KR20200025043A - Method and system for security information and event management based on artificial intelligence - Google Patents

Abstract

The present invention relates to an integrated log management system based on artificial intelligence and a system thereof. Various security events occurring in an enterprise environment are analyzed to build a knowledge base (KB) for the enterprise security and attacks of malicious and abnormal behavior can be detected by performing correlation analysis for the entire system based on the built KB.

Description

Integrated log management method and system based on artificial intelligence {METHOD AND SYSTEM FOR SECURITY INFORMATION AND EVENT MANAGEMENT BASED ON ARTIFICIAL INTELLIGENCE}

The present invention relates to an artificial intelligence-based integrated log management method and system, and more particularly, to a technique for providing an automated detection function for malicious attacks through atypical data analysis and correlation analysis.

The security information and event management system, or integrated log management system (SIEM) collects various security logs generated in an enterprise environment and analyzes and responds to the security status of the system using a unified interface.

Various attacks occurring in the enterprise environment are becoming more advanced, but various attacks to incapacitate the system are detected by distributed security equipment built by the administrator of the system.

Existing SIEM systems lack correlations for events obtained from different security devices, and there is very little ground for specifying advanced and complex attacks. In addition, since the existing SIEM system analyzes based on the standardized data, there is a limit in collecting a feature for specifying the attack behavior, which makes it difficult to detect an advanced attack.

Furthermore, the existing SIEM system has some problems, the biggest of which is that log analysis is very difficult because it stores complex logs as text in a relational DB. When complex logs are stored on a text basis, it is difficult to detect what correlation exists between the logs, there are limitations in analyzing patterns, and there is a problem of inaccuracy.

Hereinafter, the problems and limitations of the existing SIEM system will be described in detail with reference to FIGS. 1 and 2.

1 illustrates an example for explaining a problem of an existing SIEM system.

Referring to FIG. 1, when it is assumed that ransomware invades a network by infecting hosts, log data of the hosts is stored in a text form in a database of an existing SIEM system. As a result, the existing SIEM system can analyze that hosts A, B, and C are infected, but it is difficult to analyze the correlation between log data, and there is a limit that it cannot detect which host ransomware is infected first.

In order to analyze the correlation as a way to overcome these limitations, recently, a product that constructs a relational graph using a log based on a network diagram and a network communication connection and analyzes an attack has been released.

A good example is the graph solution sold by LINKURIOUS. Existing SIEM system detects attacks based on graph solution by acquiring relational graph based on data communication network information.

2 shows an example of analyzing an attack using a conventional graph solution.

More specifically, FIG. 2 illustrates an example of analyzing a UDP storm attack using a graph solution provided by LINKURIOUS.

Referring to FIG. 2, it can be seen that the existing SIEM system using the graph solution detects an attack using only IP and port information. As a result, existing SIEM systems were limited to detecting very simple attacks.

Therefore, the log is saved in a text format, which is used in existing SIEM systems, to analyze attacks based on pattern matching, or to analyze the attacks through simple relational graphs using network communication connection information. What is needed is a SIEM system to collect and manage information.

Furthermore, it is less rapid for administrators to create and detect rules (or roles) using the data stored in the system. Therefore, a SIEM system is needed to automatically analyze the data and generate rules for faster response. .

An object of the present invention is to analyze the various security events occurring in the enterprise environment to build a knowledge base (KB) for enterprise security, and to perform a correlation analysis for the entire system based on the established knowledge base to attack To provide a technique for detecting this.

It is also an object of the present invention to provide a technique that can analyze the attacks that can not be detected by the existing method by performing correlation analysis with only the significant elements included in the log.

In a method of operating a security information and event management system or an integrated log management system (SIEM) incorporating artificial intelligence according to an embodiment of the present invention, the security log from a plurality of security devices (Security devices) Collecting, analyzing the security log for attack behavior detection using natural language processing (NLP) and semantic, and a plurality of features obtained based on the analysis result Generating a relational graph by analyzing the correlation between and detecting the malicious and abnormal behavior by analyzing the association of the attack or disorder based on the relation graph.

