• Title/Summary/Keyword: security monitoring (보안 관제)


Design and Evaluation Security Control Iconology for Big Data Processing (빅데이터 처리를 위한 보안관제 시각화 구현과 평가)

  • Yun, Seong Yeol; Kim, Jeong Ho; Jeon, Sang Jun
    • Proceedings of the Korea Information Processing Society Conference / 2020.11a / pp.420-423 / 2020
  • This study describes a method for building a security monitoring system using an open-source big data solution so that private companies can build an overall security monitoring infrastructure. In particular, as one way of reducing cost and development time when building a security monitoring system, the infrastructure was built using the Elastic Stack, one of the free open-source big data analysis solutions, and a comparative experiment was conducted against Splunk, a product widely adopted in industry. Using the Elastic Stack, security logs were collected, analyzed, and visualized step by step to create a dashboard, and after large volumes of logs were input, the search speed was measured. Through this, the potential of the Elastic Stack as a big data analysis solution that could replace Splunk was discovered.

A Study on Improvement of Cyber Security Framework for Security Operations Center (보안관제 조직을 위한 사이버보안 프레임워크 개선에 관한 연구)

  • Cho, Changseob; Shin, Yongtae
    • Convergence Security Journal / v.19 no.1 / pp.111-120 / 2019
  • As cyber-attacks become more intelligent and sophisticated, the importance of the Security Operations Center (SOC) has increased and the number of SOCs has been increasing. In order to cope with cyber threats, institutions and organizations use a variety of cyber security standards to create business procedures. However, SOCs often need to be improved in accordance with the SOC environment because they collaborate with managed security service specialists rather than their own personnel. The NIST cyber security framework, information security management system, and managed security service companies were compared and analyzed. As a result, it was found that the NIST CSF is a framework that is easy to apply to managed security services, but its content was judged to be insufficient. Therefore, in this study, the NIST CSF was used as a reference model to derive the management items required for the SOC environment, the necessity, importance and ease of each item were confirmed through a Delphi technique, and an improved cyber security framework was proposed.

An Auto-Verification Method of Security Events Based on Empirical Analysis for Advanced Security Monitoring and Response (보안관제 효율성 제고를 위한 실증적 분석 기반 보안이벤트 자동검증 방법)

  • Kim, Kyu-Il; Park, Hark-Soo; Choi, Ji-Yeon; Ko, Sang-Jun; Song, Jung-Suk
    • Journal of the Korea Institute of Information Security & Cryptology / v.24 no.3 / pp.507-522 / 2014
  • Domestic CERTs are carrying out monitoring and response against cyber attacks using security devices (e.g., IDS, TMS, etc.) based on signatures. Particularly, in the case of public and research institutes, about 30 security monitoring and response centers are being operated under the National Cyber Security Center (NCSC) of the National Intelligence Service (NIS). They are mainly using the Threat Management System (TMS) for providing security monitoring and response services. Since TMS raises a large amount of security events and most of them are not related to real cyber attacks, the security analysts who carry out the security monitoring and response suffer from analyzing all the TMS events and finding the real cyber attacks among them. Also, since the security monitoring and response tasks depend on the security analyst's know-how, there is a fatal problem in that they tend to focus on analyzing specific security events, so that they are unable to analyze and respond to unknown cyber attacks. Therefore, we propose an automated verification method of security events based on their empirical analysis to improve the performance of security monitoring and response.

A Study on Effective Security Control Model Based on Characteristic of Web Service (웹 서비스 특성 기반 효율적인 보안관제 모델 연구)

  • Lee, Jae-heon; Lee, Sang-Jin
    • Journal of the Korea Institute of Information Security & Cryptology / v.29 no.1 / pp.175-185 / 2019
  • Security control is the protection of IT systems from cyber infringement by deriving valid result values in the process of gathering and analyzing various information. Currently, security control is very effective when using SIEM equipment, which enables analysis from a systematic and comprehensive viewpoint based on a lot of data, away from analyzing cyber threat information with only fragmentary information. However, it can also be said that cyber attacks are analyzed and coped with through the manual work of security personnel. This means that even if there is excellent security equipment, the results will vary depending on the user. In the case of operating a characteristic web service including information provision, this study suggests the basic point of security control through characteristic information analysis, and proposes a model for intensive security control through type discovery and application, which enable a step-wise analysis and effective filtering. Using this model would allow attacks to be effectively detected, analyzed and blocked.

A study on the managed security services(MSS) method for energy-based SCADA Systems (에너지 기반보호시설의 보안관제 방안에 관한 연구)

  • Jang, Jeong-Woo; Kim, Woo-Suk; Yoon, Ji-Won
    • Journal of the Korea Institute of Information Security & Cryptology / v.25 no.2 / pp.279-292 / 2015
  • In this study, we propose an effective network managed security services model that can detect the presence of potential malicious code inside energy-based SCADA systems. Especially, by analyzing the data obtained in the same environment as the SCADA systems, we develop detection factors applicable to the managed security services and propose the method for the network managed security services. Finally, the proposed network managed security services model, through simulation, proved the possibility of detecting malicious traffic in SCADA systems effectively.

