16 research outputs found
Real-Time Cyber Attack Tracking and Visualization System
Functions and a system that, by visualizing attack activity against IP addresses both in real time and statistically, make it possible to analyze the origin and source of cyber attacks and the structure of cyber attacks from multiple angles and intuitively
An Advanced Security Event Visualization Method for Identifying Real Cyber Attacks
Most organizations deploy and operate an intrusion detection system (IDS) on their networks in order to defend their vital computer and network resources from malicious attackers. Although IDSs have contributed to the improvement of network security, they have a serious problem: they record a tremendous number of alerts, so security operators are unable to deal with all of them and inevitably miss real cyber attacks among the recorded IDS alerts. Many visualization methods for IDS alerts have been proposed to cope with this issue, but their main objective is to better understand the overall attack situation, not to detect real cyber attacks.
In this paper, we propose an advanced visualization method for IDS alerts based on machine learning and statistical features derived from the alerts. The proposed method can reduce the number of IDS alerts that security operators must analyze and help them identify real cyber attacks among the IDS alerts effectively.
Toward a more practical unsupervised anomaly detection system
During the last decade, various machine learning and data mining techniques have been applied to intrusion detection systems (IDSs), which play an important role in defending critical computer systems and networks from cyber attacks. Unsupervised anomaly detection techniques have received a particularly great amount of attention because they enable the construction of intrusion detection models in an automated manner without labeled training data (i.e., instances preclassified as being or not being an attack) and offer an intrinsic ability to detect unknown attacks, i.e., 0-day attacks. Despite these advantages, it is still not easy to deploy them in a real network environment because they require several parameters to be set during the model-building process, so IDS operators and managers struggle to tune and optimize the required parameters as their network characteristics change. In this paper, we propose a new anomaly detection method that automatically tunes and optimizes the values of these parameters without predefining them. We evaluated the proposed method on real traffic data obtained from Kyoto University honeypots. The experimental results show that the performance of the proposed method is superior to that of the previous one.
A model of analyzing cyber threats trend and tracing potential attackers based on darknet traffic
In general, attackers scan or probe a target network before they attack their victims. Because of this, a darknet (a block of routable but unused IP addresses) is very useful for observing the scanning activities of attackers who are looking for victims with security vulnerabilities in operating systems, applications, services, and so on. Thus, by observing and analyzing darknet traffic, it is possible to gain insight into malicious activities that are happening on the Internet and to identify potential attackers who have sent attack packets to the darknet. However, a darknet has a serious limitation: most darknet traffic carries no payload data, which means that we cannot collect the real attack code from the original darknet traffic. To cope with this problem, we propose a security monitoring and response model to analyze the cyber threat trend and to trace potential attackers based on darknet traffic. We evaluated the proposed model using one /24 block of darknet IP addresses and alerts obtained from a threat management system (TMS). The experimental results provided statistical information on all the incoming darknet traffic, from which we could obtain the global cyber threat trend. Furthermore, the results demonstrated that we could obtain malicious attack patterns and attack code that were not detected by the TMS.
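As an added illustration (not code from the paper above), the following Python sketch shows the two views the abstract describes: a statistical trend over all incoming darknet traffic, and a per-source classification that flags potential attackers to trace. It works on header-only records, since darknet packets carry no payload. The packet records are constructed, the 192.0.2.0/24 documentation block stands in for the real monitored /24, and the scan thresholds and categories are this example's assumptions, not the paper's.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed monitored darknet block (documentation range standing in for a real unused /24).
DARKNET = ip_network("192.0.2.0/24")


def build_sample():
    """Constructed packet records: (epoch_s, src_ip, dst_ip, dst_port, proto, tcp_flags).
    Darknet packets have no payload, so these header fields are all an analyst gets."""
    t = 1_700_000_000
    pkts = []
    for i in range(20):   # source A: horizontal scan, one port across 20 darknet hosts
        pkts.append((t + i, "198.51.100.7", f"192.0.2.{10 + i}", 23, "tcp", "S"))
    for i in range(30):   # source B: vertical scan, 30 ports on a single host
        pkts.append((t + 100 + i, "203.0.113.9", "192.0.2.50", 1000 + i, "tcp", "S"))
    for i in range(5):    # source C: SYN-ACK backscatter from a spoofed-DoS victim, not a scan
        pkts.append((t + 200 + i, "203.0.113.200", "192.0.2.77", 80, "tcp", "SA"))
    pkts.append((t + 300, "198.51.100.7", "10.0.0.1", 23, "tcp", "S"))  # outside the darknet
    return pkts


def in_darknet(pkts):
    """Keep only packets whose destination actually lies in the monitored block."""
    return [p for p in pkts if ip_address(p[2]) in DARKNET]


def trend(pkts):
    """Global view: which protocol/port pairs the whole darknet is being probed on."""
    pkts = in_darknet(pkts)
    ports = Counter((p[4], p[3]) for p in pkts)
    protos = Counter(p[4] for p in pkts)
    return {"packets": len(pkts), "top_ports": ports.most_common(5), "protocols": dict(protos)}


def classify_sources(pkts, min_hosts=8, min_ports=8):
    """Per-source view: how many darknet hosts and ports each source touched, and what
    that pattern looks like. Thresholds are assumptions for this example."""
    hosts, ports, flags = defaultdict(set), defaultdict(set), defaultdict(set)
    for _, src, dst, dport, proto, tf in in_darknet(pkts):
        hosts[src].add(dst)
        ports[src].add((proto, dport))
        flags[src].add(tf)
    out = {}
    for src in hosts:
        h, p = len(hosts[src]), len(ports[src])
        if flags[src] <= {"SA", "RA", "R"}:
            kind = "backscatter"        # replies to spoofed packets; 'source' is a victim
        elif h >= min_hosts and p >= min_ports:
            kind = "mixed-scan"
        elif h >= min_hosts:
            kind = "horizontal-scan"    # one service across many hosts
        elif p >= min_ports:
            kind = "vertical-scan"      # many services on one host
        else:
            kind = "low-volume"
        out[src] = {"hosts": h, "ports": p, "kind": kind}
    return out


def potential_attackers(pkts):
    """Sources worth tracing, ordered by hosts touched then ports probed. Backscatter
    sources are excluded: tracing them would lead to someone else's DoS victim."""
    cls = classify_sources(pkts)
    scanners = [(s, v) for s, v in cls.items() if v["kind"].endswith("scan")]
    scanners.sort(key=lambda kv: (kv[1]["hosts"], kv[1]["ports"]), reverse=True)
    return [s for s, _ in scanners]


if __name__ == "__main__":
    sample = build_sample()
    print(trend(sample))
    for src, info in classify_sources(sample).items():
        print(src, info)
    print("trace first:", potential_attackers(sample))
```

The backscatter check matters in practice: a SYN-ACK flood arriving at the darknet means the apparent source is being attacked with spoofed packets, so it belongs in the threat trend but not on the list of attackers to trace.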
An Advanced Incident Response Methodology Based on Correlation Analysis of Polymorphic Security Events
In order to cope with the continuous evolution of cyber threats, many security products (e.g., IDS/IPS, TMS, firewalls) are being deployed in organizational networks, but it is not easy to monitor and analyze the security events triggered by these products constantly and effectively. Thus, in many cases, real-time incident analysis and response for each organization are assigned to an external dedicated security center. However, since the external security center deploys its security appliances only at the boundary or at a single point of the network, it is very difficult to understand the entire network situation and to respond to security incidents rapidly and accurately when relying on a single type of security information. In addition, security appliances trigger an unmanageable number of alerts (by some estimates, several thousand alerts are raised every day, and about 99% of them are false positives), which makes it difficult for the analyst to investigate all of them and to identify which alerts are serious and which are not. In this paper, therefore, we propose an advanced incident response methodology to overcome the limitations of the existing incident response scheme. The main idea of our methodology is to utilize polymorphic security events, which can be easily obtained from the security appliances deployed in each organization, and to subject them to correlation analysis. We evaluate the proposed methodology using diverse types of real security information, and the results show the effectiveness and superiority of the proposed incident response methodology.
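The following Python example is added here to make the correlation idea concrete; it is not the paper's own code or data. It takes security events of two different shapes (structured IDS alerts and firewall log lines in a made-up syslog-like format), normalizes them, and ranks each alert by what the other appliance saw: whether the firewall blocked the flow, let it through, or later allowed the targeted host to connect back to the attacker. The events, the log format, the time windows and the priority scheme are all assumptions of this example.

```python
import re

# Constructed IDS alerts, already structured (times are epoch seconds).
IDS_ALERTS = [
    {"t": 100, "src": "198.51.100.7",  "dst": "10.0.0.5", "dport": 445, "sig": "SMB Exploit Attempt"},
    {"t": 130, "src": "203.0.113.9",   "dst": "10.0.0.8", "dport": 80,  "sig": "Web Shell Upload"},
    {"t": 160, "src": "203.0.113.77",  "dst": "10.0.0.5", "dport": 22,  "sig": "SSH Brute Force"},
]

# Constructed firewall log in an assumed text format; the last line is the targeted
# web host opening an outbound connection to the alert's source afterwards.
FIREWALL_LOG = """\
99 FW deny src=198.51.100.7 dst=10.0.0.5 dport=445
129 FW allow src=203.0.113.9 dst=10.0.0.8 dport=80
159 FW allow src=203.0.113.77 dst=10.0.0.5 dport=22
200 FW allow src=10.0.0.8 dst=203.0.113.9 dport=4444
garbage line that should be ignored
"""

FW_RE = re.compile(
    r"^(?P<t>\d+) FW (?P<action>allow|deny) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_firewall(text):
    """Normalize firewall lines into the same dict shape as the IDS alerts."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # unknown format: skip it rather than abort the whole batch
        d = m.groupdict()
        events.append({"t": int(d["t"]), "src": d["src"], "dst": d["dst"],
                       "dport": int(d["dport"]), "action": d["action"]})
    return events


def correlate(alerts, fw_events, match_window=5, callback_window=600):
    """Attach a priority to each IDS alert from the firewall's view of the same flow."""
    results = []
    for a in alerts:
        flow = (a["src"], a["dst"], a["dport"])
        same_flow = [f for f in fw_events
                     if (f["src"], f["dst"], f["dport"]) == flow
                     and abs(f["t"] - a["t"]) <= match_window]
        # Reverse-direction allowed connection shortly after the alert: target calling home.
        callbacks = [f for f in fw_events
                     if f["src"] == a["dst"] and f["dst"] == a["src"]
                     and f["action"] == "allow"
                     and a["t"] < f["t"] <= a["t"] + callback_window]
        if callbacks:
            prio, why = "high", "target later connected back to the attacker"
        elif same_flow and all(f["action"] == "deny" for f in same_flow):
            prio, why = "low", "firewall blocked the flow"
        elif same_flow:
            prio, why = "medium", "firewall allowed the flow; target was reachable"
        else:
            prio, why = "medium", "no firewall record; cannot confirm blocking"
        results.append({**a, "priority": prio, "reason": why})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(results, key=lambda r: (order[r["priority"]], r["t"]))


if __name__ == "__main__":
    for r in correlate(IDS_ALERTS, parse_firewall(FIREWALL_LOG)):
        print(r["priority"], r["sig"], r["src"], "->", r["dst"], "|", r["reason"])
```

An alert with no matching firewall record is deliberately not demoted: a missing record is absence of evidence, not evidence that the flow was blocked.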
Visualization of security event log collection across multiple networks and its application to a CSOC
We introduce VisIDAC, presented in Song et al. (in: Nguyen, P.Q., Zhou, J. (eds.) Information Security, 20th International Conference, ISC 2017, Security and Cryptology, vol. 10599, Springer International Publishing, 2017), which is a 3-D real-time visualization of security event logs collected from intrusion detection systems installed in multiple networks. VisIDAC consists of three parallel square planes that represent global source networks, target networks, and global destination networks. Security events are displayed in different shapes, colors, and spaces according to their main features, which helps security operators immediately understand the key properties of security events. We also apply VisIDAC to a public cyber security operations center, the Science and Technology Cyber Security Center (S&T-CSC), and demonstrate its usefulness. VisIDAC allows users to grasp the overall flow of security events and their trend more intuitively, makes it easy to recognize large-scale security events such as network scanning, port scanning, and distributed denial-of-service attacks, and is also effective in distinguishing security event types: which target network they relate to; whether they are inbound or outbound traffic; whether they are momentary or continuous; and which protocol and port number are mainly used.
Automated Verification Methodology of Security Events Based on Heuristic Analysis
We present an automated verification methodology for security events, that is, IDS alerts, based on heuristic analysis. The proposed methodology aims to automatically identify real cyber attacks among the security events and filter out false positives, so that security analysts can conduct security monitoring and response more effectively. For the proposed methodology, we used 1,528,730,667 security events obtained from the Science and Technology Security Center (S&T-SEC). We then extracted the core security events that were caused by real cyber attacks. Among the core security events, we selected the top 20 types by the number of real attacks they raised. By analyzing these top 20 types, we identified essential elements and optional elements for use in the automated verification of security events. The evaluation results showed that the proposed methodology reduced the meaningless security events by about 67%. Furthermore, we demonstrated that it detected 140 true negatives that the security analyst had not identified, and that its total accuracy was 96.1
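To show how a verification rule built from essential and optional elements can be applied mechanically, here is an added Python example; it is not the paper's code, and the rules and alerts in it are constructed for illustration (the paper's actual elements came from its top-20 signature analysis and are not reproduced). An alert is filtered unless every essential element of its signature's rule matches, then counted as a real attack if enough optional elements are present; alerts for signatures without a rule are left unverified for the analyst rather than silently dropped.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    """Heuristic rule for one IDS signature type (assumed structure for this example).
    essential: field -> regex, all must match or the alert is filtered out.
    optional:  field -> regex, each match scores one point.
    min_optional: points required, on top of all essentials, to call it a real attack."""
    essential: dict
    optional: dict = field(default_factory=dict)
    min_optional: int = 0


# Assumed rules for two common web signatures; patterns are illustrative only.
RULES = {
    "SQL Injection Attempt": Rule(
        essential={"payload": r"(?i)(union\s+select|\bor\s+1=1|sleep\(\d+\))",
                   "dst_port": r"^(80|443|8080)$"},
        optional={"payload": r"(?i)(information_schema|--|/\*)",
                  "http_status": r"^(200|500)$"},
        min_optional=1),
    "Web Shell Access": Rule(
        essential={"payload": r"(?i)\.(php|jsp|aspx?)\?.*\b(cmd|exec|c)=",
                   "http_status": r"^200$"},
        optional={"src_ip": r"^(?!10\.|192\.168\.)"},  # external source: weak extra signal
        min_optional=0),
}


def verify(alert):
    """Return (verdict, reasons) where verdict is 'attack', 'filtered' or 'unverified'."""
    rule = RULES.get(alert.get("signature"))
    if rule is None:
        return "unverified", ["no rule for this signature"]
    for fld, pattern in rule.essential.items():
        if not re.search(pattern, str(alert.get(fld, ""))):
            return "filtered", [f"essential element missing: {fld}"]
    reasons, points = [], 0
    for fld, pattern in rule.optional.items():
        if re.search(pattern, str(alert.get(fld, ""))):
            points += 1
            reasons.append(f"optional element present: {fld}")
    if points >= rule.min_optional:
        return "attack", reasons or ["all essential elements present"]
    return "filtered", [f"only {points} optional element(s), need {rule.min_optional}"]


def summarize(alerts):
    """Verdict counts plus the fraction of alerts the analyst no longer has to look at."""
    counts = {"attack": 0, "filtered": 0, "unverified": 0}
    for a in alerts:
        counts[verify(a)[0]] += 1
    counts["reduction"] = counts["filtered"] / len(alerts) if alerts else 0.0
    return counts


# Constructed alerts: three real attacks, two false positives, one with no rule.
SAMPLE_ALERTS = [
    {"signature": "SQL Injection Attempt", "src_ip": "198.51.100.7", "dst_port": "80",
     "http_status": "200",
     "payload": "GET /item?id=1 UNION SELECT user,pass FROM information_schema.tables HTTP/1.1"},
    {"signature": "SQL Injection Attempt", "src_ip": "203.0.113.4", "dst_port": "80",
     "http_status": "404", "payload": "GET /docs/union-select-cheatsheet.html HTTP/1.1"},
    {"signature": "SQL Injection Attempt", "src_ip": "198.51.100.9", "dst_port": "443",
     "http_status": "500", "payload": "GET /item?id=1' OR 1=1 -- HTTP/1.1"},
    {"signature": "Web Shell Access", "src_ip": "203.0.113.5", "dst_port": "80",
     "http_status": "200", "payload": "GET /uploads/avatar.php?cmd=id HTTP/1.1"},
    {"signature": "Web Shell Access", "src_ip": "10.0.0.12", "dst_port": "80",
     "http_status": "404", "payload": "GET /blog/cmd.php HTTP/1.1"},
    {"signature": "ICMP Ping Sweep", "src_ip": "10.0.0.3", "dst_port": "", "payload": ""},
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(a["signature"], "->", *verify(a))
    print(summarize(SAMPLE_ALERTS))
```

Keeping the 'unverified' bucket separate is what makes the reduction figure honest: only alerts a rule positively rejected count toward it, so coverage gaps in the rule set show up as unverified work rather than as a flattering filter rate.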
The Development of Visualization Engine to detect abnormal activity related to New-type Cyber Threat
An Efficient Secure Scheme Based on Hierarchical Topology in the Smart Home Environment
As the Internet of Things (IoT) has developed, the emerging sensor network (ESN), which integrates emerging technologies such as autonomous driving, cyber-physical systems, mobile nodes, and existing sensor networks, has been in the limelight. Smart homes have been researched and developed by various companies and organizations. Emerging sensor networks have some issues in providing secure service in a new environment such as a smart home, as well as the low-power and low-computing-capacity problems of the sensors that previous sensor networks were equipped with. This study classifies the various sensors used in smart homes into three classes and proposes a hierarchical topology for efficient communication. In addition, a scheme for establishing secure communication among sensors based on physical unclonable functions (PUFs), which cannot be physically cloned, is suggested with the sensors' low performance in mind. We analyzed this scheme through security and performance evaluations, showing that it establishes secure channels while consuming fewer resources. We believe that our scheme can provide secure communication using fewer resources in future smart home environments.
