초록 ▼

[주요 연구성과]
o 침해사고 증거보존을 위한 네트워크 트래픽 수집기술 개발
- 대용량 트래픽 무손실 수집 및 데이터 무결성 보장 기술
※ End Product : 사이버 블랙박스(HW, SW)

o 트래픽 기반 침해사고 분석대상 추출 및 원인분석 기술 개발
- 네트워크 트래픽 기반 침해공격 정보 분석 지원 기술
※ End Product : 침해공격 원인분석/공격재현 시스템(SW)

o 침해정보 연관정보 자동 수집 기술 개발
- 다양한 외부채널을 통한 침해사고 정보 자동 수집기술

[주요 연구성과]
o 침해사고 증거보존을 위한 네트워크 트래픽 수집기술 개발
- 대용량 트래픽 무손실 수집 및 데이터 무결성 보장 기술
※ End Product : 사이버 블랙박스(HW, SW)

o 트래픽 기반 침해사고 분석대상 추출 및 원인분석 기술 개발
- 네트워크 트래픽 기반 침해공격 정보 분석 지원 기술
※ End Product : 침해공격 원인분석/공격재현 시스템(SW)

o 침해정보 연관정보 자동 수집 기술 개발
- 다양한 외부채널을 통한 침해사고 정보 자동 수집기술
※ End Product : 대량의 사이버 침해사고 탐지/분석 시스템 (SW)

o 침해정보/연관정보 기반의 침해사고 연관분석 기술 개발
- 다수 침해사고 연관정보 자동 추출 및 분석 기술
※ End Product : 보안관제 Intelligence/정보공유 시스템(SW)

(출처 : 보고서 요약서 3p)

Abstract ▼

Purpose & Contents
< Final Research Objective >

o Development of cyber blackbox technology capable of preserving evidence and analyzing cyber incidents quickly and Development of integrated cyber security situation analysis technology that can detect and analyze massive cyber incidents,

Purpose & Contents
< Final Research Objective >

o Development of cyber blackbox technology capable of preserving evidence and analyzing cyber incidents quickly and Development of integrated cyber security situation analysis technology that can detect and analyze massive cyber incidents, provide security intelligence service, and share cyber incidents information (figure 28) Conceptual diagram

< 1st year >
o Development goals
- Evidence-based cyber black box and cyber attack analysis
- Development of intelligence element technology based on collecting/analyzing/clustering of massive wired and wireless cyber accidents

o Development Contents
- Development of network traffic collection/storage/management element technology
• Development of real-time collection and management technology for 2G network traffic
• Development of collection data processing/classification elemental technology according to application·IP
• Development of network-based executable(PE, APK file) reconstruction and metadata extraction technology
• Design of black box-based network malicious behavior analysis technology

- Research on elemental technology to preserve evidence of cyber incident and analyze cause of attack
• Evidence preservation techniques and case studies of network collected data
• Design of selecting data for evidence retention and large-capacity data archiving technology
• Attack analysis based on information such as attack IP and malicious code
• Research of analyze cause of attack based on anomaly analysis such as DDoS attack and information leakage
• Analyze the requirements for developing an active analysis tool for cyber attack

- Development of interlocking technology between black box/security situation analysis system
• Development of interlock specification and interlocking data generation/ management module
• Implement malicious pattern information collection and interworking protocol
• Development of additional malicious information transmission module collected from black box

- Development of detection ‧ analytical element technology of massive cyber incidents
• Development of technology for detection and analysis of malicious code, attack path, etc.
• Developing a scalable information recording format for cyber incidents
• Construction of scalable large-scale cyber incident analysis/management environment

- Development of code block classification and similarity analysis element technology for cyber incidents
• Study on Relation and Characteristics between Natural Language Code and Machine Language Code
• Key factor extraction technology design related to similarity information
• Development of disassembly code parsing tool for machine code
• Development of known code(whitelist, etc.) exception handling technology and classification of code blocks
• Development of code block based cyber incident similarity analysis element technology

