KR20220081145A - AI-based mysterious symptom intrusion detection and system - Google Patents

Abstract

An AI-based anomaly intrusion detection and response system and method are disclosed. The AI-based anomaly intrusion detection and response system includes: a firewall installed in a router or gateway of an enterprise internal network; an intrusion detection system (IDS) or an intrusion prevention system (IPS) connected to the firewall; and Internet mail, malicious code connected to the intrusion detection system (IDS) or the intrusion prevention system (IPS) to detect security threats and intrusions related to AI-based anomalies such as IT system failures, security accidents, and rapid network traffic increase Analyze big data for each type of anomaly data through AI machine learning learned in advance for , virus/worm, and DDoS attacks, detect abnormal symptoms after learning normal data, and detect abnormal symptoms after learning abnormal data In addition, abnormal data is stored in the threat DB, and the IDS/IPS blocks the attack attempt IP in response to the security threat by the decision-making system, or registers it as a blacklist in the firewall (F/W) and IDS/IPS and registers it as a malicious code or virus It includes a threat information collection server that applies a vaccine solution in response.
The system refers to the TCP/IP packets coming from the external network for Internet mail, malicious code, virus/worm, and DDoS attacks. Analyzes big data through AI machine learning learned in advance for Internet mail, malware, virus/worm, and DDoS attacks by detecting security threats and intrusions related to signs, and detects abnormal symptoms after learning normal data After learning abnormal data, it detects abnormal symptoms, stores the abnormal data in the threat DB, and responds to security threats by the decision-making system, so that IDS/IPS blocks the attack IP, or the firewall (F/W) and IDS/IPS By registering as a blacklist and applying a vaccine solution against malicious codes or viruses, security threats and intrusions were prevented to prevent security breaches.

Description

AI-based mysterious symptom intrusion detection and response system

The present invention relates to an AI-based anomaly intrusion detection and response system, and more particularly, malicious code/virus by referring to TCP/IP packets flowing from an external network for Internet mail, malicious code, virus/worm, and DDoS attacks. AI machine learning learned in advance for Internet mail, malware, virus/worm, and DDoS attacks by detecting security threats and intrusions related to AI-based abnormal symptoms such as IT system failures, security accidents, and rapid network traffic increase Analyze big data using data mining through Prevents security breaches by blocking attack attempts by IDS/IPS, or registering as a blacklist in firewall (F/W) and IDS/IPS, and applying vaccine solutions in response to malicious codes or viruses to respond to security threats and intrusions do.

Recently, hacking damage that destroys important information systems including confidential documents in computers by malicious codes, malware, and viruses is frequently occurring.

Internet security threats are classified into network threats, system threats, and physical threats.

Internet Security Threats Contents network threats - Using protocol vulnerabilities: spoofing attack, session hijacking
- Service Interference: Data data falsification, deletion, leakage, DoS attack, Distributed Denial-of-Service (DDoS) attack, spam mail
- Information leak: network eavesdropping, user eavesdropping systemic threat - Account hijacking: cracking, decryption using sniffer program
- Hacking: Changing a specific program in the system to malicious
- Malware: Malware, malware, ransomware, virus physical threat - Information security accidents caused by internal and external visitors
- Confidential document management security vulnerabilities;
- Intruder's piracy / information leakage (Information Theft)

Hacking is an act in which an external attacker intrudes into an internal system through an illegal route by bypassing IDS and Firewall through a network or the Internet, acquires and destroys important data or data, and then attacks. Sniffer, finger, etc. are used by attackers to gain illegal access/user privileges in the attack target system. For example, intrusion tools are installed sniffers, backdoors, and Trojan horses.

패스워드 스니핑(Password Sniffing) 공격: 스니퍼(sniffer)는 단어의 의미(냄새를 맡다, 코를 킁킁거리다)에서도 알 수 있듯이 스니퍼는 “컴퓨터 네트워크상에 흘러 다니는 트래픽을 엿듣는 도청장치”라고 할 수 있다. 그리고 “스니핑”은 스니퍼를 이용하여 네트워크상의 데이터를 도청하는 행위이다. 패스워드 스니핑(Password Sniffing)은 접근 제어(Access Control)로 암호를 수시로 바꾸면 해결책이다.

Password Sniffing Attacks: As the meaning of the word (sniff, sniff) suggests, a sniffer is a “eavesdropper that eavesdrops on traffic flowing over a computer network.” . And “sniffing” is the act of eavesdropping on data on the network using a sniffer. Password sniffing is a solution by frequently changing passwords with access control.

서비스 거부(Denial of Service, DoS) 공격 또는 분산 서비스 거부(Distributed Denial of Service, DDoS) 공격은 분산된 복수의 공격자 컴퓨터로부터 표적시스템에 동시에 접속하여 단시간에 특정 웹사이트에 대용량 트래픽 데이터를 전송하여 과부하를 일으켜 트래픽(bandwidth), 프로세스 처리능력, 시스템 자원을 고갈시켜 시스템을 다운시켜 정상적인 서비스를 할 수 없도록 공격한다.

Denial of Service (DoS) attack or Distributed Denial of Service (DDoS) attack simultaneously accesses a target system from a plurality of distributed attacker computers and transmits large amounts of traffic data to a specific website in a short time, resulting in overload It causes the system to go down by depleting traffic (bandwidth), process processing power, and system resources to prevent normal service.

