DOI QR코드

DOI QR Code

Model Proposal for Detection Method of Cyber Attack using SIEM

SIEM을 이용한 침해사고 탐지방법 모델 제안

  • 엄진국 (고려대학교 정보보호대학원) ;
  • 권헌영 (고려대학교 정보보호대학원)
  • Received : 2016.10.11
  • Accepted : 2016.12.09
  • Published : 2016.12.31

Abstract

The occurrence of cyber crime is on the rise every year, and the security control center, which should play a crucial role in monitoring and early response against the cyber attacks targeting various information systems, its importance has increased accordingly. Every endeavors to prevent cyber attacks is being attempted by information security personnel of government and financial sector's security control center, threat response Center, cyber terror response center, Cert Team, SOC(Security Operator Center) and else. The ordinary method to monitor cyber attacks consists of utilizing the security system or the network security device. It is anticipated, however, to be insufficient since this is simply one dimensional way of monitoring them based on signatures. There has been considerable improvement of the security control system and researchers also have conducted a number of studies on monitoring methods to prevent threats to security. In accordance with the environment changes from ESM to SIEM, the security control system is able to be provided with more input data as well as generate the correlation analysis which integrates the processed data, by extraction and parsing, into the potential scenarios of attack or threat. This article shows case studies how to detect the threat to security in effective ways, from the initial phase of the security control system to current SIEM circumstances. Furthermore, scenarios based security control systems rather than simple monitoring is introduced, and finally methods of producing the correlation analysis and its verification methods are presented. It is expected that this result contributes to the development of cyber attack monitoring system in other security centers.

최근 각종 사이버 범죄 위협이 증가하고 있고, 근래 각종 정보시스템을 대상으로 하는 사이버 공격에 대해서 사전 탐지, 차단 등 최전방에서 초동대응을 해야 하는 보안관제센터의 중요성이 높아가고 있다. 보안관제센터, 침해대응센터, 사이버테러 대응센터, Cert Team, SOC(Security Operater Center) 등의 이름으로 국가기관 및 금융권 등의 보안관제센터 분석인원들은 사이버 공격 예방을 위한 많은 노력들을 하고 있다. 침해사고 탐지를 위한 방법으로 관제시스템을 이용하거나 네트워크 보안장비들을 활용하여 탐지를 하고 있다. 하지만 단순 패턴기반으로만 모니터링 하는 1차원적인 방법으로는 침해사고의 예방을 위한 탐지방법으로 많이 부족하다. 관제시스템도 많은 발전을 하고 있으며 침해위협에 대한 예방활동으로 탐지방법에 대한 연구들도 많이 진행하고 있다. 근래 ESM에서 SIEM 시대로 넘어가면서 관제시스템으로 많은 정보를 가져올 수 있게 되었고 필요한 데이터만을 파싱, 분석하여 침해위협 시나리오에 접목시켜 상관분석 정책을 만들 수 있게 되었다. 이에 본 논문에서는 초창기 관제시스템부터 지금의 SIEM(Security Information Event Management)을 이용한 관제시스템까지 노하우를 통하여 효과적인 침해위협의 탐지방법에 대한 사례연구를 발표한다. 본 사례연구 결과를 통해서 우리나라의 다른 관제센터에서 침해사고 탐지를 효과적으로 할 수 있도록 도움이 되었음 한다. 과거 단순 위협 탐지가 아닌 시나리오 기반의 관제체계를 소개하고 상관분석정책에 대한 제작 및 검증방법을 제시하고자 한다.

Keywords

References

  1. Hyun-A Park, Dong-Hoon Lee, Jong-In Lim, Sang-Hyun Cho "Privacy Preserving Audit Log for Intrusion Detection System" The Institute of Webcasting Internet and Telecommunication, PP 59-60 7 2007
  2. Myung-Hoon Kang, "Completion of information security monitoring system with complete control and security of the IDS pattern matching techniques discussed in Big Data Analytics", pp 40-41. 5 2013
  3. Jae Chan Yoo, "A Study on the Protection for Corporation Information Using Scenario Technique," The Graduate of SungKyunkwan University, pp. 14-16, August 2012
  4. Kelly M, Mark Nicolett, Oliver Rockford, "Magic Quadrant for Security Inofrmation and Event Management", Gartner Group, pp. 2-8, June 2014
  5. DongSung im, YoungMin Kim, "Enhancement of internal Control by expanding Security Information Event Management System", Korea Society of Computer and Information, pp 36-37. 8 2015 DOI: https://doi.org/10.9708/jksci.2015.20.8.035
  6. Jae-Hwa Sim, Sung-Hwan Kim, Tai-Myung Chung, "A Survey of Solutions using Security Information Event Management" Proceedings of Symposium of the Korean Institute of communications and Information Sciences, page 390-391. 1 2014
  7. Han-Dong Kim, "Security information / event management with intelligent log management platform evolving in big data environments (SIEM) trends", pp 11-13. 8 2013
  8. Mark Nicolett Kelly M, Kavanagh, "Magic Quadrant for Security Information and Event Management:, Garther Group, July. 2013
  9. R. Bejtlick, Tao of Network Security Monitoring, the beyond Intrusion Detection:What is Network Security Monitoring, Addision Wesley Professional. pp 40-41 July 2004.
  10. Young-Jin Kim, Su-yeon Lee, Hun-Young Kwon, Jong-in Lim "A Study on the Improvement of Effectiveness in National Cyber Security Monitoring and Control" Korean Institute if Information Security And Cryptology, pp 3-4, 2 2009
  11. Si-Jang Park, Jong-Hoon Park, "Current Status and Analysis if Domestic Security Monitoring Systems, korea institute of electronic communication science." 2 page 9. 2014 DOI: https://doi.org/10.13067/jkiecs.2014.9.2.261
  12. Young-Jin Kim, Su-yeon Lee, Hun-Young Kwon, Jong-in Lim "A Study on the Improvement of Effectiveness in National Cyber Security Monitoring and Control" Korean Institute if Information Security And Cryptology, pp 10-11, 2 2009)