- Development of cyber attack factor clustering and attack scenario analysis element technology
• Development of clustering element technology between cyber attack and attack paths
• Development of clustering elemental technology between cyber attack and malicious behavior
• Development of technology for cyber attack clustering by domain/IP/owner
• Development of technology for cyber attack clustering by history of cyber attack and geographic information
• Research on attack scenario analysis technology by cyber incident type and time series
• Analyze requirements for developing security intelligence tools

- Establishment of cyber incident information sharing network with cyber black box and external organizations
• A study on framework for information sharing of cyber incidents with external organizations such as KrCERT
• Development of cyber black box information protocol and interface
• Construction of BigData based incident and profiling information management environment

- Development of technology for automatic acquisition of mobile apps and native malicious codes in various channels
• Developing app collection technology via PC/mobile-based crawler
• Development of Native malicious code collection technology in the form of driveby-download
• Development of email, SMS interlocking based Native code and mobile app collection technology
• Study of bypass techniques for harvest restriction in app market/web/black market

- Development of large-scale mobile incident analysis technology
• Automated malicious behavior analysis of mobile apps
• Development of automatic analysis technology for exploit code in mobile web
• Development of native malicious code automatic analysis technology

- Development of clustering elemental technology by propagation path, attack action in mobile incident
• Development of clustering elemental technology between distribution channel/exploit code/malicious app/attack server
• Development of clustering elemental technology considering time series analysis, attack feature/target

< 2nd year >
o Development goals
- Development of 10G-level cyber black box system and internal cyber incident cause analyze tool based on Logical View
- Development of cyber incident intelligence analysis prototype and development of collection/management of mass incident information
- Development of Intelligence element technology such as attacker tracking, attack prediction and cyber incident information sharing technology

o Development Contents
- Development of network traffic collection and analysis technology
• 10G network traffic and session information collection/processing module
• Network collection data retrieval processing index creation module
• Advanced network-based executable and metadata extraction modules

- Development of collection data integrity assurance and management technology
• Virtual volume-based integrity guaranteed data storage(Evidence-Lock) module
• Automatic deletion and management module for continuously collectable data
• Long-term data archiving module for post-analysis

- Development of a cyber black box-based cause of internal cyber incident analysis tool
• Analysis of causes of cyber incident and manager-oriented Logical View configuration module
• Cyber attack cause analyzing module by related information such as attack IP, malicious code, etc.
• Analysis support tool that can be used by the security administrator for analyzing cause of cyber attack

- Enhancement of cyber incidents related information collecting and analyzing function for intelligence analysis
• Cyber Incident information collection and past malicious activity history management module
• Malicious IP/Domain collection module in DNS based Blacklist(DNSBL)
• Domain owner-based historical cyber incident history trace module
• Study on IP-domain mapping history store, management based malicious behavior blocking avoidance detection technology

- Developed automatic management technology for mass cyber incident information
• Study on high-speed search indexing algorithm for massive storage
• Design and implementation of dual DB structure for storing/managing mass/long-term collected data
• Extraction and normalization of storage information metadata for intelligence analysis
• Cyber incident information management module through historical information management and information update
• Built a storage platform for massive cyber incident analysis/related information management

- Large-scale malicious code similarity analysis and collected information based similar cyber incident clustering technology
• Large amount of malicious code N:N comparative base similarity detection tool
• Similarity analysis tool based on variable information in malicious code
• Development of large-scale similarity analysis DB and system interlocking for intelligence analysis
• Large-scale similarity analysis DB based similar incident(malicious code) automatic clustering module

- Analysis of mass cyber incident information based cyber incident Intelligence analysis and attacker tracking technology
• Researching cyber incident information retrieval/association analysis algorithm for detecting similar cyber incidents
• Collection data base cyber incident clustering module by inflow path/attack type/malicious behavior
• Study of attacker tracking algorithm for attacker group detection
• Association analysis result based cyber incident intelligence analysis module