IP spoofing 공격: IP 스푸핑 공격(spoofing attack)은 바로 자기 자신의 식별정보를 속여 다른 대상 시스템을 공격하는 기법이다. 네트워크 상의 공격자는 TCP/IP(transfer control protocol/Internet protocol) 프로토콜 상의 취약성을 기반으로 해킹 시도시 자신의 시스템 정보(IP address, DNS 이름, MAC address 등)를 위장하여 감춤으로써 역추적이 어렵게 만든다. 스푸핑 공격은 패킷 스니퍼링이나 서비스 거부 공격, 세션 하이재킹(session hijacking) 등의 다른 여러 가지 공격을 가능하게 한다. IP 스푸핑 공격(IP spoofing attack)의 종류는 IP 스푸핑, ARP 스푸핑, 이메일 스푸핑, DNS 스푸핑이 있다. 만약, 공격자가 세션ID를 쿠키에 저장한다면, 쿠키 노출에 대한 하이재킹까지 가능하기 때문에 인터넷 보안에 취약하고 위험하며, 공격자가 세션IDffm 캡춰할 경우 HTTP 헤더의 다른 값을 모두 캡춰할 수 있다. 쿠키 노출은 브라우저의 취약점 또는 크로스 사이트 스크립팅(XSS, Cross-Site Scripting)과 관련되며, 희생자(victim) 컴퓨터는 모든 헤더의 정보를 알아낼 수 있는 공격자가 해당 웹사이트를 방문했을 가능성이 높다.

IP spoofing attack: An IP spoofing attack is a technique that attacks another target system by deceiving its own identification information. When an attacker on the network tries to hack based on a vulnerability in the transfer control protocol/Internet protocol (TCP/IP) protocol, it disguises and hides their system information (IP address, DNS name, MAC address, etc.), making it difficult to trace back. Spoofing attacks enable several other attacks, such as packet sniffing, denial of service attacks, and session hijacking. Types of IP spoofing attacks include IP spoofing, ARP spoofing, email spoofing, and DNS spoofing. If an attacker saves the session ID in a cookie, it is possible to hijack the cookie exposure, so it is vulnerable and dangerous to Internet security. If the attacker captures the session IDffm, all other values of the HTTP header can be captured. Cookie exposure is related to browser vulnerabilities or Cross-Site Scripting (XSS), and the victim computer is highly likely to have visited the website by an attacker who can find out information in all headers.

플러딩(flooding) 공격: Syn 플러딩 공격은 TCP의 초기 연결과정에서 TCP 3-way Handshaking을 이용, Syn 패킷을 요청하여 서버로 하여금 ACK 및 SYN 패킷을 송신하며, 이때 보내는 송신 주소가 무의미한 주소이므로 서버는 대기상태에 있게 되고, 이러한 요청 패킷들이 들어오면 서버의 대기 큐(queue)가 가득차 결국 서비스거부 상태에 들어가게 된다.

Flooding attack: Syn flooding attack uses TCP 3-way handshaking in the initial connection process of TCP, requests a Syn packet, and causes the server to send ACK and SYN packets. It is in the standby state, and when these request packets are received, the server's waiting queue is full, and eventually it enters the denial of service state.

The response technology for hacking is a network response method, including intrusion prevention system (firewall), intrusion detection system (IDS), application encryption/decryption communication (SSL, IPsec, etc.), integrated security management (ESM), and integrated Authorization and Authorization Rights (EAM), anti-virus software is being used.

An intrusion detection system (IDS) is a system that detects and responds to security threats that illegally duplicate/delete network system resources, damage data through abnormal actions, or make service unavailable. Firewall controls Local Host information of external Internet and internal intranet networks by establishing a firewall host. Intrusion Detection System (IDS) is a representative system that paralyzes network resources due to system paralysis or network performance degradation by generating a large amount of traffic on the network when a distributed denial of service (DDoS) attack occurs on a specific website. Blocks traffic flooding attacks.

Intrusion detection methodology is largely classified into misuse detection and abnormal behavior detection according to the method of analyzing detection. Misuse detection is signature analysis, expert systems, state transition analysis, petri-nets, anomaly detection is statistics, expert systems, It uses neural networks, data mining, and Hidden Markov Models (HMM) technologies.

IPSec (Internet Protocol Security protocol) is a standard still in use to maintain security at the packet processing layer of network communications. In previous security techniques, security was inserted into the application layer of the communication model. IPSec will be particularly useful for virtual private networks and remote user access to private networks. A great advantage of IPSec is that security provisions can be handled without changes to individual user computers.

SSL/TLS is used as a Secure Sockets Layer (SSL) and Transport Layer Security (TLS) cipher protocol.

S-HTTP (Secure Hypertext Transfer Protocol, Secure HTTP) is an extension of HTTP that allows WWW files to be exchanged securely. Each S-HTTP file is encrypted and includes an electronic signature. S-HTTP is used as an alternative to SSL, another well-known security protocol. The main difference between the two technologies is that S-HTTP allows the client to send a certificate to prove that it is an authorized user, whereas in SSL only the server can authenticate. S-HTTP is more often used in situations where authentication is required from a more secure user than using a user ID and password, or where a server is located on behalf of a bank. S-HTTP does not use any single encryption system, but RSA (Rivest Shamir Adleman) public/private key encryption system is supported. SSL operates at a higher program layer than the TCP layer. S-HTTP operates on the upper layer of HTTP application. Both security protocols can be used by one user, but only one of them can be used for a given document. Terisa Systems includes both SSL and S-HTTP within its Internet security tools.

