• Title/Summary/Keyword: event log

Search Result 147, Processing Time 0.024 seconds

MITRE ATT&CK and Anomaly detection based abnormal attack detection technology research (MITRE ATT&CK 및 Anomaly Detection 기반 이상 공격징후 탐지기술 연구)

  • Hwang, Chan-Woong;Bae, Sung-Ho;Lee, Tae-Jin
    • Convergence Security Journal
    • /
    • v.21 no.3
    • /
    • pp.13-23
    • /
    • 2021
  • The attacker's techniques and tools are becoming intelligent and sophisticated. Existing Anti-Virus cannot prevent security accident. So the security threats on the endpoint should also be considered. Recently, EDR security solutions to protect endpoints have emerged, but they focus on visibility. There is still a lack of detection and responsiveness. In this paper, we use real-world EDR event logs to aggregate knowledge-based MITRE ATT&CK and autoencoder-based anomaly detection techniques to detect anomalies in order to screen effective analysis and analysis targets from a security manager perspective. After that, detected anomaly attack signs show the security manager an alarm along with log information and can be connected to legacy systems. The experiment detected EDR event logs for 5 days, and verified them with hybrid analysis search. Therefore, it is expected to produce results on when, which IPs and processes is suspected based on the EDR event log and create a secure endpoint environment through measures on the suspicious IP/Process.

A Study for Integrating ICS Security Logs with Centralized SIEM (Security Information and Event Management) using OPC Protocol (OPC 프로토콜을 활용한 제어시스템 보안로그 전송방법 고찰 및 통합 로그서버 구축방안)

  • Kim, Jaehong;Park, Yongsuk
    • Journal of the Korea Institute of Information and Communication Engineering
    • /
    • v.26 no.8
    • /
    • pp.1205-1212
    • /
    • 2022
  • Cyber threat targeting ICS (Industrial Control System) has indicated drastic increases over the past decade and Cyber Incident in Critical Infrastructure such as Energy, Gas Terminal and Petrochemical industries can lead to disaster-level accidents including casualties and large-scale fires. In order to effectively respond to cyber attacks targeting ICS, a multi-layered defense-in-depth strategy considering Control System Architecture is necessary. In particular, the centralized security log system integrating OT (Operational Technology) and IT (Information Technology) plays an important role in the ICS incident response plan. The paper suggests the way of implementing centralized security log system that collects security events and logs using OPC Protocol from Level 0 to Level 5 based on IEC62443 Purdue Model to integrate ICS security logs with SIEM (Security Information Event Management) operated in IT environment.

An Event-Driven Failure Analysis System for Real-Time Prognosis (실시간 고장 예방을 위한 이벤트 기반 결함원인분석 시스템)

  • Lee, Yang Ji;Kim, Duck Young;Hwang, Min Soon;Cheong, Young Soo
    • Korean Journal of Computational Design and Engineering
    • /
    • v.18 no.4
    • /
    • pp.250-257
    • /
    • 2013
  • This paper introduces a failure analysis procedure that underpins real-time fault prognosis. In the previous study, we developed a systematic eventization procedure which makes it possible to reduce the original data size into a manageable one in the form of event logs and eventually to extract failure patterns efficiently from the reduced data. Failure patterns are then extracted in the form of event sequences by sequence-mining algorithms, (e.g. FP-Tree algorithm). Extracted patterns are stored in a failure pattern library, and eventually, we use the stored failure pattern information to predict potential failures. The two practical case studies (marine diesel engine and SIRIUS-II car engine) provide empirical support for the performance of the proposed failure analysis procedure. This procedure can be easily extended for wide application fields of failure analysis such as vehicle and machine diagnostics. Furthermore, it can be applied to human health monitoring & prognosis, so that human body signals could be efficiently analyzed.

