KR20180079049A - Detection system of cyber information leaking action - Google Patents

Abstract

The present invention relates to a system which defines a behavior model for extracting acts which an insider leaks inside information to the outside in a cyber network environment, and extracts leaking acts, and particularly, to a system implementing method which identifies and defines acts leaking inside information to the outside in a cyber environment, and, through a meaning-based behavior modelling which a system and a human can understand, finally analyzes meanings of data packets, and based on the same, extracts a data packet leaking inside information to the outside to prevent inside information from being leaked to the outside in a cyber environment. The system comprises: a data management module which collects data on a network, and, based on a pre-defined behavior model and a risk standard defined in each behavior model, defines the collected data and individual information leakage act; an ontology management module which generates an ontology model based on the data defined as the individual information leakage act, and extracts data corresponding to the individual leakage act among the collected data on the network based on the generated ontology model.

Description

DETECTION SYSTEM OF CYBER INFORMATION LEAKING ACTION [0002]

The present invention relates to a system for extracting an action model definition and an action for extracting an action of an insider leaking internal information in the cyber network environment, and more particularly, And semantic-based behavior modeling that can be understood by the system and people. Finally, the semantics of the data packet is analyzed and the data packet in which the internal information is leaked out is extracted based on the semantic-based behavior modeling. To the outside of the apparatus.

In recent cyber environment, criminal activities that leak internal information to the outside frequently occur. The leakage and intrusion crime related to the protection of information about cyber environment is a method of accessing a specific system or a server in an existing organized group to disclose information to a member in the company or an organization, The scope of this is gradually expanding to the outside. In addition, the range of information that is leaked is also becoming diverse, including confidential information, sensitive information, and personal information.

In particular, unlike existing organized cybercrime activities, the act of outsourcing internal information within a company or organization can not predict the method, period, etc., and the timing of resolution depends on the individual's motivation. In order to prevent, prevention and prediction are very important.

In order to prevent or predict the outflow of internal information within a company or organization, it is necessary to observe a series of actions of the user. Conventionally, a general observation method for identifying an activity of leakage of internal information in the cyber environment is to collect all the data generated in the cyber environment in units of real time or specific period, analyze the data, It is judged whether or not it occurs. However, in the cyber environment, it is impossible to identify specific information leakage activity through observation because a large amount of data is generated due to various actions (work, search, leisure, etc.) performed using the Internet or a network.

An object of the present invention is to prevent or prevent internal information from being leaked to the outside in the cyber environment.

It is another object of the present invention to provide a system for extracting a cyber information leakage behavior based on data collected in a cyber environment.

The present invention relates to a data management module for collecting data on a network and defining the individual information leakage behavior based on the predefined behavior model and the risk level defined in each behavior model, And an ontology management module for generating an ontology model based on the defined data and extracting data corresponding to the individual outflow behavior among the data collected on the network based on the generated ontology model.

In one embodiment, the data management module includes a behavior definition component that defines an individual information outflow behavior, a data collection component that collects data generated on the network, and an action model file load that loads data collected on the network into the behavior definition component. And a component (106).

In one embodiment, the predefined behavioral model includes a host, a destination IP, a protocol type, a transmission type, a file type, a file name, a URL, an HTTP type, a message, An address, and an attached file.

In one embodiment, the ontology management module includes an ontology generation component that generates a semantic-based ontology model based on the individual information outflow behavior defined from the behavior definition component, And a semantic analysis component for analyzing the extracted data from the semantic-based behavior search component based on the semantic relationship model.

In one embodiment, the cyber information leakage behavior extracting system further includes an ontology database stored by the ontology model and the ontology graph.

In one embodiment, the ontology management module analyzes the relationship between ontology data and the extracted data existing in the ontology database, and based on the analysis result, determines whether the extracted data corresponds to an individual information outflow behavior .

In the present invention, an insider existing in a company or an organization in the cyber environment analyzes the meaning contained in the data based on the data generated and collected by the internal leakage of confidential information, sensitive information, personal information, , It is possible to easily and efficiently identify the behavior of the internal information leaked to the outside.

In addition, the present invention allows a user (or a manager) of a corresponding system to define information on an action and a data structure in accordance with the characteristics of the environment to which the user belongs, thereby generating an action model that can be operated in accordance with a specific organization .

