Journal of the Korea Institute of Information and Communication Engineering (한국정보통신학회논문지)

The Korea Institute of Information and Commucation Engineering (한국정보통신학회)
권호 표지
DOI QR코드

DOI QR Code

The Analysis of the APT Prelude by Big Data Analytics

빅데이터 분석을 통한 APT공격 전조 현상 분석

  • Choi, Chan-young (Department of Convergence Technology, Hoseo Graduate School of Venture) ;
  • Park, Dea-woo (Department of Convergence Technology, Hoseo Graduate School of Venture)
  • Received : 2016.05.19
  • Accepted : 2016.06.08
  • Published : 2016.06.30
Download PDF
⟨ Previous Next ⟩

Abstract

The NH-NongHyup network and servers were paralyzed in 2011, in the 2013 3.20 cyber attack happened and classified documents of Korea Hydro & Nuclear Power Co. Ltd were leaked on december in 2015. All of them were conducted by a foreign country. These attacks were planned for a long time compared to the script kids attacks and the techniques used were very complex and sophisticated. However, no successful solution has been implemented to defend an APT attacks(Advanced Persistent Threat Attacks) thus far. We will use big data analytics to analyze whether or not APT attacks has occurred. This research is based on the data collected through ISAC monitoring among 3 hierarchical Korean Defense System. First, we will introduce related research about big data analytics and machine learning. Then, we design two big data analytics models to detect an APT attacks. Lastly, we will present an effective response method to address a detected APT attacks.

2011년 NH농협 전산망마비 사건, 2013년 3.20 사이버테러 및 2015년 12월의 한국수력원자력 원전 중요자료 유출사건이 있었다. 이러한 사이버테러는 해외(북한)에서 조직적이고 장기간의 걸친 고도화된 APT공격(Advanced Persistent Threat Attack)을 감행하여 발생한 사이버테러 사건이다. 하지만, 이러한 APT공격을 방어하기 위한 탁월한 방안은 아직 마련되지 못했다. APT공격은 현재의 관제 방식으로는 방어하기가 힘들다. 본 논문에서는 빅데이터 분석을 통해 APT공격을 예측할 수 있는 방안을 연구한다. 본 연구는 대한민국 3계층 보안관제 체계 중, 정보공유분석센터(ISAC)를 기준으로 하여 빅데이터 분석, APT공격 및 취약점 분석에 대해서 연구와 조사를 한다. 그리고 외부의 블랙리스트 IP 및 DNS Log를 이용한 APT공격 예측 방안의 설계 방법, 그리고 전조현상 분석 방법 및 APT공격에 대한 대응방안에 대해 연구한다.

Keywords

References

  1. S. B. Han and S. K. Hong, "Financial Services Industry's Reaction Plan to Defend APT Attack," J. Korea Inst. Info. Security & Cryptology, vol. 2, no. 1, pp. 44-53, 2013.
  2. Ministry of Science, ICT and Future Planning in Rep. of Korea. 3.20 Cyberterror Investigation Interim Report[Internet]. Available: http://korea.kr/policy/mainView.do?newsId=148758717.
  3. Privacy Info. Crime Gov. Joint Investigation Dept. in Rep. of Korea. KHNP Cyberterror Incident Investigation Interim Report[Internet]. Available: http://www.spo.go.kr/_custome/spo/_common/board/download.jsp?attach_no=154704.
  4. Peter Zadrozny and Ragha Kodali, Big Data Analytics Using Splunk,,1st ed, New York, NY: Apress,, 2013.
  5. John D. Kelleher, Brian Mac Namee and Aoife D'Arcy, Fundamentals of Machine Learning for Predictive Analytics, 1st ed, Cambridge, MA: The MIT Press, 2015.
  6. W. P. Kim, "Analysis of Global Research Trend on Information Security," J. Korea Inst. Inf. Commun. Eng, vol. 19, no. 5, pp. 1110-1116, May 2015. https://doi.org/10.6109/jkiice.2015.19.5.1110
  7. D. H. Choi et al., "Tha Application Method of Machine Learning for Analyzing User Transaction Tendency in Big Data environment," J. Korea Inst. Inf. Commun. Eng, vol. 19, no. 10, pp. 2232-2240, Oct. 2015. https://doi.org/10.6109/jkiice.2015.19.10.2232
  8. Sumeet Dua and Xian Du, Data Mining and Machine Learning in Cybersecurity, New York, NY: CRC Press, 2011.
  9. Elshoush. H. Tagelsir. and I. M. Osmank, "Alert correlation in collaborative intelligent intrusion detection systems - A survey." Applied Soft Computing In Press, vol. 11, no. 7, pp. 4349-4365, Oct. 2011. https://doi.org/10.1016/j.asoc.2010.12.004
  10. K. Julish, "Mining alarm clusters to improve alarm handling efficiency.," Proceedings of the 17th Annual Conference on Computer Security Applications, vol. 10, no. 14, pp. 12-21, Dec. 2001.
  11. S. Cheung, U. Lindqvist, "Modeling multistep cyber attacks for scenario recognition," DARPA Information Survivability Conference and Exposition, vol. 1, pp.284-292, Apr. 2003.
  12. H. Debar. and A. Wespi, "Aggregation and correlation of intrusion detection alerts," Proceedings of the International Symposium on Recent Advances in Intrusion Detection, pp. 85-103, 2001.
  13. B. Morin, L. Me, H. Debar, and M. Ducasse, "M2D2: A formal data model for IDS alert correlation," Proc. Recent Advances in Intrusion Detection, pp. 115-137, 2002.
  14. X. Qin and W. Lee, "Statistical causality analysis of infosec alert data." in Proceedings of The 6th International Symposium on Recent Advances in Intrusion Detection (RAID 2003), Pittsburgh, PA, Sep. 2003.
  15. X. Qin and W. Le, "Statistical causality analysis of infosec alert data", Lecture Notes in Computer Science, vol. 2820, pp. 73-93, Sep. 2003. https://doi.org/10.1007/978-3-540-45248-5_5
  16. A. Valdes and K. Skinner, Probabilistic alert correlation, Berlin, HDB: Springer, 2001.
  17. O. Dain and R. Cunninghan, "Building scenarios from a heterogeneous alert stream," in Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, pp. 231-235, Jun. 2001.
  18. K. H. Son, T. J. Lee and D. Won, "Design for Zombie PCs and APT Attack Detection based on traffic analysis," J. Korea Inst. Info. Security & Cryptology, vol. 24, no. 3, pp. 491-498, Jun. 2014. https://doi.org/10.13089/JKIISC.2014.24.3.491
  19. C. Y. Choi and D. W. Woo, "The Analysis of the APT Prelude by Big Data Analytics", in Proceedings of The 39th Conference of KIICE, vol. 20, no. 1, pp. 317-320, May 2016.

Cited by

  1. 시계열 데이터에 적합한 다단계 비정상 탐지 시스템 설계 vol.16, pp.6, 2016, https://doi.org/10.7236/jiibc.2016.16.6.1
  2. 국가 사이버안보를 위한 정책 연구 vol.21, pp.9, 2016, https://doi.org/10.6109/jkiice.2017.21.9.1666
  3. 보안로그 빅데이터 분석 효율성 향상을 위한 방화벽 로그 데이터 표준 포맷 제안 vol.30, pp.1, 2016, https://doi.org/10.13089/jkiisc.2020.30.1.157