For reference, SSL (Secure Socket Layer) was developed by Netscape for security such as e-commerce. It was later standardized under the name TLS (Transport Layer Security). Since SSL is a transport layer encryption method, it can be used regardless of application layer protocols such as NNTP (Network News Transfer Protocol), FTP (file transfer protocol), and XMPP as well as HTTP. Basically, authentication, encryption, and integrity are guaranteed.

Recently, many malicious codes, malware (ransomware), worms, and viruses included in email attachments are occurring, and email malware detection and response technology is required.

Web pages require technologies to prevent hacking by malicious code and distributed denial of service (DDoS) attacks that generate large-scale traffic to a specific website URL in the network and download overload. DNS-based DDoS attacks are not only difficult to detect, they can affect internal and external DNS servers by constantly changing their appearance like moving targets. Attackers use a wide range of techniques, from basic methods such as amplification/reflection, disruption of service attacks, and simple non-existent domains (NXDOMAINs) to more sophisticated attacks such as botnets, chain reaction and malfunctioning domains.

Referring to FIG. 3 , DNS attacks are a major target of application-layer DDoS attacks, but DNS threat defense is insufficient with existing firewalls. In particular, it cannot defend against DNS-based DDoS attacks using amplification/reflection techniques. However, Infoblox Advanced DNS Protection (ADP) effectively defends against a wide range of DNS-based attacks such as DNS DDoS, exploits, NXDOMAIN, DNS data exfiltration and DNS hijacking attacks. ADP intelligently detects and mitigates DNS attacks while only responding to normal queries without relying on infrastructure over-provisioning or response rate limiting.

Last year, ransomware DDoS attacks were rampant against large domestic companies and banks. Ransom DDoS is 'Ransom', which means hostage, and 'Distributed Denial of Service (DDoS)' attack that shuts down the service due to network overload of a specific website.

In addition, smishing using an SMS message including a URL of a mobile communication terminal and pharming using a messenger including harmful URL information are frequently occurring.

As a related prior art 1, "A network-based Internet worm detection apparatus and method using vulnerability analysis and attack method modeling" is registered in Patent Registration No. 10-0862187.

1 is a block diagram illustrating a network-based Internet worm detection apparatus 220 using a conventional vulnerability analysis and attack method modeling. The Internet worm detection apparatus 220 includes a threat existence determination unit 120 , a packet content extraction unit 140 , an attack determination unit 170 , and a vulnerability information storage unit 150 .

Additionally, the fragment packet processing unit 130 , the session management information storage unit 160 , the attack response unit 180 , the manager 190 or the security device 200 may be included.

As a NIC device 110 (network interface card), it is an interface means for allowing the Internet worm detection device 220 of the present invention to collect packets from the network 100 .

A network-based Internet worm detection device using vulnerability analysis and attack method modeling provides vulnerability information necessary for vulnerability attack detection, including keywords used to attack vulnerabilities found in applications. Vulnerability information storage unit 150 to store); a threat existence determination unit 120 that determines whether a packet transmitted over a network is transmitted to an application program having a vulnerability; a packet content extraction unit 140 for extracting information necessary for intrusion determination by using the vulnerability information from the packet determined to be transmitted to the application program having the vulnerability; and an attack determination unit 170 that determines whether an attack packet is an attack packet by comparing/analyzing the information extracted from the packet and the vulnerability information stored in the vulnerability storage unit, thereby utilizing the vulnerability information of the application program and modeling the attack method In this way, it is possible to detect Internet worms and prepare countermeasures before an actual attack occurs, and by storing only a portion of information belonging to a specific session of a packet that arrives divided or changed in order, the efficiency of storage device usage is secured and packet processing is performed. Required resources can be reduced.

As a related prior art 2, "Forensic-based SACT system and its driving method" is registered in Patent Registration No. 10-1553172, and as an information protection technology, an attacker terminal (suspect) attacks a victim terminal (victim) with an attack packet SACT (Sinkhole and Compressed Filter based Trackback) that forwards the attack packet to the sinkhole router, inducing the attacker's terminal to misunderstand that the attack packet has been transmitted to the router, and generates the analysis result data and backtrace route information for the attack packet. ) system is provided.

Referring to FIG. 2 , the SACT (Sinkhole and Compressed Filter based Trackback) system 1000 transmits the attack packet to the sinkhole router 400 when the attacker terminal 100 (suspect) attacks the victim terminal 110 (victim) with an attack packet. ) to induce the attacker terminal 100 to mistakenly believe that the attack packet has been transmitted to the router 300, as well as the data of the attack packet analysis result and the actual IP spoofing packet. A system for generating backtracking route information for finding a source, including a management server 200, a router 300, a sinkhole router 400, and an attack analysis server 500, and the router 300 includes an attack detection module ( 320), and a router management module 310.

