KR20190134287A - security provenance providing system for providing of the root cause of security problems and the method thereof - Google Patents

Abstract

The present invention relates to a security source providing system for constructing an attack history graph for collecting forensic data in a dynamic network environment and delivering a cybercrime plan and a method thereof. According to the present invention, a security analysis platform that provides a network administrator with a clear view of attack information of an attack start point and attack procedures can be provided.

Description

Security provenance providing system for providing of the root cause of security problems and the method

The present invention relates to a system and method for providing a security source for providing a root cause of a security problem, and more particularly, to construct an attack history graph that collects forensic data in a dynamic network environment and delivers a cyber crime plan. It's about technology.

Modern enterprise networks include heterogeneous systems (eg, routers and hosts) for running various services of the web and email. This diversity and heterogeneity makes it very difficult for network administrators to track or monitor sophisticated attack attempts such as Advanced persistent threats (APTs), which employ multiple attack vectors.

In recent years, with the advent of major research innovations such as network virtualization and mobility management, enterprise networks are transitioning to the next generation. This shift has the advantage that corporate networks support a wider variety of complex services, such as e-commerce and e-voting, but with security side effects.

As heterogeneous systems and services are implemented, it becomes very difficult for network administrators to detect all security problems, because the structure and services of the network are more complex than ever before.

Representatively, a number of advanced persistent threats (APTs) have recently emerged that target key assets within the corporate network. These compromise the accessible hosts used to enter the network to steal and control key assets. As it is difficult to list various attack scenarios, it is very difficult to detect attack attempts. For example, an attacker could compromise a mobile node that has access to the internal network to open a channel to the internal network or send malicious emails to internal network users.

To detect such attacks, network administrators have made many efforts to minimize and reduce the attack surface of the network. For example, network administrators have deployed a variety of security functions, such as Network Intrusion Detection System (NIDS) and firewalls, to detect and monitor specific attack attempts and outsource external security services.

However, despite these efforts, complex and sophisticated attacks such as APT remain a problem. Because these attacks can use a variety of attack vectors and steps, it is very difficult for network administrators to recognize them. Moreover, network administrators are very likely to miss attacks or miss the start of an ongoing attack, which means other attacks will be accessible in the future.

An object of the present invention is to provide a security analysis platform that provides a network administrator with a clear view of the attack start point and attack information of the attack procedure.

In addition, the object of the present invention is to realize a framework that devises a new approach to monitor and collect all relevant network and security events to reconstruct, understand, and prevent advanced sustained attacks, and to reconstruct the attack history to find the root cause of the attack. I would like to.

The security source providing system according to an embodiment of the present invention collects security source data including a packet and a network snapshot due to a network event related to security in a dynamic network environment, and generates evidence information using the security source data. And a graph construction unit for constructing a relational attack history graph using the data collection unit and the security source data, and configuring an operation scenario of the attack.

The data collector may collect the security source data including the packet and the network snapshot including at least one of a network topology, a security policy, a network structure, and a forwarding rule.

The data collection unit is based on a test result received from a packet monitor unit that mirrors the packet, a network history recorder unit that tracks network changes in the dynamic network environment, and provides the network snapshot to a database and a source analyzer unit. It may include an evidence generating unit for generating the evidence information.

The packet monitor may mirror one packet twice in an egress and ingress switch using a two-phase packet capture (2PC) method.

The network history recorder unit may collect the network snapshot while the packet is monitored and reflect the network snapshot to the database according to a state change of an update or change of an internal state of a security policy and a network structure.

The network history recorder unit may perform source monitoring to generate a monitoring rule by tracking the state change in the dynamic network environment by using software-defined networking (SDN) technology.

The evidence generation unit cooperates with the source analysis unit that inspects the security source data using the packet, and generates the evidence information by performing an enterprise-wide security check on the two packets. .

