KR20230056639A - System and Method for detecting security threats using log information - Google Patents

Abstract

Disclosed is a security threat detection system using firewall logs which can protect an asset and information of a user from an attack of an attacker and derive a near-real-time result by using machine learning and detection methods to identify a type of the attack and the attacker. The security threat detection system comprises: a gateway connected to an Internet network; a firewall that stores connection information from the gateway and generates a firewall log; and a processing unit that determines whether to detect a security threat by using the firewall log.

Description

System and method for detecting security threats using log information {System and Method for detecting security threats using log information}

The present invention relates to network security technology, and more particularly, to a security threat detection system and method capable of detecting anomalies and network attack types based on machine learning using firewall logs.

In addition, the present invention relates to a security threat detection system and method capable of detecting machine learning-based anomalies and network attack types using resource usage logs.

Anomaly detection in existing security equipment basically analyzes traffic and determines if it is an attack based on this when a certain threshold is exceeded. That is, a threshold-based filter was used. The value of the threshold is determined by the experience of the security controller or expert, and the accuracy of the threshold depends on the difference between the expert's experience and skill.

In order to detect security threats, the threshold method is used in the past, and real-time traffic and average traffic are compared, and real-time protocol ratio analysis and comparison are performed. In the existing method, a technique in which a threshold value is obtained from an average and an abnormality is determined when the threshold value is exceeded has been mainly used.

In this threshold method, it is difficult to calculate an accurate threshold value, and a large number of false positive events are generated by setting the threshold value very strictly. This makes security control more difficult and causes obstacles in controlling actual attacks. In addition, the existing method requires a manual correlation analysis and an expert's analysis to accurately find the type of attack and the attacker, so it takes a lot of response time.

To elaborate, the threshold method has been used in the past to detect security threats, and it is performed by comparing real-time traffic with average traffic, real-time protocol ratio analysis, and the like. In the existing method, a technique in which a threshold value is obtained from an average and an abnormality is determined when the threshold value is exceeded has been mainly used.

In this threshold method, it is difficult to calculate an accurate threshold value, and a large number of false positive events are generated by setting the threshold value very strictly. This makes security control more difficult and causes obstacles in controlling actual attacks. In addition, the existing method requires a manual correlation analysis and an expert's analysis to accurately find the type of attack and the attacker, so it takes a lot of response time.

1. Korean Patent Registration No. 10-2033169 (October 10, 2019)

The present invention is proposed to solve the problems caused by the above background art, and protects users' assets and information from attacks by attackers, and uses machine learning and detection methods to detect attack types and attackers in real time. Its purpose is to provide a security threat detection system and method using firewall logs that can derive results.

Another object of the present invention is to provide a security threat detection system and method enabling flexible anomaly detection.

In order to achieve the object presented above, the present invention protects users' assets and information from attackers' attacks, and uses machine learning and detection methods to find out the types of attacks and attackers, which can derive results close to real-time. A security threat detection system using firewall logs is provided.

The security threat detection system,

A gateway connected to the Internet network;

a firewall for generating a firewall log by storing access information from the gateway; and

and a processing unit that determines whether to detect a security threat using the firewall log.

In addition, the processing unit may include a log collection module for collecting the firewall log; a log processing module for creating a steady-state heat map or a real-time tracking heat map by grouping the firewall logs into a plurality of matrices by grouping them in a preset time unit; a machine learning module generating a heat map for each attack type through a deep learning model based on the steady state heat map; and an analysis module for determining whether to detect the security threat by comparing the real-time tracking heat map with the heat map for each attack type.

In addition, the time unit is characterized in that n minutes (here, n is an integer greater than 0).

In addition, the heat map for each attack type is characterized in that it is generated by repeating comparison of an attack scenario heat map prepared manually in advance with the steady state heat map.

In addition, the comparison is characterized in that it is a comparison between types of colors.

In addition, the steady state heat map may be generated using only normal log information among the firewall logs.

In addition, the firewall log is characterized in that it includes destination IP (Destination Internet protocol) information and destination port (Destination Port) information.