1 is a block diagram showing a configuration of a system for extracting a cyber information leakage action according to the present invention.
FIG. 2 is a diagram illustrating an outflow result in operation of the cyber information leakage activity extracting system according to the present invention. FIG.
FIG. 3 is a diagram illustrating an example of a data format of a user in the cyber information leakage activity extraction system according to the present invention.
4 is a diagram showing an ontology model for discriminating individual information leakage behavior.
5 is a representation of the relationship between individual objects processed through an ontology model on data collected on a network.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings, wherein like reference numerals are used to designate identical or similar elements, and redundant description thereof will be omitted. The suffix "module" and " part "for the components used in the following description are given or mixed in consideration of ease of specification, and do not have their own meaning or role. In the following description of the embodiments of the present invention, a detailed description of related arts will be omitted when it is determined that the gist of the embodiments disclosed herein may be blurred. It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory and are intended to provide further explanation of the invention as claimed. , ≪ / RTI > equivalents, and alternatives.

Terms including ordinals, such as first, second, etc., may be used to describe various elements, but the elements are not limited to these terms. The terms are used only for the purpose of distinguishing one component from another.

It is to be understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, . On the other hand, when an element is referred to as being "directly connected" or "directly connected" to another element, it should be understood that there are no other elements in between.

The singular expressions include plural expressions unless the context clearly dictates otherwise.

In the present application, the terms "comprises", "having", and the like are used to specify that a feature, a number, a step, an operation, an element, a component, But do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, or combinations thereof.

The present invention uses an ontology as a means for previously identifying and defining an individual information leakage operation that causes internal information to leak to the outside. The ontology is a kind of dictionary composed of relations between words and words. It is a web-based knowledge processing and sharing model in which words are hierarchically represented and inference rules are included so that additional words can be extended.

Hereinafter, a method for detecting an activity of leakage of internal information in the cyber information leakage activity extraction system using the ontology according to the present invention will be described.

Referring to FIG. 1, the system 100 for extracting cyber information leakage behavior according to the present embodiment may be implemented by a computing device including a notebook computer, a server, and the like.

The cyber information leakage operation system 100 includes a data management module 101 for managing individual leakage information defined by a user (or a manager) and data collected in a cyber environment, An ontology management module 102 for creating and / or managing an ontology-based behavior model based on the collected data, and an ontology database 103 for storing ontology data related to an ontology-based behavior model . Here, a user or an administrator refers to a person who uses the cyber information leakage behavior system 100 to prevent information leakage.

The data management module 101 may be configured to integrally manage all the data of the cyber information leakage activity system 100.

1, the data management module 101 includes an action definition component 104 that defines an individual information outflow behavior, a data collection component 105 that collects data generated in the cyber environment, an action model And a file load component 106.

The behavior defining component 104 analyzes the data and uses the analysis results to define the individual information outflow behavior. Here, the data is network packet data that occurs when any member on the network uses the Internet or performs document downloading or uploading using the local network.

A user who uses the cyber information leakage behavior system according to the present invention defines a behavior model for leakage of internal information in the cyber environment and a risk level for each activity in order to define individual information leakage behavior using the ontology. The behavior model is a cyber behavior of any member who is at risk of leakage of internal information, and typically includes a printer action, a search action, and an access action. The risk level is an indicator of the risk of leakage of internal information for each action. It can be defined as an avoidance indicating the degree of risk, a suspicion indicating the degree of intermediate risk, and an anomaly indicating the degree of the highest risk.

Meanwhile, in the present invention, the data on the behavior model and the risk level can be defined in an accelerated format. More specifically, the user can define the behavior model in advance and set the risk level for each behavior model using the accelerator format. However, the present invention is not limited to this, and various data formats other than the accelerator format may be used. However, for the sake of convenience, the accelerator format will be described with reference to the accelerator format.

For example, referring to FIG. 3, data defined in the Excel format includes a host, a destination IP, a protocol type, a transmission type, a file type, a file name, a URL, an HTTP type, A recipient email address, and an attachment item may be included. The items included in the data defined in the Excel format may be added or deleted according to the usage environment of the user (or the administrator).

The action definition component 104 analyzes the data defined in the Excel format based on a predetermined algorithm, and can predefine the individual information leakage behavior using the analysis result.

The data collection component 105 may collect data generated in an actual cyber environment based on the defined individual information leakage behavior. More specifically, the data collection component 105 can selectively collect data corresponding to the defined individual information outflow behavior among data generated in the cyber environment, based on the defined individual information outflow behavior.