The source analyzer compares two packets received at the exit and inlet switches to check whether the packets have been manipulated, and may check the security source data in order of generation to provide forensic information.

The graph unit may reconstruct the attack history graph by receiving the evidence information from the data collector until the security source data associated with a host is consumed.

The graph component analyzes the causal relationship of the security source data starting from a specific host defined by the network administrator or the network event related to the security, and the attack history graph until the security source data related to the malicious symptom is consumed. Can be reconstructed.

In a method of operating a security source providing system for providing a root cause of a security problem according to an embodiment of the present invention, in a dynamic network environment, security source data including a packet and a network snapshot due to a network event related to security may Collecting, generating evidence information using the security source data, constructing a relational attack history graph using the security source data, and constructing an operation scenario of the attack.

The security source data may include the network snapshot including the packet and at least one of a network topology, a security policy, a network structure, and a forwarding rule.

Gathering the security source data and generating the evidence information includes mirroring the packet, in the dynamic network environment, tracking network changes, providing the network snapshot to a database and the security source Generating the evidence information based on the inspection result of the data.

Collecting the security source data and generating the evidence information may generate the evidence information by inspecting the security source data using the packet.

Configuring the attack scenario of the attack may receive the evidence information and reconstruct the attack history graph until the security source data associated with the host is consumed.

Configuring the attack scenario of the attack may analyze the causal relationship of the security source data starting from a specific host defined by the network administrator or the network event related to the security, and consume the security source data related to the malicious symptom. Until the attack history graph can be reconstructed.

According to an embodiment of the present invention, it is possible to provide a security analysis platform that provides a network administrator with a clear view of the attack start point and attack information of the attack procedure.

In addition, according to an embodiment of the present invention, in order to reconstruct, understand, and prevent advanced sustained attacks, a frame devised a new approach to monitor and collect all relevant network and security events, and reconstruct the attack history to find the root cause of the attack. Work can be realized.

1 shows an example of an information leakage attack.
2 shows a detailed configuration of a security source providing system according to an embodiment of the present invention.
3 shows a detailed configuration of a data collection unit according to an embodiment of the present invention.
4 illustrates an example of capturing a packet at an inlet switch and an outlet switch according to an embodiment of the present invention.
5 is a diagram illustrating a format of evidence information according to an embodiment of the present invention.
6 illustrates a logical integrity violation according to an embodiment of the present invention.
7 is a diagram illustrating a causal relationship of a security problem according to an embodiment of the present invention.
8 illustrates a process of constructing an attack history graph according to an embodiment of the present invention.
9 shows a state transition diagram.
10 illustrates an intrinsic security relationship.
11 shows a table of lists of security relationships.
12 illustrates a flowchart of a method for providing a security source for providing a root cause of a security problem according to an embodiment of the present invention.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. However, the present invention is not limited or limited by the embodiments. Also, like reference numerals in the drawings denote like elements.

Also, the terminology used herein is a term used to properly express a preferred embodiment of the present invention, which may vary depending on a viewer, an operator's intention, or customs in the field to which the present invention belongs. Therefore, the definitions of the terms should be made based on the contents throughout the specification.

The present invention provides a system and method for providing a security source for providing a root cause of a security problem.

The present invention can help network administrators analyze suspicious symptoms using maximized security visibility by constructing an attack history graph that collects forensic data in a dynamic network environment and delivers cybercrime plans. . The security analysis platform (SecTracer) of the present invention can dramatically minimize the overhead of manually analyzing security data and minimize the possibility of missing critical information such as the starting point of the APT.

Contributions of a security source providing system and method for providing a root cause of a security problem according to an embodiment of the present invention are as follows.

1. The present invention is useful for accurately and securely investigating the root cause of a security problem by understanding the overall behavior of the attack by introducing security provenance.

2. The present invention implements a security analysis platform (SecTracer), a prototype system, in order to realize a security source in an enterprise network, which efficiently completes security / network audit data without modifying the existing enterprise network and its components. To collect.

