
US-12627693-B2 - Cyber-attack tracking method and device using behavior event-based relationship data collected from multiple domains, and storage medium storing instructions to perform cyber-attack tracking method


Abstract

Proposed is a method for tracking a cyber-attack, performed by a cyber-attack tracking device including a memory and a processor. The method may include determining a plurality of behavior events performed by network devices in one or more domains, and mapping the behavior events onto metadata of preset standards. The method may also include generating relationship data indicating a relationship between behavior events whose mapped metadata is designated as a preset group. The method may further include counting the number of behavior events related to a preset suspected behavior among the behavior events that share the relationship data of a first behavior event, to calculate a score for the relationship data that includes the first behavior event.

Inventors

  • JaeHong AHN
  • Chanil PARK
  • Minsang LEE
  • Taehyung Kim
  • Hyun Yu

Assignees

  • AGENCY FOR DEFENSE DEVELOPMENT

Dates

Publication Date
2026-05-12
Application Date
2024-05-22
Priority Date
2023-11-06

Claims (11)

  1. A method for tracking a cyber-attack to be performed by a cyber-attack tracking device including a memory and a processor, the method comprising: determining a plurality of behavior events performed by network devices in one or more domains by: determining original data for each behavior event that occurred in the network devices, detecting a preset suspected attack behavior in the original data, generating data related to the preset suspected attack behavior, and generating behavior events comprising the data related to the preset suspected attack behavior, wherein the generating the data, the generating the behavior events, and the detecting the preset suspected attack behavior are performed by the processor to improve an efficiency of cyber-attack detection; mapping the plurality of behavior events onto metadata of preset standards, wherein the metadata includes at least one of information classified as an event type, a process action, a file specification, a module characteristic, a network characteristic, or registry information for the plurality of behavior events, wherein mapping the plurality of behavior events onto metadata enables systematic identification and analysis of network activity; generating relationship data indicating a relationship between behavior events mapped onto metadata designated as a preset group based on the metadata mapped onto the plurality of behavior events to systematically identify and analyze event paths from an initial stage of the cyber-attack to current behavior events to identify an intra-host attack behavior and an inter-host attack behavior of an attacker through the relationship data; and counting a number of behavior events related to a preset suspected behavior among behavior events having the same relationship data as a first behavior event to calculate a score for the relationship data including the first behavior event to prioritize potential threats in real-time; and providing a user terminal with the relationship data sorted in descending order of calculated scores and information on a domain, host, and behavior events included in the relationship data corresponding to a highest score, wherein a user of the user terminal is enabled to analyze the behavior events included in the provided relationship data to respond to cyber-attacks in advance and analyze causal relationships between behavior events to prevent advanced cyber-attacks, wherein generating the relationship data includes generating inter-device relationship data indicating an inter-relationships between the plurality of behavior events occurred in network devices, and wherein generating the inter-device relationship data includes generating the inter-device relationship data by grouping behavior events including a port of a transmission network device same as a port of a reception network device among behavior events having metadata related to a preset network characteristic for the plurality of the behavior events and including a file name of a transmitted file same as a file name of a received file or a hash value of the transmitted file same as a hash value of the received file.
  2. The method of claim 1, wherein the metadata of the preset standards includes: an event identification value specifying information on an event occurrence time, an event identification (ID), an event sequence, and an event group ID; an event unique value specifying information on a file name and a file path; and a suspected behavior value specifying information on attack tactics and attack techniques.
  3. The method of claim 1, wherein generating the relationship data includes generating intra-device relationship data indicating an internal-relationship between the plurality of behavior events occurred in each network device.
  4. The method of claim 3, wherein generating the intra-device relationship data includes generating the relationship data by grouping behavior events having metadata related to the same event group ID among behavior events having metadata related to a preset process action for the plurality of the behavior events.
  5. The method of claim 1, wherein counting the number of behavior events related to the preset suspected behavior includes counting the number of duplicate behavior events as one when behavior events related to the preset suspected behavior occurs repeatedly among behavior events having the relationship data same as the first behavior event.
  6. A non-transitory computer readable storage medium storing computer executable instructions that cause, when executed by one or more processors, the one or more processors to perform the method of claim 1.
  7. A cyber-attack tracking device comprising: a memory configured to store one or more instructions; and a processor configured to execute the one or more instructions to: determine a plurality of behavior events performed by network devices in one or more domains by: determining original data for each behavior event that occurred in the network devices, detecting a preset suspected attack behavior in the original data, generating data related to the preset suspected attack behavior, and generating behavior events comprising the data related to the preset suspected attack behavior, wherein the generating the data, the generating the behavior events, and the detecting the preset suspected attack behavior are performed by the processor to improve an efficiency of cyber-attack detection; map the plurality of the behavior events onto metadata of preset standards, wherein the metadata includes at least one of information classified as an event type, a process action, a file specification, a module characteristic, a network characteristic, or registry information for the plurality of behavior events, wherein mapping the plurality of behavior events onto metadata enables systematic identification and analysis of network activity; generate relationship data indicating a relationship between behavior events mapped onto metadata designated as a preset group based on the metadata mapped onto the plurality of behavior events to systematically identify and analyze event paths from an initial stage of a cyber-attack to current behavior events to identify an intra-host attack behavior and an inter-host attack behavior of an attacker through the relationship data; count a number of behavior events related to a preset suspected behavior among behavior events having the same relationship data as a first behavior event to calculate score for the relationship data including the first behavior event to prioritize potential threats in real-time; and provide a user terminal with the relationship data sorted in descending order of calculated scores and information on a domain, host, and behavior events included in the relationship data corresponding to a highest score, wherein a user of the user terminal is enabled to analyze the behavior events included in the provided relationship data to respond to cyber-attacks in advance and analyze causal relationships between behavior events to prevent advanced cyber-attacks, wherein to generate the relationship data, the processor is configured to generate inter-device relationship data indicating an inter-relationships between the plurality of behavior events occurred in network devices, and wherein to generate the inter-device relationship data, the processor is configured to generate the inter-device relationship data by grouping behavior events including a port of a transmission network device same as a port of a reception network device among behavior events having metadata related to a preset network characteristic for the plurality of the behavior events and including a file name of a transmitted file same as a file name of a received file or a hash value of the transmitted file same as a hash value of the received file.
  8. The cyber-attack tracking device of claim 7, wherein the metadata of the preset standards includes: an event identification value specifying information on an event occurrence time, an event identification (ID), an event sequence, and an event group ID; an event unique value specifying information on a file name and a file path; and a suspected behavior value specifying information on attack tactics and attack techniques.
  9. The cyber-attack tracking device of claim 7, wherein the processor is configured to generate intra-device relationship data indicating an internal-relationship between the plurality of behavior events occurred in each network device.
  10. The cyber-attack tracking device of claim 9, wherein the processor is configured to generate the relationship data by grouping behavior events having metadata related to the same event group ID among behavior events having metadata related to a preset process action for the plurality of the behavior events.
  11. The cyber-attack tracking device of claim 7, wherein the processor is configured to count the number of duplicate behavior events as one when behavior events related to the preset suspected behavior occurs repeatedly among behavior events having the relationship data same as the first behavior event.

Description

CROSS-REFERENCE TO RELATED APPLICATION

This application claims priority to Korean Patent Application No. 10-2023-0152071 filed on Nov. 6, 2023, the entirety of which is incorporated herein by reference for all purposes.

TECHNICAL FIELD

The present disclosure relates to a method and device for tracking cyber-attacks using relationship data generated from behavior events collected from one or more domains.

BACKGROUND

Most companies conduct breach investigations into cyber-attacks only after they become internally aware of the damage those attacks caused. However, attackers now use advanced techniques such as security-system bypass and anti-forensics, and a long-term hidden attack makes it difficult to secure the data needed for a breach investigation.

SUMMARY

According to an embodiment, technology is provided for collecting behavior events from a large-scale set of hosts spanning one or more domains and a network, and for forming a causal relationship from the behavior events of the initial stage to the current behavior events, so as to identify an intra-host attack behavior and an inter-host attack behavior of an attacker. The aspects of the present disclosure are not limited to the foregoing, and other aspects not mentioned herein will be clearly understood by those skilled in the art from the following description.

In accordance with an aspect of the present disclosure, there is provided a method for tracking a cyber-attack to be performed by a cyber-attack tracking device including a memory and a processor, the method comprising: determining a plurality of behavior events performed by network devices in one or more domains; mapping the plurality of behavior events onto metadata of preset standards; generating relationship data indicating a relationship between behavior events whose mapped metadata is designated as a preset group; and counting the number of behavior events related to a preset suspected behavior among behavior events sharing the relationship data of a first behavior event, to calculate a score for the relationship data that includes the first behavior event.

Determining the plurality of behavior events may include determining original data for each behavior event that occurred in the network devices; detecting a preset suspected attack behavior in the original data; generating data relating to the preset suspected attack behavior; and generating behavior events including the data relating to the preset suspected attack behavior.

The metadata may include at least one of information classified as an event type, a process action, a file specification, a module characteristic, a network characteristic, or registry information for the plurality of behavior events. The metadata may further include: an event identification value specifying an event occurrence time, an event identification (ID), an event sequence, and an event group ID; an event unique value specifying a file name and a file path; and a suspected behavior value specifying attack tactics and attack techniques.

Generating the relationship data may include generating intra-device relationship data indicating an internal relationship between the behavior events that occurred in each network device. Generating the intra-device relationship data may include grouping behavior events that have metadata related to the same event group ID, among the behavior events whose metadata relates to a preset process action.

Generating the relationship data may also include generating inter-device relationship data indicating inter-relationships between behavior events that occurred in different network devices. Generating the inter-device relationship data may include grouping behavior events, among those whose metadata relates to a preset network characteristic, in which the port of the transmitting network device is the same as the port of the receiving network device and in which the file name of the transmitted file is the same as the file name of the received file or the hash value of the transmitted file is the same as the hash value of the received file.

Counting the number of behavior events related to the preset suspected behavior may include counting duplicate behavior events as one when a behavior event related to the preset suspected behavior occurs repeatedly among the behavior events sharing the relationship data of the first behavior event.

In accordance with another aspect of the present disclosure, there is provided a cyber-attack tra
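The grouping and scoring pipeline described in claims 1 to 5 and in the summary above, as an added example in Python. This is illustrative code written for this page, not code from the patent or from the Agency for Defense Development. Assumptions not stated in the patent: the event group ID is treated as a per-host process-tree identifier, and a network event carries the group ID of the process that opened the connection (so it joins that process's intra-device group); inter-device links require the same port on the transmitting and receiving devices plus the same file name or the same file hash; the suspected-behavior value is an ATT&CK technique ID; and the score is the number of distinct suspected-behavior values in a group, which implements claim 5's rule that repeated events count once. The sample events are constructed for the example.

```python
"""Added example (not the patent's code): behavior-event grouping and scoring."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class BehaviorEvent:
    """One behavior event after mapping onto the metadata fields named in claim 2."""
    event_id: int              # event sequence number; lower means earlier
    domain: str
    host: str
    group_id: str              # event group ID (assumed: one ID per process tree on a host)
    action: str                # "process" (process action) or "network" (network characteristic)
    file_name: str = ""
    file_hash: str = ""
    port: Optional[int] = None  # port on the transmitting/receiving device (network events)
    direction: str = ""        # "tx" on the transmitting device, "rx" on the receiving device
    technique: str = ""        # suspected-behavior value (ATT&CK technique ID here); "" if none


class DisjointSet:
    """Union-find over event IDs; each root identifies one relationship-data group."""

    def __init__(self) -> None:
        self.parent: Dict[int, int] = {}

    def find(self, x: int) -> int:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: int, b: int) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def build_relationship_data(events: List[BehaviorEvent]) -> List[List[BehaviorEvent]]:
    """Return relationship-data groups, each sorted from the initial event to the latest."""
    ds = DisjointSet()
    # Intra-device relationship (claim 4): events on one host sharing an event group ID.
    # Assumption: a network event carries the group ID of the process that opened the socket.
    first_seen: Dict[Tuple[str, str], int] = {}
    for e in events:
        key = (e.host, e.group_id)
        if key in first_seen:
            ds.union(first_seen[key], e.event_id)
        else:
            first_seen[key] = e.event_id
    # Inter-device relationship (claim 1): a transmitted and a received network event on
    # different hosts, with the same port and the same file name or the same file hash.
    tx = [e for e in events if e.action == "network" and e.direction == "tx"]
    rx = [e for e in events if e.action == "network" and e.direction == "rx"]
    for t in tx:
        for r in rx:
            if t.host == r.host or t.port is None or t.port != r.port:
                continue
            same_name = bool(t.file_name) and t.file_name == r.file_name
            same_hash = bool(t.file_hash) and t.file_hash == r.file_hash
            if same_name or same_hash:
                ds.union(t.event_id, r.event_id)
    groups: Dict[int, List[BehaviorEvent]] = defaultdict(list)
    for e in events:
        groups[ds.find(e.event_id)].append(e)
    return [sorted(g, key=lambda ev: ev.event_id) for g in groups.values()]


def score_relationship(group: List[BehaviorEvent]) -> int:
    """Claim 5: a suspected behavior repeated within one group counts once."""
    return len({e.technique for e in group if e.technique})


def rank_relationships(events: List[BehaviorEvent]) -> List[dict]:
    """Claim 1's output: groups in descending score order with domain, host and event path."""
    ranked = []
    for group in build_relationship_data(events):
        ranked.append({
            "score": score_relationship(group),
            "domains": sorted({e.domain for e in group}),
            "hosts": sorted({e.host for e in group}),
            "event_ids": [e.event_id for e in group],  # initial stage first
            "techniques": [e.technique for e in group if e.technique],
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


# Constructed sample: a document macro on host-a spawns PowerShell, drops a tool and pushes it
# over SMB (port 445) to host-b, which runs it and persists; host-c has one unrelated event.
SAMPLE_EVENTS = [
    BehaviorEvent(1, "corp.example", "host-a", "g1", "process", file_name="winword.exe", technique="T1566.001"),
    BehaviorEvent(2, "corp.example", "host-a", "g1", "process", file_name="powershell.exe", technique="T1059.001"),
    BehaviorEvent(3, "corp.example", "host-a", "g1", "process", file_name="tool.exe", file_hash="h1", technique="T1105"),
    BehaviorEvent(4, "corp.example", "host-a", "g1", "network", file_name="tool.exe", file_hash="h1", port=445, direction="tx", technique="T1021.002"),
    BehaviorEvent(5, "corp.example", "host-a", "g1", "network", file_name="tool.exe", file_hash="h1", port=445, direction="tx", technique="T1021.002"),
    BehaviorEvent(6, "corp.example", "host-b", "g7", "network", file_name="tool.exe", file_hash="h1", port=445, direction="rx"),
    BehaviorEvent(7, "corp.example", "host-b", "g7", "process", file_name="tool.exe", file_hash="h1", technique="T1204.002"),
    BehaviorEvent(8, "corp.example", "host-b", "g7", "process", file_name="reg.exe", technique="T1547.001"),
    BehaviorEvent(9, "lab.example", "host-c", "g9", "process", file_name="cmd.exe", technique="T1059.003"),
    BehaviorEvent(10, "lab.example", "host-c", "g9", "process", file_name="notepad.exe"),
]

if __name__ == "__main__":
    for entry in rank_relationships(SAMPLE_EVENTS):
        print(entry)
```

With the sample input, events 1 to 8 collapse into one group spanning host-a and host-b (the duplicated SMB transfer at events 4 and 5 adds only one technique to the score), and the isolated host-c group ranks last. Changing the receiving port of event 6 breaks the inter-device link and leaves the two hosts as separate groups, which is the check an analyst would run to confirm the linking rule fires only on a matching port plus file identity.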