In addition, the plurality of matrix types are characterized in that the destination IP (Destination Internet protocol) information is arranged on the Y-axis and the destination port information is arranged on the X-axis.

In addition, the deep learning model is characterized in that it is a convolutional neural network (CNN).

In addition, the heatmap for each attack type is a syncflooding heatmap based on a sink flooding attack, a DDos heatmap based on a Distributed Denial of Service (DDos) attack, and a server down heatmap based on a server down attack. , and a worm infection heat map based on a worm infection attack.

On the other hand, another embodiment of the present invention is a security threat detection system using resource use logs, comprising: a log collection module for collecting resource use logs; a log processing module that creates a steady-state heat map or a real-time tracking heat map by grouping the resource use logs into a plurality of matrices by grouping them in a preset time unit; a machine learning module generating a heat map for each attack type through a deep learning model based on the steady state heat map; and an analysis module that compares the real-time tracking heat map with the heat map for each attack type to determine whether the security threat is detected.

At this time, the resource use log is characterized in that any one of CPU (central processing unit) usage rate, memory occupancy rate, and process operation rate.

On the other hand, another embodiment of the present invention, (a) generating a firewall log by storing the access information from the gateway connected to the Internet network by the firewall; and (b) a processing unit determining whether to detect a security threat using the firewall log.

In addition, the step (b) may include (b-1) collecting the firewall logs by a log collection module; (b-2) creating a steady-state heat map or a real-time tracking heat map by a log processing module by bundling the firewall logs in a predetermined time unit and forming a plurality of matrices; (b-3) generating, by a machine learning module, a heat map for each attack type through a deep learning model based on the steady state heat map; and (b-4) an analysis module comparing the real-time tracking heat map and the heat map for each attack type to determine whether or not to detect the security threat. do.

In addition, the step (b-4) may include outputting, by the analysis module, whether or not the security threat has been detected as alarm information to the output unit 250.

In addition, the alarm information is characterized in that a combination of voice, text, and graphics.

On the other hand, another embodiment of the present invention is a security threat detection method using a resource usage log, comprising: (a) a log collection module collecting a resource usage log; (b) generating a steady-state heat map or a real-time tracking heat map by a log processing module by bundling the resource use logs in preset time units and forming a plurality of matrices; (c) generating, by a machine learning module, a heat map for each attack type through a deep learning model based on the steady state heat map; and (d) an analysis module comparing the real-time tracking heat map and the heat map for each attack type to determine whether or not to detect the security threat. .

According to the present invention, detection of cyber attacks can be effectively detected, and fixed limitations of human and program detection techniques can be overcome.

In addition, as another effect of the present invention, for example, when the DoS attack threshold determined by a program or manpower is replaced with artificial intelligence, more flexible and probability-based detection is possible.

In addition, another effect of the present invention is that when a new attack type occurs, it is possible to detect it as it deviate from the normal traffic category and respond preemptively before being attacked.

1 is a block diagram of a security threat detection system using a firewall log according to an embodiment of the present invention.
FIG. 2 is a detailed block diagram of the processing unit 140 shown in FIG. 1 .
3 is a flowchart illustrating a process of creating a normal heat map and a heat map for each attack type according to an embodiment of the present invention.
FIG. 4 is a flow chart showing a normal/abnormal determination process by heat map comparison after the process of FIG. 3 .
5 is an example of creating a DDoS heat map according to an embodiment of the present invention.
6 is an image of a normal heat map according to an embodiment of the present invention.
7 is an image of a sync flooding heat map according to an embodiment of the present invention.
8 is an image of a Distributed Denial of Service (DDos) heat map according to an embodiment of the present invention.
9 is an image of a server down heat map according to an embodiment of the present invention.
10 is an image of a worm infection heat map according to an embodiment of the present invention.

