KR20220073108A - System and Method for detecting security threats using log information - Google Patents

Abstract

A security threat detection system using a firewall log that can derive results close to real-time by using machine learning and detection methods to protect users' assets and information from attacker's attacks and to detect types of attacks and attackers is disclosed. . The security threat detection system may include a gateway connected to the Internet network, a firewall that stores access information from the gateway to generate a firewall log, and a processing unit that determines whether to detect a security threat using the firewall log. do it with

Description

System and Method for detecting security threats using log information}

The present invention relates to network security technology, and more particularly, to a security threat detection system and method capable of detecting machine learning-based anomalies and network attack types using firewall logs.

In addition, the present invention relates to a security threat detection system and method capable of detecting machine learning-based anomalies and network attack types using resource usage logs.

The detection of anomalies in the existing security equipment basically analyzes the traffic and when it exceeds a certain threshold, it determines whether an attack is made based on this. That is, a threshold-based filter was used. The value of the threshold is determined by the experience of a security controller or an expert, and the accuracy of the threshold depends on the difference between the expert's experience and skill.

In the past, the threshold method is used to detect security threats, and it is performed by comparing real-time traffic and average traffic, and comparing real-time protocol ratio analysis. Existing methods have mainly been used to obtain a threshold value from the average and to judge that it is abnormal when the threshold value is exceeded.

In this threshold method, it is difficult to calculate an accurate threshold, so a large number of false positive events are generated by setting the threshold very strictly. This makes security control more difficult, causing obstacles in controlling actual attacks. In addition, in order to accurately detect the type of attack and the attacker, the existing method requires a manual association analysis and an expert analysis, which takes a lot of time to respond.

In other words, the threshold method is conventionally used for security threat detection, but it is performed by comparing real-time traffic with average traffic, real-time protocol ratio analysis comparison, and the like. Existing methods have mainly been used to obtain a threshold value from the average and to judge that it is abnormal when the threshold value is exceeded.

In this threshold method, it is difficult to calculate an accurate threshold, so a large number of false positive events are generated by setting the threshold very strictly. This makes security control more difficult, causing obstacles in controlling actual attacks. In addition, in order to accurately detect the type of attack and the attacker, the existing method requires a manual association analysis and an expert analysis, which takes a lot of time to respond.

1. Korean Patent No. 10-2033169 (October 10, 2019)

The present invention has been proposed to solve the problems according to the above background art, and uses machine learning and detection methods to protect users' assets and information from an attacker's attack, and to detect the type of attack and the attacker close to real-time. An object of the present invention is to provide a security threat detection system and method using a firewall log that can draw results.

Another object of the present invention is to provide a security threat detection system and method enabling flexible anomaly detection.

The present invention protects user's assets and information from an attacker's attack in order to achieve the task presented above, and uses machine learning and detection methods to find out the type of attack and the attacker to derive results close to real-time A security threat detection system using firewall logs is provided.

The security threat detection system,

a gateway connected to the Internet network;

a firewall for generating a firewall log by storing access information from the gateway; and

and a processing unit that determines whether to detect a security threat by using the firewall log.

In addition, the processing unit, a log collection module for collecting the firewall log; a log processing module for creating a steady state heat map or a real-time tracking heat map by grouping the firewall logs into a preset time unit and forming a plurality of matrices; a machine learning module for generating a heat map for each attack type through a deep learning model based on the steady state heat map; and an analysis module for determining whether to detect the security threat by comparing the real-time tracking heat map with the heat map for each attack type.

In addition, the time unit is characterized in that n minutes (where n is an integer greater than 0).

In addition, the heat map for each attack type is characterized in that it is generated by repeating comparison of the manually created attack scenario heat map with the steady state heat map.

In addition, the comparison is characterized in that it is a comparison between shapes of colors.

In addition, the normal state heat map is characterized in that it is generated using only normal log information among the firewall logs.

