present invention, when the single event detection result is true, the risk flag (FLAG) of the event detection rule is checked to determine whether linkage analysis should be performed. The risk flag is determined by referring to the information protection guidelines set by the administrator, the experience of information protection activities, Common Vulnerabilities and Exposures (CVE), and the like. According to the risk flag, the linkage analysis unit 108 correlates a plurality of event logs, analyzes the results, and sorts them.

The risk measurement unit 110 refers to a specific column (risk flag column) in the event detection rule DB 112 to determine a joint log type of a single event.

The event detection rule DB 112 stores a detection rule for the event log. The detection rules are determined and registered by the analysis system 100 or the administrator of the security service, and are a criterion for selecting an event log to be subjected to a single analysis or linkage analysis by the analysis system 100.

FIG. 4 is a table showing an example of a detection rule included in the event detection rule DB. The meaning of each data field included in the detection rule is shown in Table 1 below.

Table 1. Event detection rule DB columns

Column          Definition
logType         Security event to be detected
keyword         String keywords used for single security event detection
history         History of the detection rule recorded by the security administrator
registertime    Date of creation of the detection rule
supervisionid   Unique value of the security manager/system that registered the detection rule
cnt             Index number of the detection rule
flag            Risk flag

"logType" is the type of security event to be detected in the present invention, and includes: network packet event logs (syslogs); firewall policy event logs (iptableslogs); intrusion detection/prevention system event logs (detectionlogs); infectedlogs; router/switch network event logs (networklogs); Linux SSH (secure shell) event logs (securelogs); web firewall event logs (waflogs); Linux system command execution event logs (cmdlogs); malwarelogs; virtual private network (VPN) event logs (vpnlogs); Windows remote terminal event logs; file system monitor event logs (filemonlogs); Windows registry event logs (regmonlogs); httpdlogs; information system domain query event logs (dnslogs); web access event logs (accesslogs); database event logs (Dblogs); system security patch event logs (patchlogs); system account event logs (userlogs); system network event logs (netstatelogs); and rootkit event logs (rootkitlogs).

Each security event is recorded in a form dependent on the local terminal configuration environment such as a log file, a DB, a network Pcap (packet capture) file format, and the like.

The "history" records definitions and characteristics of detection rules, and is used as a column for managing the history of registration, modification, deletion, etc. of detection rules by the analysis system 100 or the security administrator.

"registertime" records the generation time of the detection rule, and defines the date and time when the detection rule is registered / created.

"supervisionid" is a unique value of the security manager or system that registered the detection rule, and it means the ID of the security manager.

"cnt" records the index number of the detection rule; an index number that increases sequentially is generated each time the security manager or the system registers/creates a detection rule.

"flag" records the risk flag. The risk flag is determined by substituting the risk for the detection rule (CVE, information protection guideline, risk assessment based on information protection organization experience) into the risk flag measurement calculation formula.

When the risk flag is 0, the single event detection unit 106 performs a single event analysis on one event log. When the risk flag is 1, 2 or 3, the linkage analysis unit 108 performs analysis by linking a plurality of event logs: when the flag is 1, linkage analysis is based on SRC (origin IP); when it is 2, on DST (destination IP); and when it is 3, on both SRC and DST, as described later.

In the integrated log DB 114, an event log collected from the local terminal 200 and a normalization event log converted into a JSON file by the log normalization unit 104 are stored.

We will explain in detail how to analyze security breach using the above configuration.

FIG. 3 is a flowchart illustrating a process of a security invasion analysis method using the analysis system of the present invention.

First, the local terminal 200 collects various types of security events and records them in an event log. The integrated log collection unit 102 receives the event logs from the local terminal 200 and stores them in the integrated log DB 114 (S102).

The security event list collected by the local terminal 200 is the same as the event list described under "logType".

The log normalization unit 104 normalizes the security event log stored in the integrated log DB 114 by the integrated log collecting unit 102 and stores the result in the integrated log DB 114 (S104).

The normalization of the event log is intended to allow the administrator to quickly grasp the contents of the security event by displaying data fields having common attributes in the event log recorded in different forms.

In the event log normalization of the present invention, the data included in the event log is sorted into the fields TIME, TYPE, HOST, SRC, DST, CONTENTS_001, CONTENTS_002, CONTENTS_003, CONTENTS_004 and LINKED_LOGTYPE.

The information represented by each field is shown in Table 2 below.

Table 2. Normalized event log fields

Field                        Definition
TIME                         Security event detection time
TYPE                         Type of security event
HOST                         IP address or host name of the sensor from which the security event was detected
SRC                          IP of the origin of the security event
DST                          IP of the destination of the security event
CONTENTS_001 ~ CONTENTS_004  Details of the security event
LINKED_LOGTYPE               Security event linkage analysis target

The TIME field records the time of the detection of the security event in unixtimestamp format.

The HOST field records the IP address or host name of the IPv4-based detection sensor; where a host name is used, one that can be resolved through DNS is chosen.

The SRC and DST fields likewise record IPv4-based addresses.

In the CONTENTS field, details recorded at the time of event log creation are described, and specific contents of the event log-related keywords may be included.

The LINKED_LOGTYPE field defines the target of the various event logs for which the event log will perform linkage analysis. The target of the linkage analysis is the event log in which the security event occurs over a predetermined threshold value for a certain time before or after the occurrence time of a specific single event.

For example, if a single security event occurred at 1 PM on November 2, 2015 and a single analysis is to be performed on it, other event logs with more than 10 security events in the hour on either side of 1 PM can be linked and analyzed. That is, the event log types in which a security event occurred more than 10 times during the two hours from 12:00 PM to 2:00 PM are selected.

The criterion such as the time of the reference time, the length of the time before and after the event, the threshold value of the abnormal event, and the like can be appropriately selected by the security administrator or the system.
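The LINKED_LOGTYPE selection described above, as an added example that is not code from the patent or its applicant: the single event, a window of one hour on either side of it, and a threshold of 10 follow the description's example, while the sample records, the UTC interpretation of the times, and the decision to skip the single event's own log type are assumptions of the example. The example also shows how shrinking the window or lowering the threshold changes the result.

```python
from collections import Counter
from datetime import datetime, timezone


def unix(year, month, day, hour, minute=0, second=0):
    """Integer unix timestamp for a UTC wall-clock time (UTC is assumed throughout)."""
    return int(datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc).timestamp())


def count_types_in_window(single_event, logs, half_window):
    """Count normalized logs per TYPE whose TIME lies within +/- half_window seconds
    of the single event's TIME (window edges inclusive)."""
    lo = single_event["TIME"] - half_window
    hi = single_event["TIME"] + half_window
    return Counter(log["TYPE"] for log in logs if lo <= log["TIME"] <= hi)


def select_linked_logtypes(single_event, logs, half_window=3600, threshold=10):
    """Return, sorted, the log types that occur more than `threshold` times in the window.
    The description's worked example says 'more than 10 times', so the comparison is strict;
    window length and threshold are administrator-chosen parameters. The single event's own
    type is skipped because the text links the event with *other* event logs (an
    interpretation made by this example)."""
    counts = count_types_in_window(single_event, logs, half_window)
    return sorted(
        logtype for logtype, n in counts.items()
        if n > threshold and logtype != single_event["TYPE"]
    )


def assign_linked_logtype(single_event, logs, half_window=3600, threshold=10):
    """Fill the LINKED_LOGTYPE field of the single event record and return the record."""
    single_event["LINKED_LOGTYPE"] = select_linked_logtypes(single_event, logs, half_window, threshold)
    return single_event


# Constructed sample data around the description's example: a single event at 13:00 on
# 2 November 2015, a +/- 1 hour window, and a threshold of 10. Only TIME and TYPE matter here;
# the addresses are documentation-range placeholders.
NOON = unix(2015, 11, 2, 12, 0)

SINGLE_EVENT = {"TIME": unix(2015, 11, 2, 13, 0), "TYPE": "detectionlogs",
                "SRC": "203.0.113.5", "DST": "198.51.100.7", "LINKED_LOGTYPE": []}

SAMPLE_LOGS = (
    [{"TIME": NOON + 300 * k, "TYPE": "securelogs"} for k in range(1, 13)]          # 12:05 .. 13:00, 12 events
    + [{"TIME": NOON + 1800 + 600 * k, "TYPE": "waflogs"} for k in range(3)]        # 12:30, 12:40, 12:50
    + [{"TIME": NOON - 7200 + 60 * k, "TYPE": "securelogs"} for k in range(20)]     # 10:00 .. 10:19, outside window
    + [{"TIME": NOON + 1200 + 60 * k, "TYPE": "detectionlogs"} for k in range(11)]  # own type, never linked
)

if __name__ == "__main__":
    print(count_types_in_window(SINGLE_EVENT, SAMPLE_LOGS, 3600))
    print(assign_linked_logtype(dict(SINGLE_EVENT), SAMPLE_LOGS)["LINKED_LOGTYPE"])
```

With the description's parameters only securelogs (12 events between 12:00 and 14:00) qualifies; the 20 earlier SSH failures fall outside the window and do not count, which is the point of tying the threshold to a window rather than to a whole day.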

The single event detection unit 106 extracts the event log stored in the form of a JSON file and detects a single event in the log file to analyze the risk (S106). To detect a security event, it first checks whether the detection rule defines the event as a single security event detection target. In the present invention, an individual security event is set as a detection target when the primary detection keyword stored in a detection rule occurs in it.

The single event detection unit 106 uses a combination of content based detection targeting CONTENTS_001, CONTENTS_002, CONTENTS_003, and CONTENTS_004 and host based detection targeting [HOST, SRC, DST] among security event details.

In the case of content-based detection, the patterns referenced in the event detection rule DB 112 are pattern-matched with CONTENTS_001 to CONTENTS_004 in which the detailed contents of the event log are recorded, and are detected through a combination of AND, OR, and NOT operators.

In the case of host-based detection, a keyword referred to in the event detection rule DB 112 is pattern-matched with respect to HOST, SRC, and DST in which the IP of the event log is recorded. The detection is performed through a combination of AND, OR, and NOT operators.
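Content-based and host-based single event detection with AND/OR/NOT keyword combinations, as an added example that is not code from the patent or its applicant: a small recursive-descent parser evaluates rule keywords (with parentheses and quoted phrases) against the CONTENTS_001 to CONTENTS_004 fields and, separately, against HOST/SRC/DST. The rule column "hostkeyword" used for the host-based expression, the sample rules, and the sample records are assumptions of the example; the other rule columns follow Table 1.

```python
import re

CONTENT_FIELDS = ("CONTENTS_001", "CONTENTS_002", "CONTENTS_003", "CONTENTS_004")
HOST_FIELDS = ("HOST", "SRC", "DST")

# Tokens: parentheses, double-quoted phrases, or bare words; AND/OR/NOT are operators.
TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')


class _Parser:
    """Recursive-descent parser for keyword expressions.
    Precedence from loosest to tightest: OR, AND, NOT; parentheses override."""

    def __init__(self, expr):
        self.toks = TOKEN_RE.findall(expr)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "OR":
            self.take()
            node = ("OR", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "AND":
            self.take()
            node = ("AND", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "NOT":
            self.take()
            return ("NOT", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok is None or tok in ("AND", "OR", "NOT", ")"):
            raise ValueError("expected keyword, got %r" % tok)
        return ("KW", tok.strip('"').lower())


def parse_keyword_expr(expr):
    return _Parser(expr).parse()


def evaluate(node, text):
    """Case-insensitive substring semantics: a keyword is true if it occurs in `text`."""
    op = node[0]
    if op == "KW":
        return node[1] in text
    if op == "NOT":
        return not evaluate(node[1], text)
    left, right = evaluate(node[1], text), evaluate(node[2], text)
    return (left and right) if op == "AND" else (left or right)


def _joined(record, fields):
    return " ".join(str(record.get(f, "")) for f in fields).lower()


def detect_single_events(record, rules):
    """Return the rules the record triggers. A rule applies to one logType; its 'keyword'
    is matched against CONTENTS_001..004 (content-based) and, when present, its
    'hostkeyword' (a column assumed for this example) against HOST/SRC/DST (host-based)."""
    hits = []
    for rule in rules:
        if rule["logType"] != record["TYPE"]:
            continue
        if not evaluate(parse_keyword_expr(rule["keyword"]), _joined(record, CONTENT_FIELDS)):
            continue
        host_expr = rule.get("hostkeyword")
        if host_expr and not evaluate(parse_keyword_expr(host_expr), _joined(record, HOST_FIELDS)):
            continue
        hits.append(rule)
    return hits


# Constructed detection rules (columns as in Table 1, plus the assumed 'hostkeyword').
RULES = [
    {"cnt": 1, "logType": "detectionlogs", "keyword": '"sql injection" OR sqlmap', "flag": 2},
    {"cnt": 2, "logType": "securelogs", "keyword": '"failed password" AND NOT "invalid user"', "flag": 1},
    {"cnt": 3, "logType": "cmdlogs", "keyword": "vim AND (passwd OR shadow)",
     "hostkeyword": "198.51.100.", "flag": 3},
]

# Constructed normalized records; addresses are documentation-range placeholders.
SAMPLE_RECORDS = [
    {"TIME": 1443697824, "TYPE": "detectionlogs", "HOST": "ids-sensor-01", "SRC": "203.0.113.5",
     "DST": "198.51.100.7", "CONTENTS_001": "SQL Injection detected", "CONTENTS_002": "GET /login?id=1' OR 1=1"},
    {"TIME": 1443697886, "TYPE": "securelogs", "HOST": "web01", "SRC": "203.0.113.5",
     "DST": "198.51.100.7", "CONTENTS_001": "Failed password for invalid user admin"},
    {"TIME": 1443698432, "TYPE": "cmdlogs", "HOST": "web01", "SRC": "203.0.113.5",
     "DST": "198.51.100.7", "CONTENTS_001": "vim /etc/passwd"},
    {"TIME": 1443698440, "TYPE": "cmdlogs", "HOST": "dev03", "SRC": "203.0.113.5",
     "DST": "192.0.2.9", "CONTENTS_001": "vim /etc/passwd"},
]
```

The fourth record has the same command text as the third but targets a host outside the 198.51.100.0/24 range named in the host-based keyword, so only the content-based half of rule 3 matches and the rule does not fire; this is the combination of content-based and host-based detection the description calls for.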

The single event detection unit 106 processes a single analysis result and transmits an alarm signal to an administrator responsible for information protection.

Next, the risk measurement unit 110 determines the linked log type (LINKED_LOGTYPE) for the security event log detected by the single event detection unit 106 by referring to the risk flag in the event detection rule DB 112 (S108).

The risk flag is determined when the information protection manager who performs information protection activities registers/creates a single event detection rule in the event detection rule DB 112. The risk flag is classified by referring to the organization's information protection guidelines, experience from information protection activities, and CVE (Common Vulnerabilities and Exposures).

In the case of CVE, the High/Medium/Low classes defined by CVSS (Common Vulnerability Scoring System) are referred to. For example, a CVSS class of High corresponds to 7 to 10 points, Medium to 4 to 6.9 points, and Low to 0 to 3.9 points. In some cases only two classes are distinguished: "Medium or above" and "below Medium".

In the case of the information protection guideline, the first grade is assigned as 'high', the second grade as 'medium', and the third grade as 'low'. In some cases the risk flag may be raised for grade 2 or higher.

The administrator of the information protection may determine the flag value by referring to the experience in the security issue / analysis of the information security organization.

The risk flag can thus be determined by referring to the CVE, the information protection guidelines, and the manager's experience; it can also be selected according to other criteria. In the analysis system 100 of the present invention, the risk measurement unit 110 determines the linked log type for the event log based on the event detection rule DB 112 registered according to these criteria. The linkage analysis unit 108 then decides on linkage analysis according to the determined linked log type and extracts the event logs to be linked by referring to the normalized column "LINKED_LOGTYPE" of the security event (S110).

The linkage analysis unit 108 performs linkage analysis on the event log according to the linked log type and transmits an alarm for the linked result to the administrator terminal 300 (S112).

When the risk flag for the event log to be detected is 0, no linkage analysis is performed.

When the risk flag is 1, the value of SRC (the originating IP of the security event) is extracted from the corresponding security event log, and linkage analysis is conducted using an OR operation on SRC and DST over the event logs defined in the "LINKED_LOGTYPE" column of the normalized data.

When the risk flag is 2, the value of DST (the destination IP of the security event) is extracted from the corresponding security event log, and linkage analysis is conducted using an OR operation on SRC and DST over the event logs defined in the "LINKED_LOGTYPE" column of the normalized data.

When the risk flag is 3, the SRC and DST values are extracted together from the corresponding security event log, and linkage analysis is performed using an AND operation on SRC and DST over the security events defined in the "LINKED_LOGTYPE" column of the normalized data.

The linkage analyzing unit 108 converts the linkage analysis result into a JSON file and stores the linkage analysis result in the integrated log DB 114.

FIGS. 5A and 5B are tables showing the result of linkage analysis for event logs.

Referring to FIGS. 5A and 5B, an intrusion detection/prevention system event log was detected for an event sent from the SRC (originating IP address) 125.141.XX.XX (tentative) to the DST (destination IP address) 218.15.XX.XX (tentative). Since the risk flag stored in the event detection rule DB 112 is determined to be 2, the DST is extracted from the normalized event log, and linkage analysis is performed by ORing the SRC and DST of the event logs defined in "LINKED_LOGTYPE".

Table 3 below describes the results of analysis of the security events in FIGS. 5A and 5B in time sequence.

| INDEX | TIMELINE | Security event log | Explanation of detection |
|---|---|---|---|
| 1 | October 01, 2015 11:10:24 AM | detectionLogs | SQL injection attack detected from 125.141.XX.XX against the 218.15.XX.XX system. Risk flag determined: value 2. Linkage analysis performed on the event logs declared in the normalized column LINKED_LOGTYPE. |
| 2 | October 01, 2015 11:10:26 AM | waflogs | SQL injection attack detected from 125.141.XX.XX against the 218.15.XX.XX system |
| 3 | October 01, 2015 11:11:26 AM | securelogs | SSH access attempt failure detected on the 218.15.XX.XX system from 125.141.XX.XX |
| 4 | October 01, 2015 11:11:27 AM | securelogs | SSH access attempt failure detected on the 218.15.XX.XX system from 125.141.XX.XX |
| 5 | October 01, 2015 11:11:29 AM | securelogs | SSH access attempt failure detected on the 218.15.XX.XX system from 125.141.XX.XX |
| 6 | October 01, 2015 11:11:29 AM | securelogs | SSH access attempt failure detected on the 218.15.XX.XX system from 125.141.XX.XX |
| 7 | October 01, 2015 11:11:31 AM | securelogs | SSH access attempt failure detected on the 218.15.XX.XX system from 125.141.XX.XX |
| 8 | October 01, 2015 11:11:33 AM | securelogs | SSH access success detected on the 218.15.XX.XX system from 125.141.XX.XX |
| 9 | October 01, 2015 11:20:32 AM | cmdlogs | User connected from 125.141.XX.XX to the 218.15.XX.XX system: file browsing detected via the vim /etc/passwd command |
| 10 | October 01, 2015 11:20:40 AM | cmdlogs | User connected from 125.141.XX.XX to the 218.15.XX.XX system: file browsing detected via the vim /etc/shadows command |
| 11 | October 01, 2015 11:20:55 AM | cmdlogs | User connected from 125.141.XX.XX to the 218.15.XX.XX system: file browsing detected via the vim /etc/hosts command |
| 12 | October 01, 2015 11:21:05 AM | cmdlogs | User connected from 125.141.XX.XX to the 218.15.XX.XX system: execution of the download command wget http://xxx.xx.xx/backdoor.php detected |
| 13 | October 01, 2015 11:21:06 AM | httpdlogs | On the 218.15.XX.XX system: security event detected for the download packet of the file http://xxx.xx.xx/backdoor.php |
| 14 | October 01, 2015 11:21:56 AM | cmdlogs | User connected from 125.141.XX.XX to the 218.15.XX.XX system: execution of mv backdoor.php /tmp/system.php detected |
| 15 | October 01, 2015 11:22:01 AM | cmdlogs | User connected from 125.141.XX.XX to the 218.15.XX.XX system: execution of chmod 777 /tmp/system.php; php /tmp/system.php detected |
| 16 | October 01, 2015 11:22:05 AM | dnslogs | On the 218.15.XX.XX system: domain query to a suspected malicious site detected |
| 17 | October 01, 2015 11:22:06 AM | dnslogs | On the 218.15.XX.XX system: domain query to a suspected malicious site detected |
| 18 | October 01, 2015 11:22:07 AM | dnslogs | On the 218.15.XX.XX system: domain query to a suspected malicious site detected |
| 19 | October 01, 2015 11:22:47 AM | infectedlogs | On the 218.15.XX.XX system: malware detected by the anti-virus (vaccine) program |
| 20 | October 01, 2015 11:24:01 AM | patchlogs | On the 218.15.XX.XX system: SSL vulnerability detected |
| 21 | October 01, 2015 11:24:12 AM | patchlogs | On the 218.15.XX.XX system: BASH SHELL vulnerability detected |

To summarize the 21 security events recorded in Table 3: an SQL injection attack attempt was detected in the intrusion detection/prevention system event log (detectionLogs). As a result of the linkage analysis according to the risk flag (2), it was possible to link the web firewall event log (waflogs), the Linux SSH event log (securelogs), the Linux system command execution event log (cmdlogs), the executable file download event log (httpdlogs), the system domain query event log (dnslogs), the malicious code infection event log (infectedlogs) and the system patch event log (patchlogs).

Therefore, linkage analysis makes it possible to quickly check the flow and location of a security violation that occurred at a specific IP, as well as the security threats (vulnerabilities) of a specific system.

If the risk flag of a specific security event log is 1, linkage analysis based on SRC can be performed and provided to the administrator. When the risk flag is 3, the linkage analysis is performed using both SRC and DST as a reference.

However, the selection criterion of the linkage analysis field according to the risk flag may vary depending on the characteristics of the system. That is, if the risk flag is 2, linkage analysis may be performed based on the SRC, and when the risk flag is 1, linkage analysis may be performed based on DST. In addition, a linkage analysis conditional expression may be set according to a new risk flag.
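As an added example that is not part of the patent, the following Python implements the flag-driven linkage analysis described above (pivot on SRC for flag 1, DST for flag 2, both for flag 3, with the mapping kept configurable as the preceding paragraph allows) and builds the kind of timeline Table 3 shows. The rule table, the time window, the sample events and the reading of the flag-3 AND match as "both addresses appear in the candidate log" are assumptions made here.

```python
"""Added example, not the patent's code: risk-flag-driven linkage analysis over
normalized event logs using the patent's column names (TIME, TYPE, HOST, SRC, DST,
CONTENTS_001, LINKED_LOGTYPE). Rule table, window and sample events are constructed."""
import json
from datetime import datetime, timedelta

# Pivot field(s) taken from the triggering event and the operator used to match them
# against the SRC/DST of candidate logs. Default from the patent: flag 1 -> SRC,
# flag 2 -> DST, flag 3 -> SRC and DST. A table, since the mapping may be swapped.
FLAG_RULES = {1: (("SRC",), "OR"), 2: (("DST",), "OR"), 3: (("SRC", "DST"), "AND")}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def linkage_analysis(trigger, events, risk_flag, window_seconds, rules=FLAG_RULES):
    """Return LINKED_LOGTYPE events within +/- window_seconds of the trigger whose
    SRC or DST carries the pivot address(es). Flag 0 (or unknown) links nothing."""
    if risk_flag not in rules:
        return []
    pivot_fields, op = rules[risk_flag]
    pivots = [trigger[f] for f in pivot_fields]
    linked_types = set(trigger["LINKED_LOGTYPE"])
    t0 = _ts(trigger["TIME"])
    lo, hi = t0 - timedelta(seconds=window_seconds), t0 + timedelta(seconds=window_seconds)
    linked = []
    for ev in events:
        if ev is trigger or ev["TYPE"] not in linked_types:
            continue
        if not lo <= _ts(ev["TIME"]) <= hi:
            continue
        # OR: the single pivot appears as either endpoint of the candidate log.
        # AND (assumed reading): both pivots appear, i.e. traffic between the two hosts.
        hits = [p in (ev["SRC"], ev["DST"]) for p in pivots]
        matched = any(hits) if op == "OR" else all(hits)
        if matched:
            linked.append(ev)
    return sorted(linked, key=lambda e: e["TIME"])

def linkage_result_json(trigger, linked):
    """Serialize trigger plus linked events in timeline order (as in Table 3) as the
    JSON document the patent stores in the integrated log DB."""
    rows = sorted([trigger] + linked, key=lambda e: e["TIME"])
    return json.dumps({"trigger": trigger["CONTENTS_001"],
                       "timeline": [{"TIME": e["TIME"], "TYPE": e["TYPE"],
                                     "DETAIL": e["CONTENTS_001"]} for e in rows]})

def _ev(time, typ, src, dst, detail, linked=()):
    return {"TIME": time, "TYPE": typ, "HOST": "sensor-01", "SRC": src, "DST": dst,
            "CONTENTS_001": detail, "LINKED_LOGTYPE": list(linked)}

ATTACKER, VICTIM = "125.141.XX.XX", "218.15.XX.XX"  # placeholders, as used in the patent
TRIGGER = _ev("2015-10-01 11:10:24", "detectionLogs", ATTACKER, VICTIM, "SQL injection",
              linked=("waflogs", "securelogs", "cmdlogs", "dnslogs", "patchlogs"))
SAMPLE_EVENTS = [  # constructed, modelled on Table 3
    TRIGGER,
    _ev("2015-10-01 11:10:26", "waflogs", ATTACKER, VICTIM, "SQL injection"),
    _ev("2015-10-01 11:11:33", "securelogs", ATTACKER, VICTIM, "SSH login success"),
    _ev("2015-10-01 11:20:32", "cmdlogs", ATTACKER, VICTIM, "vim /etc/passwd"),
    # the victim is the SRC of its own DNS query: only the DST pivot (flag 2) links it
    _ev("2015-10-01 11:22:05", "dnslogs", VICTIM, "198.51.100.53", "suspicious domain query"),
    _ev("2015-10-01 11:11:30", "securelogs", "10.0.0.5", "10.0.0.9", "SSH failure, unrelated host"),
    _ev("2015-10-01 14:24:12", "patchlogs", "10.0.0.7", VICTIM, "SSL vulnerability, outside window"),
]
```

Running `linkage_analysis(TRIGGER, SAMPLE_EVENTS, 2, 1800)` links the waflogs, securelogs, cmdlogs and dnslogs events, while flag 1 and flag 3 miss the dnslogs line because the victim host is its SRC, not its DST.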

The result of the linkage analysis is stored in the integrated log DB 114 (S114).

Therefore, starting from a single security event, a security intrusion can be detected easily from the linkage analysis result, which covers the initial intrusion detection, the cause of the infringement, the threat and the vulnerability, and the order in which the events occurred can be checked by arranging them on a timeline.

It can also reduce the human, material, and temporal resources required to analyze security breaches.

While the present invention has been described with reference to exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments but, on the contrary, may be modified in various ways, as will be understood by those skilled in the art. Therefore, the above-described embodiments are to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes and modifications derived from the equivalent concept are intended to be included within the scope of the present invention.

100: analysis system 102: integrated log collection unit
104: log normalization unit 106: single event detection unit
108: linkage analysis unit 110: risk measurement unit
112: event detection rule DB 114: integrated log DB
200: local terminal 202: local log collection unit
300: administrator terminal

Claims (8)

1. A security infringement analysis system through security event log analysis, for analyzing a security event occurring in a local terminal 200, comprising:
an integrated log collecting unit 102 for receiving the event log collected by the local log collecting unit 202 installed in the local terminal 200 and storing the received event log in the integrated log DB 114;
a log normalization unit 104 for normalizing the event log received by the integrated log collecting unit 102, converting it into a JSON (JavaScript Object Notation) file format, and storing the normalized event log in the integrated log DB 114;
a single event detection unit 106 for analyzing the normalized event log by referring to a detection rule stored in the event detection rule DB 112 and determining whether the event log includes an event record that may constitute a security breach;
a linkage analysis unit 108 for linking and analyzing a plurality of event logs when the risk flag assigned to an event log detected by the single event detection unit 106 has a predetermined value; and
a risk measurement unit 110 for determining the linkage log type of the detected event log by referring to the risk flag column of the detection rule stored in the event detection rule DB 112.
2. The system according to claim 1,
wherein the normalized event log is composed of the fields "TIME, TYPE, HOST, SRC, DST, CONTENTS_001, CONTENTS_002, CONTENTS_003, CONTENTS_004, LINKED_LOGTYPE",
where TIME is the occurrence time of the security event, TYPE is the type of security event, HOST is the IP address or host name of the sensor that detected the security event, SRC is the source IP of the security event, DST is the destination IP of the security event, CONTENTS_001 to CONTENTS_004 are the detailed contents of the security event, and LINKED_LOGTYPE defines the target event logs for linkage analysis, namely the event logs recorded within a predetermined time before and after the occurrence time of the single event.
3. The system according to claim 2,
wherein the linkage analysis unit 108:
when the risk flag included in the detected event log is 1, extracts the SRC from the event log and performs linkage analysis by an OR operation on the SRC and DST of the event logs defined in "LINKED_LOGTYPE";
when the risk flag included in the detected event log is 2, extracts the DST from the event log and performs linkage analysis by an OR operation on the SRC and DST of the event logs defined in "LINKED_LOGTYPE"; and
when the risk flag included in the detected event log is 3, extracts both the SRC and DST from the event log and performs linkage analysis by an AND operation on the SRC and DST of the event logs defined in "LINKED_LOGTYPE".
4. The system according to claim 2,
wherein the single event detection unit 106 detects a single event among the data included in the normalized event log by:
content-based detection, in which keywords referenced in the event detection rule DB 112 are pattern-matched against CONTENTS_001 through CONTENTS_004 using a combination of AND, OR and NOT operators; and
detection based on the HOST, SRC and DST fields, in which a keyword referred to in the event detection rule DB 112 is pattern-matched against those fields using a combination of AND, OR and NOT operators.
5. A security infringement analysis method through security event log analysis, using the security infringement analysis system according to any one of claims 1 to 4, comprising:
a first step in which, when the local log collection unit 202 installed in the local terminal 200 collects and transmits an event log, the integrated log collection unit 102 receives the event log and stores it in the integrated log DB 114;
a second step in which the log normalization unit 104 normalizes the event log received by the integrated log collecting unit 102, converts it into a JSON (JavaScript Object Notation) file, and stores the normalized event log in the integrated log DB 114;
a third step in which the single event detection unit 106 analyzes the normalized event log by referring to the detection rule stored in the event detection rule DB 112 and determines whether the event log includes an event record that may constitute a security breach;
a fourth step in which the risk measurement unit 110 determines the linkage log type of the detected event log by referring to the risk flag column of the detection rule stored in the event detection rule DB 112; and
a fifth step of linking and analyzing a plurality of event logs when the risk flag of the event log detected by the single event detection unit 106 has a predetermined value.
6. The method according to claim 5,
wherein the normalized event log is composed of the fields "TIME, TYPE, HOST, SRC, DST, CONTENTS_001, CONTENTS_002, CONTENTS_003, CONTENTS_004, LINKED_LOGTYPE",
where TIME is the occurrence time of the security event, TYPE is the type of security event, HOST is the IP address or host name of the sensor that detected the security event, SRC is the source IP of the security event, DST is the destination IP of the security event, CONTENTS_001 to CONTENTS_004 are the detailed contents of the security event, and LINKED_LOGTYPE defines the target event logs for linkage analysis, namely the event logs recorded within a predetermined time before and after the occurrence time of the single event.
7. The method according to claim 6,
wherein the linkage analysis unit 108:
when the risk flag included in the detected event log is 1, extracts the SRC from the event log and performs linkage analysis by an OR operation on the SRC and DST of the event logs defined in "LINKED_LOGTYPE";
when the risk flag included in the detected event log is 2, extracts the DST from the event log and performs linkage analysis by an OR operation on the SRC and DST of the event logs defined in "LINKED_LOGTYPE"; and
when the risk flag included in the detected event log is 3, extracts both the SRC and DST from the event log and performs linkage analysis by an AND operation on the SRC and DST of the event logs defined in "LINKED_LOGTYPE".
8. The method according to claim 6,
wherein the single event detection unit 106 detects a single event among the data included in the normalized event log by:
content-based detection, in which keywords referenced in the event detection rule DB 112 are pattern-matched against CONTENTS_001 through CONTENTS_004 using a combination of AND, OR and NOT operators; and
detection based on the HOST, SRC and DST fields, in which a keyword referred to in the event detection rule DB 112 is pattern-matched against those fields using a combination of AND, OR and NOT operators.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150161973A KR101788410B1 (en) 2015-11-18 2015-11-18 An analysis system of security breach with analyzing a security event log and an analysis method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150161973A KR101788410B1 (en) 2015-11-18 2015-11-18 An analysis system of security breach with analyzing a security event log and an analysis method thereof

Publications (2)

Publication Number Publication Date
KR20170058140A true KR20170058140A (en) 2017-05-26
KR101788410B1 KR101788410B1 (en) 2017-10-19

Family

ID=59052141

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150161973A KR101788410B1 (en) 2015-11-18 2015-11-18 An analysis system of security breach with analyzing a security event log and an analysis method thereof

Country Status (1)

Country Link
KR (1) KR101788410B1 (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102038926B1 (en) * 2018-11-17 2019-11-15 한국과학기술정보연구원 Aggressor selecting device and control method thereof
KR102215228B1 (en) 2020-04-13 2021-02-10 서울과학기술대학교 산학협력단 Detection and Elimination System and Method of Redundant Access Patterns in Programs by Analyzing Log Data
KR102158784B1 (en) * 2020-05-14 2020-09-22 주식회사 쿼리시스템즈 System for automatically blocking security threats that interoperate with heterogeneous security devices
CN113592690A (en) * 2021-07-30 2021-11-02 卡斯柯信号有限公司 Database model-based hazard management method
CN113592690B (en) * 2021-07-30 2024-03-29 卡斯柯信号有限公司 Hazard management method based on database model
KR102426889B1 (en) * 2022-01-05 2022-07-29 주식회사 이글루코퍼레이션 Apparatus, method and program for analyzing and processing data by log type for large-capacity event log
KR20230106083A (en) * 2022-01-05 2023-07-12 주식회사 이글루코퍼레이션 Device, method and program that analyzes large log data using a distributed method for each log type
CN114826727A (en) * 2022-04-22 2022-07-29 南方电网数字电网研究院有限公司 Flow data acquisition method and device, computer equipment and storage medium
CN114826727B (en) * 2022-04-22 2024-05-07 南方电网数字电网研究院有限公司 Flow data acquisition method, device, computer equipment and storage medium
CN116232751A (en) * 2023-03-16 2023-06-06 中国华能集团有限公司北京招标分公司 Safety alarm analysis method

Also Published As

Publication number Publication date
KR101788410B1 (en) 2017-10-19

Similar Documents

Publication Publication Date Title
KR101788410B1 (en) An analysis system of security breach with analyzing a security event log and an analysis method thereof
JP6863969B2 (en) Detecting security incidents with unreliable security events
EP2953298B1 (en) Log analysis device, information processing method and program
KR101689298B1 (en) Automated verification method of security event and automated verification apparatus of security event
CN111800395A (en) Threat information defense method and system
CN107295021B (en) Security detection method and system of host based on centralized management
CN107612924A (en) Attacker's localization method and device based on wireless network invasion
US20030083847A1 (en) User interface for presenting data for an intrusion protection system
CN107733699B (en) Internet asset security management method, system, device and readable storage medium
CN110868403B (en) Method and equipment for identifying advanced persistent Attack (APT)
CN114640548A (en) Network security sensing and early warning method and system based on big data
EP3623983A1 (en) Method and device for identifying security threats, storage medium, processor and terminal
WO2016121348A1 (en) Anti-malware device, anti-malware system, anti-malware method, and recording medium in which anti-malware program is stored
CN107465702A (en) Method for early warning and device based on wireless network invasion
CN107566401A (en) The means of defence and device of virtualized environment
KR101768079B1 (en) System and method for improvement invasion detection
CN113660115A (en) Network security data processing method, device and system based on alarm
KR20070072835A (en) Web hacking responses through real time web log collection
CN107509200A (en) Equipment localization method and device based on wireless network invasion
CN113055362B (en) Method, device, equipment and storage medium for preventing abnormal behaviors
CN114189361A (en) Situation awareness method, device and system for defending threats
KR101767591B1 (en) System and method for improvement invasion detection
Lee et al. Sierra: Ranking anomalous activities in enterprise networks
KR101712462B1 (en) System for monitoring dangerous ip
KR101518233B1 (en) Security Apparatus for Threats Detection in the Enterprise Internal Computation Environment

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E701 Decision to grant or registration of patent right