• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.3
• /
• pp.527-545
• /
• 2022

In order to effectively detect APT attacks performed by well-organized adversaries, we implemented a system to detect attacks by reconstructing attack chains of APT attacks. Our attack chain-based APT attack detection system consists of 'events collection and indexing' part which collects various events generated from hosts and network monitoring tools, 'unit attack detection' part which detects unit-level attacks defined in MITRE ATT&CK^® techniques, and 'attack chain reconstruction' part which reconstructs attack chains by performing causality analysis based on provenance graphs. To evaluate our system, we implemented a test-bed and conducted several simulated attack scenarios provided by MITRE ATT&CK Evaluation program. As a result of the experiment, we were able to confirm that our system effectively reconstructed the attack chains for the simulated attack scenarios. Using the system implemented in this study, rather than to understand attacks as fragmentary parts, it will be possible to understand and respond to attacks from the perspective of progress of attacks.

• Review of KIISC
• /
• v.23 no.1
• /
• pp.44-53
• /
• 2013

APT 공격은 특정 기업 또는 기관의 핵심 정보통신 설비에 대한 중단 또는 핵심정보의 획득을 목적으로 공격자는 장기간 동안 공격대상에 대해 IT인프라, 업무환경, 임직원 정보 등 다양한 정보를 수집하고, 이를 바탕으로 제로데이공격 사회공학적 기법 등을 이용하여 공격대상이 보유한 취약점을 수집 악용해 공격을 실행하는 것을 말한다. APT 공격의 특징은 명확한 공격대상을 정하고 장기간 동안 다양한 정보를 수집하여 취약점을 악용할 수 있는 정교한 프로그램을 사용하여 매우 치밀하게 공격을 수행하는 것으로 현존하고 있는 보안솔루션이나 기술로는 탐지와 대응이 어려운 측면이 있다. 본 논문에서는 APT 공격의 정의와 국내외 사고사례에 대한 분석, 금융권에서의 APT 공격에 대응하기 위한 관리적 방안과 기술적 방안 그리고 이에 대한 보안솔루션에 대해 검토하여 금융권에 적절한 대응방안을 제시하고자 한다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2015.04a
• /
• pp.421-423
• /
• 2015

인터넷을 통한 악성코드의 확산이 나날이 증가하고 있는 가운데 특정 대상을 목표로 하여 지능적이고 지속적으로 공격하는 Advanced Persistent threat(APT) 공격이 이슈가 되고 있다. APT 공격은 특정 시스템을 목표로 하여 공격하기 때문에, 실제 공격이 성공 했을 시에는 그 피해가 더 치명적일 수 있다. 본 논문에서는 APT공격의 정의를 살펴보며, 최근에 발생하는 일반적인 APT 공격의 형태와 그 대응 방안에 대해 논의한다.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2013.05a
• /
• pp.234-237
• /
• 2013

National institutions and companies worldwide are damaged through serious, advanced and persistent attacks. The cyber attack that occurred on March 20, 2013 in South Korea, emerged as a serious problem in highlighting the urgent need for future countermeasures. In this paper, we examine the APT attacks that occurred over the last two years. In particular, we discuss strategies for handling a cyber crisis in Korea, focusing on APT attacks that may occur in the future.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2017.01a
• /
• pp.133-134
• /
• 2017

본 논문에서는 APT 공격의 공격 시나리오와 그에 따른 방어 시나리오를 구상하여 기존 방어법의 문제점을 찾고 방어대책을 제시하고 솔루션을 구축하였다. 제안된 방어 프로세스는 기존의 방식과 달리 END-POINT에서 침투에 대해 모니터링을 통하여 APT공격에 대응하는 방식이다. 공격 툴 넷버스, 백오리피스, 서브세븐, 스쿨버스를 이용해서 공격을 시도 한 뒤 본 논문에서 구축한 방어 프로세스를 이용하여 방어 실험을 실시하였다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2021.05a
• /
• pp.109-112
• /
• 2021

