Convergence Security Journal (융합보안논문지)

Korea convergence Security Association (한국융합보안학회)
권호 표지
DOI QR코드

DOI QR Code

A Study on Threat Detection Model using Cyber Strongholds

사이버 거점을 활용한 위협탐지모델 연구

  • 김인환 (세종대학교/컴퓨터공학과) ;
  • 강지원 (세종대학교/컴퓨터공학과) ;
  • 안훈상 (강릉원주대학교/소프트웨어학과) ;
  • 전병국 (강릉원주대학교/소프트웨어학과)
  • Received : 2021.12.03
  • Accepted : 2021.12.31
  • Published : 2022.03.31
Download PDF
⟨ Previous Next ⟩

Abstract

With the innovative development of ICT technology, hacking techniques of hackers are also evolving into sophisticated and intelligent hacking techniques. Threat detection research to counter these cyber threats was mainly conducted in a passive way through hacking damage investigation and analysis, but recently, the importance of cyber threat information collection and analysis is increasing. A bot-type automation program is a rather active method of extracting malicious code by visiting a website to collect threat information or detect threats. However, this method also has a limitation in that it cannot prevent hacking damage because it is a method to identify hacking damage because malicious code has already been distributed or after being hacked. Therefore, to overcome these limitations, we propose a model that detects actual threats by acquiring and analyzing threat information while identifying and managing cyber bases. This model is an active and proactive method of collecting threat information or detecting threats outside the boundary such as a firewall. We designed a model for detecting threats using cyber strongholds and validated them in the defense environment.

ICT 기술의 혁신적인 발전에 따라 해커의 해킹 수법도 정교하고 지능적인 해킹기법으로 진화하고 있다. 이러한 사이버 위협에 대응하기 위한 위협탐지 연구는 주로 해킹 피해 조사분석을 통해 수동적인 방법으로 진행되었으나, 최근에는 사이버 위협정보 수집과 분석의 중요성이 높아지고 있다. 봇 형태의 자동화 프로그램은 위협정보를 수집하거나 위협을 탐지하기 위해 홈페이지를 방문하여 악성코드를 추출하는 다소 능동적인 방법이다. 그러나 이러한 방법도 이미 악성코드가 유포되어 해킹 피해를 받고 있거나, 해킹을 당한 이후에 식별하는 방법이기 때문에 해킹 피해를 예방할 수 없는 한계점이 있다. 따라서, 이러한 한계점을 극복하기 위해 사이버 거점을 식별, 관리하면서 위협정보를 획득 및 분석하여 실질적인 위협을 탐지하는 모델을 제안한다. 이 모델은 방화벽 등의 경계선 외부에서 위협정보를 수집하거나 위협을 탐지하는 적극적이고 능동적인 방법이다. 사이버 거점을 활용하여 위협을 탐지하는 모델을 설계하고 국방 환경에서 유효성을 검증하였다.

Keywords

Acknowledgement

본 연구는 방위사업청과 국방과학연구소의 지원으로 수행되었음. (No, UD210029TD)