In addition, the firewall log is characterized in that it includes destination IP (Destination Internet Protocol) information and destination port (Destination Port) information.

In addition, the plurality of matrix types is characterized in that the destination IP (Destination Internet Protocol) information is arranged on the Y-axis, and the destination port information is arranged on the X-axis.

In addition, the deep learning model is characterized in that CNN (Convolutional Neural Network).

In addition, the heat map for each attack type is a sync flooding heat map based on a sync flooding attack, a DDos heat map based on a DDos (Distributed Denial of Service) attack, and a server down heat map based on a server down attack. , and a worm infection heat map based on a worm infection attack.

On the other hand, another embodiment of the present invention is a security threat detection system using a resource use log, a log collection module for collecting the resource use log; a log processing module for creating a steady-state heat map or a real-time tracking heat map by grouping the resource usage logs into a preset time unit and forming a plurality of matrices; a machine learning module for generating a heat map for each attack type through a deep learning model based on the steady state heat map; and an analysis module for determining whether to detect the security threat by comparing the real-time tracking heat map with the heat map for each attack type.

In this case, the resource usage log is characterized in that it is any one of a central processing unit (CPU) usage rate, a memory occupancy rate, and a process operation rate.

On the other hand, another embodiment of the present invention comprises the steps of: (a) generating a firewall log by storing access information from a gateway connected to the Internet network by the firewall; and (b) determining, by the processing unit, whether to detect a security threat by using the firewall log.

In addition, the step (b) includes: (b-1) collecting the firewall log by the log collection module; (b-2) creating, by the log processing module, a steady state heat map or a real-time tracking heat map by grouping the firewall logs into a preset time unit and forming a plurality of matrix types; (b-3) generating, by the machine learning module, a heat map for each attack type through a deep learning model based on the steady-state heat map; and (b-4) determining, by an analysis module, whether to detect the security threat by comparing the real-time tracking heat map with the heat map for each attack type; providing a security threat detection method using a firewall log comprising: do.

Also, the step (b-4) may include outputting, by the analysis module, whether the security threat has been detected as alarm information to the output unit 250 .

In addition, the alarm information is characterized in that the combination of voice, text, and graphics.

On the other hand, another embodiment of the present invention provides a security threat detection method using a resource use log, comprising the steps of: (a) collecting, by a log collection module, a resource use log; (b) creating, by the log processing module, a steady state heat map or a real-time tracking heat map by grouping the resource use logs into a preset time unit and configuring them in a plurality of matrix formats; (c) generating, by the machine learning module, a heat map for each attack type through a deep learning model based on the steady-state heat map; and (d) determining, by the analysis module, whether to detect the security threat by comparing the real-time tracking heat map with the heat map for each attack type. .

According to the present invention, it is possible to effectively detect the detection of a cyber attack, and to overcome the fixed limitations of human and program detection techniques.

In addition, as another effect of the present invention, for example, when the threshold of a DoS attack determined by a program or manpower is replaced with artificial intelligence, it has the advantage of being more flexible and capable of detecting based on probability.

In addition, as another effect of the present invention, when a new attack type occurs, it is detected as deviating from the normal traffic category, and it is possible to preemptively respond before being attacked.

1 is a block diagram of a security threat detection system using a firewall log according to an embodiment of the present invention.
FIG. 2 is a detailed block diagram of the processing unit 140 shown in FIG. 1 .
3 is a flowchart illustrating a process of creating a normal heat map and a heat map for each attack type according to an embodiment of the present invention.
4 is a flowchart illustrating a normal and abnormal determination process by heat map comparison after the process of FIG. 3 .
5 is an example of preparing a DDoS heat map according to an embodiment of the present invention.
6 is an image of a normal heat map according to an embodiment of the present invention.
7 is an image of a SynFlooding heat map according to an embodiment of the present invention.
8 is an image of a Distributed Denial of Service (DDos) heat map according to an embodiment of the present invention.
9 is an image of a server down heat map according to an embodiment of the present invention.
10 is an image of a worm infection heat map according to an embodiment of the present invention.