Design and Evaluation Security Control Iconology for Big Data Processing (빅데이터 처리를 위한 보안관제 시각화 구현과 평가)

  • Jeon, Sang June; Yun, Seong Yul; Kim, Jeong Ho
    • Journal of Platform Technology / v.8 no.4 / pp.38-46 / 2020
  • This study describes how to build a security control system using an open source big data solution so that private companies can build an overall security control infrastructure. In particular, the infrastructure was built using the Elastic Stack, one of the free open source big data analysis solutions, as a way to shorten the cost and development time when building a security control system. A comparative experiment was conducted. In addition, as a result of comparing and analyzing the functions, convenience, service and technical support of the two solutions, it was found that the Elastic Stack has advantages in the security control of Big Data in terms of community and open solution. Using the Elastic Stack, security logs were collected, analyzed, and visualized step by step to create a dashboard; large volumes of logs were then input and the search speed was measured. Through this, we discovered the possibility of the Elastic Stack as a big data analysis solution that could replace Splunk.


Cyber threat Detection and Response Time Modeling (사이버 위협 탐지대응시간 모델링)

  • Han, Choong-Hee; Han, ChangHee
    • Journal of Internet Computing and Services / v.22 no.3 / pp.53-58 / 2021
  • There is little research on actual business activities in the field of security control. Therefore, in this paper, we intend to present a practical research methodology that can contribute to calculating the size of the appropriate input personnel through modeling of the threat information detection and response time of security control, and to analyzing the effectiveness of the latest security solutions. The total threat information detection and response time performed by the security control center is defined as TIDRT (Total Intelligence Detection & Response Time). The total threat information detection and response time (TIDRT) is composed of the sum of the internal intelligence detection & response time (IIDRT) and the external intelligence detection & response time (EIDRT). The internal threat information detection and response time (IIDRT) can be calculated as the sum of the five steps required. The ultimate goal of this study is to model the major business activities of the security control center as an equation in order to obtain a formula for calculating the cyber threat information detection and response time of the security control center. In Chapter 2, previous studies are examined, and in Chapter 3, the calculation formula of the total threat information detection and response time is modeled. Chapter 4 presents the conclusion.

Operation of Sensor and Big data from Smart City CCTV System for Developing Security Technology (스마트시티를 위한 보안기술 개발용 관제시스템 센서 및 빅데이터 운영)

  • Lee, Sinjae
    • Proceedings of the Korea Information Processing Society Conference / 2022.05a / pp.379-380 / 2022
  • This paper describes what was built in order to establish a KAIST campus-based training environment: the entire campus is used as a smart city testbed; a CCTV-network-based monitoring/control system is built; an integrated control and security training lab covering infrastructure such as traffic, crime prevention, street lights, CCTV, and campus buses is established; multi-faceted security attack/defense exercises are conducted on a campus-based, real-world smart environment through training cooperation with the on-campus autonomous driving research group; and industry-academia cooperation projects are carried out with local governments and consortium companies.

Visualization Service Construction of Firewall, IPS for Intrusion Detection Areas (방화벽, 침입탐지 분야에 대한 보안관제의 시각화 서비스 구축)

  • Yun, Seong Yeol; Kim, Jeong Ho
    • Proceedings of the Korea Contents Association Conference / 2019.05a / pp.331-332 / 2019
  • As the need for log analysis solutions has emerged, not only public institutions but also private companies are rushing to adopt log analysis solutions and build security operations centers. However, the cost itself is considerable, so institutions and companies with insufficient budgets have not yet been able to adopt them. This study presents a method for building a security operations center using open source. A log analysis system was built using the ELK Stack. The search speed and log data visualization performance of the ELK Stack were comparable to those of Splunk, the market share leader. In addition, because open source is used, the detection technology of security monitoring can be further upgraded through technology sharing between companies.


Design and Implementation of ALADDIN System (ALADDIN 시스템 설계 및 구현)

  • Yoon, Seung-Yong; Oh, Jin-Tae; Jang, Jong-Soo; Kim, Ik-Kyun
    • Proceedings of the Korea Information Processing Society Conference / 2011.11a / pp.992-995 / 2011
  • The ALADDIN (Advanced Layer-free DDoS Defense INfrastructure) system is a dedicated anti-DDoS system capable of processing bidirectional 10 Gbps traffic. Consisting of three FPGA-based hardware engines (a load balancer engine, an anti-DDoS analysis engine, and a PCI-Express engine) together with a software engine, the system operates in inline mode and processes packets at wire speed. The system detects and responds in real time not only to network-level DDoS attacks but also to application-level DDoS attacks. This paper describes the design, implementation, and test results of the ALADDIN system.