The forensic-based SACT system is

a management server for generating backtrace request information instructing backtracking for an attack packet;

a router that detects the attack packet and transmits the attack packet to a sinkhole router when the attacker terminal attacks the victim terminal with the attack packet, and forwards traceback response information in response to the traceback request information to the management server;

a sinkhole router that continuously receives the attack packet through the router and transmits it to an attack analysis server so that the attacker terminal may mistakenly believe that the attack packet has been transmitted to the router; and

and an attack analysis server that receives the attack packet from the sinkhole router, generates analysis result data for the attack packet, and transmits it to the management server,

The management server generates backtrace path information for the attack packet using the backtrace response information and stores it in a storage module,

The router management module pre-connected with the router compresses the BF binary value generated from the attack packet into a Compressed Bloom Filter (CBF) compression value using a CBF compression algorithm, and thus traces back the attack packet invading for a certain period of time. and

The management server restores the CBF (Compressed Bloom Filter) compression value generated by the router management module to the BF (Bloom Filter) binary value using a CBF restoration algorithm, so that the attack packet is restored even after the predetermined time has elapsed. It is characterized by backtracking.

The management server generates backtrace request information instructing backtracking of the attack packet (S100).

When the attacker terminal attacks the victim terminal with an attack packet, the router detects the attack packet and forwards it to the sinkhole router, and forwards traceback response information in response to the traceback request information to the management server (S110, S120).

When the router management module connected to the router confirms that the router receives the traceback request information from the management server, it recognizes that the attack packet passing through the router is registered in the bloom filter.

At this time, the bloom filter generates an attack packet as a BF binary value in which the address value of the BF table address is updated to '0' or '1'.

The router management module transmits backtrace response information set to False (if BF binary value is '0') or backtrace response information set to True (in case BF binary value is '1') to the management server.

Also, the router management module compresses the BF binary value generated from the attack packet into a CBF compression value using the CBF compression algorithm.

The sinkhole router continuously receives attack packets through the router and transmits them to the attack analysis server so that the attacker terminal misunderstands that the attack packets have been transmitted to the router (S130).

The attack analysis server receives the attack packet from the sinkhole router, generates analysis result data for the attack packet, and transmits it to the management server (S140).

Management server generates backtrace route information for attack packets using backtrace response information, or utilizes CBF (Compressed Bloom Filter) compression value generated by router management module to restore CBF (Bloom Filter) binary number It restores the value and generates backtracking path information through this (S150).

Here, the management server extracts only the traceback response information set to True and then combines the router ID and timestamp retrieved from the traceback response information set to True to create the traceback route information. It is stored in the non-removed storage module.

However, password sniffing hacking by crackers or hackers attack through the Internet network to the host computer through the router; receiving emails containing viruses, malware (such as ransomware), or malicious code; And cyber security attacks such as DDoS (Distributed Denial-of-Service) attacks on specific websites, and spam emails are increasing. , it is necessary to secure Internet security response technology for this in websites and endpoint computers.

Patent registration number 10-0862187 (registration date October 01, 2008), "Network-based Internet worm detection device and method using vulnerability analysis and attack method modeling", Korea Electronics and Telecommunications Research Institute Patent registration number 10-1553172 (registration date September 08, 2015), "Forensic-based SACT system and its operating method", Catholic Kwandong University Industry-Academic Cooperation Foundation

It is an object of the present invention to solve the above problems by referring to TCP/IP packets flowing in from an external network for Internet mail, malicious code, virus/worm, and DDoS attacks, and it is possible to prevent IT system failure caused by malicious code/virus, security accident, Detect security threats and intrusions related to AI-based anomalies such as sudden increase in network traffic, and use data mining to use data mining to learn big data from pre-learned AI machine learning for Internet mail, malware, virus/worm, and DDoS attacks. , detects abnormal symptoms after learning normal data, detects abnormal symptoms after learning abnormal data, stores abnormal data in the threat DB, responds to security threats by the decision-making system, and blocks IP attempts by IDS/IPS Or, by registering as a blacklist in the firewall (F/W) and IDS/IPS, and applying a vaccine solution in response to malicious codes or viruses to respond to security threats and intrusions to prevent security breaches, AI-based abnormal symptom intrusion detection and A response system is provided.

In order to achieve the object of the present invention, an AI-based anomaly intrusion detection and response system includes: a firewall installed in a router or gateway of an enterprise internal network; an intrusion detection system (IDS) or an intrusion prevention system (IPS) connected to the firewall; and Internet mail, malicious code connected to the intrusion detection system (IDS) or the intrusion prevention system (IPS) to detect security threats and intrusions related to AI-based anomalies such as IT system failures, security accidents, and rapid network traffic increase Analyze big data for each type of anomaly data through AI machine learning learned in advance for , virus/worm, and DDoS attacks, detect abnormal symptoms after learning normal data, and detect abnormal abnormal symptoms after learning abnormal data In addition, abnormal data is stored in the threat DB, and IDS/IPS blocks the attack attempt IP in response to security threats by the decision-making system, or registers as a blacklist in the firewall and IDS/IPS and responds to malicious codes or viruses to provide a vaccine solution It includes a threat information collection server that provides to apply

The AI-based anomaly intrusion detection and response system of the present invention refers to TCP/IP packets flowing in from external networks against Internet mail, malicious code, virus/worm, and DDoS attacks to prevent IT system failure and security by malicious code/virus. Detect security threats and intrusions related to AI-based anomalies such as accidents and rapid network traffic increase, and use data mining through AI machine learning learned in advance for Internet mail, malware, virus/worm, and DDoS attacks. Analyzes big data, detects abnormal symptoms after learning normal data, detects abnormal symptoms after learning abnormal data, stores abnormal data in the threat DB, and responds to security threats by decision-making system, so that IDS/IPS attacks IP It has the effect of preventing security breaches by blocking security threats and intrusions by blocking them or registering them as blacklists in the firewall (F/W) and IDS/IPS and applying vaccine solutions against malicious codes or viruses.