- Development of intelligence element technology related to cyber attack prediction based on cyber incident analysis information
• Analysis of cyber incident according to change of time series for the analysis of diffusion trend of cyber incidents
• Study of prediction model of cyber attack through analysis of mass cyber incident trend
• A study on zombie PC detection technology based on e-mail analysis information based same attack estimation
• Cyber incident real-time monitoring tools such as structure/size/risk/extent of damage
• Analysis of cyber attack phase characteristics through time series analysis of cyber incidents and attack prediction core module

- Development of information sharing technology based on black box policy intervention
• Malicious pattern information delivery format and validation of information sharing protocol
• Development of system mutual authentication technology based on black box policy interlocking
• Development of policy interlock module test tool and establishment of field application plan

- Development of interoperability/integration analysis technology between cyber black box and external organization
• A study on format for cyber incident information/analysis result sharing according to attack type
• Study on interworking service model through the authority management of cyber black box or external organization
• Information sharing format based malicious information automatic interlocking tool(other system such as KrCERT)
• Development and demonstration of REST API based information transfer interface

< 3rd year >
o Development goals
- Development of prototype of 10G-level cyber black box and cyber incident analysis system
- Automatic collection of mass cyber incident information and prototype of intelligence/ information sharing system

o Development contents
- Advancement of network traffic collection and analysis technology through commercial environment verification result
• Stabilization of network traffic/session information collecting and processing module
• Improvement of the module that deduplicates network data
• Stabilization of the module that extract executable file and metadata from network
• Stabilization of network-based executable and metadata extraction modules

- Integrity protection of collected data and advancement of data managing technology
• Stabilization of integrity-protection data storage (Evidence-Lock) module based on virtual volumes
• Automatic deletion of collected data and improvement of management module

- Advancement of internal cause analysis tool based on cyber black box
• Improvement of cyber incident cause analysis and administrator-oriented Logical View configuration module
• Stabilization of cyber-attack cause analysis module by using attacking IP and malicious code
• Improvement of analytical support tool used by security administrators to analyze causes of cyber incidents

- Advancement of automatic collection of cyber incident information through commercial environment
• Enhancement of user-oriented system through commercial environment
• Enhancement and stabilization of cyber incident information collection system through commercial environment
• Development of additional information collection module based on similar information such as similar domain and malicious code string
• Development of data management module for continuous management of mass cyber incident information
• Analysis and improvement of the accuracy of the same cyber incident variant group
• Advancement of Malicious code similarity group classification technology and improvement of detection rate

- Advancement of cyber incident intelligence analysis technology using meta information
• Enhancement of intelligence analysis algorithm for cyber incident through sustainable operation of commercial environment
• Advancement of cyber incidents analysis technology through meta-information association analysis collected by external organizations
• Development of graph based cyber incidents correlation management technology
• Development of abnormality indication analysis/monitoring technology using cyber incident Intelligence analysis results

- Policy linkage and cyber black box commercialization through field verification
• Development of integrated GUI for sharing cyber incident prevention policy and demonstration of commercial environment
• Policy linkage of commercial product level and cyber black box enhancement
• Expanded linkage of external analysis system for commercialization
• Provide commercial level mutual authentication using equipment certificate issuing system
• Research on selection and automation of shared information according to organization and company characteristics

Results
o End Product
- Cyber Blackbox (HW, SW)
• (1st) Real-time collection and analysis of 2G network traffic/session, and mass data management
• (2nd) Evidence collection and preservation of 10G network on cyber blackbox
• (3rd) Advanced technology development, Troubleshooting, and Commercialization

- Cyber attack analysis/representation system (SW)
• (1st) Analysis of causes of internal cyber infringement based on cyber blackbox
• (2nd) Development of internal cyber infringement analyzer, and Manager-centric logical view
• (3rd) Enhancement of technologies, detection/analysis of major threats, and commercial environmental testing

1st year
· S/W WORM based Evidence Lock · Selecting data for evidence retention
2nd year
· 10G network traffic and session information collection/processing
· Virtual volume-based integrity guaranteed data storage
3rd year
· Commercial environmental testing for cyber blackbox · Development security products through commercialization