Advantages and features of the present invention, and a method for achieving them will become apparent with reference to the embodiments described below in detail in conjunction with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, but will be implemented in a variety of different forms, and only these embodiments allow the disclosure of the present invention to be complete, and those of ordinary skill in the art to which the present invention pertains. It is provided to fully inform the person of the scope of the invention, and the present invention is only defined by the scope of the claims. Sizes and relative sizes of components indicated in the drawings may be exaggerated for clarity of description.

Like reference numerals refer to like elements throughout, and "and/or" includes each and every combination of one or more of the recited items.

The terminology used herein is for the purpose of describing the embodiments and is not intended to limit the present invention. In this specification, the singular also includes the plural unless specifically stated otherwise in the phrase. As used herein, a referenced element, step, operation and/or element to "comprises" and/or "consisting of" does not exclude the presence or addition of one or more other elements, steps, operations and/or elements. .

Although it is used to describe various elements such as first and second, these elements are not limited to these terms, of course. These terms are only used to distinguish one component. Accordingly, it goes without saying that the first component mentioned below may be the second component within the spirit of the present invention.

Unless otherwise defined, all terms (including technical and scientific terms) used herein may be used with the meaning commonly understood by those of ordinary skill in the art to which the present invention belongs. In addition, terms defined in a commonly used dictionary are not to be interpreted ideally or excessively unless clearly defined in particular.

Hereinafter, a security threat detection system and method using a firewall log according to an embodiment of the present invention will be described in detail with reference to the accompanying drawings.

1 is a block diagram of a security threat detection system 100 using a firewall log according to an embodiment of the present invention. Referring to FIG. 1 , the security threat detection system 100 may include an Internet network 110 , a gateway 120 , a firewall 130 , a processing unit 140 , and the like.

The Internet network 110 refers to a connection structure capable of exchanging information between each node such as a plurality of terminals and servers, and includes a public switched telephone network (PSTN), a public switched data network (PSDN), and an integrated information network (ISDN). : Integrated Services Digital Networks), Broadband ISDN (BISDN), Local Area Network (LAN), Metropolitan Area Network (MAN), Wide LAN (WLAN), etc. However, the present invention is not limited thereto, and wireless communication networks such as CDMA (Code Division Multiple Access), WCDMA (Wideband Code Division Multiple Access), Wibro (Wireless Broadband), WiFi (Wireless Fidelity), HSDPA (High Speed) Downlink Packet Access) network, Bluetooth (bluetooth), NFC (Near Field Communication) network, satellite broadcasting network, analog broadcasting network, DMB (Digital Multimedia Broadcasting) network, etc. may be. Alternatively, it may be a combination of these wired communication networks and wireless communication networks.

The gateway 120 enables communication between networks using different Internet networks and protocols, and may be composed of a computer or software. Of course, the gateway 120 may be a concept including a router. Therefore, it functions to send packets to other networks.

The firewall 130 is to protect the network from access by unauthorized sources. It blocks traffic by using source address, destination address and traffic type information. Only for that, entry is allowed.

Accordingly, the firewall 130 may include an intrusion detection system (IDS), an intrusion prevention system (IPS), and the like. An intrusion detection system (IDS) collects and/or analyzes security events that occur in a managed network, and when it detects malicious network traffic, it performs a function of alerting an administrator. Intrusion prevention system (IPS) collects and/or analyzes security events occurring in the managed network, and when malicious network traffic is detected, it alerts the administrator of this fact and also performs a function to block it immediately.

1 , the firewall 130 also stores access records according to communication protocols such as Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP) as logs to log the firewall log. function to create A storage unit (not shown) may be configured to store such a firewall log. The storage unit is a flash memory type, a hard disk type, a multimedia card micro type, or a card type memory (eg, SD (Secure Digital) or XD (eXtreme Digital)) memory, etc.), Random Access Memory (RAM), Static Random Access Memory (SRAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), Programmable Read Only Memory (PROM), Magnetic Memory , a magnetic disk, and an optical disk may include at least one type of storage medium. In addition, it may operate in relation to a web storage that performs a storage function on the Internet and a cloud server.