The AI-based anomaly intrusion detection and response system builds a highly reliable system by increasing the accuracy of the numerical prediction results of security incident intrusion detection from a technical point of view i) Preemptive situation recognition and situation through big data analysis/prediction Reinforcing responsiveness, improving IT operation capabilities, ii) economically, reducing IT operation and management costs, iii) socially, recruiting workers in the 4th industry, such as Internet security, AI and big data engineers. It has been able to foster professional IT operation core personnel with the ability to analyze big data related to IT operation and failure and develop AI-based anomaly detection models.

1 is a block diagram illustrating a network-based Internet worm detection apparatus 220 using a conventional vulnerability analysis and attack method modeling.
2 is a diagram illustrating a conventional SACT (Sinkhole and Compressed Filter based Trackback) system.
3 is a conceptual diagram of a DrDoS attack and DNS cache poisoning.
4 is a configuration diagram of an AI-based anomaly intrusion detection and response system according to the present invention.

Hereinafter, a preferred embodiment of the present invention will be described in detail with reference to the accompanying drawings, the configuration and operation of the invention. In the description of the present invention, if it is determined that a detailed description of a related known function or known configuration may unnecessarily obscure the subject matter of the present invention, the detailed description thereof will be omitted. In addition, when the accompanying drawing numbers indicate the same configuration, the same reference numbers are given in different drawings.

The AI-based anomaly intrusion detection and response system of the present invention provides IT system failures, security accidents, and rapid network traffic caused by malicious codes/viruses flowing from external networks by type for Internet mail, malicious code, virus/worm, and DDoS attacks. To detect security threats and intrusions related to AI-based anomalies such as increase, analyze big data through pre-learned AI machine learning for Internet mail, malicious code, virus/worm, and DDoS attacks, and after learning normal data Detects abnormal symptoms, learns abnormal data, detects abnormal symptoms, extracts and classifies normal/abnormal data, passes normal data, stores abnormal data in threat DB, and responds to security threats by decision-making system IDS/IPS Blocks the attack attempt IP or registers it as a blacklist in the firewall (F/W) and IDS/IPS, and responds to malicious codes or viruses by applying a vaccine solution to respond to security threats and intrusions to prevent security breaches.

4 is a configuration diagram of an AI-based anomaly intrusion detection and response system according to the present invention.

When the attacker PC 700 enters the internal network from the external network through the router (L3 switch) 710 and 720, a firewall 900 and an intrusion detection system (IDS) or (IPS) 910 are provided. The detection system (IDS) or intrusion prevention system (IPS) 910 is interlocked with the threat information collection server 920, the threat DB, and the vaccine DB, and thereafter, a plurality of user terminals (PCs) 940 are provided in the intranet.

[Measures to be taken when 'Intrusion Detection' or 'Network Intrusion Prevention' occurs]

1. Record the attacker's IP address and the victim's IP address in the 'Network Intrusion Prevention' log.

2. Full manual scan with the latest V3 engine from the PC of the attacker's IP left in the 'Network Intrusion Prevention' log. Since it can be attacked by malicious code (malware such as ransomware) or virus/worm, manually scan all disk drivers using a vaccine such as the latest V3 engine

3. If you use TcpView to check if there are any processes connecting to the network unnecessarily, you can check the programs currently using the network.

4. Network traffic uses SNMP (Simple Network Management Protocol) to measure network traffic on network links using MRTG (Multi Router Traffic Grapher) network traffic monitoring measurement software.

For reference, MRTG is written in Perl, uses SNMP protocol, and can be run on Windows, Linux, Unix, Mac OS and Netware. MRTG is a tool to monitor TCP/IP network traffic. It can also detect anomalies in which TCP/IP network traffic increases rapidly to a specific website due to a DDoS attack.

The TCP/IP protocol communicates with the sender IP address and port number, and the receiver IP address and port number.

The hacking penetration method basically maintains access rights and includes information gathering; reconnaissance; port scanning of the target IP address to determine which ports of the target computer are open and which services are provided; It consists of four phases including an attack.

For example, the whois service allows you to obtain the contact information of the attack target such as IP address, host name, company address, and phone number registered in the company's DNS server.

whois target@domain

If you do a search, you may get a hostname rather than an IP address as a result. In this case, you can use the host tool to convert the hostname to an IP address.

host target_hostname

host aaa.example.com

Also, to extract information from the DNS server, use nslookup or dig. nslookup uses a tool that queries by entering the IP address of a DNS server and obtains a record of the host.

nslookup

> server 33.77.88.99

If dig enters the actual target IP address (target_ip) for zone transfer, it can acquire the IP address of the target DNS server and all the list of hosts. Using dig's "-t AXFR" dhqtusdmf, you can transfer the zone outside the company's DMZ zone.

dig @target_ip

dig @192.168.1.23 example.com -t AXFR

In the case of e-mail spam filtering, an e-mail consists of a header and a body, and a specific spam keyword in the e-mail header is checked by a spam filter. If a spam phrase exists, the spam folder is saved as

Emails with unidentified sender emails and emails with virus attachments with no sender information are suspicious of attachments with abnormal symptoms (e.g., a compressed file compressed in RAR format including PDF) If you download and save the attachment, you can prevent infection by scanning the attachment for a virus using an antivirus right away to avoid getting infected with a virus. In this case, the antivirus detects and scans in real time.