Advantages and features of the present invention, and methods for achieving them, will become clear with reference to the embodiments described below in detail in conjunction with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below, but will be implemented in a variety of different forms, only the present embodiments make the disclosure of the present invention complete, and those skilled in the art in the art to which the present invention belongs It is provided to fully inform the person of the scope of the invention, and the invention is only defined by the scope of the claims. The sizes and relative sizes of components shown in the drawings may be exaggerated for clarity of explanation.

Like reference numbers throughout the specification indicate like elements, and “and/or” includes each and every combination of one or more of the recited items.

Terms used in this specification are for describing embodiments and are not intended to limit the present invention. In this specification, singular forms also include plural forms unless specifically stated otherwise in a phrase. The referenced elements, steps, operations and/or elements that “comprise” and/or “comprise” as used in the specification do not exclude the presence or addition of one or more other elements, steps, operations and/or elements. .

Although used to describe various components such as first and second, these components are not limited to these terms, of course. These terms are only used to distinguish one component from another. Accordingly, it goes without saying that the first component mentioned below may also be the second component within the technical spirit of the present invention.

Unless otherwise defined, all terms (including technical and scientific terms) used in this specification may be used in a meaning commonly understood by those of ordinary skill in the art to which the present invention belongs. In addition, terms defined in commonly used dictionaries are not interpreted ideally or excessively unless explicitly specifically defined.

Hereinafter, a security threat detection system and method using a firewall log according to an embodiment of the present invention will be described in detail with reference to the accompanying drawings.

1 is a block diagram of a security threat detection system 100 using a firewall log according to an embodiment of the present invention. Referring to FIG. 1 , the security threat detection system 100 may include an Internet network 110, a gateway 120, a firewall 130, a processing unit 140, and the like.

The internet network 110 refers to a connection structure capable of exchanging information between nodes such as a plurality of terminals and servers, such as a public switched telephone network (PSTN), a public switched data network (PSDN), and an integrated information communication network (ISDN). : Integrated Services Digital Networks), Broadband ISDN (BISDN), Local Area Network (LAN), Metropolitan Area Network (MAN), Wide LAN (WLAN), etc. However, the present invention is not limited thereto, and wireless communication networks CDMA (Code Division Multiple Access), WCDMA (Wideband Code Division Multiple Access), Wibro (Wireless Broadband), WiFi (Wireless Fidelity), HSDPA (High Speed Downlink Packet Access) network, Bluetooth, NFC (Near Field Communication) network, satellite broadcasting network, analog broadcasting network, DMB (Digital Multimedia Broadcasting) network, and the like. Alternatively, it may be a combination of these wired communication networks and wireless communication networks.

The gateway 120 enables communication between networks using different Internet networks and protocols, and may be composed of a computer or software. Of course, the gateway 120 may be a concept including a router. Therefore, it functions to send packets to other networks.

The firewall 130 is to protect the network from access by an unauthorized source and blocks traffic using source address, destination address and traffic type information. It is allowed only for entry.

Accordingly, the firewall 130 may include an Intrusion Detection System (IDS), an Intrusion Prevention System (IPS), and the like. An intrusion detection system (IDS) collects and/or analyzes security events occurring in a network to be managed, and when it detects malicious network traffic, it performs a function of alerting an administrator. An intrusion prevention system (IPS) collects and/or analyzes security events occurring in a network to be managed, and when it detects malicious network traffic, it notifies the administrator of this fact and also performs a function of immediately blocking it.

1, the firewall 130 stores access records according to communication protocols such as Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP) as logs to log the firewall log. performs the function of generating A storage unit (not shown) may be configured to store such a firewall log. The storage unit is a flash memory type, a hard disk type, a multimedia card micro type, and a card type memory (for example, SD (Secure Digital) or XD (eXtreme Digital)). memory, etc.), RAM (Random Access Memory, RAM), SRAM (Static Random Access Memory), ROM (Read Only Memory, ROM), EEPROM (Electrically Erasable Programmable Read Only Memory), PROM (Programmable Read Only Memory), magnetic memory , a magnetic disk, and an optical disk may include at least one type of storage medium. In addition, it may operate in relation to a web storage and a cloud server that perform a storage function on the Internet.