Development of Risk Assessment Models for Railway Casualty Accidents (철도 사상사고 위험도 평가 모델 개발에 관한 연구)

  • Park, Chan-Woo;Wang, Jong-Bae;Kim, Min-Su;Choi, Don-Bum;Kwak, Sang-Log
    • Journal of the Korean Society for Railway
    • /
    • v.12 no.2
    • /
    • pp.190-198
    • /
    • 2009
  • This study shows the developing process of the risk assessment models for railway casualty accidents. To evaluate the risks of these accidents, the hazardous events and the hazardous factors were identified by the review of the accident history and engineering interpretation of the accident behavior. The frequency of each hazardous event was evaluated from the historical accident data and structured expert judgments by using the Fault Tree Analysis (FTA) technique. In addition, to assess the severity of each hazardous event, the ETA (Event Tree Analysis) technique and other safety techniques were applied. The risk assessment models developed can be effectively utilized in defining the risk reduction measures in connection with the option analysis.

Construction of Event Tree & Fault Tree for Train Fire Risk Assessment (철도화재사고 위험도평가를 위한 Event Tree 및 Fault Tree 구성)

  • Kwak, Sang-Log;Wang, Jong-Bae;Lee, Bong-Seob;Park, Chan-Woo
    • Journal of the Korean Society for Railway
    • /
    • v.11 no.6
    • /
    • pp.530-535
    • /
    • 2008
  • After train fire accident in Daegue, many research on train fire safety improvement have been carrying out. Since many alternative fire safety measures can be applied in our railway system, the effect of the each safety measure must be quantified prior to the safety investment. In order to estimate the effects of each safety measure quantitatively, fault trees and event trees are constructed in this study. Results can be applied for cost-benefit analysis or sensitivity analysis for safety measures in risk assessment process.

Research on Security Detection Policy Model in the SIEM for Ship (선박용 Security Information Event Management (SIEM) 개발을 위한 보안 정책 모델에 관한 연구)

  • Gumjun Son;Jongwoo Ahn;Changsik Lee;Namseon Kang;Sungrok Kim
    • Journal of the Society of Naval Architects of Korea
    • /
    • v.61 no.4
    • /
    • pp.278-288
    • /
    • 2024
  • According to International Association of Classification Societies (IACS) Unified Requirement (UR) E26, ships contracted for construction after July 1, 2024 should be designed, constructed, commissioned and operated taking into account of cyber security. In particular, ship network monitoring tools should be installed in accordance with requirement 4.3.1 in IACS UR E26. In this paper, we propose a Security Information and Event Management (SIEM) security policy model for ships as an effective threat detection method by analyzing the cyber security regulations and ship network status in the maritime domain. For this purpose, we derived the items managed in the SIEM from the maritime cyber security regulations such as those of International Maritime Organization (IMO) and IACS, and defined 14 detection policies considering the status of the ship network. We also presents the detection policy for non-expert crews to understand it, and occurrence conditions depending on the ship's network environment to minimize indiscriminate alarms. We expect that the results of this study will help improve the efficiency of ship SIEM to be installed in the future.

Design and Implementation of Web Attack Detection System Based on Integrated Web Audit Data (통합 이벤트 로그 기반 웹 공격 탐지 시스템 설계 및 구현)

  • Lee, Hyung-Woo
    • Journal of Internet Computing and Services
    • /
    • v.11 no.6
    • /
    • pp.73-86
    • /
    • 2010
  • In proportion to the rapid increase in the number of Web users, web attack techniques are also getting more sophisticated. Therefore, we need not only to detect Web attack based on the log analysis but also to extract web attack events from audit information such as Web firewall, Web IDS and system logs for detecting abnormal Web behaviors. In this paper, web attack detection system was designed and implemented based on integrated web audit data for detecting diverse web attack by generating integrated log information generated from W3C form of IIS log and web firewall/IDS log. The proposed system analyzes multiple web sessions and determines its correlation between the sessions and web attack efficiently. Therefore, proposed system has advantages on extracting the latest web attack events efficiently by designing and implementing the multiple web session and log correlation analysis actively.