- Beverly Wang

- "Please this is the send mail..."

- Attachment: "PO-PRODUCT9988-PDF.rar"

The firewall 900 is installed in a router or gateway of the intranet inside the company, and blocks access to other than authorized users to block illegal intrusion of hackers or crackers in the computer network and to prevent network security incidents. and a packet filtering firewall, a dual-homed gateway firewall, and a screened host firewall.

The intrusion detection system (IDS) 910 detects a Trojan horse or malicious code to operate a vaccine, and detects and suppresses a backdoor. For reference, a backdoor is a method that allows access to a computer and encryption system without going through a normal authentication process. Backdoors are mainly intentionally planted in the design and development stage, but are also created by software (such as Trojan horses) transmitted through security vulnerabilities that exist in a running computer.

The intrusion prevention system (IPS) 910 detects/blocks traffic targeting OS or application vulnerabilities from the outside using a digital vaccine or security filter (malware filter and spam filter), is not infected with malicious codes or viruses/worms, and as a Reputation Feed (additional optional function), it blocks unauthorized communication to C&C servers and phishing sites from internal terminals in the IP address/DNS domain/URL blacklist.

The intrusion prevention system (IPS) 910 may be included in a firewall solution or used as a separate independent appliance in terms of network security.

One side of the threat information collection server 920 is connected to an intrusion detection system (IDS) 910 or an intrusion prevention system (IPS) 910, and the other side is connected to a GUI-based security manager 930, ,

The threat information collection server 920 is

In order to prevent IT system failures, security accidents, and threats caused by malicious codes/viruses, Internet mail with files containing malicious codes or viruses/worms attached, and DDoS attacks that cause rapid network traffic increase from external networks a data collection unit 921 for collecting security incident anomaly data for each type flowing into the internal network;

A sudden increase in network traffic detected by a network traffic monitoring program (MRTG, etc.) by checking the virus/malware of the file attached to the Internet mail to which the malicious code or virus/worm-containing file is attached from an external network AI-based intrusion detection unit 923 for detecting abnormal symptoms of AI-based security threats above the threshold of the usual traffic value by measuring traffic against DDoS attacks that cause ;

For Internet mail, malicious code, virus/worm, and DDoS attacks, through AI machine learning learned in advance by type, check whether the network traffic threshold is exceeded, analyze big data related to security incident threats, and learn abnormal data after learning normal data. a data analysis unit 927 that detects anomalies, detects abnormal abnormalities after learning abnormal data, stores abnormal data in a threat DB, and provides them to a decision-making system (DSS);

a breach response unit 929 for outputting security detection abnormal anomaly data and event information to the GUI-based security manager 930 by a decision-making system (DSS) to respond to a breach; and

It includes a vaccine DB that provides a vaccine solution against malicious codes or viruses.

The threat information collection server 920 is

It is connected to the intrusion response unit 929 and is connected to the GUI-based security manager 930,

The GUI-based security manager 930 outputs security detection abnormal anomaly data and event information, and the IDS/IPS blocks the attack attempt IP in response to the security threat by the GUI-based security manager 930, A decision-making system (DSS) that registers as a blacklist in the firewall (F/W) 900 and intrusion detection system (IDS/IPS) 910 and applies a vaccine solution in response to malicious codes or viruses provided in the vaccine DB. ; and

After learning normal data/abnormal data, it detects abnormal abnormal symptoms corresponding to security threats and further includes a threat DB that stores abnormal data.

The threat information collection server 920 is

By learning the log records and number of security incidents by type and anomaly data by type of security incident, predictive data is quantified, and threat security incident analysis statistics (daily/weekly/monthly security incident status/trend) are provided, and the data is visualized as a bar. A graph, a pie chart, a box plot (Box Plot), a statistical trend graph, and a scatter diagram (scatter diagram) further includes a statistical information providing unit for graphics.

For example, abnormal anomalies are stored in the spam folder filtered by specific phrase keywords included in the spam email in the email header of the spam filter, detection of malicious codes and viruses/worms, and the average threshold of sending and receiving emails in normal times. This includes an increase in spam emails more than the number of times, and a rapid increase in network traffic above the normal available traffic threshold.

The security manager is interlocked with the threat information collection server 920, is interlocked with the IT information system of the corporate internal network, and WEB and WAS generated while operating the IT information system (company server) 970 of the corporate internal network , ID/Passwd internal access control information collected from DB, access IP address, ID/Passwd log information, usage time, performance index and server performance index, business system usage record, personal information access log, event occurrence Record information collection and analysis/detection information of the log.