- Large-scale cyber attack detection/analysis system(SW)
• (1st) Automatically collecting related cyber infringement, and correlation analysis
• (2nd) Mass data warehouse based analysis for cyber infringement
• (3rd) Graph database based analysis for cyber infringement, and risk assessment for threat information

1st year
· Time-line based analysis of cyber infringement · Topology based analysis of cyber infringement

2nd year
· Target packet extraction and analysis in raw PCAP files
· Time based < Penetration→Diffusion→Occurence > Analysis

3rd year
· Group query macro for detection of malicious network traffic
· Commercialization of cyber blackbox based cause of internal cyber infringement analysis tools

1st year
· collection/management of mass incident information
· Grouping a majority of incident-related information automatically

- Cyber incidents intelligence/information sharing system(SW)
• (1st) Construction of sharing association for cyber threat intelligence with cyber blackbox and external communities
• (2nd) Integrated analysis and sharing cyber threat intelligence for response cyber infringement
• (3rd) Policy integration through verification of fields, and diffusion of information sharing

Expected Contribution
o Plan for utilizing R&D achievements
- Launch commercial products of development results through technology transfer to security product developers

• Development of new security products based on cyber blackbox traffic processing/evidence retention technology
※ Zentilion will release cyber black box technology and release zPR-1000 high-speed packet storage device, Future products such as zPR-2G, zPR-20G, zPR-ncloud and zNPB-security will be released

• Development of new security equipment using analyzer technology
※ Gentilion transferred the analysis technology of the cause of the cyber incident, and developed the analyzer of the attack cause analysis(NetCase)
- Promoting commercialization of security products in cooperation with participating organizations

• Enhancement of security product function to cope with new attack

※ Wins, R&D participating company, transferred the cyber black box and attack cause analysis technology, and applied it to the SNIPER product family

※ The R&D participating company, D-Platform, has transferred Cyber-Siren technology and will release an API service to provide cyber threat information
- Improvement and utilization of national policy through application and operation of KISA Cyber Incidents Response Center

• Proliferation of research results in connection with C-TAS sharing information with more than 130 agencies/companies
※ Perform different intelligence analysis and sharing results according to the classification of the organization(request) that will share the information

※ Through the C-TAS interworking, data on cyber incidents of 15.5 million were collected from October 2015 to December 2016

o Expected Effect
- 3.20, 6.25 Due to the frequent occurrence of cyber terrorism and incidents, demand for security management market increased, such as log management related to preservation of evidence and rapid analysis
※ The market for domestic security management products is expected to grow by an average of 3.7% per year starting from 2015, and the market size is expected to increase to about 561.4 billion won in 2019 (KISIA, 2015)
※ The size of the global information security market is estimated to be $ 81,389 million in 2016, with an annual average growth rate of 7.4%, which is expected to increase to $ 103,127 million by 2019 (KISIA, 2015)

- Cyber black box development can create new areas of security market that is saturated

- Supports active analysis by security administrator through development of various Cyber-attack analysis tools

- Cyber-attack In the early stage of the formation of the intelligent cyber security market, which is capable of analyzing the cause of traffic storages and analysis of attack traffic, it is possible to secure global competitiveness through securing source technology and launching solution products
※ (market leader) IBM's share is about 10% (competition without absolute strength)

- Preemption effect against explosion demand of related product market expected due to various Cyber-incidents

(출처 : SUMMARY 14p)