In addition, the operation method of the security information and event management system or integrated log management system (SIEM) incorporating artificial intelligence according to an embodiment of the present invention, the newly detected malicious or abnormal behavior according to the detection result The method may further include reporting security information about the (Reports).

The collecting of the security log may include collecting the security log and audit information including at least one of timestamp, IP address, and port information from which the log was generated from the plurality of security devices. Can be.

In the analyzing of the security log, after applying a preprocessing technique to the security log, the graph form for the graph data structure may be analyzed using the natural language processing technique and the semantics.

The analyzing of the security log may include extracting a predetermined amount of data from natural language data (corpus) due to the preprocessed security log using the natural language processing technique, and based on grammatical or semantic information of the extracted data. Annotation of the pattern may be performed, and the patterns may be trained in a machine learning or artificial intelligence algorithm to generate an NLP model based on the graph form.

Generating the relational graph may include deriving the plurality of features that are sets of grounds for detecting an attack behavior in the security log collected from the plurality of security devices through the natural language processing model; Generating and managing the relationship graph by analyzing the correlation of the plurality of features through a correlation analysis (correlation analysis).

Generating and managing the relationship graph may include obtaining a common denominator for the plurality of features, analyzing associations and correlations between the plurality of features, and deriving an explicit relationship and an embedded relationship in the security log. Through the process of generating the nodes that are the subjects of the relationship, the relationship graph expressing the data by the subject node Vertex, the relationship between the subject nodes, and the property of the node and the relationship may be generated.

In the generating and managing of the relationship graph, in the process of generating the nodes, duplicate information in the security log is combined into one, and relationships not acquired in a single log are additionally derived through the correlation analysis to specify a relationship. can do.

In the generating and managing of the relation graph, the construction of the relation graph and efficient data management may be performed using a graph-based database.

The detecting of the malicious and abnormal behaviors may be performed based on the relationship graph and analyze the correlations between the correlation and the attack or the disorder, and may detect the malicious and abnormal behaviors according to a predefined behavior rule by the user.

The detecting of malicious and abnormal behaviors may be performed by performing reputation-based behavior analysis and classifying the reputation function of the user's behavior in stages to provide a final conclusion on the malicious and abnormal behaviors.

In the security information and event management system or integrated log management system (SIEM) combining artificial intelligence according to an embodiment of the present invention, a log for collecting security logs from a plurality of security devices (Security devices) Log analyzer for analyzing the security log for attack behavior detection using a collector, Natural Language Processing (NLP) and Semantic, a plurality of features obtained based on the analysis result A graph generating unit for generating a relational graph by analyzing the correlation between and a detection unit for detecting malicious and abnormal behavior by analyzing the association of an attack or a disorder based on the relationship graph.

In addition, the security information and event management system or integrated log management system (SIEM) that combines artificial intelligence according to an embodiment of the present invention, according to the detection result, security for newly detected malicious or abnormal behavior The communication unit may further include a communication unit for reporting threat information.

The graph generator is a feature derivation unit and correlation analysis (correlation analysis) for deriving the plurality of features that is a set of grounds for the detection of attack behavior in the security log collected from the plurality of security devices through the natural language processing technique model It may include a graph management unit for generating and managing the relationship graph by analyzing the correlation of the plurality of features through the).

According to an embodiment of the present invention, it is possible to analyze the attacks that cannot be detected by the existing method by performing correlation analysis on only the significant elements included in the log.

In addition, according to an embodiment of the present invention, by analyzing the attack through the analysis and correlation analysis of the unstructured data, and accumulating know-how for attack detection in a logical centralized Knowledge Base (KB), it will occur later Can provide automated detection of attacks.

1 illustrates an example for explaining a problem of an existing SIEM system.
2 shows an example of analyzing an attack using a conventional graph solution.
3 is a flowchart illustrating an integrated log management method based on artificial intelligence according to an embodiment of the present invention.
4 is a block diagram illustrating a detailed configuration of an artificial intelligence-based integrated log management system according to an embodiment of the present invention.
5 is a structural diagram of an integrated log management system based on artificial intelligence according to an embodiment of the present invention.
6 shows an example of botnet spreading.
7 illustrates an example of botnet spreading through correlation analysis according to an embodiment of the present invention.
8 is a diagram illustrating nodes and relationships in a graph.
9 illustrates an example of detecting malicious behavior using reputation based behavior analysis according to an embodiment of the present invention.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. However, the present invention is not limited or limited by the embodiments. Also, like reference numerals in the drawings denote like elements.