The behavior model file load component 106 may load a specific file. That is, the behavior model file load component 106 may communicate data defined in the Excel format to the behavior definition component 104 such that the behavior definition component 104 defines an individual information outflow behavior. More specifically, the behavior model file load component 106 functions to load data defined in the Excel format from the cyber information leakage behavior extraction system 100.

The ontology management module 102 may be configured to receive the individual information outflow behavior from the data management module 101 and generate a semantic-based ontology model based on the received individual information outflow behavior.

1, the ontology management module 102 includes an ontology generation component 107 for generating a semantic-based ontology model based on the individual information outflow behavior defined from the behavior definition component 104, A semantic-based behavior retrieval component 108 for extracting data corresponding to an individual information outflow behavior among data collected by the semantic-based behavior retrieval component 105, and a semantic-based behavior retrieval component 108 for analyzing data extracted from the semantic- And a semantic analysis component 109 for the semantic analysis.

The ontology generation component 107 can generate an ontology model based on the ontology graph of the individual information outflow behavior defined in the behavior definition component 104. [ Here, the ontology graph is a predefined graph for detecting individual information leakage behavior. For example, as shown in FIG. 4, the ontology graph is a graph showing relationship information between data related to individual information outflow behavior and / or data related to individual information outflow behavior.

More specifically, the ontology generation component 107 generates individual objects corresponding to data generated on the network. Here, an individual object means data forming an ontology graph. The ontology generation component 170 may define an ontology graph based on the generated individual objects, and generate an ontology model using the defined ontology graph.

Referring to FIG. 4, an ontology model according to an embodiment of the present invention can be defined in advance as shown in FIG. More specifically, the present invention can classify data on the basis of properties, and generate relationship information between data and data according to these attributes. The method for generating such an ontology model is the prior art, and a detailed description thereof will be omitted herein.

Referring to FIG. 5, the ontology generation component 107 can generate relationship information between individual objects based on the defined ontology model, as shown in FIG.

Based on the ontology graph, the semantic-based behavior search component 108 extracts data corresponding to the individual information outflow among the data collected by the data collection component 105.

The semantic analysis component 109 analyzes the relationship between the ontology data existing in the ontology database 103 and the data extracted from the semantic-based behavior search component 108. More specifically, the semantic analysis component 109 compares the extracted data with the ontology model to determine whether the searched individual information leakage operation actually corresponds to an individual information leakage operation.

Referring to FIG. 2, the present invention can visually output the result interpreted by the semantic analysis component 109. For example, data determined as an individual information leakage operation may be output to a monitor provided in the computing apparatus. Accordingly, the user (or the manager) can intuitively confirm whether or not the individual information leakage occurred.

The ontology database 103 may store an ontology model and an ontology graph.

In the foregoing, a method of extracting the individual information leakage behavior in the cyber information leakage behavior extraction system 100 according to the present invention has been described. Through this, the user (or the manager) can confirm whether or not the internal information is leaked even if the user does not monitor all the people in real time. Therefore, the present invention can dramatically reduce the time and cost required for confirming the leakage of the internal information as well as preventing leakage of the internal information.

Claims (6)

A data management module for collecting data on the network and defining the collected data according to a predefined behavior model and a risk level defined in each behavior model;
An ontology management module for generating an ontology model based on the data defined as the individual information outflow behavior and extracting data corresponding to the individual outflow behavior among the data collected on the network based on the generated ontology model; Cyber information leakage behavior extraction system. The method according to claim 1,
The data management module
An action definition component that defines an individual information leakage behavior,
A data collection component for collecting data occurring on the network, and
And a behavior model file load component (106) for loading the collected data on the network into a behavior definition component. The method according to claim 1,
The predefined behavioral model
Data including at least one of Host, destination IP, protocol type, transmission type, file type, file name, URL, HTTP type, message, mail title, referent, blind carbon copy, recipient email address and attachment And the cyber information leakage behavior extracting system. The method according to claim 1,
The ontology management module
An ontology generation component that generates a semantic-based ontology model based on the individual information leakage behavior defined from the behavior definition component,
A semantic-based behavior retrieval component for extracting data corresponding to the individual information leakage behavior from the data collected by the data collection component, and
And a semantic analysis component for analyzing the data extracted from the semantic-based behavior search component based on a semantic relation model. The method according to claim 1,
The cyber information leakage activity extraction system
Further comprising an ontology database stored by the ontology model and the ontology graph. 6. The method of claim 5,
The ontology management module
Analyzing a relationship between ontology data existing in the ontology database and the extracted data,
And determining whether the extracted data corresponds to an individual information leakage operation based on the analysis result.

Images