3. The present invention uses a security analysis platform to track the root cause of advanced network attack scenarios, providing higher efficiency than existing technologies.

Hereinafter, a system and method for providing a security source for providing a root cause of a security problem according to an embodiment of the present invention will be described in detail with reference to FIGS. 1 to 12.

1 shows an example of an information leakage attack.

More specifically, FIG. 1 illustrates an example of an attack scenario in which an attacker attempts to steal a record of confidential data via a stepping stone attack.

Referring to FIG. 1, a network manager strategically enforces a security policy using security devices to protect internal assets such as a DB server and a web server. In particular, the DB server is also an attacker's main target.

An attacker may first try to attack the DB server directly (Exploit DB server). However, this attempt can be blocked by a firewall configured by the administrator to deny all remote access to the DB server (Block by Firewall).

Recognizing the defense, the attacker can change the target from the DB server to the web server (Exploit Web server), but this can also be blocked by IPS (Block the attack).

By virtue of the aforementioned defense, an attacker can try various alternatives for access to internal assets. For example, an attacker can gain an administrator's authority by remotely exploiting the administrator's machine through a kernel kernel exploit, infiltrate the DB server using the acquired authority, and finally obtain the protected records. Connection by stepping stone and Information leakage.

As shown in FIG. 1, an attacker can access and attack internal assets using a variety of methods. However, network administrators have limitations in predicting and detecting all attacker's various attack scenarios, and they could not detect the exploitation of DB records even after the attack occurred.

Therefore, the security source providing system and method for providing the root cause of the security problem according to an embodiment of the present invention extracts the root cause for various attack scenarios of attackers, the operation scenario of the attack associated with the history events associated with the attack To configure and provide to the administrator.

Furthermore, a security source providing system and method for providing a root cause of a security problem according to an embodiment of the present invention may be secured using causality analysis, limited security information, and limited event information in order to clearly understand the overall attack scenario. Root Cause Analysis (S-RCA) can be performed.

2 shows a detailed configuration of a security source providing system according to an embodiment of the present invention.

Referring to FIG. 2, the security source providing system 200 according to an embodiment of the present invention constructs an attack history graph 310 that collects forensic data in a dynamic network environment and delivers a cyber crime plan.

Security source providing system 200 according to an embodiment of the present invention proposes an intelligent security analysis platform (SecTracer) for tracking the root cause of security problems, network-oriented approach to realizing security sources Consider. For example, if the manager 110 wants to track a host's security event (ie, security source), the manager 110 may set the operational requirements 120 to the security source providing system according to the embodiment of the present invention. 200). Accordingly, the security source providing system 200 according to the embodiment of the present invention receives an operation requirement 120 and information about the host and constructs an attack history graph 310 corresponding to the host.

In this case, the operational requirements 120 may be information for the administrator 110 to monitor and collect security-related information. For example, security policy 121 corresponds to a routing policy that specifies which hosts visit which security devices and which access control policies should be restricted, while network configurations 122 The location policy includes the location of the device or middle boxes, and a provision policy 123 embodies the monitoring of security source data contained in a particular host.

Based on this, the security source providing system 200 according to an embodiment of the present invention generates an attack history graph 310 for a specific host.

To this end, the security source providing system 200 according to an embodiment of the present invention includes a data collector 210 and a graph configuration unit 220.

2, the data collector 210 of the security source providing system 200 according to an embodiment of the present invention may secure the dynamic network environment through the database 230 and the source analyzer 240. Collecting source data to generate evidence information, and provides the collected security source data to the graph configuration unit 220.

Hereinafter, a data collector according to an embodiment of the present invention will be described in detail with reference to FIG. 3.

3 shows a detailed configuration of a data collection unit according to an embodiment of the present invention.

2 and 3, the data collector 210 collects security source data including a packet and a network snapshot due to a network event related to security in a dynamic network environment, and uses the security source data. Generate evidence information.