In addition, terms used in the present specification (terminology) are terms used to properly express preferred embodiments of the present invention, which may vary depending on the intention of the viewer, the operator, or customs in the field to which the present invention belongs. Therefore, the definitions of the terms should be made based on the contents throughout the specification.

3 is a flowchart illustrating an integrated log management method based on artificial intelligence according to an embodiment of the present invention, and FIG. 4 is a block diagram illustrating a detailed configuration of an integrated log management system based on artificial intelligence according to an embodiment of the present invention. It is.

3 and 4, the artificial intelligence-based integrated log management method and system according to an embodiment of the present invention provides an automated detection function for malicious attacks through atypical data analysis and correlation analysis.

To this end, in Figure 4, the artificial intelligence-based integrated log management system 400 according to an embodiment of the present invention is a log collector 410, a log analyzer 420, a graph generator 430 and a detector 440 ). In addition, each of the steps (steps 310 to 360) of FIG. 3 includes components of the artificial intelligence-based integrated log management system 400 according to the embodiment of the present invention, that is, the log collecting unit 410. The log analyzer 420, the graph generator 430, the detector 440, the communicator 450, and the system controller 470 may be performed.

Referring to FIG. 3, in step 310, the log collector 410 collects security logs from a plurality of security devices.

The log collector 410 may include timestamp, IP address, and port at which a log is generated from a security device such as an intrusion detection system (IDS), a firewall, a middlebox, and the like. Security logs and audit information including at least one of the information may be collected.

At this time, the security log may include a timestamp (timestamp) when the log occurs, and, in the case of a log generated by packet communication, may include the IP address and port information of the host. For this reason, the artificial intelligence-based integrated log management method and system according to an embodiment of the present invention can determine the order in which events occur among the plurality of security devices from the security log, and the network connection from the IP address and port information of the host And it can grasp the flow of data, it can detect the type of network service.

In addition, the security log may include a description of why the log occurs. This is described in natural language, and the level of information may be simple (eg, login failure) or detailed (eg, login failure: unknown user name), depending on the type of security device.

In addition, since the security log has a very wide range in the case of a system log, the security log may include information that can be distinguished for each field such as a file system, a user program, a kernel program, and a memory access. In the case of the file system log, information about a file to be accessed and information about a subject to access the file (for example, Chrome browser writes 127 bytes in /var/log/chrome.log) may be provided. In the case of a program crash log, information such as the name and reason of the terminated program (for example, Safari browser crash: not enough memory) may be included. In the case of a log of memory access, information about an accessing subject or a memory area may be included.

The above-described information is stored in one or a plurality of logically connected log databases, and afterwards, related information can be delivered or an attack can be detected according to a search query transmitted by an administrator through analysis. In addition, there are various types of security devices, and since the security logs generated by each security device are very different, the artificial intelligence-based integrated log management method and system according to an embodiment of the present invention have manual analysis of actual logs. In parallel, we want to maximize the level of information that can be obtained from each log. At this time, the log database may be included in the graph-based database 460 shown in FIG.

In operation 320, the log analyzer 420 analyzes a security log for attack behavior detection using Natural Language Processing (NLP) and Semantic.

To automate log analysis, it is necessary to mechanize the security log. Accordingly, the log analyzer 420 may analyze the security log using natural language processing techniques and semantics.

Natural Language Processing (NLP) can translate different types of security logs into a unified form of machine language. As such, the natural language processing technique that transforms the natural language in the system extracts a certain amount of data for training from the collected large amount of natural language data (corpus), and then based on the grammatical or semantic information of the data. Annotates patterns and trains them on machine learning or artificial intelligence algorithms to create models.

As a result, the log analyzer 420 may analyze the graph form for the graph data structure by using the natural language processing technique, and generate and train the NLP model based on the graph form.