The firewall log includes destination Internet protocol (IP) information, destination port information, and the like. A firewall has a function to allow normal traffic and deny abnormal traffic.

The processing unit 140 performs a function of performing an algorithm to determine cyber attacks and their types in real time using data in the form of a heat map that can be clearly distinguished even by color due to the increase in the number of connections and special shapes for each type. do.

FIG. 2 is a detailed block diagram of the processing unit 140 shown in FIG. 1 . Referring to FIG. 2 , the processing unit 140 may include a log collection module 210, a log processing module 220, a machine learning module 230, an analysis module 240, an output unit 250, and the like. can

The log collection module 210 performs a function of collecting firewall logs.

The log processing module 220 processes the collected firewall logs into a matrix form. To elaborate, as a pre-processing process, machine learning through an artificial intelligence model is required, and processing is required to detect it. Therefore, it is organized in the form of a plurality of matrices by bundling them in units of n minutes. The matrix Y-axis represents the destination IP (Destination IP (server)) information, and the matrix X-axis represents the destination port (Destination PORT) information. make it possible to know A normal heat map is created through these multiple matrix forms. That is, a normal heat map is created based on the server IP and server PORT in normal state. A drawing showing this is shown in FIG. 5 . This will be described later.

Still referring to FIG. 2 , the machine learning module 230 performs a function of generating a heat map for each attack type by applying the normal heat map and the manually created attack scenario heat map to deep learning model learning. A deep learning model consists of a recurrent neural network (RNN), a deep neural network (DNN), and a convolutional neural network (CNN). A 256*256 heat map image labeled with the attack type becomes the input layer, and the hidden layer reduces the height and width by half with 2 strides in a 2*2 window with a 32-channel filter and MaxPooling2D of a Convolutional 2D 3*3 window. The activation function uses relu. Finally, the output layer uses softmax as multiclass. In the case of the hidden layer, it can be transformed according to the learning result.

Figures showing heat maps for each type of attack are shown in FIGS. 7 to 10 . This will be described later.

*The analysis module 240 determines whether to detect a security threat using the heat map for each attack type generated by the machine learning module 230. To elaborate, attack type information is generated through image comparison of the tracking heat map and the heat map for each attack type, and the normal or abnormal nature of the attack type is determined. In addition, it performs a function of generating this as alarm information.

The output unit 250 performs a function of displaying information processed by the log collection module 210, the log processing module 220, the machine learning module 230, the analysis module 240, and the like. Accordingly, the output unit 250 may output information in a combination of text, voice, and graphics. To this end, the output unit 250 may include a display, a sound system, and the like.

The display may be a liquid crystal display (LCD), a light emitting diode (LED) display, a plasma display panel (PDP), an organic LED (OLED) display, a touch screen, a cathode ray tube (CRT), a flexible display, or the like. In the case of a touch screen, it can function as an input means. Of course, in FIG. 2, the output unit 240 is shown as being included in the processing unit 140, but this is for understanding, and the output unit 250 is configured separately from the processing unit 140.

The log collection module 210, log transmission module 220, machine learning module 230, and analysis module 240 shown in FIG. 2 refer to units that process at least one function or operation, which are software and/or Alternatively, it may be implemented in hardware. In hardware implementation, ASIC (application specific integrated circuit), DSP (digital signal processing), PLD (programmable logic device), FPGA (field programmable gate array), processor, microprocessor, other It may be implemented as an electronic unit or a combination thereof.

In software implementation, software component components (elements), object-oriented software component components, class component components and task component components, processes, functions, properties, procedures, subroutines, segments of program code, drivers, firmware, microcode, data , databases, data structures, tables, arrays, and variables. Software, data, etc. may be stored in memory and executed by a processor. The memory or processor may employ various means well known to those skilled in the art.

3 is a flowchart illustrating a process of creating a normal heat map and an attack scenario heat map according to an embodiment of the present invention. Referring to FIG. 3 , first, the log collection module 210 collects firewall logs (step S310).

