US-12627698-B2 - Cyber threat information method and apparatus for identifying malware and predicting cyber threat attack using machine learning techniques
Abstract
Provided is a cyber threat information processing method including receiving input of a file or information on the file from a user through at least one interface, processing cyber threat information related to the received or input file or the information on the file; and providing the processed cyber threat information to the user through a user interface.
Inventors
- Ki Hong Kim
- Sung Eun Park
- Shin Kyo IN
- Jin Ki CHEON
- Ji Woo Seo
Assignees
- SANDS LAB Inc.
Dates
- Publication Date: 2026-05-12
- Application Date: 2023-04-24
- Priority Date: 2023-04-12
Claims (12)
- 1. A method of processing cyber threat information, the method comprising: receiving input of a file or information on the file from a user through a user interface; processing cyber threat information related to the received or input file or the information on the file; and providing the processed cyber threat information to the user through the user interface, wherein the user interface comprises at least one of a hashtag combined with a keyword related to the cyber threat information, an attack group information for the cyber threat information, and a search function in a form of a query based on set information for a range and condition of the cyber threat information, and wherein the cyber threat information is provided based on at least one of a first user input for the hashtag, a second user input for the attack group information and a third user input comprising a search word for the search function, wherein the processing cyber threat information comprises: obtaining dumping data stored in a memory when a memory process is suspended upon calling a function of a plurality of functions of an application of a reader program corresponding to a plurality of application programming interfaces (APIs) in a pre-stored API hooking list information; extracting a threat feature from the dumping data stored in the memory immediately before execution of the application of the reader program when the reader program is executed in a kernel area of an operating system; and processing the cyber threat information related to the file or the information on the file based on performing a normalization or vectorization process on the threat feature including an opcode.
- 2. The method according to claim 1, wherein the provided cyber threat information includes the provided cyber threat information at any time or any region.
- 3. The method according to claim 1, wherein the provided cyber threat information includes cyber threat actions appearing in chronological order or information on the cyber threat actions for each attack type.
- 4. The method according to claim 1, wherein the provided cyber threat information includes upper advanced persistent threat (APT) attack information according to an occurrence frequency among APT attacks at a specific time point.
- 5. An apparatus for processing cyber threat information, the apparatus comprising: a database configured to store cyber threat information; and a server comprising a processor, wherein: the server receives input of a file or information on the file from a user through a user interface, and the processor: processes cyber threat information related to the input file or the information on the file; and provides the processed cyber threat information to the user through the user interface, wherein the user interface comprises at least one of a hashtag combined with a keyword related to the cyber threat information, an attack group information for the cyber threat information, and a search function in a form of a query based on set information for a range and condition of the cyber threat information, and wherein the cyber threat information is provided based on at least one of a first user input for the hashtag, a second user input for the attack group information and a third user input comprising a search word for the search function, wherein the processor is configured to: obtain dumping data stored in a memory when a memory process is suspended upon calling a function of a plurality of functions of an application of a reader program corresponding to a plurality of application programming interfaces (APIs) in a pre-stored API hooking list information; extract a threat feature from the dumping data stored in the memory immediately before execution of the application of the reader program when the reader program is executed in a kernel area of an operating system; and process the cyber threat information related to the file or the information on the file based on performing a normalization or vectorization process on the threat feature including an opcode.
- 6. The apparatus according to claim 5, wherein the provided cyber threat information includes the provided cyber threat information at any time or any region.
- 7. The apparatus according to claim 5, wherein the provided cyber threat information includes cyber threat actions appearing in chronological order or information on the cyber threat actions for each attack type.
- 8. The apparatus according to claim 5, wherein the provided cyber threat information includes upper APT attack information according to an occurrence frequency among APT attacks at a specific time point.
- 9. A non-transitory computer-readable storage medium storing a cyber threat information processing program that executes computer instructions for: receiving input of a file or information on the file from a user through a user interface; processing cyber threat information related to the received or input file or the information on the file; and providing the processed cyber threat information to the user through the user interface, wherein the user interface comprises at least one of a hashtag combined with a keyword related to the cyber threat information, an attack group information for the cyber threat information, and a search function in a form of a query based on set information for a range and condition of the cyber threat information, and wherein the cyber threat information is provided based on at least one of a first user input for the hashtag, a second user input for the attack group information and a third user input comprising a search word for the search function, wherein the processing cyber threat information comprises: obtaining dumping data stored in a memory when a memory process is suspended upon calling a function of a plurality of functions of an application of a reader program corresponding to a plurality of application programming interfaces (APIs) in a pre-stored API hooking list information; extracting a threat feature from the dumping data stored in the memory immediately before execution of the application of the reader program when the reader program is executed in a kernel area of an operating system; and processing the cyber threat information related to the file or the information on the file based on performing a normalization or vectorization process on the threat feature including an opcode.
- 10. The non-transitory computer-readable storage medium according to claim 9, wherein the provided cyber threat information includes the provided cyber threat information at any time or any region.
- 11. The non-transitory computer-readable storage medium according to claim 9, wherein the provided cyber threat information includes cyber threat actions appearing in chronological order or information on the cyber threat actions for each attack type.
- 12. The non-transitory computer-readable storage medium according to claim 9, wherein the provided cyber threat information includes upper advanced persistent threat (APT) attack information according to an occurrence frequency among APT attacks at a specific time point.
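As an added illustration of the final processing step in claims 1, 5 and 9 (normalization or vectorization of an opcode threat feature taken from dumped memory), the following Python is example code written for this page, not the patent's or the assignee's implementation; the disassembled instruction lists, the bigram choice and the hashing-trick dimension are all assumptions. It also shows why normalization matters for variants: two dumps that differ only in registers and addresses map to the same vector.

```python
import hashlib
import math
from collections import Counter

# Constructed sample: instructions as a disassembler might emit them from a memory
# dump taken while the reader process is suspended (registers/addresses made up).
SAMPLE_DUMP_OPCODES = [
    "push ebp", "mov ebp, esp", "sub esp, 0x40", "call 0x401000",
    "mov eax, [ebp-0x4]", "test eax, eax", "jz 0x401050", "call 0x402000",
    "xor eax, eax", "ret",
]
# Constructed "variant": same instruction stream, different registers/addresses.
SAMPLE_VARIANT_OPCODES = [
    "push rbp", "mov rbp, rsp", "sub rsp, 0x80", "call 0x7ff600001000",
    "mov rax, [rbp-0x8]", "test rax, rax", "jz 0x7ff600001050", "call 0x7ff600002000",
    "xor rax, rax", "ret",
]

def normalize_opcode(instr: str) -> str:
    """Normalization: keep only the mnemonic so operands, registers and addresses
    that differ between variants do not fragment the feature space."""
    return instr.strip().split()[0].lower()

def opcode_ngrams(instrs, n: int = 2):
    """Sliding n-grams over normalized mnemonics (order carries behavioural signal)."""
    mnems = [normalize_opcode(i) for i in instrs]
    return [" ".join(mnems[i:i + n]) for i in range(len(mnems) - n + 1)]

def ngram_counts(instrs, n: int = 2) -> Counter:
    """Raw n-gram histogram, useful for inspecting which sequences dominate a dump."""
    return Counter(opcode_ngrams(instrs, n))

def vectorize(instrs, n: int = 2, dim: int = 32):
    """Vectorization via the hashing trick: each n-gram is hashed (sha256, so the
    bucket is stable across runs) into one of `dim` buckets, and the counts are
    L2-normalized so the vector length is fixed regardless of dump size."""
    vec = [0.0] * dim
    for gram in opcode_ngrams(instrs, n):
        bucket = int(hashlib.sha256(gram.encode()).hexdigest(), 16) % dim
        vec[bucket] += 1.0
    norm = math.sqrt(sum(v * v for v in vec))
    return [v / norm for v in vec] if norm else vec

def cosine(a, b) -> float:
    """Similarity of two unit-length feature vectors; 1.0 means identical direction."""
    return sum(x * y for x, y in zip(a, b))

if __name__ == "__main__":
    v1, v2 = vectorize(SAMPLE_DUMP_OPCODES), vectorize(SAMPLE_VARIANT_OPCODES)
    print(ngram_counts(SAMPLE_DUMP_OPCODES).most_common(3))
    print("variant similarity:", round(cosine(v1, v2), 3))
```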
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
This application claims the benefit of Korean Patent Application No. 10-2023-0047970, filed on Apr. 12, 2023, which is hereby incorporated by reference as if fully set forth herein.
BACKGROUND OF THE INVENTION
Field of the Invention
The disclosed embodiments relate to a cyber threat information processing apparatus, a cyber threat information processing method, and a storage medium storing a cyber threat information processing program.
Discussion of the Related Art
The damage from cybersecurity threats, which are gradually becoming more sophisticated, centering on new or variant malware, has been increasing. To reduce such damage and to respond at an early stage, countermeasure technology has been advancing through multi-dimensional pattern composition, various types of complex analysis, etc. However, recent cyberattacks continue to increase day by day rather than being adequately contained within a controllable range. These cyberattacks threaten finance, transportation, environment, health, etc., which directly affect people's lives, beyond the existing information and communication technology (ICT) infrastructure. One of the basic technologies for detecting and responding to most existing cybersecurity threats is to create a database of patterns for cyberattacks or malware in advance and to apply appropriate monitoring technologies wherever data flow is required. Existing technology has evolved around a method of identifying and responding to threats when a data flow or code matching a monitored pattern is detected. Such conventional technology has the advantage of rapid and accurate detection when a data flow or code matches a previously secured pattern. However, it has the problem that, in the case of a new or mutant threat for which no pattern has been secured or whose pattern is bypassed, detection is impossible or analysis takes a significantly long time.
The related art focuses on advancing the technology to detect and analyze malware itself, even when artificial intelligence (AI) analysis is used. However, there is no fundamental technology to counter cybersecurity threats, and thus it is difficult to address new malware or new variants of malware with this method alone; this is a limitation. For example, technology that only detects and analyzes previously discovered malware itself cannot address decoy or fake information designed to deceive the detection or analysis system, and confusion results. In the case of mass-produced malware for which enough data exists to be learned, its characteristic information can be sufficiently secured, and it is therefore possible to distinguish whether code is malicious and which type of malware it is. However, in the case of advanced persistent threat (APT) attacks, which are carried out in relatively small numbers and target precisely, the training data often does not match, and since targeted attacks make up the majority, there are limitations even when the existing technology is advanced. In addition, methods and expression techniques for describing malware, attack code, or cyber threats have conventionally differed depending on the position or analysis perspective of the analyst. For example, no method of describing malware and attack activity has been standardized worldwide, so that even when the same incident or the same malware is detected, the explanations of experts in the field differ and confusion has occurred. Even malware detection names have not been unified, and thus, for the same malicious file, it has been impossible to correctly identify the attack performed, or attacks have been organized differently. Therefore, identified attack techniques could not be described in a normalized and standardized manner.
A conventional malware detection and analysis method focuses on detecting the malware itself, and therefore has the problem that, for malware performing significantly similar malicious activity, when the attackers who generated it differ, those attackers cannot be identified. In connection with the above problems, the conventional method also has the problem that such an individual, case-focused detection method makes it difficult to predict the type of cyber threat attack that will occur in the near future.
SUMMARY OF THE INVENTION
The present disclosure is to address at least the above-mentioned problems and/or disadvantages and to provide at least the advantages described below. Accordingly, an aspect of the present disclosure is to provide a cyber threat information processing apparatus, a cyber threat information processing method, and a storage medium storing a cyber threat information processing program capable of detecting and addressing malware that does not exactly match the data learned by AI and of addressing variants of malware. Another aspect of the