The firewall log includes destination Internet protocol (IP) information, destination port information, and the like. The firewall has a function of allowing normal traffic (Allow) and rejecting abnormal traffic (Deny).

The processing unit 140 performs a function of performing an algorithm to determine a cyber attack and its type in real time using a special form for each type and a heat map form data that can be clearly distinguished even by color due to an increase in the number of connections do.

FIG. 2 is a detailed configuration block diagram of the processing unit 140 shown in FIG. 1 . Referring to FIG. 2 , the processing unit 140 may be configured to include a log collection module 210 , a log processing module 220 , a machine learning module 230 , an analysis module 240 , an output unit 250 , and the like. can

The log collection module 210 performs a function of collecting firewall logs.

The log processing module 220 processes the collected firewall logs to form a matrix. In other words, as a preprocessing process, machine learning through an artificial intelligence model and processing are necessary to detect it. Therefore, it is grouped in n-minute units to form a plurality of matrices. The matrix-type Y-axis indicates destination IP (Destination IP (server)) information, the matrix-type X-axis indicates destination port information, and the value indicates the number of access sessions, indicating the number of users who accessed the service for n minutes. make it known A normal heat map is created through these multiple matrix types. That is, the normal heat map is created based on the server IP and server PORT in the normal state. A diagram showing this is shown in FIG. 5 . This will be described later.

2 , the machine learning module 230 performs a function of generating a heat map for each attack type by applying a normal heat map and a manually created attack scenario heat map to deep learning model learning. A deep learning model consists of a Recurrent Neural Network (RNN), a Deep Neural Network (DNN), and a Convolutional Neural Network (CNN). A 256*256 heat map image that labels the attack type becomes the input layer, and the hidden layer reduces the height and width in half with 2 strides in a 2*2 window with a 32-channel filter of a Convolutional 2D 3*3 window and MaxPooling2D. The activation function uses relu. Finally, the output layer uses softmax for multiclassification. In the case of the hidden layer, it can be transformed according to the learning result.

7 to 10 are diagrams showing heat maps for each type of attack. This will be described later.

The analysis module 240 determines whether to detect a security threat by using the heat map for each attack type generated by the machine learning module 230 . In other words, attack type information is generated through image comparison between the tracking heat map and the heat map for each attack type, and normal or abnormal of this attack type is determined. In addition, it performs a function of generating it as alarm information.

The output unit 250 performs a function of displaying information processed by the log collection module 210 , the log processing module 220 , the machine learning module 230 , the analysis module 240 , and the like. Accordingly, the output unit 250 may output information in a combination of text, voice, and graphics. To this end, the output unit 250 may include a display, a sound system, and the like.

The display may be a liquid crystal display (LCD), a light emitting diode (LED) display, a plasma display panel (PDP), an organic LED (OLED) display, a touch screen, a cathode ray tube (CRT), a flexible display, or the like. In the case of a touch screen, it may function as an input means. Of course, in FIG. 2 , the output unit 240 is illustrated as being included in the processing unit 140 , but this is for the sake of understanding and the output unit 250 is configured separately from the processing unit 140 .

The log collection module 210 , the log song module 220 , the machine learning module 230 , and the analysis module 240 shown in FIG. 2 mean a unit that processes at least one function or operation, which is software and / Alternatively, it may be implemented in hardware. In hardware implementation, application specific integrated circuit (ASIC), digital signal processing (DSP), programmable logic device (PLD), field programmable gate array (FPGA), processor, microprocessor, other It may be implemented as an electronic unit or a combination thereof.