Artificial log-based integrated log management method of the present invention and the natural language processing technique (NLP) used in the system includes part-of-speech tagging, semantic domain determination and entity name recognition.

Part-of-speech tagging (POS tagging) is a technique for analyzing the grammatical relations of a given sentence and then indicating what grammatical role the words make up. For example, when the error message 'Multiple login failures are detected in a mail server' is collected as shown in [Example 1] below, the part-of-speech tagging analyzes the sentence to determine what grammatical elements each word exists in the sentence. Figure out. In this case, the part-of-speech tagging may identify a noun (NN), a verb (VB), a preposition (IN), an adjective (JJ), etc. using a part-of-speech tagging model.

Example 1

Semantic Role Labeling (SRL) is a technique that analyzes the semantic role of a word or phrase in a sentence based on the grammatical information of the sentence elements. For example, as in [Example 2] below, 'login failures' and 'mail server' are both nouns, but differ in their actual meanings. Accordingly, the semantic domain determination refers to SPO as a subject, predicate, and object, which are the most important elements in the sentence, and can distinguish a modifier phrase (AM) indicating additional meaning of place, time, etc. together with the SPO in the sentence. Here, in the case of a predicate, since the term “the subject performs on the object” includes a directionality, it is possible to form a graph in which the subject and the object are represented as a node in the SPO information, and the predicate is represented as an edge.

[Example 2]

Named Entity Recognition (NER) is a technique for identifying the meaning of the entities in a sentence. Although the grammatical and semantic information of the sentence can be grasped through the above-described parts of speech tagging and natural language processing techniques of semantic domain determination, it is difficult to know what the elements actually refer to. To address this, entity name recognition can determine what information each element actually conveys.

For example, referring to [Example 3] below, 'login' belongs to a group called 'Authentication' because it is a term related to authentication, and 'mail server' belongs to a group called 'End host' because it exists at the end of the network. Belong. Accordingly, entity name recognition can be detected quickly by first verifying attacks that generate similar patterns.

[Example 3]

Artificial intelligence-based integrated log management method and system according to an embodiment of the present invention can use a variety of techniques, as well as the above-described three natural language processing techniques, it is not limited thereto.

Referring back to FIG. 3, in step 320, the log analyzer 420 may apply the preprocessing technique to the security log before using the natural language processing technique (NLP) and semantics.

The preprocessing technique may be a process of removing unnecessary elements for the collected security logs or preprocessing a predefined or unique log format. Subsequently, the log analyzer 420 may analyze a graph form representing an edge value and a vertex value for the graph data structure using a natural language processing technique (NLP) and semantics on the preprocessed security log. .

Furthermore, the log analyzer 420 may define a graph form that may be merged into more accurate information by comparing the accuracy of the analyzed content with manual analysis information stored and maintained in the graph-based database 460.

In operation 330, the graph generator 430 may generate a relational graph by analyzing correlations between a plurality of features acquired based on the analysis result.

In operation 330, the graph generator 430 may derive a plurality of features or a feature derivation unit that is a set of basis for attack behavior detection in the security log collected from the plurality of security devices through the natural language processing model. May include a graph management unit (not shown) or a step of generating and managing a relation graph by analyzing correlations of a plurality of features through correlation analysis and correlation analysis.

For example, the graph generator 430 may derive a plurality of features for the security log, analyze correlations through common denominators between features, and derive an association.

Hereinafter, a process of deriving a common denominator will be described in detail with reference to [Example 4].

Example 4

[Example 4] shows an example of logs generated by an intrusion detection system (IDS) and a firewall. In general, logs contain rules (Semantic) for log generation by security device. For example, a typical network security device includes a port information indicating an address of a source and a destination and information about each service when generating a log.

Referring to [Example 4], (1) specifies the same log generation rules in logs derived from different security devices. As described above, since each log basically includes a common denominator, the graph generator 430 may first derive a clear common denominator of each log.