Thereafter, the log processing module 220 processes the collected firewall logs and generates a normal state heat map using only normal log information among the processed firewall logs (step S320).

Thereafter, the user manually creates an attack scenario heat map according to the attack scenario (step S330). Of course, step S330 may be performed before the firewall log collection step (S310). In this case, the attack scenario heat map is stored as a database in advance.

Then, the machine learning module 230 performs image learning such as deep learning (step S340). To elaborate, normal traffic is learned by learning the Allow log among the firewall logs. Based on normal logs, heatmaps for each scenario are manually created for IP and PORT as needed for each attack type, and the attack type is learned to generate a heat map for each attack type (step S350).

FIG. 4 is a flow chart showing a normal/abnormal determination process by heat map comparison after the process of FIG. 3 . That is, FIG. 4 determines the attack type of the tracking heat map collected in real time using the heat map for each attack type generated by the process of FIG. 3 and checks whether there is an abnormality. Referring to FIG. 4 , first, the log collection module 210 collects firewall logs (step S410).

Thereafter, the log processing module 220 processes the collected firewall logs and generates a real-time tracking heat map using the log information (step S420).

Thereafter, the analysis module 240 compares the real-time tracking heat map with the heat map for each attack type to detect a security threat (step S440). To elaborate, in the case of normal traffic, the destination IP and destination port heatmaps are evenly distributed, but in the case of an attack or anomaly, a special form for each type and an increase in the number of connections can be clearly distinguished by color. . Using this type of data, image learning such as CNN can be used to determine cyber attacks and their types in real time.

The order shown in FIGS. 3 and 4 is for understanding, and the order may be changed, a plurality of steps may be made into one, or one step may be subdivided into several steps.

5 is an example of creating a DDoS heat map according to an embodiment of the present invention. Referring to FIG. 5 , the firewall 130 has a function of allowing normal traffic and denying abnormal traffic. Therefore, it learns the normal traffic by learning the Allow log among the firewall logs. Manually create heat maps for each scenario as needed for each attack type in IP and PORT based on normal.

In particular, FIG. 5 is an example of creating a heat map of IP and PORT for Distributed Denial of Service (DDoS). The horizontal axis is service destination port information, and the vertical axis is destination server IP information. The collection of firewall logs is organized in a number of matrices by grouping them in units of n minutes. Here, n is an integer greater than 0, and is about 10 minutes in one embodiment of the present invention. Also, the lower color bar increases in value from left to right. That is, the leftmost value is 0 and the rightmost value is 3000. Accordingly, it can be known whether there is a rapid increase in the number of access sessions (access session count) according to the color.

6 is an image of a normal heat map according to an embodiment of the present invention. Referring to FIG. 6, in the case of normal traffic, the destination IP and destination Port heatmaps are evenly distributed.

On the other hand, when an attack or anomaly occurs, it is possible to clearly distinguish it by color as the special form and number of access sessions increase for each type. Drawings showing this are shown in FIGS. 7 to 10 .

7 is an image of a sync flooding heat map according to an embodiment of the present invention. Referring to FIG. 7 , a sync flooding attack is a server attack using vulnerabilities when a TCP session is connected. Since the number of simultaneous user connections is limited for each server, other users are prevented from receiving the service provided by the server by pretending that a non-existent client is connected. Referring to FIG. 7 , destination port information is displayed on the Y-axis and destination port information is displayed on the X-axis. In addition, a value indicating the number of access sessions is displayed. The number of access sessions corresponds to a color in the drawing. As a heatmap, closer to indigo color means fewer access sessions, and closer to red color, more access sessions.

8 is an image of a Distributed Denial of Service (DDos) heat map according to an embodiment of the present invention. Referring to FIG. 8 , a DDoS attack is a malicious attack method in which users cannot use a web site or web application by incapacitating a site with a large amount of traffic, causing the site to crash or operate very slowly. Accordingly, traffic explosion occurs, and the heat map shown in FIG. 8 has relatively more red bands than other heat maps.

