
KR-20260064431-A - SECURITY NETWORK ANALYSIS METHOD AND DEVICE


Abstract

A security network analysis method according to embodiments may include: receiving security network data; decoding the security network data; dividing the security network data and extracting features; calculating the influence and contribution of the features; extracting key features based on the consistency and substantial contribution of the contributions; and visualizing the security network data based on the key features.

Inventors

  • 송중석
  • 이준
  • 류범종
  • 박민우
  • 김병규
  • 권태웅
  • 이현우

Assignees

  • 한국과학기술정보연구원

Dates

Publication Date
2026-05-07
Application Date
2025-01-22
Priority Date
2024-10-31

Claims (13)

  1. A security network analysis method comprising: receiving security network data; decoding the security network data; segmenting the security network data and extracting features; calculating the influence of the features and calculating the contribution; extracting key features based on the consistency and substantial contribution of the contributions; and visualizing the security network data based on the key features.
  2. The security network analysis method of claim 1, wherein decoding the security network data includes converting the security network data into a readable code format.
  3. The security network analysis method of claim 1, wherein segmenting the security network data and extracting features includes dividing the security network data into content units and extracting features of the security network data, and wherein the content unit includes at least one of a URL, a query, an agent, or a host.
  4. The security network analysis method of claim 1, wherein calculating the influence of the features and calculating the contribution includes calculating the influence of individual features on the security network data according to the features, and calculating the contribution of the overall features to the security network data, wherein the contribution of the overall features is expressed as either a positive or a negative number, the positive number indicating that the contribution of the overall features contributes to an attack, and the negative number indicating that the contribution of the overall features contributes to normal.
  5. The security network analysis method of claim 1, wherein extracting key features based on the consistency and substantial contribution of the contributions includes calculating a high consistency value of the contribution when the feature contributes only to an attack, calculating a low consistency value of the contribution when the feature contributes to both an attack and normal, and extracting a substantial contribution having an average value of the contribution based only on the number of data items having the feature.
  6. The security network analysis method of claim 1, wherein visualizing the security network data based on the key features includes applying highlighting to content of the security network data that matches the key features extracted based on the consistency of the contribution and the substantial contribution.
  7. A security network analysis device comprising: a memory; and a processor connected to the memory, wherein the processor is configured to: receive security network data; decode the security network data; segment the security network data and extract features; calculate the influence of the features and calculate the contribution; extract key features based on the consistency and substantial contribution of the contributions; and visualize the security network data based on the key features.
  8. The security network analysis device of claim 7, wherein the processor is further configured to convert the security network data into a readable code format.
  9. The security network analysis device of claim 7, wherein the processor is further configured to divide the security network data into content units to extract features of the security network data, and wherein the content unit includes at least one of a URL, a query, an agent, or a host.
  10. The security network analysis device of claim 7, wherein the processor is further configured to calculate the influence of individual features on the security network data according to the features, and to calculate the contribution of all features to the security network data, wherein the contribution of the overall features is expressed as either a positive or a negative number, the positive number indicating that the contribution of the overall features contributes to an attack, and the negative number indicating that the contribution of the overall features contributes to normal.
  11. The security network analysis device of claim 7, wherein the processor is further configured to calculate a high consistency value of the contribution when the feature contributes only to an attack, to calculate a low consistency value of the contribution when the feature contributes to both an attack and normal, and to extract a substantial contribution having an average value of the contribution based only on the number of data items having the feature.
  12. The security network analysis device of claim 7, wherein the processor is further configured to apply highlighting to content of the security network data that matches the key features extracted based on the consistency of the contribution and the substantial contribution.
  13. A security network analysis computer program stored on a medium for executing, by a computer server, a method comprising: receiving security network data; decoding the security network data; segmenting the security network data and extracting features; calculating the influence and contribution of the features; extracting key features based on the consistency and substantial contribution of the contributions; and visualizing the security network data based on the key features.

Description

Security Network Analysis Method and Device

The frequency and sophistication of cyber attacks are increasing. Threats that previously occurred on operating systems and personal computers (PCs) are expanding to all Internet-connected devices (IoT devices), and large-scale security events are being collected through various security solutions. Analyzing a threat event (alarm) in a security monitoring system takes an average of over 10 minutes, and additional time is required depending on the severity of the security threat. Currently, manual analysis by monitoring operators leads to an excessive workload because the number of repetitive analyses and response actions keeps growing. Furthermore, consistent response is difficult because the time required for analysis and response varies with the operators' know-how and experience.

Given that the diversity and complexity of attacks have increased with technological advances, there are limits to dealing with them using only existing signature-based security equipment. Detecting these varied and increasingly complex attacks with existing security equipment requires coarser detection techniques. Currently, security equipment generates numerous events and false alarms, which are difficult to analyze with human resources alone. In security environments where the risk of false positives is very high, the black-box nature of current AI means that AI judgments cannot be adopted as is: there is a lack of supporting evidence for the judgments, and they are difficult to interpret.

Artificial Intelligence (AI) is a technique capable of effectively processing large-scale data, for example by extracting inherent patterns; however, AI-based systems that are black boxes and provide only results suffer from a lack of transparency and reliability. Explainable Artificial Intelligence (XAI) can enhance the transparency and reliability of models by providing interpretations of the results generated by the AI. Most interpretations are provided based on the features used in AI training and prediction. Therefore, while the visibility and relevance of interpretations directly lead to rapid decision support, previous approaches, such as providing interpretations based on impact rather than actual figures, or using features that lack intuitiveness, have limitations in interpretability. Decision support through interpretations suited to security monitoring environments is required.

Drawings are included to further the understanding of the embodiments, and the drawings illustrate the embodiments together with the descriptions related to them. For a better understanding of the various embodiments described below, reference should be made to the description of the embodiments in relation to the following drawings, in which similar reference numerals denote corresponding parts throughout.

FIG. 1 illustrates a method and apparatus for improving decision-making for security monitoring based on explainable artificial intelligence according to embodiments.
FIG. 2 illustrates a decision-making method for security monitoring according to embodiments.
FIG. 3 shows a security network analysis device according to embodiments.
FIG. 4 shows a security network analysis device according to embodiments.
FIG. 5 illustrates a security network analysis method according to embodiments.

Preferred embodiments are described in detail, and examples thereof are shown in the accompanying drawings. The following detailed description, with reference to the accompanying drawings, is intended to describe preferred embodiments rather than the only embodiments that may be implemented. The following detailed description includes details to provide a thorough understanding of the embodiments; however, it is obvious to those skilled in the art that the embodiments may be practiced without these details. Most terms used in the embodiments are selected from those commonly used in the field, but some terms are chosen at the applicant's discretion, and their meanings are described in detail in the following description as necessary. Accordingly, the embodiments should be understood based on the intended meaning of the terms, rather than their mere names or literal meanings.

FIG. 1 illustrates a method and apparatus for improving decision-making for security monitoring based on explainable artificial intelligence according to embodiments. The security network analysis method and apparatus according to the embodiments represent a method and apparatus for improving decision-making in security monitoring based on explainable artificial intelligence. The security network analysis method and device according to the embodiments may be referred to si