In software implementation, software composition component (element), object-oriented software composition component, class composition component and task composition component, process, function, attribute, procedure, subroutine, segment of program code, driver, firmware, microcode, data , databases, data structures, tables, arrays, and variables. Software, data, etc. may be stored in a memory and executed by a processor. The memory or processor may employ various means well known to those skilled in the art.

3 is a flowchart showing a process of creating a normal heat map and an attack scenario heat map according to an embodiment of the present invention. Referring to FIG. 3 , first, the log collection module 210 collects firewall logs (step S310 ).

Thereafter, the log processing module 220 processes the collected firewall logs, and generates a steady state heat map using only normal log information among the processed firewall logs (step S320).

Then, the user manually creates an attack scenario heat map according to the attack scenario (step S330). Of course, step S330 may be performed before the firewall log collection step S310. In this case, the attack scenario heat map is stored in the database in advance.

Then, the machine learning module 230 performs image learning such as deep learning (step S340). In other words, normal traffic is learned by learning the Allow log among firewall logs. Based on the normal log, a heat map for each attack type is manually created for each attack type as needed for each attack type in IP and PORT, and the attack type is learned to generate a heat map for each attack type (step S350).

FIG. 4 is a flowchart illustrating a process of determining normality and abnormality by comparing heat maps after the process of FIG. 3 . That is, FIG. 4 uses the heat map for each attack type generated by the process of FIG. 3 to determine the type of pore diameter of the tracking heat map collected in real time, and confirms whether there is an abnormality. Referring to FIG. 4 , first, the log collection module 210 collects firewall logs (step S410 ).

Thereafter, the log processing module 220 processes the collected firewall log, and generates a real-time tracking heat map using the log information (step S420 ).

Thereafter, the analysis module 240 detects a security threat by comparing the real-time tracking heat map with the heat map for each attack type (step S440). In other words, in the case of normal traffic, the heat map of the destination IP and destination port is evenly distributed, but when an attack or anomaly occurs, a special shape for each type and the number of connections increase, so that it can be clearly distinguished by color. . Using this type of data and using image learning such as CNN, cyber attacks and their types can be identified in real time.

The order shown in FIGS. 3 and 4 is for understanding, and the order may be changed, a plurality of steps may be formed as one, or one step may be subdivided into several steps.

5 is an example of creating a DDoS heat map according to an embodiment of the present invention. Referring to FIG. 5 , the firewall 130 has a function of allowing normal traffic (Allow) and rejecting abnormal traffic (Deny). Therefore, normal traffic is learned by learning the Allow log among firewall logs. Based on normality, manually create a heat map for each scenario as needed for each attack type for IP and PORT.

In particular, FIG. 5 is an example of creating a heat map of IP and PORT for Distributed Denial of Service (DDoS). The horizontal axis is service destination port information, and the vertical axis is destination server IP information. Firewall log collection is grouped in n-minute units to form a number of matrices. Here, n is an integer greater than 0, and in one embodiment of the present invention, it is about 10 minutes. Also, the value of the lower color bar increases from left to right. That is, the leftmost is 0 and the rightmost is 3000. Accordingly, it can be known whether there is a sudden increase in the number of access session counts according to the color.

6 is an image of a normal heat map according to an embodiment of the present invention. Referring to FIG. 6 , in the case of normal traffic, a heat map of a destination IP and a destination Port is evenly distributed.

On the other hand, when an attack or anomaly occurs, a special form and the number of connection sessions for each type increase, making it possible to clearly distinguish them by color. A diagram showing this is shown in FIGS. 7 to 10 .

7 is an image of a SynFlooding heat map according to an embodiment of the present invention. Referring to FIG. 7 , a sink flooding attack is a server attack using a vulnerability when a TCP session is connected. Since the number of simultaneous user connections is limited for each server, it is tricked into pretending that a non-existent client has accessed, preventing other users from receiving the services provided by the server. Referring to FIG. 7 , destination port information is displayed on the Y-axis, and destination port information is displayed on the X-axis. In addition, a value indicating the number of connection sessions is displayed. The number of connection sessions corresponds to a color in the drawing. In the heat map, the closer to indigo, the fewer connection sessions, and the closer to red, the more connection sessions.

