
KR-102961025-B1 - APPARATUS FOR PROCESSING CYBER THREAT INFORMATION, METHOD FOR PROCESSING CYBER THREAT INFORMATION, AND MEDIUM FOR STORING A PROGRAM PROCESSING CYBER THREAT INFORMATION


Abstract

The disclosed embodiment provides a method for providing cyber threat information, comprising: receiving from a client a request for cyber threat information (CTI) analysis of a document script; analyzing the document script to obtain CTI analysis information about the script; generating a CTI query related to the document script based on that analysis information and transmitting it to a natural language model; and providing the client with the CTI analysis information together with the natural language explanation returned by the natural language model for the CTI query. According to the embodiment, even a user who is not an expert can readily understand the mechanism of the cyber threat and the basis of the analysis.

Inventors

  • 김기홍
  • 박성은
  • 최민준
  • 장세준
  • 이현종
  • 김창균

Assignees

  • 주식회사 샌즈랩

Dates

Publication Date
2026-05-08
Application Date
2023-07-19

Claims (6)

  1. A method for providing cyber threat information, comprising: receiving, by a processor for processing data, a request from a client for cyber threat information (CTI) analysis of a document script contained in a file; analyzing, by the processor, the file in accordance with the CTI analysis request to obtain CTI analysis information indicating whether the file is malicious; when the file is determined to be malicious based on the CTI analysis information, generating, by the processor, a CTI query related to the document script contained in the file based on the CTI analysis information, the CTI analysis information including information on whether the document script contained in the file is malicious, information on attack techniques, information on attack groups, and information on attack campaigns; transmitting, by the processor, the CTI query corresponding to the document script to a natural language model to obtain natural language description information explaining a cyber threat mechanism related to the document script; and providing, by the processor, the CTI analysis information and the natural language description information to the client, wherein the cyber threat mechanism includes one or more functions that are executed when the document script is executed, wherein the natural language description information describes the commands, variables, or paths executed by the one or more functions, and wherein the natural language description information describes the code contained in the document script, the language in which the code is written, the subroutine in which the code exists, and the one or more functions executed by each subroutine within the code.
  2. The method of claim 1, wherein the CTI query comprises at least one of a keyword of the CTI, a hash value associated with the CTI, an attack identifier associated with the CTI, an attack group identifier associated with the CTI, an attack technique associated with the CTI, or attack campaign information associated with the CTI.
  3. A device for providing cyber threat information, comprising: a database that stores data; and a processor, wherein the processor performs operations including: receiving a request from a client for cyber threat information (CTI) analysis of a document script contained in a file; analyzing the file in accordance with the CTI analysis request to obtain CTI analysis information indicating whether the file is malicious; when the file is determined to be malicious based on the CTI analysis information, generating a CTI query related to the document script contained in the file based on the CTI analysis information, the CTI analysis information including information on whether the document script contained in the file is malicious, information on attack techniques, information on attack groups, and information on attack campaigns; transmitting the CTI query corresponding to the document script to a natural language model to obtain natural language description information explaining a cyber threat mechanism related to the document script; and providing the CTI analysis information and the natural language description information to the client, wherein the cyber threat mechanism includes one or more functions that are executed when the document script is executed, wherein the natural language description information describes the commands, variables, or paths executed by the one or more functions, and wherein the natural language description information describes the code contained in the document script, the language in which the code is written, the subroutine in which the code exists, and the one or more functions executed by each subroutine within the code.
  4. The device of claim 3, wherein the CTI query comprises at least one of a keyword of the CTI, a hash value associated with the CTI, an attack identifier associated with the CTI, an attack group identifier associated with the CTI, an attack technique associated with the CTI, or attack campaign information associated with the CTI.
  5. A storage medium storing a computer-executable program for providing cyber threat information, the program causing a processor to: receive a request from a client for cyber threat information (CTI) analysis of a document script contained in a file; analyze the file in accordance with the CTI analysis request and, when the file is determined to be malicious based on CTI analysis information indicating whether the file is malicious, generate a CTI query related to the document script contained in the file based on the CTI analysis information, the CTI analysis information including information on whether the document script contained in the file is malicious, information on attack techniques, information on attack groups, and information on attack campaigns; transmit the CTI query corresponding to the document script to a natural language model to obtain natural language description information explaining a cyber threat mechanism related to the document script; and provide the CTI analysis information and the natural language description information to the client, wherein the cyber threat mechanism includes one or more functions that are executed when the document script is executed, wherein the natural language description information describes the commands, variables, or paths executed by the one or more functions, and wherein the natural language description information describes the code contained in the document script, the language in which the code is written, the subroutine in which the code exists, and the one or more functions executed by each subroutine within the code.
  6. The storage medium of claim 5, wherein the CTI query comprises at least one of a keyword of the CTI, a hash value associated with the CTI, an attack identifier associated with the CTI, an attack group identifier associated with the CTI, an attack technique associated with the CTI, or attack campaign information associated with the CTI.
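The pipeline the claims describe, as an added worked example that is not the patent's or the assignee's code: a request arrives with a document script, the script is analyzed, a CTI query is generated only when the verdict is malicious, the query is turned into a request to a natural language model, and the client receives both the analysis information and the model's description. Everything below the claim language is an assumption of this example: a static VBA macro triage stands in for the patent's static, dynamic and in-depth analysis stages, the sample macro and the hash-keyed threat database are constructed for the example, the ATT&CK technique identifiers used to fill the "attack technique" field are an illustrative mapping, and the natural language model is an offline stub that can be swapped for a real call.

```python
import hashlib
import re
from typing import Callable, Optional

# Constructed VBA macro standing in for "a document script contained in a file";
# the encoded payload is a placeholder, not a real command.
SAMPLE_MACRO = r"""Sub AutoOpen()
    Dim cmd As String
    cmd = "powershell -w hidden -enc SQBFAFgA"
    Call RunIt(cmd)
End Sub
Private Sub RunIt(c As String)
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.Run c, 0, False
    Open "C:\Users\Public\drop.txt" For Output As #1
End Sub
"""

def sha256_hex(script: str) -> str:
    return hashlib.sha256(script.encode("utf-8")).hexdigest()

# Constructed stand-in for the pattern database the description mentions:
# hash -> attack / group / campaign labels (illustrative, not real intelligence).
THREAT_DB = {sha256_hex(SAMPLE_MACRO): {"attack_id": "ATK-EXAMPLE-0001",
                                        "group_id": "GRP-EXAMPLE", "campaign": "CAMPAIGN-EXAMPLE"}}

AUTO_EXEC = {"autoopen", "auto_open", "document_open", "workbook_open"}
EXEC_FUNCS = {"CreateObject", "GetObject", "Shell", "ShellExecute", "Run", "Exec"}
COMMAND_HINTS = {"powershell", "cmd", "wscript", "cscript", "mshta", "rundll32", "regsvr32"}
PROC_RE = re.compile(r"^[ \t]*(?:Private\s+|Public\s+)?(Sub|Function)\s+(\w+)\s*\([^)]*\)[^\n]*\n"
                     r"(.*?)^\s*End\s+\1", re.S | re.M)
API_RE = re.compile(r"\b(CreateObject|GetObject|Shell|ShellExecute|Open)\b|\.(Run|Exec)\b|\bCall\s+(\w+)")
DIM_RE = re.compile(r"\bDim\s+(\w+)")
STRING_RE = re.compile(r'"([^"]*)"')
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s]+')

def is_command(s: str) -> bool:
    """A string literal counts as a command line when its first token is an interpreter."""
    return bool(s.split()) and s.split()[0].lower().removesuffix(".exe") in COMMAND_HINTS

def describe_procedure(name: str, body: str) -> dict:
    """Claim 1's per-subroutine findings; literals are blanked before call matching so "WScript.Shell" is not a call."""
    code = STRING_RE.sub('""', body)
    return {"name": name,
            "functions": [a or b or c for a, b, c in API_RE.findall(code)],
            "variables": DIM_RE.findall(code),
            "paths": PATH_RE.findall(body),
            "commands": [s for s in STRING_RE.findall(body) if is_command(s)]}

def analyze_script(script: str) -> dict:
    """Static analysis standing in for the patent's static/dynamic/in-depth stages."""
    procedures = [describe_procedure(n, b) for _kind, n, b in PROC_RE.findall(script)]
    has_autoexec = any(p["name"].lower() in AUTO_EXEC for p in procedures)
    has_exec = any(f in EXEC_FUNCS for p in procedures for f in p["functions"])
    commands = [c for p in procedures for c in p["commands"]]
    # Verdict heuristic: runs on document open and spawns a process or carries a command line.
    is_malicious = has_autoexec and (has_exec or bool(commands))
    # ATT&CK identifiers fill the claims' "attack technique" field; this mapping is illustrative.
    techniques = ["T1059.005", "T1204.002"] if is_malicious else []  # Visual Basic; Malicious File
    if is_malicious and any(c.lower().startswith("powershell") for c in commands):
        techniques.append("T1059.001")  # PowerShell
    return {"sha256": sha256_hex(script), "language": "VBA", "is_malicious": is_malicious,
            "procedures": procedures, "techniques": techniques,
            "keywords": sorted({f for p in procedures for f in p["functions"] if f in EXEC_FUNCS})}

def build_cti_query(info: dict) -> Optional[dict]:
    """Claims 1-6: no query unless the file is judged malicious; the query carries at least one
    of keyword, hash, attack id, group id, attack technique, campaign information."""
    if not info["is_malicious"]:
        return None
    intel = THREAT_DB.get(info["sha256"], {})
    return {"keyword": info["keywords"], "hash": info["sha256"], "attack_id": intel.get("attack_id"),
            "group_id": intel.get("group_id"), "technique": info["techniques"],
            "campaign": intel.get("campaign")}

def build_prompt(info: dict, query: dict) -> str:
    """Request the description claim 1 requires: code, language, each subroutine, the functions it
    executes and the commands, variables or paths they use."""
    lines = [f"Explain for a non-expert the threat mechanism of this {info['language']} document script.",
             f"CTI context: {query}", "Per subroutine, list its functions and what they execute:"]
    for p in info["procedures"]:
        lines.append(f"- {p['name']}: functions={p['functions']}, commands={p['commands']}, "
                     f"variables={p['variables']}, paths={p['paths']}")
    return "\n".join(lines)

def stub_model(prompt: str) -> str:
    """Offline stand-in for the natural language model; replace with a real model call."""
    return "[model stub] " + prompt

def provide_cti(script: str, model: Callable[[str], str] = stub_model) -> dict:
    """Claim 1 end to end: analyze, gate on the verdict, query the model, and return both the
    analysis information and the natural-language description to the client."""
    info = analyze_script(script)
    query = build_cti_query(info)
    description = model(build_prompt(info, query)) if query else None
    return {"analysis": info, "cti_query": query, "natural_language_description": description}
```

Calling provide_cti(SAMPLE_MACRO) returns the analysis information, the generated query, and the stub's description; a script with no auto-execution entry point and no process spawn yields no query and no model call, which is the gating the claims place before query generation. The verdict heuristic is deliberately simple and stands in for the patent's analysis stages; what the example shows is the data that has to flow from analysis into the query and the prompt: the hash and keywords come from the script itself, the attack, group and campaign labels come from a database keyed on that hash, and the per-subroutine functions, commands, variables and paths are what the model is asked to explain.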

Description

Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program for processing cyber threat information

The disclosed embodiments relate to a cyber threat information processing device, a cyber threat information processing method, and a storage medium storing a program for processing cyber threat information.

The damage caused by increasingly sophisticated cyber security threats, centered on new or variant forms of malware, is growing. To mitigate this damage and enable early response, response technologies are being advanced in parallel through multi-dimensional pattern construction and various complex analyses. Nevertheless, rather than being adequately contained, cyber attacks continue to rise. These attacks are extending beyond existing ICT (Information and Communication Technology) infrastructure to threaten sectors that directly affect daily life, such as finance, transportation, the environment, and health.

One of the foundational technologies for detecting and responding to most existing cyber security threats is to build a database of patterns for cyber attacks or malware in advance and to apply appropriate monitoring techniques wherever data flows. Existing technologies have evolved around identifying and responding to a threat when a data flow or code matching a monitored pattern is detected. While such conventional technologies detect rapidly and accurately when a match with a pre-existing pattern is found, they could not detect, or required extremely time-consuming analysis for, new or variant threats for which no pattern had been established or which bypassed the established patterns. Conventional technology, even when it applies artificial intelligence analysis, focuses on improving the detection and analysis of the malware itself.

However, because there is no fundamental technology for addressing cyber security threats, these methods alone are limited and struggle to respond to new types of malware or their variants. For example, a technology that can only detect and analyze already discovered malware cannot respond to decoy or fake information designed to deceive the detection or analysis system, and is led into confusion. For mass-produced malware, where sufficient training data exists, enough characteristic information can be obtained to determine whether a sample is malicious and of what type. For Advanced Persistent Threat (APT) attacks, however, which are produced in relatively small quantities and executed with sophistication, the samples often diverge from the training data. Furthermore, since targeted attacks constitute the majority, existing technologies face limitations even as they advance.

Conventionally, moreover, the methods and expressions used to describe malicious code, attack code, or cyber threats varied with the analyst's position or perspective. Because the way malicious code and attack behavior is described has not been standardized globally, experts in the field gave differing explanations even when detecting the same incident or the same type of malicious code, leading to confusion. Even the naming of detected malicious code was not unified, so identical malicious files were identified or categorized differently. Consequently, identified attack techniques could not be described in a normalized and standardized manner.

Conventional malware detection and analysis methods focused on detecting the malware itself, and therefore failed to identify the attacker when the creators of malware performing very similar malicious behavior were different. In connection with the above problems, conventional methods, being focused on individual cases, also made it difficult to predict what cyber threat attacks might occur in the near future.

FIG. 1 is a drawing illustrating an embodiment of a method for processing cyber threat information.
FIG. 2 is a drawing disclosing an embodiment of a cyber threat information processing device.
FIG. 3 is a drawing disclosing an embodiment of a cyber threat information processing device.
FIG. 4 is a drawing illustrating an example of performing static analysis of an executable file according to the disclosed embodiment.
FIG. 5 is a drawing illustrating an example of performing dynamic analysis of an executable file according to the disclosed embodiment.
FIG. 6 is a drawing disclosing an example of determining that a file contains malicious activity by disassembling malicious code, as an example of in-depth analysis.
FIG. 7 is a drawing illustrating a flow for processing cyber threat information according to an embodime