The data collector 210 publishes data to the database 230 through monitoring rules for capturing packets for security source monitoring, tracking historical network changes, and when a request for evidence is received. Work with the Provenance Analyzer (240) to generate evidence.

In this case, the security source data includes a packet and a network snapshot, and the network snapshot may include at least one or more of a network topology, a security policy, a network structure, and a forwarding rule.

In detail, the security provenance data is source data related to security and may be data including a raw packet, a security policy, and a network snapshot. In addition, the network snapshot may be a historical view of a security policy, a network structure, a topology including a host location, forwarding rules, and packet monitoring information at a specific point in time.

Referring to FIG. 3, the data collector 210 may include a packet monitor 211, a network history recorder 212, and an evidence generator 213, and may cooperate with the source analyzer 240.

The packet monitor 211 may mirror the packet. For example, the packet monitor 211 may forward the packet to the source analyzer 240 by monitoring the security device or the middle box in the data plane. In this case, the packet monitor 211 may track the integrity and reachability of the packet for checking a security problem. The source analyzer 240 may not only collect packets but also inspect security source data.

Referring to FIG. 3, the packet monitor 211 mirrors one packet twice in an egress and ingress switch using a two-phase packet capture (2PC) method. . More specifically, the packet monitor 211 mirrors one packet twice at an egress switch and an ingress switch using a two-phase packet capture (2PC) method, and mirrors it. The packet monitoring rule for transmitting the two packets to the source analyzer 240 may be performed.

This enables the security source providing system 200 according to an embodiment of the present invention to examine the integrity and reachability of each packet. For example, the source analyzer 240 may check whether the packet is manipulated by comparing two packets received from the exit switch and the inlet switch. In another example, when a packet is dropped, the source analyzer 240 may receive only one packet from the exit switch and check whether the packet is manipulated. At this time, the source analysis unit 240 is characterized in that to check the security source data in order to provide forensic information.

Hereinafter, a process of capturing a packet in an inlet switch and an outlet switch will be described in detail with reference to FIG. 4.

4 illustrates an example of capturing a packet at an inlet switch and an outlet switch according to an embodiment of the present invention.

More specifically, FIG. 4 illustrates an example in which the security source providing system 200 according to an embodiment of the present invention captures packets at an entry point and an exit point of a flow by applying an OpenFlow command.

As shown in FIG. 4, assuming that a packet is transmitted from H1 (Sender) to H2 (Receiver), the inlet switch S1 and the outlet switch S2 forward the packet from H1 (Sender) to H2 (Receiver). Has a flow rule.

The security source providing system 200 according to an embodiment of the present invention may set a monitoring rule in advance through the SDN technology based on the operation requirement 120.

Referring to FIG. 4, when the packet reaches the inlet switch S1 from H1 (Sender), the packet monitor 211 of the security source providing system 200 according to the embodiment of the present invention outputs and goto_table the packet. It can be duplicated through two actions of and by adding a VLAN tag to the duplicated packet through the action of push_vlan, it can be delivered to the source analyzer 240. At this time, when the exit switch S2 receives a packet from the inlet switch S1, the monitoring rule in the outlet switch S2 operates in the same way as the monitoring rule in the inlet switch S1.

Accordingly, the source analyzer 240 may receive packets duplicated at each of the inlet switch S1 and the outlet switch S2.

The source analyzer 240 maintains packet monitoring information, including a list of host-host paths and visited middle-boxes, to track the monitoring of the packets, and maintains this network history. The recorder unit 212 may be forwarded.

Referring back to FIG. 3, the network history recorder 212 of the data collector 210 tracks network changes and provides / issues a network snapshot to the database 230 in a dynamic network environment. (publish) can be. The network snapshot may be a historical view of a security policy, network structure, topology including host location, forwarding rules, and packet monitoring information at specific points in time.