8 is an image of a Distributed Denial of Service (DDos) heat map according to an embodiment of the present invention. Referring to FIG. 8 , a DDos attack is a malicious attack method that disables a website or a web application to a user by incapacitating the site with a large amount of traffic to cause the site to crash or operate very slowly. Accordingly, an explosion of traffic occurs, and the red bands in the heat map shown in FIG. 8 occur relatively more than other heat maps.

9 is an image of a server down heat map according to an embodiment of the present invention. Referring to FIG. 9 , it is an attack that sends a bunch of packets down to one specific IP. For server down heatmaps, there is almost no traffic. Based on FIG. 6, which is a heat map in a normal state, it is seen that the red-based image is reduced in FIG. 9 . The loss of traffic from IP and PORT where traffic normally should occur means a service failure such as a server down.

10 is an image of a worm infection heat map according to an embodiment of the present invention. Referring to FIG. 10 , a worm infection attack is an attack in which a computer virus-infected file is used in another computer through a storage medium or network, and the computer is also infected. In the case of a worm infection heat map, a red band appears in a straight line across the vertical axis.

In an embodiment of the present invention, anomaly detection and attack type using a firewall log were determined. have. As described above, the CPU usage rate, memory occupancy rate, and process operation rate in a normal state can be prepared as a heat map, and scenarios for each attack can be created and abnormal symptoms can be determined by comparing the heat maps described above. Of course, for this purpose, the components shown in FIG. 2 may be included. In this case, the log collection module 210 collects the resource use log of the computer, the log processing module 220 processes the resource use log to generate a heat map, and the machine learning module 230 also attacks through resource use. Create a heatmap for each type. In addition, the analysis module 240 determines whether to detect a security threat using a real-time tracking heat map generated using the resource usage log and a heat map for each attack type. Here, the computer may be a server, but is not limited thereto, and may be a workstation, a personal computer (PC), a notebook computer, or the like.

In addition, the steps of the method or algorithm described in relation to the embodiments disclosed herein are implemented in the form of program instructions that can be executed through various computer means such as a microprocessor, a processor, a CPU (Central Processing Unit), etc. It can be recorded on any available medium. The computer-readable medium may include program (instructions) codes, data files, data structures, etc. alone or in combination.

The program (instructions) code recorded on the medium may be specially designed and configured for the present invention, or may be known and available to those skilled in the art of computer software. Examples of the computer-readable recording medium include magnetic media such as hard disks, floppy disks and magnetic tapes, optical media such as CD-ROMs, DVDs, Blu-rays, and the like, and ROM, RAM ( A semiconductor memory device specially configured to store and execute program (instruction) code such as RAM), flash memory, and the like may be included.

Here, examples of the program (instruction) code include not only machine language codes such as those generated by a compiler but also high-level language codes that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

100: security threat detection system
110: Internet network
120: gateway
130: firewall
140: processing unit

Claims (19)

