KR-102963665-B1 - APPARATUS FOR PROCESSING CYBER THREAT INFORMATION, METHOD FOR PROCESSING CYBER THREAT INFORMATION, AND MEDIUM FOR STORING A PROGRAM PROCESSING CYBER THREAT INFORMATION

Abstract

The present invention provides a method for processing cyber threat information, comprising: receiving a file or information about a file from a user through at least one interface; processing cyber threat information related to the received or input file or information about the file; providing the processed cyber threat information to a user through a user interface; and processing the processed cyber threat information in natural language.

Inventors

  • 김기홍

Assignees

  • 주식회사 샌즈랩

Dates

Publication Date: 2026-05-12
Application Date: 2023-04-12

Claims (7)

  1. A method for processing cyber threat information, comprising: a processor receiving, through at least one interface, a file or information about a file from a user; the processor processing cyber threat information related to the input file or the information about the file; and the processor providing the processed cyber threat information to the user through a user interface; wherein the cyber threat information is processed using natural language; the public or private status of the input file is set by the user; if the input file is set to public, cyber threat information including analysis results for the public file is included in the file search targets of a web page; and if the input file is set to private, cyber threat information including analysis results for the private file is excluded from the file search targets of the web page or of an API (Application Programming Interface).
  2. The method of claim 1, wherein the providing step comprises the processor providing the cyber threat information processed in natural language to the user in the form of a feed.
  3. The method of claim 1, wherein if a file identical to the file set as private is identified on the open web through web crawling, or if the file set as private is associated with another publicly disclosed campaign or attack group, the file is changed to a public file.
  4. A cyber threat information processing device, comprising: a cyber threat information database; and a server including a processor; wherein the server receives, through at least one interface, a file or information about a file from a user; the processor processes cyber threat information related to the input file or the information about the file and provides the processed cyber threat information to the user through a user interface; the cyber threat information is processed using natural language; the public or private status of the input file is set by the user; if the input file is set to public, cyber threat information including analysis results for the public file is included in the file search targets of a web page; and if the input file is set to private, cyber threat information including analysis results for the private file is excluded from the file search targets of the web page or of an API (Application Programming Interface).
  5. The device of claim 4, wherein the processor provides the cyber threat information processed in natural language to the user in the form of a feed.
  6. The device of claim 4, wherein if a file identical to the private file is identified on the open web through web crawling, or if the private file is associated with another publicly disclosed campaign or attack group, the file is changed to a public file.
  7. A computer-readable storage medium storing a cyber threat information processing program that executes computer instructions for: receiving, through at least one interface, a file or information about a file from a user; processing cyber threat information related to the input file or the information about the file; and providing the processed cyber threat information to the user through a user interface; wherein the cyber threat information is processed using natural language; the public or private status of the input file is set by the user; if the input file is set to public, cyber threat information including analysis results for the public file is included in the file search targets of a web page; and if the input file is set to private, cyber threat information including analysis results for the private file is excluded from the file search targets of the web page or of an API (Application Programming Interface).
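As an added illustration, not code from the patent or its assignee, the following Python model shows the visibility rules of claims 1 to 3 and 6: private submissions are dropped from web-page and API search targets, the natural-language feed still serves the submitting user, and a reconciliation pass flips a private file to public when the same hash appears in open-web crawl results or the file is attributed to an already-disclosed campaign. All hashes, campaign names and summaries are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class Submission:
    sha256: str               # hash of the submitted file (constructed values below)
    public: bool              # visibility chosen by the submitting user (claim 1)
    campaign: Optional[str]   # campaign / attack group the analysis attributed it to
    summary: str              # natural-language analysis result (claim 1)


class ThreatStore:
    def __init__(self, public_campaigns: set):
        self._items = {}                          # sha256 -> Submission
        self.public_campaigns = public_campaigns  # campaigns already publicly disclosed

    def submit(self, sub: Submission) -> None:
        self._items[sub.sha256] = sub

    def search(self, query: str) -> list:
        """Web-page / API file search: private submissions are never search targets."""
        return sorted(s.sha256 for s in self._items.values()
                      if s.public and query.lower() in s.summary.lower())

    def feed(self, sha256: str) -> Optional[str]:
        """Owner-facing feed entry (claim 2); visibility does not restrict the owner."""
        s = self._items.get(sha256)
        return None if s is None else f"[{s.sha256[:12]}] {s.summary}"

    def reconcile(self, crawled_hashes: Iterable[str]) -> list:
        """Claim 3: a private file becomes public when the same hash is seen on the
        open web (crawl results) or it is tied to an already-public campaign."""
        crawled = set(crawled_hashes)
        flipped = []
        for s in self._items.values():
            if not s.public and (s.sha256 in crawled or s.campaign in self.public_campaigns):
                s.public = True
                flipped.append(s.sha256)
        return sorted(flipped)


# Constructed sample data: placeholder hashes and campaign names, not real indicators.
HASH_A, HASH_B, HASH_C = "a1" * 32, "b2" * 32, "c3" * 32

def build_demo_store() -> ThreatStore:
    store = ThreatStore(public_campaigns={"CAMPAIGN-X"})
    store.submit(Submission(HASH_A, True, None, "Loader that drops a second-stage payload"))
    store.submit(Submission(HASH_B, False, "CAMPAIGN-X", "Loader attributed to CAMPAIGN-X"))
    store.submit(Submission(HASH_C, False, None, "Unattributed loader variant"))
    return store
```

Running `build_demo_store().search("loader")` returns only the public hash; after `reconcile([HASH_C])` both private files have been flipped and all three become search targets.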

Description

Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program for processing cyber threat information

The disclosed embodiments relate to a cyber threat information processing device, a cyber threat information processing method, and a storage medium storing a program for processing cyber threat information.

The damage caused by increasingly sophisticated cyber security threats, centered on new or variant forms of malware, is growing. To mitigate this damage and enable early response, response technologies are being advanced in parallel through multi-dimensional pattern construction and various complex analyses. Nevertheless, rather than being brought under control, recent cyber attacks are on the rise. These attacks extend beyond existing ICT (Information and Communication Technology) infrastructure to threaten sectors that directly affect daily life, such as finance, transportation, the environment, and health.

One of the foundational technologies for detecting and responding to most existing cyber security threats is to build, in advance, a database of patterns for cyber attacks or malware and to apply suitable monitoring techniques wherever data flows. Existing technologies have evolved around identifying and responding to a threat when a data flow or code matching a monitored pattern is detected. Such conventional technologies detect rapidly and accurately when a match with a pre-existing pattern is found, but for new or variant threats, for which no pattern exists or which bypass the patterns, detection is impossible or analysis is extremely time-consuming. Even when conventional technology uses artificial intelligence analysis, it focuses on improving the detection and analysis of the malware itself.

These methods alone are therefore limited, and it is difficult to respond to new types of malware or their variants, because no fundamental technology addresses the cyber security threat behind them. For example, technology that can only detect and analyze already discovered malware cannot respond to decoy or fake information designed to deceive the detection or analysis system, and is led into confusion. For mass-produced malware, where training data is plentiful, sufficient characteristic information can be obtained to determine whether a sample is malicious and what kind of malicious sample it is. Advanced Persistent Threat (APT) attacks, however, are produced in relatively small quantities and executed with sophistication, so they often diverge from the training data; and since targeted attacks constitute the majority, existing technologies remain limited even as they advance.

Furthermore, the methods and expression techniques for describing malicious code, attack code, or cyber threats have conventionally varied with the analyst's position or perspective. Because there were no global standards for describing malicious code and attack behavior, experts in the field gave differing explanations even when detecting the same incident or the same type of malware, leading to confusion. Even the naming of detected malware was not standardized, so the same malicious file could be identified or categorized differently across analysts. Consequently, identified attack techniques could not be described in a normalized and standardized manner. Conventional malware detection and analysis methods also focused on detecting the malware itself, and so failed to identify the attacker when different authors produced malware with very similar malicious behavior.

As a consequence of the problems above, conventional methods, with their detection focused on individual cases, made it difficult to predict what cyber threat attacks might occur in the near future.

FIG. 1 is a drawing illustrating an embodiment of a method for processing cyber threat information. FIG. 2 is a drawing disclosing an embodiment of a cyber threat information processing device. FIG. 3 is a drawing disclosing an embodiment of a cyber threat information processing device. FIG. 4 is a drawing illustrating an example of performing static analysis of an executable file according to the disclosed embodiment. FIG. 5 is a drawing illustrating an example of performing dynamic analysis of an executable file according to the disclosed embodiment. FIG. 6 is a drawing disclosing an example of determining that a file contains malicious activity by disassembling malicious code, as an example of in-depth analysis. FIG. 7 is a drawing illustrating a flow for processing cyber threat information according to a disclosed embodiment. FIG. 8