APT 공격 탐지를 위한 온톨로지 기반의 상황인지 모델

Abstract

With the Internet of cloud services, big data, machine learning, mobile technology, artificial intelligence, and similar new technologies providing the ability to connect and intelligently handle every aspect of our lives, these recent developments in IT technology have facilitated a highly personalized service and dramatically improved the productivity of industry, leading to a better quality of life. However, such changes have become the source of serious threats to cyber security. As everything is connected and intelligently handled, the importance of data has been thrown into sharper focus. Every company has invested heavily in protecting important data in the enterprise resources to encrypt key data, control access, and build security information and event management solutions to detect signs of an attack However, the advanced persistent threats (APT) attack, which can bypass security devices, hides malicious code in the system and steals information in a covert and continuous manner, causing serious damage. APT attacks are one of the biggest challenges to conventional cyber security technology. this study constructed security threat ontology by analyzing and modeling the context information of a real APT attack, which is difficult to develop with security technology, and further designed reasoning rules based on inter-class relationships. The reasoning rules divide an APT attack into steps such as reconnaissance, attack using virus, acquisition of backdoor, action to achieve goal, acquisition of data after goal achievement, and finally, erasing traces of intrusion. Thus, to detect an anomaly in the context of an APT attack using the process of the APT attack, reasoning rules were designed by using Semantic Web Rule Language (SWRL) language for the context-aware reasoning of attack phase, penetration pahse, and collection phase based on the context information before and after the APT attack. Based on the SWRL language defined after designing the reasoning rules, the detection reasoning results for an APT attack context could be derived using the stepwise defined and designed rules. Future studies will continue to develop monitoring and context-aware control service systems with advanced functions to enable the integrated detection and control of various security threats using the application of various rules and the mapping of conventional designed ontologies via the modification and addition of rules.