References

  1. McMillan R. Definition: threat intelligence. Gartner; 2013. https://www.gartner.com/imagesrv/media-products/pdf/webroot/issue1_webroot.pdf.
  2. Chrismon D, Ruks M. Threat Intelligence: Collecting, analyzing, evaluating, MWR Infosecurity, UK Cert, United Kingdom; 2015. https://www.foo.be/docs/informations-sharing/Threat-Intelligence-Whitepaper.pdf.
  3. Dalziel H. How to define and build an effective cyber threat intelligence capability. Syngress Publishing of Elsevier; 2014. https://www.sciencedirect.com/book/9780128027301/how-to-define-and-build-an-effective-cyber-threat-intelligencecapabilit.
  4. Nenekazi N. P. Mkuzangwe, Zubeida C. Khan, "Cyber-Threat Information-Sharing Standards: A Review of Evaluation Literature", The African Journal of Information and Communication(AJIC) On-line version vol.25 Johannesburg 2020. DOI:http://dx.doi.org/10.23962/10539/29191.
  5. Md. Farhan Haque, Ram Krishnan, "Toward Automated Cyber Defense with Secure Sharing of Structured Cyber Threat Intelligence", Information Systems Frontiers 2021 -Springer, DOI:https://doi.org/10.1007/s10796-020-10103-7.
  6. Se-Ho Lee, In-June Jo, "Proposal of Security Orchestration Service Model based on Cyber Security Framework", The Journal of the Korea Contents Association Vol.20, No.7, pp.618-628, 2020. https://doi.org/10.5392/JKCA.2020.20.07.618.
  7. Jae-Hyun Choi, Hoo-Jin Lee, "A Study on the Real-time Cyber Attack Intrusion Detection Method", Journal of the Korea Convergence Society Vol. 9. No. 7, pp. 55-62, 2018. https://doi.org/10.15207/JKCS.2018.9.7.055.
  8. Alper Caglayan, Mike Toothaker, Dan Drapeau, Dustin Burke & Gerry Eaton, "Behavioral analysis of botnets for threat intelligence", Information Systems and e-Business Management Vol. 10, pp.491-519, Dec. 2012. https://doi.org/10.1007/s10257-011-0171-7
  9. Fireeye Mandiant, "what is cyber threat intelligence", DOI:https://www.fireeye.kr/mandiant/threat-intelligence/what-is-cyber-threat-intelligence.html
  10. Gartner, "Security Threat Intelligence Products and Services Reviews and Ratings", DOI:https://www.gartner.com/reviews/market/security-threat-intelligence-services.
  11. SANS, "The Evolution of Cyber Threat Intelligence(CTI) : 2019 SANS CTI Survey", DOI:https://www.sans.org/whitepapers/38790/.
  12. 김경한, 이슬기, 김병익, 박순태, "OSINT기반의 활용 가능한 사이버 위협 인텔리전스 생성을 위한 위협정보수집 시스템", 정보보호학회지, pp. 75-80, 제29권 제6호, Dec. 2019. DOI:https://www.koreascience.or.kr/article/JAKO201904533932647.pdf.
  13. SSeung-Soo Nam, Chang-Ho Seo, Joo-Young Lee, Jong-Hyun Kim, Ik-Kyun Kim, "Context cognition technology through integrated cyber security context analysis", Journal of Digital Convergence Vol. 13, No 1, pp.313-319, Jan, 2015. DOI : https://www.earticle.net/Article/A239116. https://doi.org/10.14400/JDC.2015.13.1.313
  14. Kim Namuk, Eom Jungho, "Attack Path and Intention Recognition System for detecting APT Attack", Journal of Korea Society of Digital Industry and Information Management, Vol. 16. No. 1, pp. 67-78, 2020. DOI: https://doi.org/10.17662/ksdim.2020.16.1.067.
  15. Lim Changwan, Shin Youngsup, Lee Dongjae, Cho Sungyoung, Han Insung, Oh Haengrok, "Real-time Cyber Threat Intelligent Analysis and Prediction Technique", KIISE transactions on computing practices Vol.25, No.11, pp.565-570, 2019. DOI : 10.5626/KTCP.2019.25.11.565.
  16. Han Choong-Hee, Han ChangHee, "Cyber threat Detection and Response Time Modeling", Journal of Internet Computing and Services, Vol.22, No.3, pp.53-58, Jun. 2021. https://doi.org/10.7472/jksii.2021.22.3.53.
  17. Se-Ho Lee, In-June Jo, "Proposal of Security Orchestration Service Model based on Cyber Security Framework", The Journal of the Korea Contents Association Vol.20, No.7, pp.618-628, 2020. https://doi.org/10.5392/JKCA.2020.20.07.618.
  18. Jae-Hyun Choi, Hoo-Jin Lee, "A Study on the Real-time Cyber Attack Intrusion Detection Method", Journal of the Korea Convergence Society Vol. 9. No. 7, pp. 55-62, 2018. https://doi.org/10.15207/JKCS.2018.9.7.055.
  19. Inhwan Kim, Dukyun Kim, Sungkuk Cho, Byungkook Jeon, "A Method for Original IP Detection of VPN Accessor", The Journal of The Institute of Internet, Broadcasting and Communication(IIBC) Vol. 21, No. 3, pp.91-98, Jun. 30, 2021. DOI:https://doi.org/10.7236/JIIBC.2021.21.3.91.
  20. T. Mattern, J. Felker, R. Borum, G. Bamford, "Operational Levels of Cyber Intelligence", International Journal of Intelligence and Counterintelligence, 27 : 702-719, 2014. https://doi.org/10.1080/08850607.2014.924811.
  21. ENISA, "Threat Landscape Report 2016", European Union Agency for Cybersecurity (ENISA), Jan. 2017. https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2016.
  22. https://ichi.pro/ko/cti-cyber-threat-intelligence-yoyag-1-124932966514066.
  23. Jongwon Choi, Yesol Kim, Byung-gil Min, "A Study on ICS Security Information Collection Method Using CTI Model", Journal of The Korea Institute of Information Security & Cryptology Vol.28, No.2, pp.471-484, Apr. 2018. DOI:10.13089/JKIISC.2018.28.2.471.
  24. http://www.foolmoon.net/security/wft/index.html, "Windows Forensic Toolchest", (검색일: 2021.12.23.).
  25. https://www.krcert.or.kr/webprotect/ctas.do, "사이버 위협정보분석공유(C-TAS) 시스템", (검색일: 2021.12.23.).
  26. 엄정호, "모자이크전 수행 개념을 적용한 능동형 상황 탄력적 사이버 방어작전", 융합보안논문지, 21(4), pp.41-48, 2021.