However, each security device has a different role and function. Therefore, the logs provided are different, and although the log generation rules are specified, there are some parts that are difficult to derive. In the log of the intrusion detection system of [Example 4], (2) indicates that the current attacking host (192.168.0.100) has performed an SSH random password guessing attack on the target host (192.168.0.101), and (2) Indicates that the attacking host tried to access the FTP service of the target host, but failed because of unauthorized privileges. In addition, (3) is a sentence determined by the security administrator defining the rules of the intrusion detection system, the information includes detailed information.

The security log derived from each security device may be classified into an explicit relationship based on a log generation rule and an implicit relationship representing hidden information through log analysis of the security manager. At this time, the clear relationship can be analyzed by the log generation rule, but there is a limit that the nested relationship is not revealed. To this end, in operation 330, the graph generator 430 may perform a task of defining correlations of security logs for a plurality of systems in advance using direct log analysis of the security manager.

Hereinafter, a process of generating a relationship graph according to the correlation will be described in detail with reference to FIG. 8.

8 is a diagram illustrating nodes and relationships in a graph.

In operation 330, the graph generator 430 may use graph theory to efficiently express a relational graph. Referring to FIG. 8, the graph theory represents data in a subject node (Vertex) and a subject (Edge) between the subjects, and each node and the relationship represents a property.

In operation 330, the graph generator 430 obtains a common denominator for the plurality of features, analyzes the associations and correlations between the plurality of features, derives the explicit and nested relationships of the security log, Through the process of generating the nodes that are the subjects, the relation graph representing the data by the subject node Vertex, the relationship between the subject nodes, and the property of the node and the relationship may be generated.

At this time, in the process of generating the nodes, the graph generator 430 may combine the duplicate information in the security log into one, and the relationship that is not obtained in a single log may be additionally derived through correlation analysis to specify the relationship. have.

Referring back to FIG. 3, in step 330, the graph generator 430 may perform an actual construction and efficient data management of the relationship graph by using a graph-based database (Graph DB) 460. It can be stored and maintained in the graph-based database 460.

Artificial intelligence-based integrated log management method and system according to an embodiment of the present invention based on the graph-based database 460, an interface for easily searching the correlation between the data due to the graph function according to the user query (user query) Can be provided.

In operation 340, the detection unit 440 detects malicious and abnormal behavior by analyzing an association such as an attack or a disorder based on the relationship graph.

The detector 440 analyzes the correlation between the correlation and the attack or the disorder based on the relationship graph, and detects malicious and abnormal behaviors according to a behavior rule defined by the user.

For example, the detector 440 may determine malicious and abnormal behavior by detecting behavior similar to an attack pattern based on a predefined behavior rule based on the analysis result of the correlation and the correlation. At this time, the detection unit 440 may detect whether there is aggression such as malicious or abnormal behavior by analyzing the similarity between the generated behavior and a predefined behavior using a machine learning based similarity analysis technique. .

Thereafter, in operation 350, the system controller 470 may determine whether new malicious and abnormal behaviors are used, rather than predefined behaviors stored and maintained in the graph-based database 460, based on the detection result. According to the determination result of the system controller 470, if at least one or more of the new malicious and abnormal behavior, in step 360, the communication unit 450 reports the security threat information for the new malicious or abnormal behavior to the administrator (Admin) ( Reports).

At this time, the communication unit 450 may communicate with the administrator (Admin) through the network. The network is a network that connects the artificial intelligence-based integrated log management system 400 and a plurality of security devices and administrators, according to an embodiment of the present invention, and includes a local area network (LAN) and a wide area (WAN). It may be a closed network such as a network, or an open network such as the Internet. Here, the Internet includes various services existing in the TCP / IP protocol and its upper layers, such as HTTP (HyperText Transfer Protocol), Telnet, File Transfer Protocol (FTP), Domain Name System (DNS), Simple Mail Transfer Protocol (SMTP), The global open computer network architecture that provides Simple Network Management Protocol (SNMP), Network File Service (NFS), and Network Information Service (NIS). In addition, the network is not limited to wired / wireless and may be combined with various wireless network technologies such as Long Term Evolution (LTE), Wibro, and the like.

5 is a structural diagram of an integrated log management system based on artificial intelligence according to an embodiment of the present invention.

