DOI QR코드

DOI QR Code

SIEM 기반 사이버 침해사고 대응을 위한 데이터 보완 메커니즘 비교 분석

Analysis of Cyber Incident Artifact Data Enrichment Mechanism for SIEM

  • 이형우 (한신대학교 컴퓨터공학부)
  • Lee, Hyung-Woo (Division of Computer Engineering, Hanshin University)
  • 투고 : 2022.07.20
  • 심사 : 2022.09.05
  • 발행 : 2022.10.31

초록

최근 IoT 및 휴대용 통신 단말에 각종 서비스가 연동되면서 해당 디바이스의 보안 취약점을 악용한 사이버 공격이 급증하고 있다. 특히 지능형 지속위협(APT) 공격을 통해 대단위 네트워크 환경에서 이기종 형태의 디바이스를 대상으로 한 사이버 공격이 급증하고 있다. 따라서 침해사고 발생시 대응 체계의 유효성을 향상시키기 위해서는 위협 분석 및 탐지 성능이 향상되도록 수집된 아티팩트 데이터에 대한 데이터 보완(Data Enrichment) 메커니즘을 적용할 필요가 있다. 이에 본 연구에서는 침해사고 분석을 위해 수집된 아티팩트를 대상으로 기존의 사고관리 프레임워크에서 수행하는 데이터 보완 공통 요소를 분석하여 실제 시스템에 적용 가능한 특징 요소를 도출하고, 이를 토대로 개선된 사고분석 프레임워크 프로토타입 구조를 제시하였으며 도출된 데이터 보완 확장 요소의 적합도를 검증하였다. 이를 통해 이기종 디바이스로부터 수집된 아티팩트를 대상으로 사이버 침해사고 분석 시 탐지 성능을 향상시킬 수 있을 것으로 기대된다.

As various services are linked to IoT(Internet of Things) and portable communication terminals, cyber attacks that exploit security vulnerabilities of the devices are rapidly increasing. In particular, cyber attacks targeting heterogeneous devices in large-scale network environments through advanced persistent threat (APT) attacks are on the rise. Therefore, in order to improve the effectiveness of the response system in the event of a breach, it is necessary to apply a data enrichment mechanism for the collected artifact data to improve threat analysis and detection performance. Therefore, in this study, by analyzing the data supplementation common elements performed in the existing incident management framework for the artifacts collected for the analysis of intrusion accidents, characteristic elements applicable to the actual system were derived, and based on this, an improved accident analysis framework The prototype structure was presented and the suitability of the derived data supplementary extension elements was verified. Through this, it is expected to improve the detection performance when analyzing cyber incidents targeting artifacts collected from heterogeneous devices.

키워드

과제정보

이 논문은 2022학년도 한신대학교 학술연구비의 지원에 의하여 연구되었음.

참고문헌

  1. S.N.Swamy and S.R.Kota, "An Empirical Study on System Level Aspects of Internet of Things (IoT)," IEEE Access, Vol.8, pp.188082-188134, 2020. https://doi.org/10.1109/access.2020.3029847
  2. Hassannataj Joloudari, J., Haderbadi, M., Mashmool, A., GhasemiGol, M., Shahab, S., and Mosavi, A., "Early detection of the advanced persistent threat attack using performance analysis of deep learning", arXiv e-prints, 2020.
  3. Chen, P., Desmet, L., Huygens, C., "A Study on Advanced Persistent Threats," Communications and Multimedia Security. CMS 2014, Lecture Notes in Computer Science, Vol.8735. Springer.
  4. Gustavo Gonzalez-Granadillo, Susana Gonzalez-Zarzosa, Rodrigo Diaz, "Security Information and Event Managment (SIEM): Analysis, Trends, and Usage in Critical Infrastructures," Sensors, Vol.21, No.14, 2021,
  5. Md Sahrom Abu, Siti Rahayu Selamat, Aswami Ariffin, Robiah Yusof, "Cyber Threat Intelligence - Issue and Challenges," Indonesian Journal of Electrical Emgineering and Computer Science, Vol.10, No.1, April 2018, pp.371-379. https://doi.org/10.11591/ijeecs.v10.i1.pp371-379
  6. Hussam Mohammed, Hathan Clarke, Fudong Li, "An Automated Approach for Digital Forensic Analysis of Heterogeneous Big Data," Journal of Digital Forensics, Security and Law, Vol.11, No.2, 2016, pp.137-152.
  7. A. Alenezi, H. Atlam, R. Alsagri, M. Alassafi, and G. Wills, "IoT Forensics: A State-of-the-Art Review, Challenges and Future Directions," Proceedings of the 4th International Conference on Complexity, Future Information Systems and Risk (COMPLEXIS 2019), pp.106-115.
  8. H.Lee, "Intrusion Artifact Acquisition Method based on IoT Botnet Malware," Journal of The Korea Internet of Things Society, Vol.7, No.3, pp.1-8, 2021.
  9. Maria Stoyanova, Yannis Nikoloudakis, Spyridon Panagiotakis, Evangelos Pallis, and Evangelos K. Markakis, "A Survey on the Internet of Things (IoT) Forensics: Challenges, Approaches, and Open Issues," IEEE COMMUNICATIONS SURVEYS & TUTORIALS, Vol.22, No.2, pp.1191-1221, SECOND QUARTER 2020. https://doi.org/10.1109/COMST.2019.2962586
  10. MISP, Open Source Threat Intelligence and Sharing Platform, "https://www.misp-project.org".
  11. IntelMQ, "https://intelmq.readthedocs.io".
  12. TheHive, "https://thehive-project.org".
  13. Cortex, "https://github.com/TheHive-Project/Cortex".
  14. Splunk, "https://www.splunk.com".
  15. CyberTriage, "https://www.cybertriage.com"
  16. Google GRR, "https://github.com/google/grr"
  17. Elastic Security, "https://www.elastic.com/security"