* Build a JMachine system that can detect, analyze, and respond to sophisticated security threats using artificial intelligence (AI) and big data analysis technology

(1) Future failure prediction detection using IT operation data

- Numerical prediction for business and server performance indicators

- Realization of Korea’s unique High Value Date collection/analysis and failure prediction technology

(2) Numerical prediction and event-based IT failure analysis/detection

- After normal data learning, detection of abnormal abnormal signs of security threats

- After learning abnormal data, detection of abnormal anomalies of security threats

(3) Supports decision making on the type/characteristic of the occurrence event to the user based on the existing response history.

customer value Realization of failure-free AIOps-based IT infrastructure system

* Algorithms and accuracy indicators used to learn abnormal data in machine learning

Numerical prediction model prediction evaluation index: RMSE (Root Mean Square Error)

Accuracy indicator: Symmetric mean absolute percentage error (SMAPE)

* Pre-processing of training data

AI model creation and training data generation: Data with time series secured

* How to detect anomalies in security incidents

AI Variable Threshold: Automatically AI thresholding (based on averages and observations), such as normal network traffic values

AI Numerical Anomaly Detection: Automatic detection of multiple numerical abnormalities such as the rapid increase in the number of emails received

AI log anomaly detection: Automatic detection of anomaly patterns in text sentences using natural language processing technology (NLP)

AI anomaly detection/prediction: AI automatically detects anomalies through comprehensive analysis of multiple data

* Security threat data analysis and response

Supports GUI-based security manager so that users can decide the type of response by comparing the type/characteristic of the generated event with the existing response history

Customizable event response dashboard using DataMart

However, as a requirement of the IT operation control market, an IT failure prediction system that can predict and automatically respond to failures throughout the IT operation is required. It is urgently necessary to perform the following tasks in JMACHINE, which was developed with an intelligent module installed.

By learning the log record and number of security incident types, statistical figures and capacity data for each security incident type, predictive data is quantified, and threat security incident analysis statistics (daily/weekly/monthly security incident status/trend) are provided, and the data is visualized. Bar graph, pie chart, box plot, and scatter diagram to ensure intuition

Building a highly reliable system by increasing the accuracy of security accident statistics and numerical prediction results

Reinforcement of preemptive situation awareness and situation response ability through analysis/prediction

Realization of failure-free IT infrastructure system

Almost all data generated during operation of the IT information system (Web, WAS, DB, internal access control management (Access Control), log information, performance indicators and server performance indicators, business system usage records, personal information access logs, events occurrence log, etc.) information collection and analysis/detection are necessary.

There is a limit to human analysis/identification of information related to IT failure prediction from such vast and diverse data, and based on this, it is practically impossible to predict IT failure. The skill to predict is desperately needed.

[R&D scope]

* Algorithms used for training and accuracy indicators

Numerical prediction model prediction evaluation index: RMSE (Root Mean Square Error)

Accuracy indicator: Symmetric mean absolute percentage error (SMAPE)

* Pre-processing of training data

AI model creation and training data generation: Data with time series secured

* How to detect anomalies

AI Variable Threshold: Automatically AI thresholded (based on observations)

AI Variable Threshold Prediction: Automatically AI Threshold Prediction (Based on Prediction)

AI Numerical Anomaly Detection: Automatic detection of multiple numerical anomalies

AI log anomaly detection: automatic detection of abnormal patterns in text sentences

AI anomaly detection/prediction: AI automatically detects anomalies through comprehensive analysis of multiple data

* Analysis and response

By comparing with the existing response history for each type of anomaly symptom event (malware, virus, worm, DDoS attack) of the security incident that has occurred, it supports the administrator to decide the type of response.

Customizable event response dashboard using DataMart

Strategies for securing superiority with domestic and foreign competitors are presented as follows.

1) Instantly create AI models and start learning just by collecting data

2) Integration of AIOps analysis/detection data and work

- Establishment of IT failure prediction basis based on performance indicators and event occurrence data

3) Securing objective data that can provide numerical values for detection and reconnaissance rates

4) Pre-identification and detailed analysis of IT failures, and provision of user decision-making information

* Development/model building and data/function (unit/integration) verification

1. Preprocessing: data standardization for AI model creation and training

2. Detection: AI-based security accident anomaly detection.

3. Analysis: AI Numerical Prediction Analysis / AI Event Analysis

4. Response: Using AI to Automate Breach Response Decision Making

The AI-based anomaly intrusion detection and response system of the present invention provides an IT system failure, security accident, rapid increase in network traffic, etc. To detect security threats and intrusions related to AI-based anomalies, big data is analyzed through AI machine learning learned in advance for Internet mail, malware, virus/worm, and DDoS attacks, and abnormal abnormalities are learned after normal data learning. After detecting signs, learning abnormal data, detecting abnormal symptoms, extracting and classifying normal/abnormal data, passing normal data, storing abnormal data in threat DB, and responding to security threats by decision-making system, IDS/IPS attacks Prevents security breaches by blocking attempts IP or registering as a blacklist in firewall (F/W) and IDS/IPS, and applying vaccine solutions against malicious codes or viruses to respond to security threats and intrusions.

The AI-based anomaly intrusion detection and response system builds a high-reliability system by increasing the accuracy of the numerical prediction results of security incident intrusion detection from a technical point of view i) Preemptive situation recognition and situation through big data analysis/prediction Reinforcing responsiveness, improving IT operation capabilities, ii) economically, reducing IT operation and management costs, iii) socially, hiring 4th industry workforce such as Internet security, AI and big data engineers It has been able to foster professional IT operation core personnel with the ability to analyze big data related to IT operation and failures and develop AI-based abnormal behavior detection models.