a gateway 120 connected to the Internet network 110;
a firewall 130 for generating a firewall log by storing access information from the gateway 120; and
a processing unit 140 that determines whether to detect a security threat using the firewall log;
Security threat detection system using a firewall log, characterized in that it comprises a.
The method of claim 1,
The processing unit 140,
a log collection module 210 for collecting the firewall logs;
a log processing module 220 for creating a steady state heat map or a real-time tracking heat map by grouping the firewall logs into a preset time unit and forming a plurality of matrices;
a machine learning module 230 for generating a heat map for each attack type through a deep learning model based on the steady state heat map; and
and an analysis module (240) for determining whether to detect the security threat by comparing the real-time tracking heat map with the heat map for each attack type.
3. The method of claim 2,
The security threat detection system using a firewall log, characterized in that the time unit is n minutes (where n is an integer greater than 0).
3. The method of claim 2,
The heat map for each attack type is generated by repeating comparison of an attack scenario heat map created manually in advance with the normal state heat map.
5. The method of claim 4,
The comparison is a security threat detection system using a firewall log, characterized in that the comparison between colors.
3. The method of claim 2,
The security threat detection system using a firewall log, characterized in that the normal state heat map is generated using only normal log information among the firewall logs.
3. The method of claim 2,
The firewall log is a security threat detection system using a firewall log, characterized in that it includes destination IP (Destination Internet Protocol) information and destination port (Destination Port) information.
8. The method of claim 7,
A security threat detection system using a firewall log, characterized in that in the matrix form, the destination IP (Destination Internet Protocol) information is arranged on the Y-axis, and the destination port information is arranged on the X-axis.
3. The method of claim 2,
The deep learning model is a security threat detection system using a firewall log, characterized in that CNN (Convolutional Neural Network).
3. The method of claim 2,
The heat map for each attack type is a sync flooding heat map based on a sync flooding attack, a DDos heat map based on a DDos (Distributed Denial of Service) attack, a server down heat map based on a server down attack, and A security threat detection system using a firewall log, characterized in that it is one of the worm infection heatmaps based on the worm infection attack.
In the security threat detection system using the resource usage log,
a log collection module 210 for collecting resource usage logs;
a log processing module 220 for creating a steady state heat map or a real-time tracking heat map by grouping the resource usage logs into a preset time unit and forming a plurality of matrixes;
a machine learning module 230 for generating a heat map for each attack type through a deep learning model based on the steady state heat map; and
an analysis module 240 for determining whether to detect the security threat by comparing the real-time tracking heat map with the heat map for each attack type;
A security threat detection system using a resource usage log, characterized in that it comprises a.
12. The method of claim 11,
The resource usage log is a security threat detection system using a resource usage log, characterized in that one of a central processing unit (CPU) usage rate, a memory share, and a process operation rate.
(a) generating a firewall log by storing access information from the gateway 120 connected to the firewall 130 to the Internet network 110; and
(b) determining, by the processing unit 140, whether to detect a security threat using the firewall log;
A security threat detection method using a firewall log comprising a.
14. The method of claim 13,
The step (b) is,
(b-1) the log collection module 210 collecting the firewall logs;
(b-2) creating, by the log processing module 220, a steady state heat map or a real-time tracking heat map by grouping the firewall logs into a preset time unit and forming a plurality of matrices;
(b-3) generating, by the machine learning module 230, a heat map for each attack type through a deep learning model based on the steady state heat map; and
(b-4) determining, by the analysis module 240, whether to detect the security threat by comparing the real-time tracking heat map with the heat map for each attack type; .
15. The method of claim 14,
The heat map for each attack type is generated by repeatedly comparing an attack scenario heat map created manually in advance with the normal state heat map.
16. The method of claim 15,
The comparison is a security threat detection method using a firewall log, characterized in that it is a comparison between colors and shapes.
15. The method of claim 14,
The step (b-4) is,
and outputting, by the analysis module 240, whether the security threat has been detected as alarm information to the output unit 250.
18. The method of claim 17,
The alarm information is a security threat detection method using a firewall log, characterized in that a combination of voice, text, and graphics.
In the security threat detection method using the resource usage log,
(a) the log collection module 210 collecting resource usage logs;
(b) creating, by the log processing module 220, a steady state heat map or a real-time tracking heat map by grouping the resource use logs into a preset time unit and forming a plurality of matrices;
(c) generating, by the machine learning module 230, a heat map for each attack type through a deep learning model based on the steady state heat map; and
(d) determining, by the analysis module 240, whether to detect the security threat by comparing the real-time tracking heat map with the heat map for each attack type;
A security threat detection method using a resource usage log, characterized in that it comprises a.

Images