WO2018079867A1 - Recovery method using a network recovery system in an advanced persistent threat environment


Info

Publication number: WO2018079867A1
Authority: WO, WIPO (PCT)
Prior art keywords: user terminal, file, recovery, network, terminal
Application number: PCT/KR2016/012033
Other languages: English (en), Korean (ko)
Inventors: 소준영, 전석기
Original Assignee: 주식회사 아이티스테이션
Priority claimed from KR1020160138078A (KR101904415B1) and KR1020160138079A (KR101872605B1)
Application filed by 주식회사 아이티스테이션
Publication of WO2018079867A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/40 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass for recovering from a failure of a protocol instance or entity, e.g. service redundancy protocols, protocol state redundancy or protocol service redirection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Definitions

  • The present invention relates to a recovery method using a network recovery system in an advanced persistent threat (APT) environment, and in particular to a network recovery system for an APT environment that can restore a system to a preset recovery time objective or data recovery point in response to an external intrusion such as hacking.
  • A recovery method using such a recovery system is the process of restoring the system to the target recovery time or data recovery point that was set in response to an external intrusion such as hacking.
  • Cyber attacks have become organized and sophisticated. In particular, advanced persistent threats (APTs), in which hacking organizations with economic motives carry out stealthy, continuous and intelligent attacks against specific targets, are increasing rapidly and have become a serious social problem.
  • In an APT attack, a hacker or hacking organization infiltrates malicious code into the target organization in order to steal its important information, and then continuously updates the malware so that the hosts of the users who access that important information stay infected; the important information is leaked through these infected hosts.
  • Korean Patent No. 10-0635130 ("Kernel backdoor detection system and method through Windows network monitoring") discloses a system and method that detect kernel backdoors by inspecting the network packets passing through the TDI (Transport Driver Interface) layer and the NDIS (Network Driver Interface Specification) layer of the Windows network components, and filter the network packets generated by the detected kernel backdoors, so that intrusion through a kernel backdoor can be prevented.
  • However, Korean Patent No. 10-0635130 is limited to preventing intrusion through a kernel backdoor. It does not disclose how to prevent document leakage or hacking through the terminals connected to the system server or the internal network, how to prevent viruses, spyware and the like, or how to recover immediately once a system has been compromised.
  • The problem to be solved by the present invention is to provide availability and continuity of work by restoring the system to a predetermined recovery time objective or data recovery point in case of an external intrusion such as hacking, thereby reducing the maximum tolerable period of disruption.
  • To this end, the present invention provides a recovery method using a network recovery system in an advanced persistent threat environment.
  • The network recovery system of the present invention includes a plurality of user terminals using an internal network, a system server that stores a plurality of pieces of main information or document information generated in at least one of the plurality of user terminals, an administrator terminal that manages the plurality of user terminals, and a security server that protects the user terminals, the administrator terminal and the system server.
  • The security server includes: a preventive control module that identifies, among the plurality of pieces of main information or document information, the important documents liable to be attacked by external hacking, analyzes risk factors, and restricts access of the user terminals in order to control external access; a detection control module that monitors the network traffic accessing the important documents, stores the log file of the user terminal that generated that traffic, and terminates the work of the user terminal when abnormal behavior including hacking is observed on it; and a calibration control module that generates and stores a backup system image when the plurality of user terminals access the system server and performs restoration from the backup system image when abnormal behavior is observed in any of the user terminals.
  • The calibration control module may include: a TCP tagging and recognition unit that tags a unique ID onto the network traffic or network packets generated by a user terminal; a security agent manager that monitors the installation of the security agent on each user terminal and transmits the security agent to any user terminal on which it is not installed; a user terminal controller that treats the main information or document information as under external attack when a user terminal fails authentication and blocks that terminal's access to the system server; and a system restoration unit that determines that a user terminal is infected with at least one of a virus, malicious code and spyware, stores a backup image of the infected user terminal, and restores it to the state before infection. The system restoration unit may include a recovery mode selection unit that selects at least one of recovery modes 1 to 3.
  • The system restoration unit may further include a checkpoint setting unit that, when operating in recovery mode 1, sets at least one of a point in time, a patch program installation time and a Windows shutdown time as the checkpoint.
  • When operating in recovery mode 2, the system restoration unit may include a file change monitoring unit that monitors changes to the system files when Windows did not shut down normally, and an original image storage unit that, when the monitored change to the system files is a file related to a patch program update, stores the system files including the changed file as the original image.
  • The system restoration unit may further include a patch program update unit that updates the patch program.
  • Another embodiment of the present invention comprises: (a) checking a boot signal input from a user terminal or the administrator terminal; (b) checking whether a backup of the MBR (Master Boot Record; hereinafter 'MBR') exists in the boot area of the hard disk drive of the user terminal or administrator terminal; (c) checking the MBR for damage when a backup of the MBR exists; (d) starting Windows booting if the MBR is not damaged; (e) monitoring for abnormal behavior, including attempts to install an abnormal program such as spyware on, or to hack, the user terminal or administrator terminal; (f) terminating the work of the terminal when abnormal behavior of the user terminal or administrator terminal is detected; (g) selecting a recovery mode for recovering the system files of the corresponding terminal; and (h) shutting down Windows on the corresponding terminal. The recovery mode is one of recovery mode 1, which recovers to a preset checkpoint, recovery mode 2, which recovers to the original image of the system files, and recovery mode 3, which updates the patch program associated with the system files before Windows is shut down.
  • The system recovery method may monitor changes to the system files if Windows did not shut down normally and, if the changed system file is a file related to the update of the patch program, store the system files including the changed file as the original image.
  • After step (h), the method may further include storing the update time of the patch program as a checkpoint when Windows has shut down normally.
  • The recovery method using the network recovery system of the advanced persistent threat environment can recover a system immediately when it has been damaged by a virus, spyware or the like, and this immediate recovery reduces the maximum tolerable period of disruption.
  • FIG. 1 is a system diagram showing a network recovery system of an advanced persistent threat environment according to an embodiment of the present invention.
  • FIG. 2 is a block diagram showing the main components of the user terminal shown in FIG. 1.
  • FIG. 3 is a block diagram showing the main components of the security server shown in FIG. 1.
  • FIG. 4 is a block diagram showing the main components of the calibration control unit shown in FIG. 3.
  • FIG. 5 is a block diagram showing the main components of the system restoration unit shown in FIG. 4.
  • FIG. 6 is a flowchart illustrating a recovery method using a network recovery system of an advanced persistent threat environment according to an embodiment of the present invention.
  • The present invention provides a recovery method using a network recovery system of an advanced persistent threat environment, the system comprising a plurality of user terminals using an internal network, a system server that stores a plurality of pieces of main information or document information generated in at least one of the plurality of user terminals, an administrator terminal that manages the plurality of user terminals, and a security server that protects the user terminals, the administrator terminal and the system server.
  • The security server comprises a preventive control module that identifies, among the plurality of pieces of main information or document information, the important documents liable to be attacked by external hacking, analyzes risk factors, and restricts access of the user terminals to control external access, and a calibration control module that generates and stores a backup system image when the plurality of user terminals access the system server and performs restoration from the backup system image when abnormal behavior is observed in any of the user terminals.
  • The method is characterized in that it executes any one of recovery mode 1, which recovers to a preset checkpoint, recovery mode 2, which recovers to the original image of the system files, and recovery mode 3, which updates the patch program associated with the system files before Windows is shut down.
  • The terms "first" and "second" are used to describe various components; they do not limit the components themselves and serve only to distinguish one component from another.
  • The network recovery system may include a user terminal 10, an administrator terminal 20, a system server 30 and a security server 40.
  • The user terminal 10 may be a personal computer, notebook, smart terminal or the like used in an enterprise, school, institution or the like, and may be equipped with various software for tasks such as document preparation, statistics and image processing.
  • The user terminal 10 may be connected to the internal network to share information over wired or wireless internet, and may also be connected to the external network of another individual, enterprise or organization.
  • The user terminal 10 may include a hard disk drive 11, a central processing unit 15, a display device (not shown), an input device (not shown), and the like.
  • The hard disk drive 11 may store system files, general data files and system files for restoration, as well as a patch program for updating the system files. It may be divided into a system file storage area 12 for the system files, a data file storage area 13 for the general data files, and a restoration system file storage area 14 for the system files used in restoration.
  • The hard disk drive 11 may reserve an area in its outermost sector in which the MBR (Master Boot Record; hereinafter 'MBR') is stored.
  • The central processing unit 15 is the processor that boots the user terminal 10 using system files such as the Windows operating system and executes the various application programs used in the user terminal 10. The central processing unit 15 may perform recovery using the system files in the restoration storage area or using a checkpoint at which a patch update was recorded, as described later.
  • The administrator terminal 20, like the user terminal 10, may be a personal computer, notebook computer, smart terminal or the like, and has the same components as the user terminal 10.
  • The administrator terminal 20 may access the internal network to transmit security-related items to each user terminal 10, and may access the security server 40 to execute the determined security policy.
  • The system server 30 may be connected to the user terminals 10 through the internal communication network and stores the plurality of pieces of main information or document information generated in the user terminals 10. The system server 30 may provide the usage environment in which the user terminal 10 accesses the system server 30.
  • The security server 40 evaluates the importance of the plurality of pieces of main information or document information and sets access rights according to that importance. For example, the security server 40 assigns scores for the confidentiality, integrity and availability of each piece of main information or document information, evaluates its importance from those scores, and grants different access rights according to the evaluated importance.
  • The security server 40 also analyzes risk factors and controls access to main information or document information that carries a risk factor, and controls the access of the user terminal 10 to main information or document information according to the access control authority.
  • To protect main information or document information from external hacking, the security server 40 registers in advance the external servers used for hacking, and blocks or controls access by the user terminal 10 to an external server that is a main hacking route, as well as access to the user terminal 10 from such an external server. For this purpose the security server 40 monitors the network traffic of the user terminal 10. The security server 40 also stores the log file of the user terminal 10 and, when abnormal behavior including hacking through the user terminal 10 is observed, terminates the work of the user terminal or logs the user terminal 10 off.
  • The security server 40 may generate and store a backup image of the user terminal 10, restore from the backup image, and provide the backup image to the user terminal 10.
  • Before restoring the backup image, the security server 40 may update the risk factors for risks such as a hacking server that was reached through the user terminal 10, and notify the user terminal 10.
  • The security server 40 may include a preventive control unit 100, a detection control unit 200 and a calibration control unit 300.
  • The preventive control unit 100 may evaluate the importance of the main information or document information generated in the user terminal 10, and may evaluate whether a completed document has defects.
  • The preventive control unit 100 evaluates the importance of the main information or document information by assigning scores to the confidentiality, integrity and availability of each piece of main information or document information according to preset criteria.
  • An information asset evaluation unit 110 rates the main information or document information stored in the system server 30 on a scale such as high, medium, low, or A, B, C, ..., or 1, 2, 3, .... For example, personal information, financial information and the like are given a high confidentiality rating, while documents such as general work documents are rated relatively low.
  • The preventive control unit 100 likewise sets a rating for the availability of the main information or document information, as it does for confidentiality.
  • The preventive control unit 100 may change the access authority applied when the user terminal 10 or administrator terminal 20 accesses the information, according to its grade.
  • The preventive control unit 100 may analyze the vulnerability of the network or of the main information or document information. For example, it analyzes the potential risk factors of the main information or document information with a vulnerability analysis tool and, when a new vulnerability is found, performs a safety check on it and provides information about the newly found vulnerability.
  • The preventive control unit 100 stores a history of vulnerability inspections and of vulnerability discoveries among the potential risk factors, and may provide this history to the administrator terminal 20.
  • To control access to the main information or document information, the preventive control unit 100 controls access by the user terminal 10 or administrator terminal 20 to unauthorized web servers, using preset URL information for accessible web servers and blocked web servers.
  • The preventive control unit 100 may push a security notification to the user terminal 10, and may transmit the security notification sent from the administrator terminal 20 to the user terminal 10 so that whether the user terminal 10 has confirmed the notification can be fed back to unit 130.
  • The detection control unit 200 may perform access authentication to the system server 30 for the work of the user terminal 10 or administrator terminal 20.
  • The detection control unit 200 may use a two-factor authentication method that authenticates with two or more authentication elements: primary authentication is performed with the ID and password entered on the user terminal 10 or administrator terminal 20, and after primary authentication is complete, secondary authentication is performed by a method such as an OTP, an accredited certificate, ARS or a QR code. This strengthens the access security of the terminal.
  • The system server 30 may then be notified so that the user terminal 10 or administrator terminal 20 can access the system server 30.
  • The detection control unit 200 manages the IP list of the Command & Control (C&C) servers that act as hosts of an advanced persistent threat (APT), and collects and analyzes related information.
  • The detection control unit 200 periodically updates the list of new C&C servers provided by an RSS service, and controls access to the user terminal 10 or administrator terminal 20 through a C&C server, as well as access by the user terminal 10 or administrator terminal 20 to the system server 30 through a C&C server.
  • The detection control unit 200 may control access by the user terminal 10 or administrator terminal 20 to P2P servers or harmful sites, using the URL information of the P2P servers or harmful sites described above. Access to P2P servers or harmful sites is controlled separately from C&C server access.
  • The detection control unit 200 detects when the user terminal 10 accesses the main information or document information and notifies the administrator terminal 20.
  • The detection control unit 200 collects all network traffic generated in the user terminal 10 and stores its path. It may, however, skip packet monitoring for sites or servers registered in advance, using pre-matched URL and IP information.
  • The detection control unit 200 may monitor covert packets transmitted over encrypted communication in order to detect IP-based C&C servers.
  • The calibration control unit 300 may include a TCP packet tagging and recognition unit 310, a security agent manager 320, a central document manager 330, a user terminal controller 340 and a system restoration unit 350.
  • The TCP packet tagging and recognition unit 310 may tag a unique ID onto every TCP packet generated in the user terminal 10 so that the network packets generated by each user terminal 10 can be distinguished at the router of the internal network. This lets the TCP packet tagging and recognition unit 310 tell the TCP packets apart, so that the network traffic collected by the detection control unit 200 can be analyzed easily.
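The following is an added example, not code from the patent or its assignee, of how the detection control unit's checks (the C&C IP list, the separately controlled harmful-site list, and the pre-matched entries that are exempt from packet monitoring) can be run over traffic records that already carry the per-terminal tag applied by the TCP packet tagging and recognition unit 310. The record layout, the field name `tag`, the list names and all addresses and hostnames are assumptions constructed for the illustration; the addresses are from documentation ranges and are not real indicators.

```python
"""Added example, not from the patent: detection control checks over tagged traffic."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ControlLists:
    # C&C server networks (the patent refreshes this list from an RSS service)
    cnc_networks: list = field(default_factory=list)
    # P2P servers and harmful sites, controlled separately from C&C access
    harmful_hosts: set = field(default_factory=set)
    # Pre-matched URL/IP entries for which packet monitoring is skipped
    prematched: set = field(default_factory=set)


@dataclass(frozen=True)
class TaggedPacket:
    tag: str        # unique terminal ID applied by unit 310 (assumed field name)
    dst_ip: str
    dst_host: str   # hostname from SNI or Host header, "" when unknown
    path: str       # request path recorded in the traffic log


def classify(pkt: TaggedPacket, lists: ControlLists) -> str:
    """Return one of: skip, cnc, harmful, collect."""
    if pkt.dst_ip in lists.prematched or pkt.dst_host in lists.prematched:
        return "skip"            # registered in advance: no packet monitoring
    addr = ipaddress.ip_address(pkt.dst_ip)
    if any(addr in net for net in lists.cnc_networks):
        return "cnc"             # APT host: the terminal's work is terminated
    if pkt.dst_host in lists.harmful_hosts:
        return "harmful"         # P2P / harmful site: access controlled and logged
    return "collect"             # ordinary traffic: path stored for later analysis


def process(packets, lists):
    """Build the per-terminal traffic log and the set of terminals to terminate.

    Returns (log, terminated): log maps terminal tag -> list of
    (verdict, destination, path); terminated holds the tags of terminals that
    contacted a C&C server."""
    log = {}
    terminated = set()
    for pkt in packets:
        verdict = classify(pkt, lists)
        if verdict == "skip":
            continue
        log.setdefault(pkt.tag, []).append((verdict, pkt.dst_host or pkt.dst_ip, pkt.path))
        if verdict == "cnc":
            terminated.add(pkt.tag)
    return log, terminated


# Constructed lists and traffic for the demonstration (documentation ranges, not real indicators)
LISTS = ControlLists(
    cnc_networks=[ipaddress.ip_network("203.0.113.0/24")],
    harmful_hosts={"p2p.example.net"},
    prematched={"intranet.example.com"},
)
SAMPLE = [
    TaggedPacket("T-0001", "198.51.100.10", "intranet.example.com", "/home"),
    TaggedPacket("T-0001", "198.51.100.20", "docs.example.com", "/share/q3.docx"),
    TaggedPacket("T-0002", "203.0.113.77", "", "/gate.php"),
    TaggedPacket("T-0003", "198.51.100.30", "p2p.example.net", "/tracker"),
]

if __name__ == "__main__":
    traffic_log, to_terminate = process(SAMPLE, LISTS)
    for terminal, entries in traffic_log.items():
        print(terminal, entries)
    print("terminate:", sorted(to_terminate))
```

Because the pre-matched check runs first, exactly as the patent's exemption from packet monitoring implies, a pre-matched hostname is never tested against the C&C list; the pre-matched set should therefore stay short and be reviewed whenever the C&C list is refreshed.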
  • The security agent manager 320 monitors the installation of a security agent (for example, a security program or antivirus program) on the user terminal 10, transmits the security agent to any user terminal 10 on which it is not installed so that it can be installed, and updates the security agent installed on the user terminal 10 to the latest version.
  • The central document manager 330 uses a file system driver to store the documents worked on at the user terminal 10 in the system server 30. The file system driver may be the standard file system for document preparation on the user terminal 10.
  • When the user terminal controller 340 determines that an external attack is under way, it can block the network access of the user terminal 10 to its communication and main media (the system server and the like).
  • The user terminal controller 340 may also reach into the user terminal 10 and forcibly terminate the execution of a process or program classified as a threat, such as malware, spyware, a virus or a spy bot, or prevent that process from executing.
  • The user terminal controller 340 generates a one-time password permitting access to the system server 30 and transmits it to a user terminal 10 on which no risk factor was found; when the password is entered, it grants access to the system server 30.
  • The system restoration unit 350 stores a backup image of the corresponding user terminal.
  • The system restoration unit 350 may restore the user terminal 10 or administrator terminal 20 to its state before infection with a virus, malware, spyware, spy bot or the like. In doing so, the system restoration unit 350 reduces the maximum tolerable period of disruption by restoring the user terminal 10 or administrator terminal 20 immediately to the recovery time objective or data recovery point. For this purpose the system restoration unit 350 may offer a selectable recovery mode.
  • The system restoration unit 350 may include a recovery mode selection unit 3510, a checkpoint setting unit 3520, an original image storage unit 3530, a patch program update unit 3540, a file change monitoring unit 3550 and a forensic analysis unit 3560.
  • The recovery mode selection unit 3510 may selectively set recovery mode 1, which recovers to a checkpoint, recovery mode 2, which recovers to the original system files, and recovery mode 3, which recovers through a Windows shutdown.
  • In recovery mode 1, when the user terminal 10 or administrator terminal 20 is determined to be infected with a virus, malware, spyware, spy bot or the like, a preset checkpoint is designated as the recovery point, and the state of the user terminal 10 or administrator terminal 20 is restored using the system files of that checkpoint.
  • Recovery mode 2 is a recovery mode using the image of the original system files stored in the original image storage unit 3530. For this purpose, the system restoration unit 350 monitors the system file changes of the user terminal 10 or administrator terminal 20 when an operating system such as Windows does not shut down normally and, if the patch program was updated normally, saves the system files and uses them as the original image of the system files.
  • Recovery mode 3 is a recovery mode through shutting down and rebooting Windows: it checks that the patch program for updating the system files has been received and that the system files operate normally, and then shuts Windows down.
  • The checkpoint setting unit 3520 stores a checkpoint set in advance for recovering the system files. The checkpoint may be based on a point in time, the patch program installation time or the Windows shutdown time. For example, when the recovery mode is set to recovery mode 1, the preset checkpoint information is provided when system file recovery is required.
  • The checkpoint may be set to the point at which the patch program was installed immediately before the virus, malware, spyware, spy bot or the like appeared. Then, if a virus, malware, spyware, spy bot or the like is detected, system errors and hacks caused by it can be prevented even if a patch program installed afterwards is stored in the system file storage area.
  • At the recovery time corresponding to the preset point in time, the checkpoint setting unit 3520 may provide the patch program stored in the patch program update unit 3540 or the original system file image stored in the original image storage unit 3530.
  • The original image storage unit 3530 stores the original of the system files; the original image may hold the original system files stored before the recovery mode. When the recovery mode is set to recovery mode 2, the original image storage unit 3530 may provide the stored original system file image to the terminal to be recovered, and, as described above, it may store the system image when the patch program has been updated normally.
  • The patch program update unit 3540 may update the patch program used for the user terminals 10 or administrator terminals 20 and provide it to them. The patch program may be a Windows-related patch program or a security-related patch program of the network system. The patch program update unit 3540 may provide update information of the patch program to the user terminal 10 or administrator terminal 20 at any time or before Windows is shut down.
  • The file change monitoring unit 3550 monitors whether the system files have been changed when Windows shuts down. When the changed file system is normal and the changed file is a patch program associated with the system files, the file change monitoring unit 3550 stores the system files including the changed file in the original image storage unit 3530.
  • The forensic analysis unit 3560 watches the file change monitoring unit 3550 and, when a changed file is not related to the system files or the patch program, temporarily stores the changed data and analyzes it. The forensic analysis unit 3560 may trace the history of the changed file, analyze the type of the changed file and the like, and issue a notification when the changed file is associated with a virus, malware, spyware, a spy bot or the like.
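An added example, not code from the patent or its assignee, of the routing just described: system files are hashed before and after shutdown, changes that match what the patch program delivered qualify the snapshot as the new original image for recovery mode 2, and any other change is queued with a coarse type analysis for the forensic step. The paths, file contents and the manifest format are constructed for the illustration; the decision to withhold the image update whenever an unrelated change is present is a design choice of this example, not a step the patent states.

```python
"""Added example, not from the patent: shutdown-time file change routing."""
import hashlib


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(files: dict) -> dict:
    """Map each path to the SHA-256 of its contents."""
    return {path: digest(data) for path, data in files.items()}


def changed_paths(before: dict, after: dict) -> set:
    """Paths whose digest differs, including files that appeared or disappeared."""
    return {p for p in set(before) | set(after) if before.get(p) != after.get(p)}


def file_kind(data) -> str:
    """Coarse type analysis by magic bytes, the sort of check unit 3560 performs."""
    if data is None:
        return "deleted"
    if data.startswith(b"MZ"):
        return "pe_executable"
    if data.startswith(b"PK\x03\x04"):
        return "zip_archive"
    try:
        data.decode("ascii")
        return "text"
    except UnicodeDecodeError:
        return "binary"


def route_changes(before_files: dict, after_files: dict, patch_manifest: dict):
    """Return (new_original_image, forensic_queue).

    patch_manifest maps path -> digest of the file the patch program delivered.
    A change matching the manifest is patch-related (S330 yes), so the system
    files including it qualify as the new original image (S350). Any other
    change is queued as (path, kind, digest) for forensic analysis (S340) and,
    as a design choice here, also withholds the image update so a tampered file
    can never become the image that recovery mode 2 restores."""
    before, after = snapshot(before_files), snapshot(after_files)
    changed = changed_paths(before, after)
    patch_related = {p for p in changed if patch_manifest.get(p) == after.get(p)}
    unrelated = changed - patch_related
    forensic_queue = [
        (p, file_kind(after_files.get(p)), after.get(p)) for p in sorted(unrelated)
    ]
    if unrelated:
        return None, forensic_queue
    return dict(after_files), forensic_queue


# Constructed system-file set before shutdown
NTDLL = r"C:\Windows\System32\ntdll.dll"
HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
UNKNOWN = r"C:\Windows\System32\unknown.exe"
BEFORE = {
    NTDLL: b"MZ\x90\x00ntdll-v1",
    r"C:\Windows\System32\kernel32.dll": b"MZ\x90\x00kernel32-v1",
    HOSTS: b"127.0.0.1 localhost\n",
}
PATCHED_NTDLL = b"MZ\x90\x00ntdll-v2"
PATCH_MANIFEST = {NTDLL: digest(PATCHED_NTDLL)}   # what the patch program delivered

# Shutdown after a clean patch: only ntdll.dll changed, exactly as the manifest says
CLEAN_SHUTDOWN = {**BEFORE, NTDLL: PATCHED_NTDLL}
# Shutdown after something else also touched the system area (constructed)
TAMPERED_SHUTDOWN = {
    **CLEAN_SHUTDOWN,
    HOSTS: b"127.0.0.1 localhost\n203.0.113.5 update.example.com\n",
    UNKNOWN: b"MZ\x90\x00unexpected-binary",
}

if __name__ == "__main__":
    print(route_changes(BEFORE, CLEAN_SHUTDOWN, PATCH_MANIFEST))
    print(route_changes(BEFORE, TAMPERED_SHUTDOWN, PATCH_MANIFEST))
```

Matching on the digest the patch program itself published, rather than on the file name, is what keeps a file dropped under a system-looking name out of the original image.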
  • The system restoration unit 350 has been described as mounted on the security server 40 by way of example, but it may instead be installed on each user terminal 10 or administrator terminal 20, and although it has been described as a component, it may be implemented as a program running on a computer.
  • FIG. 6 is a flowchart illustrating a recovery method using a network recovery system of an advanced persistent threat environment according to an embodiment of the present invention.
  • The recovery method may include: checking a boot signal (S100); checking whether a backup of the MBR exists in the boot area (S110); checking the MBR for damage (S130); starting Windows booting (S150); performing work (S160); monitoring for abnormal behavior (S170); ending work (S180); selecting a recovery mode (S200); operating in recovery mode 1 (S210), recovery mode 2 (S220) or recovery mode 3; shutting down Windows (S300); storing a checkpoint (S310); monitoring file changes (S320); determining whether the change is related to the patch program (S330); storing the system files (S350); and temporarily storing data (S340).
  • First, the start signal for booting from the boot area of the internal memory of the user terminal 10 is checked (S100). The same applies when rebooting in recovery mode 1 or recovery mode 2.
  • When a boot signal is received, it is checked whether a backup of the MBR (Master Boot Record; hereinafter 'MBR') exists in the boot area set on the hard disk drive of the user terminal (S110).
  • The MBR of a user terminal is considered backed up when it is stored in the designated memory area at boot time, and not backed up when there is no MBR in the designated area.
  • A computer, including a user terminal, stores the MBR in a designated sector of the hard disk drive and, when a boot signal is received, locates the MBR code by searching the MBR of the designated sector. If there is no MBR in the designated sector, the backup is considered not to have been made, so the MBR is stored and the memory sector in which it was stored is designated (S120).
  • If an MBR exists, it is determined whether the MBR is damaged (S130). If it is determined during booting that either the partition information or the execution code has been corrupted, the MBR is restored (S140).
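An added example, not code from the patent or its assignee, walking steps S110 to S140 on a constructed 512-byte MBR: the partition table is decoded, the sector is compared region by region with its backup so that corruption of the execution code and of the partition information are reported separately, a missing backup is created from a well-formed on-disk copy, and a damaged sector is replaced by the backup. A real implementation would read the sector through the operating system's raw device interface; here both sector and backup are byte strings built in memory.

```python
"""Added example, not from the patent: MBR backup check and restore at boot."""
import struct
from typing import Optional, Tuple

SECTOR = 512
CODE_END = 446            # bootstrap code occupies bytes 0..445
TABLE_END = 510           # four 16-byte partition entries, bytes 446..509
SIGNATURE = b"\x55\xAA"   # boot signature in bytes 510..511


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition entries (status, type, first LBA, sector count).

    Each entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, CODE_END + 16 * i
        )
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def is_well_formed(mbr: bytes) -> bool:
    return len(mbr) == SECTOR and mbr[TABLE_END:] == SIGNATURE


def damage(mbr: bytes, backup: bytes) -> set:
    """Regions of the on-disk MBR that differ from the backup or are malformed."""
    found = set()
    if mbr[:CODE_END] != backup[:CODE_END]:
        found.add("code")             # execution code corrupted
    if mbr[CODE_END:TABLE_END] != backup[CODE_END:TABLE_END]:
        found.add("partition")        # partition information corrupted
    if mbr[TABLE_END:] != SIGNATURE:
        found.add("signature")
    return found


def boot_check(disk_mbr: bytes, backup: Optional[bytes]) -> Tuple[str, bytes, bytes]:
    """Steps S110 to S140. Returns (action, mbr_to_boot_from, backup_after)."""
    if backup is None:                               # S110: no backup -> S120 store one
        if not is_well_formed(disk_mbr):
            raise RuntimeError("no backup and the on-disk MBR is unusable")
        return "backup_stored", disk_mbr, disk_mbr
    if not is_well_formed(backup):                   # never restore from a bad backup
        raise RuntimeError("backup MBR is itself malformed")
    found = damage(disk_mbr, backup)                 # S130
    if found:
        return "restored:" + ",".join(sorted(found)), backup, backup   # S140
    return "boot", disk_mbr, backup                  # proceed to Windows boot (S150)


def build_sample_mbr() -> bytes:
    """Constructed MBR: placeholder code, one active NTFS-type partition, three empty entries."""
    code = b"\xEB\x63\x90" + b"\x90" * (CODE_END - 3)
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800) + b"\x00" * 48
    return code + table + SIGNATURE


MBR_BACKUP = build_sample_mbr()

if __name__ == "__main__":
    print(parse_partitions(MBR_BACKUP)[0])
    corrupted = bytearray(MBR_BACKUP)
    corrupted[CODE_END + 8] ^= 0xFF          # flip a byte of the first entry's LBA start
    print(boot_check(bytes(corrupted), MBR_BACKUP)[0])
```

A byte-for-byte comparison also flags legitimate changes, for example after an authorized repartitioning, as damage; the stored backup therefore has to be refreshed as part of any authorized change to the boot sector, otherwise the restore step silently undoes the change.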
  • Windows then boots (S150) and the user terminal runs processes for the user's ordinary work (S160).
  • The security server, the user terminal, or the administrator terminal monitors for abnormal external access, for example intrusion by viruses, malware, spyware or spy bots, and terminates the work in progress when such access is detected (S170, S180).
  • A recovery mode is then selected (S200).
  • Any one of recovery modes 1, 2 and 3 may be designated in advance by the user or the administrator, or a recovery-mode selection message may be output so that the user or administrator can choose.
  • When recovery mode 1 is selected, recovery is performed using a checkpoint (S210). That is, recovery mode 1 restores the system files to a checkpoint preset by the user or by the security server. The checkpoint may be based on a time set for system-file recovery, the point at which a patch program was installed, or the point at which Windows was last shut down.
  • The user may set the checkpoint to a specific date. That is, the checkpoint may be set to a specific date preset by the user, for which date information is provided in advance.
  • The checkpoint may be set at the time a patch program is installed. That is, the checkpoint may be set to the most recent installation time of the patch program, since patch programs are the system files most frequently updated.
  • The checkpoint may be set at the point Windows was shut down. Since an update patch program that was installed before Windows shut down can be judged to be operating normally, the most recent Windows shutdown can be used as the checkpoint.
  • When recovery mode 2 is selected, the system is recovered using the system-file original image stored in the system-file storage area (S220).
  • The system-file original image is generated on the security server from system files verified to be free of abnormalities, and may be delivered to the affected user terminal or administrator terminal at recovery time or provided periodically.
  • After recovery mode 1 or 2 completes, the process returns to the boot-signal check (S100) to reboot Windows.
  • On that reboot, the steps from work execution (S160) to work termination (S180) are skipped.
  • Recovery mode 3 may be a step that is always performed after recovery mode 1 or 2 has run. That is, after the system has been restored by recovery mode 1 or 2, Windows is shut down so that the patch program can be updated.
  • A step of updating the patch program at any time before Windows is shut down may also be added. Updates needed for normal use of the system files are continually provided as patch programs by an external system-file providing server; when such a patch program is available, the user terminal or the administrator terminal detects it and applies the update.
  • A checkpoint is stored so that the patch-program update information is known (S310).
  • The checkpoint is stored based on the point in time, or the area, at which the normal patch program was installed during the update.
  • The security server monitors whether any system file has changed (S320), and returns to the recovery-mode selection step if a changed system file is abnormal.
  • If the changed file is related to a patch program, the system file is stored (S330 and S350).
  • The system file updated by the patch program is stored as the original image so that recovery time can be reduced later.
  • Recovery mode 1 may be performed first; if recovery in mode 1 does not succeed, system recovery may be performed again in recovery mode 2.
  • Recovery mode 1 may be repeated a set number of times, and the process proceeds to recovery mode 2 if the system recovery still fails after that number of attempts.
  • The security server executes a recovery mode when an abnormality is detected in a user terminal, an administrator terminal, or a system server.
  • The program that performs step S330 may be installed on the user terminal, the administrator terminal, and the system server and executed on each of them.
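The checkpoint storage (S310), file-change monitoring (S320), patch-related classification (S330/S350) and the mode 1, then mode 2, then mode 3 sequence (S200 to S220) as one added example. This is illustrative code written for this page, not the patent's or the applicant's implementation. It assumes system files are a path-to-bytes mapping, a checkpoint is a path-to-SHA-256 snapshot backed by a content store, the original image is the clean copy the security server provides, and a change counts as patch-related when it carries a valid HMAC tag under a key shared with the patch server (a hypothetical stand-in; a real deployment would verify the server's signature rather than share a secret). The file names and contents are constructed.

```python
"""Added example (not the patent's code): checkpoint storage, file-change monitoring,
patch-related classification and the recovery-mode 1 -> 2 -> 3 sequence (S200-S350).
Assumptions: system files are a path -> bytes mapping; a checkpoint is a path -> sha256
snapshot whose contents live in a content store; the original image is the
server-provided clean copy; a change is patch-related when it carries a valid HMAC tag
under a key shared with the patch server (hypothetical stand-in for a server signature)."""
import hashlib
import hmac
from typing import Dict, List


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class RecoverySystem:
    MODE1_MAX_TRIES = 2  # set number of mode-1 attempts before falling back to mode 2

    def __init__(self, original_image: Dict[str, bytes], patch_key: bytes):
        self.original = dict(original_image)       # mode 2 source (server-provided)
        self.live = dict(original_image)           # files currently on the terminal
        self.patch_key = patch_key
        self.content_store: Dict[str, bytes] = {}  # sha256 -> bytes backing the checkpoints
        self.checkpoints: List[Dict[str, str]] = []
        self.pending_patch_update = False          # set by mode 3
        self.save_checkpoint()

    def save_checkpoint(self) -> Dict[str, str]:
        """S310: snapshot the hashes of the live system files and keep their contents."""
        snap = {path: sha256(data) for path, data in self.live.items()}
        for path, data in self.live.items():
            self.content_store.setdefault(snap[path], data)
        self.checkpoints.append(snap)
        return snap

    def patch_tag(self, changes: Dict[str, bytes]) -> bytes:
        """Tag over a canonical (path, hash) manifest; in this model the patch server computes it."""
        manifest = b"".join(f"{p}={sha256(d)};".encode() for p, d in sorted(changes.items()))
        return hmac.new(self.patch_key, manifest, hashlib.sha256).digest()

    def install_patch(self, changes: Dict[str, bytes], tag: bytes) -> bool:
        """S330/S350: apply a change only if it is patch-related (valid tag); the patched
        files then become part of the original image and a new checkpoint is stored."""
        if not hmac.compare_digest(tag, self.patch_tag(changes)):
            return False
        self.live.update(changes)
        self.original.update(changes)
        self.save_checkpoint()
        return True

    def monitor(self) -> List[str]:
        """S320: paths whose content differs from the latest checkpoint (added, removed or altered)."""
        ref = self.checkpoints[-1]
        paths = set(ref) | set(self.live)
        return sorted(p for p in paths
                      if ref.get(p) != (sha256(self.live[p]) if p in self.live else None))

    def restore_checkpoint(self) -> bool:
        """Recovery mode 1 (S210): rebuild the live files from the latest checkpoint."""
        ref = self.checkpoints[-1]
        if any(h not in self.content_store for h in ref.values()):
            return False                           # backup contents unavailable: mode 1 fails
        self.live = {p: self.content_store[h] for p, h in ref.items()}
        return not self.monitor()

    def restore_original(self) -> None:
        """Recovery mode 2 (S220): rebuild from the original image and checkpoint the result."""
        self.live = dict(self.original)
        self.save_checkpoint()

    def recover(self) -> List[str]:
        """S200: mode 1 up to MODE1_MAX_TRIES, else mode 2; mode 3 is always scheduled after."""
        log = []
        for attempt in range(1, self.MODE1_MAX_TRIES + 1):
            if self.restore_checkpoint():
                log.append(f"mode1 ok (attempt {attempt})")
                break
            log.append(f"mode1 failed (attempt {attempt})")
        else:
            self.restore_original()
            log.append("mode2 ok")
        self.pending_patch_update = True           # mode 3: shut Windows down and update patches
        log.append("mode3 scheduled")
        return log


if __name__ == "__main__":
    # Constructed sample terminal with two system files.
    rs = RecoverySystem({"ntdll.dll": b"ntdll v1", "kernel32.dll": b"k32 v1"}, b"constructed-key")
    upd = {"ntdll.dll": b"ntdll v2"}
    print(rs.install_patch(upd, rs.patch_tag(upd)))    # True: patch-related change
    rs.live["kernel32.dll"] = b"k32 trojanised"         # unsanctioned change
    print(rs.monitor(), rs.recover())
```

The point the model makes concrete is where each mode's trust comes from: mode 1 depends on the terminal-side checkpoint store still being intact, which is exactly what an attacker with persistence will target, so the mode 2 fallback must draw on a copy the terminal cannot modify (here, the server-provided original image). The patch-related test in S330 is only as strong as the authentication behind it; a hash match on its own would let a trojanised file "look like" a patch.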
  • The recovery method using the network recovery system in an APT environment can recover immediately when the system is damaged by a virus, spyware, or the like. By restoring the system to a preset Recovery Time Objective (RTO) or Recovery Point Objective (RPO), it can reduce the Maximum Tolerable Period of Disruption (MTPD).

Abstract

The present invention relates to a recovery method using a network recovery system in an advanced persistent threat environment. When a user terminal or an administrator terminal monitors and detects an abnormal action such as a hacking attempt or the installation of an abnormal program including spyware, the network recovery system in an advanced persistent threat environment according to the present invention restores the system file of the affected terminal to a preset target recovery time or target data recovery point by means of one of recovery mode 1, which restores to a preset checkpoint, recovery mode 2, which restores to the original image of the system file, and recovery mode 3, which updates a patch associated with the system file before Windows shuts down, so as to reduce the maximum tolerable period of disruption.
PCT/KR2016/012033 2016-10-24 2016-10-26 Recovery method using a network recovery system in an advanced persistent threat environment WO2018079867A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
KR1020160138078A KR101904415B1 (ko) 2016-10-24 2016-10-24 System recovery method in an advanced persistent threat environment
KR1020160138079A KR101872605B1 (ko) 2016-10-24 2016-10-24 Network recovery system in an advanced persistent threat environment
KR10-2016-0138079 2016-10-24
KR10-2016-0138078 2016-10-24

Publications (1)

Publication Number Publication Date
WO2018079867A1 true WO2018079867A1 (fr) 2018-05-03

Family

ID=62025149

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2016/012033 WO2018079867A1 (fr) 2016-10-24 2016-10-26 Recovery method using a network recovery system in an advanced persistent threat environment

Country Status (1)

Country Link
WO (1) WO2018079867A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20070089399A (ko) * 2006-02-28 2007-08-31 LG Electronics Inc. Boot control method for a digital storage device
US20110023114A1 (en) * 2009-07-22 2011-01-27 Wael William Diab Method and System For Traffic Management Via Virtual Machine Migration
KR20130129184A (ko) * 2010-08-25 2013-11-27 Lookout, Inc. System and method for server-coupled malware prevention
KR101343693B1 (ko) * 2007-02-05 2013-12-20 LG CNS Co., Ltd. Network security system and processing method thereof
KR20140116498A (ko) * 2012-02-14 2014-10-02 Alcatel Lucent Method and apparatus for rapid disaster recovery preparation in a cloud network

Similar Documents

Publication Publication Date Title
WO2021060856A1 (fr) System and method for secure network access of a terminal
WO2017034072A1 (fr) Network security system and security method
RU2568295C2 (ru) System and method for temporarily protecting the operating system of software and hardware devices from applications containing vulnerabilities
KR101380908B1 (ko) Integrated hacker and virus security management device
CN105409164B (zh) Rootkit detection by detecting inconsistencies in network traffic using hardware resources
US7657941B1 (en) Hardware-based anti-virus system
WO2011105659A1 (fr) System, method, program, and recording medium for real-time detection and blocking of malicious programs through behavioral analysis of a process
US8060933B2 (en) Computer data protecting method
US20150256554A1 (en) Attack analysis system, cooperation apparatus, attack analysis cooperation method, and program
MXPA05012560A (es) Computer security management, such as in a virtual machine or hardened operating system
KR100788256B1 (ko) Web server forgery and tampering monitoring system and monitoring method using a network
CN113660224A (zh) Situational awareness defense method, apparatus and system based on network vulnerability scanning
JP2022530288A (ja) Method for preventing root-level access attacks, and measurable SLA security and compliance platform
WO2018164503A1 (fr) Context-aware ransomware detection
WO2021112494A1 (fr) Endpoint-based detection and response management system and method
CN111444519A (zh) Protecting the integrity of log data
JP6918269B2 (ja) Attack estimation device, attack control method, and attack estimation program
CN113132412B (zh) Computer network security test and verification method
WO2018043832A1 (fr) Method for operating a secure web browser
KR20110131627A (ko) Malicious code diagnosis and recovery apparatus, and terminal device therefor
CN117494144A (zh) Security environment protection method based on a cloud platform
JP2008071210A (ja) Quarantine device, quarantine program, quarantine method, health check terminal and quarantine system
CN110086812B (zh) Secure and controllable intranet security patrol system and method
KR101872605B1 (ko) Network recovery system in an advanced persistent threat environment
WO2018079867A1 (fr) Recovery method using a network recovery system in an advanced persistent threat environment

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 16920350; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 16920350; Country of ref document: EP; Kind code of ref document: A1