More specifically, the network history recorder unit 212 may manage an internal state to maintain the latest network snapshot. For example, the network history recorder unit 212 collects a network snapshot while the packet is monitored, and if at least one or more of the security policy, network structure, topology, host location, forwarding rule, and packet monitoring information is changed, Update Network Changes and issue an updated network snapshot to database 230 with a unique identifier for the updated version.

In this case, the network history recorder 212 may track a change in a dynamic network environment by using software-defined networking (SDN) technology and perform source monitoring to generate a monitoring rule.

The evidence generator 213 may generate evidence information based on a security diagnosis result received from the source analyzer 240. In more detail, the evidence generator 213 cooperates with the source analyzer 240 that inspects the security source data using the packet, and is enterprise-wide for the two packets monitored by the packet monitor 211. By performing wide-wide security checks, you can generate evidence.

Since more than 80% of cyber security problems are caused by known vulnerabilities, the source analyzer 240 utilizes attack detection capability systems such as Network Intrusion Detection Systems (NIDS) and anomaly detection systems. However, the attack detection capability system is a perimeter detection model that inspects only the local area, and to overcome the limitation of the model, the source analyzer 240 additionally supports enterprise-wide security inspection. .

Since the source analyzer 240 receives two packets per packet from the packet monitor 211 by a two-phase packet capture method (2PC), storage overhead due to duplicated packets is achieved. Must be processed.

In more detail, the source analyzer 240 preprocesses the reachability and physical integrity violation of each packet while monitoring the packets, and includes the packets and corresponding preprocessing results (ie reachability and integrity). The network snapshot may be stored in the database 230. Subsequently, when the graph constructing unit 220 requests evidence information in the process of constructing the attack history graph 310, the evidence generating unit 213 searches for packets by querying host information included in the database 230, If necessary, the source analysis unit 240 may further receive the security analysis result to generate evidence information for each packet.

The evidence is a result of a security diagnosis of the security source data, and single or multiple evidences may define a security relationship and provide forensic information corresponding to the security relationship. At this point, a security causality or relationship defines a relationship, which means that the subject is responsible for the CIA (confidentiality), integrity and availability of the object. Indicates that it affects triangles.

5 is a diagram illustrating a format of evidence information according to an embodiment of the present invention.

Referring to FIG. 5, the format of the evidence information includes an index field and a feature field. The index field includes an eID 511 and an sID 512, each of which represents a unique identifier of the evidence information itself and a network snapshot of when the packet is monitored.

Timestamp 520 represents the time at which the packet was captured, rPacket 530 contains the raw packet, and mPacket 540 stores the modified packet when the original packet is crafted. In addition, the results 550 indicate a security diagnosis result of the source analyzer 240.

In addition, the source analyzer 240 may store the detection result by the Network Intrusion Detection Systems (NIDS) in the exploitable 557 and IDSMsg 558 fields. According to an embodiment, the source analyzer 240 analyzes the warning message of the Network Intrusion Detection Systems (NIDS) instance and then indicates that the packet (or packet stream) is associated with an exploitable attack. In the case of analysis, the evidence generator 213 may set the exploitable 557 to true, and if it cannot be exploited, set the exploitable 557 to false, and store the raw warning message in the IDSMsg 558.

UserDefinedFields 559 provides user defined fields.

In addition, the source analyzer 240 may extract the pair of original packets by receiving the monitored packet, confirming whether the packet has reached the destination, and comparing the unchanged fields in the monitored packet. According to an embodiment, when the source analyzer 240 finds the pair, the reached 554 may be set to true, otherwise, the packet may be regarded as lost and the reached 554 may be set to false.

When the packet violates the security routing or access control policy, the evidence generator 213 may store the identifier of the violated policy in the SP 552 or the AC 553.

The security source providing system 200 according to an embodiment of the present invention regards a logical integrity violation as a man-in-the-middle attack. Hereinafter, the integrity violation will be described in detail with reference to FIG. 6. .