Embodiments according to the present invention may be implemented in the form of program instructions that can be executed by various computer means and recorded in a computer-readable recording medium. The computer-readable recording medium may include program instructions, data files, and data structures alone or in combination. Computer-readable recording media include storage, hard disks, magnetic media such as floppy disks and magnetic tapes, optical recording media such as CD-ROMs and DVDs, and magnetic media such as floppy disks. A hardware device configured to store and execute program instructions in a magneto-optical media, and a storage medium such as ROM, RAM, flash memory, and the like may be included. Examples of program instructions may include those generated by a compiler and not only machine language code but also high-level language code that can be executed by a computer using an interpreter. The hardware device may be configured to operate as one or more software modules to perform the operations of the present invention.

As described above, the method of the present invention is implemented as a program and is readable using computer software in the form of a recording medium (CD-ROM, RAM, ROM, memory card, hard disk, magneto-optical disk, storage device, etc.) ) can be stored in

Although described with reference to a specific embodiment of the present invention, the present invention is not limited to the same configuration and operation as the specific embodiment in order to illustrate the technical idea as described above, and within the limit that does not depart from the technical spirit and scope of the present invention It can be implemented with various modifications. Accordingly, such modifications should be considered to fall within the scope of the present invention, and the scope of the present invention should be determined by the following claims.

700: attacker PC 710,720: router (L3 switch)
900: firewall 910: intrusion detection system (IDS)
920: threat information collection server 921: data collection unit
923: AI-based intrusion detection unit 927: data analysis unit
929 Breach Response Department 930 Security Manager
940: user terminal (PC) 970: corporate server

Claims (7)

firewalls installed on routers or gateways in the corporate internal network;
an intrusion detection system (IDS) or an intrusion prevention system (IPS) connected to the firewall; and
Internet mail, malicious code, Internet mail, malicious code, Analyzes big data for each type of anomaly data through AI machine learning learned in advance for virus/worm and DDoS attacks, detects abnormal symptoms after learning normal data, and detects abnormal symptoms after learning abnormal data. Abnormal data is stored in the threat DB and the IDS/IPS blocks the attack attempt IP in response to the security threat by the decision-making system, or registers it as a blacklist in the firewall and IDS/IPS and responds to malicious codes or viruses to provide a vaccine solution. Threat information collection server to apply;
AI-based anomaly intrusion detection and response system that includes. According to claim 1,
The intrusion detection system (IDS) detects a Trojan horse or malicious code, operates a vaccine, and detects and suppresses a backdoor, an AI-based anomaly intrusion detection and response system. According to claim 1,
The intrusion prevention system (IPS) detects/blocks traffic targeting the vulnerabilities of the OS or application program from the outside using a digital vaccine or security filter, and the host computer inside the company is infected with malicious codes or viruses/worms. AI-based anomaly intrusion detection and response system that blocks communication from internal terminals to C&C servers and phishing sites in the IP address/DNS domain/URL blacklist as an optional function. According to claim 1,
The intrusion prevention system (IPS) is an AI-based anomaly intrusion detection and response system that is included in a firewall solution or used as a separate independent appliance in terms of network security. According to claim 1,
One side of the threat information collection server is connected to the intrusion detection system (IDS) or intrusion prevention system (IPS), and the other side is connected to a GUI-based security manager, AI-based anomaly intrusion detection and response system . According to claim 1,
The threat information collection server
a data collection unit that collects security incident anomaly data for each type flowing into the internal network from the external network against Internet mail with files containing malicious codes or viruses/worms attached, and DDoS attacks that cause a rapid increase in network traffic;
Scans the virus/malware of the file attached to the Internet mail to which the malicious code or virus/worm-containing file is attached from an external network, and detects a sudden increase in network traffic detected by the network traffic monitoring program (MRTG). an AI-based intrusion detection unit that measures traffic against the DDoS attacks that cause it and detects abnormal symptoms of AI-based security threats that are above the threshold of the usual traffic value;
For Internet mail, malicious code, virus/worm, and DDoS attacks, through AI machine learning learned in advance by type, check whether the network traffic threshold is exceeded, analyze big data related to security incidents, and learn abnormal data after learning normal data. a data analysis unit that detects anomalies, detects abnormal symptoms after learning abnormal data, stores abnormal data in a threat DB, and provides it to a decision-making system (DSS);
a security manager based on GUI, which detects a security breach, and outputs abnormal symptom data and event information to respond to breaches; and
AI-based anomaly intrusion detection and response system including a vaccine DB that provides a vaccine solution against malicious codes or viruses. 7. The method of claim 6,
The threat information collection server
connected to the intrusion response unit and connected to the GUI-based security manager,
Security detection abnormality data and event information are output with the GUI-based security manager, and IDS/IPS blocks attack attempts IP in response to security threats by the GUI-based security manager, or firewall (F/W) and a decision-making system (DSS) that registers as a blacklist in the IDS/IPS and applies a vaccine solution in response to malicious codes or viruses provided in the vaccine DB; and
Threat DB that detects abnormal abnormal symptoms corresponding to security threats after learning normal data/abnormal data and stores abnormal data;
AI-based anomaly intrusion detection and response system further comprising a.

Images