매년 슈퍼컴퓨터를 표적으로 공격이 증가하고 있고, 공격의 방식은 날로 진화하고 있다. 슈퍼컴퓨터를 대상으로 하는 공격에 대응하기 위해 기존의 연구는 공격 특성을 분석하여 맞춤형 대책을 제시하거나 분석을 통해 보안 요구사항을 도출하였다. 하지만 연구과정에서 APT life cycle 관점이 반영되지 않으면, 지능형 지속 위협인 APT를 인지 및 대응하기 어려운 문제점이 있다. 이러한 문제점을 해결하기 위해, 본 논문은 APT 시나리오 기반의 위협 모델링 분석을 통해 슈퍼컴퓨터 보안 요구사항을 도출 한다.

• Journal of Convergence Society for SMB
• /
• v.5 no.2
• /
• pp.1-6
• /
• 2015

Small and medium-sized companies lack countermeasures to secure the safety of a information system. In this circumstance, they have difficulties regarding the damage to their images and legal losses, when the information is leaked. This paper examines the information leakage of the system and hacking methods including APT attacks. Especially, APT attack, Advanced Persistent Threats, means that a hacker sneaks into a target and has a latency period of time and skims all the information related to the target, and acts in the backstage and neutralize the security services without leaving traces. Because he attacks the target covering up his traces not to reveal them, the victim remains unnoticed, which increases the damage. This study examines attack methods and the process of them and seeks a countermeasure.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.16 no.6
• /
• pp.287-294
• /
• 2016

APT attack aimed at the interruption of information and communication facilities and important information leakage of companies. it performs an attack using zero-day vulnerabilities, social engineering base on collected information, such as IT infra, business environment, information of employee, for a long period of time. Fragmentary response to cyber threats such as malware signature detection methods can not respond to sophisticated cyber-attacks, such as APT attacks. In this paper, we propose a cyber intrusion detection model for countermeasure of APT attack by utilizing heterogeneous system log into big-data. And it also utilizes that merging pattern-based detection methods and abnormality detection method.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.5
• /
• pp.1027-1041
• /
• 2015

Recently, there are rapidly increasing cases of APT (Advanced Persistent Threat) attacks such as Verizon(2010), Nonghyup(2011), SK Communications(2011), and 3.20 Cyber Terror(2013), which cause leak of confidential information and tremendous damage to valuable assets without being noticed. Several anomaly detection technologies were studied to defend the APT attacks, mostly focusing on detection of obvious anomalies based on known malicious codes' signature. However, they are limited in detecting APT attacks and suffering from high false-negative detection accuracy because APT attacks consistently use zero-day vulnerabilities and have long latent period. Detecting APT attacks requires long-term analysis of data from a diverse set of sources collected over the long time, real-time analysis of the ingested data, and correlation analysis of individual attacks. However, traditional security systems lack sophisticated analytic capabilities, compute power, and agility. In this paper, we propose a Fast Data based real-time abnormal behavior detection system to overcome the traditional systems' real-time processing and analysis limitation.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2021.10a
• /
• pp.449-451
• /
• 2021

Cyber-attacks targeting endpoints have developed sophisticatedly into targeted and intelligent attacks, Advanced Persistent Threat (APT) targeting the Industrial Internet of Things (IIoT) has increased accordingly. Machine learning-based Endpoint Detection and Response (EDR) solutions combine and complement rule-based conventional security tools to effectively defend against APT attacks are gaining attention. However, universal EDR solutions have a high false positive rate, and needs high-level analysts to monitor and analyze a tremendous amount of alerts. Therefore, the process of optimizing machine learning-based EDR solutions that consider the characteristics and vulnerabilities of IIoT environment is essential. In this study, we analyze the flow and impact of IIoT targeted APT cases and compare the method of machine learning-based APT detection EDR solutions.