6 illustrates a logical integrity violation according to an embodiment of the present invention.

More specifically, FIG. 6 shows an example of an overall logical integrity violation in the network between Host A 610 and Host B 630, wherein the attacker 620 has the same MAC address but different IP addresses. do.

Source analysis unit 240 of the security source providing system 200 according to an embodiment of the present invention is connected to each of the connection from the host A (610) to the attacker 620, the attacker 620 to the host B (630) If two packets have the same invariant field and one of the hosts 610, 630 of the two connections have the same MAC structure, but with different IP addresses, then the logical violation caused by the ARP spoofing attack Can be obtained.

If the above condition is true, the source analyzer 240 may consider a node located between the hosts 610 and 630 as the attacker 620, and the evidence generator 213 may use the LIntegrity 555 in FIG. Is set to true, and the eID 511 of each piece of evidence information is set to the rID 551 of the other party. In this case, the rID 551 may be a reference ID indicating related evidence information.

Referring back to FIG. 2, the graph constructor 220 of the security source providing system 200 according to an embodiment of the present invention constructs a relational attack history graph 310 using security source data, and attacks Configure the operation scenario.

The graph constructer 220 may reconstruct the attack history graph 310 by receiving evidence information from the data collector 210 until the security source data associated with the host is consumed.

The graph configuration unit 220 analyzes the causal relationship of the security source data starting from the specific host or the security related network event defined by the network manager 110, and attacks until the security source data related to the malicious symptom is consumed. The history graph 310 may be reconstructed.

The attack history graph 310 defines a causal relationship between historical security with subjects and objects, which may be represented by data transformation functions.

Hereinafter, the attack history graph 310 will be described in detail with reference to FIGS. 7 to 11.

7 is a diagram illustrating a causal relationship of a security problem according to an embodiment of the present invention.

Referring to FIG. 7, an edge represents a security relationship between two hosts 710 and includes a direct relationship and an indirect relationship.

Each edge has an evidence attribute that contains a list of evidence with a time stamp. In addition, a node represents a host 710, and means a subject and an object of a security relationship.

Each node represents a state of victim and attacker status and may represent a pair of IP and MAC addresses, which are unique identifiers representing the host 710.

In security relationships, direct relationships contain deterministic evidence indicating causal relationships, while indirect relationships lack the deterministic reasons for asserting security relationships, but are potentially at risk to the object host's CIA (confidentiality) with the runtime privileges of the attacker. Can affect. Depending on the embodiment, the indirect relationship may represent a potential security hole and, for example, if the host 710 is compromised, all connections to the compromised host may be vulnerable to stepping stone attacks.

8 illustrates a process of constructing an attack history graph according to an embodiment of the present invention. 9 shows a state transition diagram, FIG. 10 shows an intrinsic security relationship, and FIG. 11 shows a table of lists of security relationships.

Referring to FIG. 8, the graph constructing unit 220 requests evidence information from the evidence generating unit 213 and defines a security relationship.

The graph construction unit 220 may receive evidence 810 of a pair of IP and MAC address, which is a unique identifier representing a host, in operation 820, and collect evidence information. Then, the graph configuration unit 220 generates a security relationship (830), reflects the generated security relationship in the attack history graph 850, according to the priority (priority) of each security relationship shown in FIG. You can update the state of the vertex.

FIG. 9 shows a state transition diagram for specifying a state according to In / Out of each security relationship.

Referring to FIG. 9, the attacker 940 manages a dynamic attacker list, which is a list of hosts, to track the runtime privileges of the attacker. The graph constructer 220 then selects the next target host 910, one of the hosts 920 in the security association, according to the priority of each security association. Examine the targets, create a security association, and update the attack history graph 850 repeatedly.

The graph configuration unit 220 performs a threat propagation analysis 840 through a state transition diagram as shown in FIG. 9, and provides a security source according to an embodiment of the present invention when there is no target to be inspected. System 200 communicates attack history graph 850 to manager 110.