9 is an image of a server down heat map according to an embodiment of the present invention. Referring to FIG. 9, it is an attack that sends a bunch of packets to one specific IP and downgrades it. In the case of the server down heatmap, there is almost no traffic. Based on FIG. 6, which is a heat map in a steady state, in FIG. 9, it is seen that the red series image is reduced. The disappearance of traffic from the IP and PORT where traffic should normally occur means a service failure such as a server down.

10 is an image of a worm infection heat map according to an embodiment of the present invention. Referring to FIG. 10, a worm infection attack is an attack in which a computer virus-infected computer is also infected when another computer uses a file infected with a computer virus through a storage medium or network. In the case of the worm infection heat map, a red band appears as a line crossing the vertical axis.

In one embodiment of the present invention, abnormal detection and attack types were determined using firewall logs, but cyber attacks can be determined using resource usage logs such as CPU (central processing unit) usage rate, memory share, and process operation rate. there is. As described above, CPU utilization, memory occupancy, and process operation rates in normal conditions can be prepared as heat maps, scenarios for each attack can be prepared, and anomalies can be determined by comparing the heat maps described above. Of course, for this purpose, the components shown in FIG. 2 may be included. In this case, the log collection module 210 collects the resource use log of the computer, the log processing module 220 processes the resource use log to generate a heat map, and the machine learning module 230 also attacks through resource use. Create a heatmap for each type. In addition, the analysis module 240 determines whether to detect a security threat using a real-time tracking heat map generated using the resource use log and a heat map for each attack type. Here, the computer is a server, but is not limited thereto, and may be a workstation, a personal computer (PC), a laptop computer, and the like.

In addition, the steps of a method or algorithm described in connection with the embodiments disclosed herein are implemented in the form of program instructions that can be executed through various computer means such as a microprocessor, processor, CPU (Central Processing Unit), etc. It can be recorded on any available medium. The computer readable medium may include program (instruction) codes, data files, data structures, etc. alone or in combination.

The program (command) code recorded on the medium may be specially designed and configured for the present invention, or may be known and usable to those skilled in computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tapes, optical media such as CD-ROMs, DVDs, and Blu-rays, and ROMs and RAMs ( A semiconductor storage element specially configured to store and execute program (instruction) codes such as RAM), flash memory, or the like may be included.

Here, examples of the program (command) code include high-level language codes that can be executed by a computer using an interpreter, as well as machine language codes such as those produced by a compiler. The hardware devices described above may be configured to act as one or more software modules to perform the operations of the present invention, and vice versa.

100: security threat detection system
110: internet network
120: gateway
130: firewall
140: processing unit

Claims (1)

(a) generating a firewall log by storing access information from the gateway 120 connected to the Internet network 110 by the firewall 130; and
(b) determining, by the processing unit 140, whether to detect a security threat using the firewall log;
In step (b),
(b-1) collecting, by the log collection module 210, the firewall logs;
(b-2) creating a steady-state heat map or a real-time tracking heat map by the log processing module 220 by grouping the firewall logs in a preset time unit and forming a plurality of matrices;
(b-3) generating, by the machine learning module 230, a heat map for each attack type through a deep learning model based on the steady state heat map; and
(b-4) determining, by the analysis module 240, whether the security threat is detected by comparing the real-time tracking heat map with the heat map for each attack type;
The heat map for each attack type is generated by repeatedly comparing an attack scenario heat map, which is manually prepared in advance as necessary for each attack type, with destination IP information and destination ports based on normal logs with the normal state heat map,
The steady state heat map is generated using only normal log information among the firewall logs;
In the matrix form, the number of access sessions is indicated so that the number of users accessing the corresponding service for n minutes can be known,
The analysis module 240 generates attack type information through image comparison of the tracking heat map and the heat map for each attack type, determines whether the attack type is normal or abnormal,
Characterized in that, when attacks and abnormal symptoms occur compared to normal traffic, special types and the number of access sessions are increased for each type of attack and classified by color
Security threat detection method using firewall logs.

Images