Referring to FIG. 5, the artificial intelligence-based integrated log management system 500 according to an embodiment of the present invention collects security logs from a plurality of security devices 510 and provides log data that is a structureless data structure. After the preprocessing process, a log analysis 520 is applied to extract a security log provided from different security devices 510 in a standardized form by applying a natural language processing technique (NLP).

At this time, the artificial intelligence-based integrated log management system 500 analyzes logs using computing resources (521) including a natural language processing technique (NLP) of a predetermined method and a predefined semantic. 520 may be performed, and a feature derivation may be derived through the log analysis 520 to extract a feature required for attack detection from the standardized data extracted from the data.

Thereafter, the artificial intelligence-based integrated log management system 500 analyzes 530 a correlation between features for attack detection such as malicious and abnormal behavior. Artificial intelligence-based integrated log management system 500 is a relationship graph showing the relationship between the log and the alarm (alert) derived from each distributed security device 510 through the correlation analysis (Correlation Analysis, 530) (Relational Graph, 531) is generated (Graph generation).

As a result, the artificial intelligence-based integrated log management system 500 stores the generated relationship graph 531 in a graph-based database, and the relationship graph 531 that is stored and maintained using a machine learning-based similarity analysis technique. An analysis of correlations between future behaviors and relations such as attacks or disorders is performed to detect attack similarities such as malicious and abnormal behaviors (540). The similarity analysis technique may increase the detection rate of an attack by matching 'probable behavior' to a predefined relation graph 531 even if the defined relation graph 531 does not exactly match the generated behavior.

The artificial intelligence-based integrated log management system 500 may collect opinions of experts (or administrators) to reduce false positives and increase detection rates by supplementing the system itself and detection rules in the long term. Accordingly, the artificial intelligence-based integrated log management system 500 reports (541) a detection result 540 of attack similarity such as malicious and abnormal behavior to an expert (or an administrator), and determines the system through expert judgment. Rules can be modified and supplemented.

That is, as shown in Figure 5, artificial intelligence-based integrated log management system 500 according to an embodiment of the present invention collects a variety of security logs, based on this knowledge base for attack detection (Knowledge Base; KB) ) Can be built.

In addition, the artificial intelligence-based integrated log management system 500 according to an embodiment of the present invention may provide an automated attack detection function based on a predefined rule, and is defined in advance, not directly by a user. Similarity analysis between a rule (or predefined action) and the rule (or action) can also include early detection and alarming for violations.

6 shows an example of botnet spreading, and FIG. 7 shows an example of botnet spreading through correlation analysis according to an embodiment of the present invention.

Referring to FIG. 6, for a host 610 infected with ransomware, the existing SIEM system may be configured to detect a 'suspicious connection' detected by an intrusion detection system (620) and an intrusion prevention system (640). Information such as 'Malicious payload' provided by the Prevention System (IPS) is transmitted to the manager 650. In other words, the existing SIEM system describes 'facts', but does not include an analysis of how 'facts' affect the overall security and the 'relevance' of various security events. Accordingly, existing SIEM systems can only perform limited responses such as "limit suspicious connection" or "block malicious host" through notification.

Referring to FIG. 7, the artificial intelligence-based integrated log management system according to an embodiment of the present invention uses each node through the fact of 'Suspicious connection to' and 'malware propagation to'. Expressing the correlation between the two and the correlation analysis (Relational analysis) of the information can derive a new result of 'Botnet propagation'.

In FIG. 7, the artificial intelligence-based integrated log management system according to an embodiment of the present invention derives the C & C server 730 through the 'suspicious connection' detected by the intrusion detection system 720 (IDS). In addition, the host 710 accessing the C & C server 730 may derive new information through distribution of malicious code.

That is, the artificial intelligence-based integrated log management system according to an embodiment of the present invention analyzes the correlation of a number of existing logs to derive a correlation between each event, and finally, each event is ultimately detected. Analyze the reason. Accordingly, the artificial intelligence-based integrated log management system according to an embodiment of the present invention is not simply a response such as 'blocking host performing malicious behavior' and 'limiting suspicious connection', but the host 710 is malicious. It is possible to fundamentally block the C & C server 730 attempting to access or to identify the initial point of attack of the host 710 to solve the fundamental security problem.