At this time, the attack history graph 850 represents a time sequence record (chronicle) of the attack, the security relationship of the time order means the order of the attack procedure.

10 shows an implicit security relationship that indicates that privilege escalation can be performed through compromised intermediate nodes.

FIG. 10 illustrates an algorithm for finding an intrinsic security relationship in an environment of privilege escalation in which an attacker 940 performs malicious actions via an intermediary victim 921 and 922.

In order to derive an indirect relationship according to the elevation of the attacker 940, the graph component 220 may traverse attack to from the attacker node 940 and analyze all connect_to from the end of the chain. Subsequently, when the victims 921 and 922 are controlled by the attacker 940, the graph constructer 220 implicit_ac_violate of each victim 921 and 922 according to whether the victims 921 and 922 have violated a security policy. And implicit_sp_violate may be defined.

12 illustrates a flowchart of a method for providing a security source for providing a root cause of a security problem according to an embodiment of the present invention.

The method of FIG. 12 is performed by a security source providing system according to the embodiment of the present invention shown in FIG.

Referring to FIG. 12, in step 1210, in a dynamic network environment, security source data including packets and network snapshots due to network events related to security are collected, and evidence information is generated using the security source data.

Security source data may include a network snapshot that includes the packet and at least one of a network topology, a security policy, a network structure, and a forwarding rule.

Step 1210 is a first step of mirroring packets, in a dynamic network environment, a second step of tracking network changes, providing a network snapshot to a database, and generating evidence information based on inspection results of the security source data. It may include three steps.

In this case, the third step may generate evidence information by inspecting the security source data using a packet.

In step 1220, the relational attack history graph is constructed using the security source data, and the operational scenario of the attack is constructed.

Step 1220 may reconstruct the attack history graph by receiving evidence information until security source data associated with the host is consumed. More specifically, step 1220 analyzes the causality of security source data originating from a specific host or network event related to security defined as a network administrator, and plots the attack history graph until the security source data associated with the malicious symptom is exhausted. Reconstruction may be performed.

The apparatus described above may be implemented as a hardware component, a software component, and / or a combination of hardware components and software components. For example, the devices and components described in the embodiments may be, for example, processors, controllers, arithmetic logic units (ALUs), digital signal processors, microcomputers, field programmable arrays (FPAs), It may be implemented using one or more general purpose or special purpose computers, such as a programmable logic unit (PLU), microprocessor, or any other device capable of executing and responding to instructions. The processing device may execute an operating system (OS) and one or more software applications running on the operating system. The processing device may also access, store, manipulate, process, and generate data in response to the execution of the software. For convenience of explanation, one processing device may be described as being used, but one of ordinary skill in the art will appreciate that the processing device includes a plurality of processing elements and / or a plurality of types of processing elements. It can be seen that it may include. For example, the processing device may include a plurality of processors or one processor and one controller. In addition, other processing configurations are possible, such as parallel processors.

The software may include a computer program, code, instructions, or a combination of one or more of the above, and configure the processing device to operate as desired, or process it independently or collectively. You can command the device. Software and / or data may be any type of machine, component, physical device, virtual equipment, computer storage medium or device in order to be interpreted by or to provide instructions or data to the processing device. Or may be permanently or temporarily embodied in a signal wave to be transmitted. The software may be distributed over networked computer systems so that they are stored or executed in a distributed manner. Software and data may be stored on one or more computer readable recording media.

The method according to the embodiment may be embodied in the form of program instructions that can be executed by various computer means and recorded in a computer readable medium. The computer readable medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions recorded on the media may be those specially designed and constructed for the purposes of the embodiments, or they may be of the kind well-known and available to those having skill in the computer software arts. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tape, optical media such as CD-ROMs, DVDs, and magnetic disks, such as floppy disks. Magneto-optical media, and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include machine code, such as produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware device described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

Although the embodiments have been described by the limited embodiments and the drawings as described above, various modifications and variations are possible to those skilled in the art from the above description. For example, the described techniques may be performed in a different order than the described method, and / or components of the described systems, structures, devices, circuits, etc. may be combined or combined in a different form than the described method, or other components. Or even if replaced or substituted by equivalents, an appropriate result can be achieved.