A MapReduce-Based Workflow BIG-Log Clustering Technique (맵리듀스기반 워크플로우 빅-로그 클러스터링 기법)

  • Jin, Min-Hyuck;Kim, Kwanghoon Pio
    • Journal of Internet Computing and Services
    • /
    • v.20 no.1
    • /
    • pp.87-96
    • /
    • 2019
  • In this paper, we propose a MapReduce-supported clustering technique for collecting and classifying distributed workflow enactment event logs as a preprocessing tool. Especially, we would call the distributed workflow enactment event logs as Workflow BIG-Logs, because they are satisfied with as well as well-fitted to the 5V properties of BIG-Data like Volume, Velocity, Variety, Veracity and Value. The clustering technique we develop in this paper is intentionally devised for the preprocessing phase of a specific workflow process mining and analysis algorithm based upon the workflow BIG-Logs. In other words, It uses the Map-Reduce framework as a Workflow BIG-Logs processing platform, it supports the IEEE XES standard data format, and it is eventually dedicated for the preprocessing phase of the ${\rho}$-Algorithm that is a typical workflow process mining algorithm based on the structured information control nets. More precisely, The Workflow BIG-Logs can be classified into two types: of activity-based clustering patterns and performer-based clustering patterns, and we try to implement an activity-based clustering pattern algorithm based upon the Map-Reduce framework. Finally, we try to verify the proposed clustering technique by carrying out an experimental study on the workflow enactment event log dataset released by the BPI Challenges.

Windows 7 Operating System Event based Visual Incident Analysis System (윈도우즈 7 운영체제 이벤트에 대한 시각적 침해사고 분석 시스템)

  • Lee, Hyung-Woo
    • Journal of Digital Convergence
    • /
    • v.10 no.5
    • /
    • pp.223-232
    • /
    • 2012
  • Recently, the leakage of personal information and privacy piracy increase. The victimized case of the malicious object rapidlies increase. Most of users use the windows operating system. Recently, the Windows 7 operating system was announced. Therefore, we need to study for the intrusion response technique at the next generation operate system circumstances. The accident response technique developed till now was mostly implemented around the Windows XP or the Windows Vista. However, a new vulnerability problem will be happen in the breach process of reaction as the Windows 7 operating system is announced. In the windows operating system, the system incident event needs to be efficiently analyzed. For this, the event information generated in a system needs to be visually analyzed around the time information or the security threat weight information. Therefore, in this research, we analyzed visually about the system event information generated in the Windows 7 operating system. And the system analyzing the system incident through the visual event information analysis process was designed and implemented. In case of using the system developed in this study the more efficient accident analysis is expected to be possible.

Sound event detection based on multi-channel multi-scale neural networks for home monitoring system used by the hard-of-hearing (청각 장애인용 홈 모니터링 시스템을 위한 다채널 다중 스케일 신경망 기반의 사운드 이벤트 검출)

  • Lee, Gi Yong;Kim, Hyoung-Gook
    • The Journal of the Acoustical Society of Korea
    • /
    • v.39 no.6
    • /
    • pp.600-605
    • /
    • 2020
  • In this paper, we propose a sound event detection method using a multi-channel multi-scale neural networks for sound sensing home monitoring for the hearing impaired. In the proposed system, two channels with high signal quality are selected from several wireless microphone sensors in home. The three features (time difference of arrival, pitch range, and outputs obtained by applying multi-scale convolutional neural network to log mel spectrogram) extracted from the sensor signals are applied to a classifier based on a bidirectional gated recurrent neural network to further improve the performance of sound event detection. The detected sound event result is converted into text along with the sensor position of the selected channel and provided to the hearing impaired. The experimental results show that the sound event detection method of the proposed system is superior to the existing method and can effectively deliver sound information to the hearing impaired.