9 is a diagram illustrating an example of detecting malicious behavior using reputation based behavior analysis according to an embodiment of the present invention.

Artificial intelligence-based integrated log management system 900 according to an embodiment of the present invention performs a reputation-based behavior analysis on the security log collected from the security device 910, and classifies the reputation function for the user's behavior step by step To provide a final conclusion on malicious and abnormal behavior.

The resources for the system vary and the way users access and use each one is different. This diversity makes generalization more difficult. For this reason, the artificial intelligence-based integrated log management system 900 according to the embodiment of the present invention may perform reputation-based behavior analysis and provide a reputation function for malicious and benign behaviors of each user in stages.

At this time, the reputation-based behavior analysis is to determine the final conclusion by periodically tracking the benign and malignant degree of the target host. For example, even if the target host is malicious at a specific time, if the host has a good reputation, the artificial intelligence-based integrated log management system 900 according to an embodiment of the present invention detects attacks such as malicious and abnormal behaviors. The priority of the report may be adjusted to the manager 920 (921). This feature can reduce the total amount of detection logs and reduce false positives.

In addition, the manager 920 may provide an action rule to the security device 910, and may update the rule in real time to the artificial intelligence-based integrated log management system 900.

The apparatus described above may be implemented as a hardware component, a software component, and / or a combination of hardware components and software components. For example, the devices and components described in the embodiments may include, for example, processors, controllers, arithmetic logic units (ALUs), digital signal processors, microcomputers, field programmable arrays (FPAs), It may be implemented using one or more general purpose or special purpose computers, such as a programmable logic unit (PLU), microprocessor, or any other device capable of executing and responding to instructions. The processing device may execute an operating system (OS) and one or more software applications running on the operating system. The processing device may also access, store, manipulate, process, and generate data in response to the execution of the software. For the convenience of understanding, the processing apparatus may be described as one used, but those skilled in the art will appreciate that the processing apparatus includes a plurality of processing elements and / or a plurality of types of processing elements. It can be seen that it may include. For example, the processing device may include a plurality of processors or one processor and one controller. In addition, other processing configurations are possible, such as parallel processors.

The software may include a computer program, code, instructions, or a combination of one or more of the above, and may configure the processing device to operate as desired, or process independently or collectively. You can command the device. Software and / or data may be any type of machine, component, physical device, virtual equipment, computer storage medium or device in order to be interpreted by or to provide instructions or data to the processing device. Or may be embodied permanently or temporarily in a signal wave to be transmitted. The software may be distributed over networked computer systems so that they may be stored or executed in a distributed manner. Software and data may be stored on one or more computer readable recording media.

The method according to the embodiment may be embodied in the form of program instructions that can be executed by various computer means and recorded on a computer readable medium. The computer readable medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions recorded on the media may be those specially designed and constructed for the purposes of the embodiments, or they may be of the kind well-known and available to those having skill in the computer software arts. Examples of computer readable recording media include magnetic media such as hard disks, floppy disks and magnetic tape, optical media such as CD-ROMs, DVDs, and magnetic disks such as floppy disks. Magneto-optical media, and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include not only machine code generated by a compiler, but also high-level language code that can be executed by a computer using an interpreter or the like. The hardware device described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

Although the embodiments have been described by the limited embodiments and the drawings as described above, various modifications and variations are possible to those skilled in the art from the above description. For example, the described techniques may be performed in a different order than the described method, and / or components of the described systems, structures, devices, circuits, etc. may be combined or combined in a different form than the described method, or other components. Or even by substitution or replacement by equivalents, an appropriate result can be achieved.

Therefore, other implementations, other embodiments, and equivalents to the claims are within the scope of the claims that follow.