Therefore, other implementations, other embodiments, and equivalents to the claims are within the scope of the claims that follow.

Claims (17)

In a dynamic network environment, the data collection unit for collecting the security source data, including packets and network snapshots due to network events related to security, and generates evidence information using the security source data; And
A graph constructing unit constructing a relational attack history graph using the security source data and constructing an operation scenario of an attack
Security source providing system comprising a.
The method of claim 1,
The data collection unit
And collect the security source data including the packet and the network snapshot including at least one of a network topology, a security policy, a network structure, and a forwarding rule.
The method of claim 2,
The data collection unit
A packet monitor unit for mirroring the packet;
A network history recorder unit for tracking network changes and providing the network snapshot to a database in the dynamic network environment; And
Evidence generation unit for generating the evidence information based on the test results received from the source analysis unit
Security source providing system comprising a.
The method of claim 3,
The packet monitor unit
A system for providing a security source, characterized by mirroring one packet twice at an egress and ingress switch using a two-phase packet capture (2PC) method.
The method of claim 3,
The network history recorder unit
Collecting the network snapshot while the packet is monitored and reflecting the network snapshot to the database in accordance with a state change of an update or change of an internal state to a security policy and network structure.
The method of claim 5,
The network history recorder unit
A security source providing system for performing source monitoring to generate monitoring rules by tracking the state change in the dynamic network environment using Software-Defined Networking (SDN) technology.
The method of claim 3,
The evidence generating unit
Collaborating with the origin analysis unit for inspecting the security source data using the packet, and generating the evidence information by performing an enterprise-wide security check on the two packets.
The method of claim 7, wherein
The source analysis unit
And comparing the two packets received at the exit and inlet switches to check whether the packets have been manipulated, and to check the security source data in order of occurrence in order to provide forensic information.
The method of claim 1,
The graph component is
And receiving the evidence information from the data collection unit to reconstruct the attack history graph until the security source data associated with a host is consumed.
The method of claim 9,
The graph component is
Analyzing the causality of the security source data starting at a specific host defined by the network administrator or the security related network event, and reconstructing the attack history graph until the security source data related to the malicious symptom is exhausted. Featured security source providing system.
In the method of operating the security source providing system to provide the root cause of the security problem,
In a dynamic network environment, collecting security source data, including packets and network snapshots due to network events related to security, and generating evidence information using the security source data; And
Constructing a relational attack history graph using the security source data, and constructing an operation scenario of an attack
Security source providing method comprising a.
The method of claim 11,
The secure source data
And the network snapshot including at least one of the packet and a network topology, a security policy, a network structure, and a forwarding rule.
The method of claim 11,
Collecting the security source data and generating the evidence information
Mirroring the packet;
In the dynamic network environment, tracking network changes and providing the network snapshot to a database; And
Generating the evidence information based on the inspection result of the security source data
Security source providing method comprising a.
The method of claim 13,
Collecting the security source data and generating the evidence information
And examining the security source data using the packet to generate the evidence information.
The method of claim 11,
Configuring the operation scenario of the attack
Receiving the evidence information and reconstructing the attack history graph until the security source data associated with a host is exhausted.
The method of claim 15,
Configuring the operation scenario of the attack
Analyzing the causality of the security source data starting at a specific host defined by the network administrator or the security related network event, and reconstructing the attack history graph until the security source data related to the malicious symptom is exhausted. Characterized by a method of providing security sources.
A computer program stored in a computer readable recording medium for performing the method of any one of claims 11 to 16.

Images