Cyberattack Tracing System Operational Architecture

  • Ahn, Jae-hong (Defense Cyber Technology Center, Defense Advanced Science and Technology Research Institute, Agency for Defense Development)
  • Received : 2022.10.05
  • Accepted : 2023.02.27
  • Published : 2023.04.05

Abstract

APT cyberattacks have been a problem for over a decade, but they still remain a challenge today as attackers use more sophisticated techniques and the number of objects to be protected increases. The 'Cyberattack Tracing System' allows analysts to find undetected attack code that has penetrated and hidden inside enterprises, and to investigate its lateral-movement propagation activities. The enterprise is characterized by multiple networks and a large number of hosts (PCs/servers). This paper presents a data processing procedure that collects event data, generates a temporally and spatially extended provenance graph, and derives cyberattack tracing paths. For each phase of the data processing procedure, system design considerations are suggested. Reflecting the data processing procedure and the characteristics of the enterprise environment, an operational architecture for the Cyberattack Tracing System is presented. The operational architecture will lead to the detailed design of the system.
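The procedure the abstract describes (collecting host events, linking them into a provenance graph that spans several hosts, and tracing paths backward from a detection) is illustrated by the following added example; it is not the paper's system or code, and the host names, event records and field layout are constructed for illustration.

```python
# Added example (not the paper's system): a minimal cross-host provenance graph
# with a time-respecting backward trace from an alert to its origin.
from collections import defaultdict

# Constructed event log: (timestamp, host, source node, relation, target node).
# Nodes are "host:kind:name". The "connected" edge crosses hosts, which is what
# extends the graph spatially across the enterprise.
EVENTS = [
    (1, "pcA", "pcA:proc:outlook.exe", "spawned", "pcA:proc:winword.exe"),
    (2, "pcA", "pcA:proc:winword.exe", "wrote", "pcA:file:C:\\Temp\\loader.exe"),
    (3, "pcA", "pcA:file:C:\\Temp\\loader.exe", "executed_as", "pcA:proc:loader.exe"),
    (4, "pcA", "pcA:proc:loader.exe", "connected", "srvB:proc:sshd"),  # cross-host edge
    (5, "srvB", "srvB:proc:sshd", "spawned", "srvB:proc:bash"),
    (6, "srvB", "srvB:proc:bash", "read", "srvB:file:/etc/shadow"),  # detection point
    (7, "srvB", "srvB:proc:cron", "wrote", "srvB:file:/etc/shadow"),  # later, causally irrelevant
]

def build_graph(events):
    """Index every edge by its target node: target -> [(timestamp, source, relation)]."""
    parents = defaultdict(list)
    for ts, _host, src, rel, dst in events:
        parents[dst].append((ts, src, rel))
    return parents

def trace_back(parents, alert_node, alert_time):
    """Backward trace from the alerted node.

    Only edges that happened at or before the time the node was reached are
    followed, so events that occurred after the detection cannot be blamed.
    Returns the edges on the tracing path (time-ordered) and the hosts crossed.
    """
    path, seen, stack = [], set(), [(alert_node, alert_time)]
    while stack:
        node, before = stack.pop()
        for ts, src, rel in parents.get(node, ()):
            if ts > before or (src, node) in seen:
                continue  # temporal pruning / already visited
            seen.add((src, node))
            path.append((ts, src, rel, node))
            stack.append((src, ts))
    hosts = {n.split(":")[0] for e in path for n in (e[1], e[3])}
    return sorted(path), hosts

if __name__ == "__main__":
    edges, hosts = trace_back(build_graph(EVENTS), "srvB:file:/etc/shadow", 6)
    for ts, src, rel, dst in edges:
        print(f"t={ts}: {src} --{rel}--> {dst}")
    print("hosts on path:", sorted(hosts))
```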

Acknowledgement

This paper is the result of research conducted by the Agency for Defense Development in 2023 with funding from the Korean Government (Defense Acquisition Program Administration) (912410301).