500: integrated log management system
610, 710: host
620, 720: Intrusion Detection System (IDS)
630, 730: C & C Server
640, 740: Intrusion Prevention System (IPS)
650, 750, 920: Admin
910: security device
921: reports

Claims (15)

In the security information and event management system that combines artificial intelligence, or a method of operating an integrated log management system (Security Information and Event Management (SIEM),
Collecting a security log from a plurality of security devices;
Analyzing the security log for attack behavior detection using Natural Language Processing (NLP) and Semantic;
Generating a relational graph by analyzing correlations between a plurality of features acquired based on the analysis result; And
Detecting malicious and abnormal behavior by analyzing the association of attacks or disorders based on the relationship graph
AI-based integrated log management method comprising a. The method of claim 1,
Reporting security threat information on newly detected malicious or abnormal behavior according to the detection result
AI-based integrated log management method further comprising. The method of claim 1,
Collecting the security log is
Artificial intelligence-based integrated log management method for collecting the security log and audit information including at least one of timestamp, IP address and port information that the log is generated from the plurality of security devices (Security devices) . The method of claim 1,
Analyzing the security log
An artificial intelligence-based integrated log management method of analyzing a graph form for a graph data structure using the natural language processing technique and the semantics after applying a preprocessing technique to the security log. The method of claim 4, wherein
Analyzing the security log
Sampling a predetermined amount of data from natural language data (corpus) due to the pre-processed security log using the natural language processing technique, and annotating patterns based on grammatical or semantic information of the extracted data. Artificial intelligence-based integrated log management method for generating the NLP model based on the graph form by learning the patterns in a machine learning or artificial intelligence algorithm. The method of claim 5,
The step of generating the relational graph (Relational Graph)
Deriving the plurality of features, which is a set of grounds for detecting an attack behavior in the security log collected from the plurality of security devices through the natural language processing technique model; And
Generating and managing the relationship graph by analyzing the correlation of the plurality of features through correlation analysis
AI-based integrated log management method comprising a. The method of claim 6,
Creating and managing the relationship graph
Obtaining common denominators for the plurality of features, analyzing associations and correlations between the plurality of features, and deriving explicit and nested relationships in the security log to create nodes that are subjects of the relationships Through the process, artificial log-based integrated log management method for generating the relationship graph representing the data in the subject node (Vertex), the relationship between the subject node (Edge), and the node and the property of the relationship (Property). The method of claim 7, wherein
Creating and managing the relationship graph
In the process of generating the nodes, the overlapped information in the security log is combined into one, and relationships not acquired in a single log are additionally derived through the correlation analysis to specify the relationship. How to manage logs. The method of claim 8,
Creating and managing the relationship graph
Artificial log-based integrated log management method that uses a graph-based database (Graph DB) to perform the actual construction of the relationship graph and efficient data management. The method of claim 1,
Detecting the malicious and abnormal behavior
An artificial intelligence-based integrated log management method that analyzes correlations between mutual correlations and attacks or disorders based on the relationship graphs, and detects malicious and abnormal behaviors according to behavior rules predefined by a user. The method of claim 10,
Detecting the malicious and abnormal behavior
An artificial intelligence-based integrated log management method that performs a reputation-based behavior analysis and provides a final conclusion on the malicious and abnormal behaviors by classifying the reputation function of the user's behavior step by step. A computer program stored in a computer readable recording medium for performing the method of any one of claims 1 to 11. Security information and event management system that combines artificial intelligence, or integrated log management system (Security Information and Event Management (SIEM),
A log collector configured to collect security logs from a plurality of security devices;
A log analyzer for analyzing the security log for attack behavior detection using Natural Language Processing (NLP) and Semantic;
A graph generator configured to generate a relational graph by analyzing correlations between a plurality of features acquired based on the analysis result; And
Detection unit that detects malicious and abnormal behavior by analyzing the association of attacks or disorders based on the relationship graph
Artificial intelligence-based integrated log management system that includes. The method of claim 13,
Communication unit for reporting security threat information about newly detected malicious or abnormal behavior according to the detection result
AI-based integrated log management system further comprising. The method of claim 13,
The graph generation unit
A feature derivation unit for deriving the plurality of features, which is a set of basis for detecting attack behavior in the security log collected from the plurality of security devices through the natural language processing technique model; And
Graph management unit for generating and managing the relationship graph by analyzing the correlation of the plurality of features through a correlation analysis (correlation analysis)
Artificial intelligence-based integrated log management system that includes.

Images