목차 Contents

• 표지 ... 1제출문 ... 2보고서 요약서 ... 3연구개발사업 주요 연구성과 ... 4국문 요약문 ... 5SUMMARY ... 14목차 ... 25Table of Contents ... 28제 1 장. 연구개발과제의 개요 ... 31 1-1. 연구개발 목적 ... 31 1-2. 연구개발의 필요성 ... 31 1-3. 연구개발 범위 ... 33제 2 장. 국내외 기술 개발 현황 ... 35 2-1. 국내․외 기술 현황 ... 35 (1) 국내 기술 동향 및 수준 ... 35 (2) 국외 기술 동향 및 수준 ... 45 2-2. 국내․외 시장 현황 ... 57 (1) 국내․외 시장 규모 및 수출․입 현황 ... 57 (2) 국내․외 주요 수요처 현황 ... 58 2-3. 국내․외 경쟁기관 현황 ... 59 (1) 본 기술/제품과 직접적 경쟁관계에 있는 국내․외 기관․기업 현황 ... 59 2-4. 국내․외 지식재산권 현황 ... 65 (1) 관련 기술/제품의 국내 지식재산권(특허 등) 현황 ... 65 (2) 관련 기술/제품의 국외 지식재산권(특허 등) 현황 ... 67 2-5. 국내 ․ 외 표준화 현황 ... 69 (1) 관련 기술/제품의 국내 표준화 현황 ... 69 (2) 관련 기술/제품의 국외 표준화 현황 ... 70제 3 장. 연구 수행 내용 및 성과 ... 72 3-1. 최종목표 및 평가방법 ... 72 (1) 최종목표 ... 72 (2) 평가방법 ... 74 3-2. 연차별 개발내용 및 개발범위 ... 80 (1) 1차년도 개발내용 및 범위 ... 80 (2) 2차년도 개발내용 및 범위 ... 84 (3) 3차년도 개발내용 및 범위 ... 88 3-3. 연구개발 수행 내용 ... 91 (1) 연구개발 수행 일정 ... 91 (2) 1차년도 연구개발 수행 실적 ... 94 (3) 2차년도 연구개발 수행 실적 ... 127 (4) 3차년도 연구개발 수행 실적 ... 162 (5) 연구개발 수행 성과 ... 187제 4 장. 목표 달성도 및 관련 분야 기여도 ... 197 4-1. 목표 달성도 ... 197 (1) 1차년도 성능목표 달성현황 ... 197 (2) 2차년도 성능목표 달성현황 ... 203 (3) 3차년도 성능목표 달성현황 ... 212 4-2. 관련 분야 기여도 ... 219 (1) 기술적 측면 ... 219 (2) 경제적․산업적 측면 ... 220 (3) 사회적 측면 ... 220제 5 장. 연구개발성과의 활용계획 ... 221 5-1. 상용화 추진계획 ... 221 (1) 사업화 노력 및 결과물의 상용화 추진 계획 ... 221제 6 장. 연구 과정에서 수집한 해외 과학기술 정보 ... 225 6-1. 해외(국내) 연구개발 동향 요약 ... 225 6-2. 해외(국내) 연구개발 상세 분석 ... 226 (1) 사례기반 추론기법을 적용한 침해사고 프로파일링 시스템(2013) ... 226 (2) 사이버 방어작전 프레임워크 기반의 공격그룹 분류 및 공격예측 기법(2014) ... 227 (3) Semantic-aware Detection of Targeted Attack: a Survey(2016) ... 228 (4) Machine-assisted Cyber Threat Analysis using Conceptual Knowledge Discovery(2015) ... 229 (5) Investing the Dark Cyberspace-Profiling, Threat-Based Analysis and Correlation(2012) ... 230 (6) AI2 : Training a big data machine to defend(2016) ... 231 (7) Deep Learning 기반 기계학습 알고리즘을 이용한 야구 경기 Big Data 분석(2015) ... 232 (8) Predicting Network Security Situation Based on a Combination Modelof Multiple Neural Networks(2014) ... 233제 7 장. 연구개발성과의 보안등급 ... 235제 8 장. 국가과학기술종합정보시스템에 등록한 연구시설·장비 현황 ... 236제 9 장. 연구개발과제 수행에 따른 연구실 등의 안전 조치 이행 실적 ... 237 9-1. 위험요소 분석 및 안전관리대책 이행 결과 ... 237 (1) 기술적 위험요소 분석 ... 237 (2) 안전관리대책 ... 237제 10 장. 연구개발과제의 대표적 연구 실적 ... 238제 11 장. 기타 사항 ... 239제 12 장. 참고 문헌 ... 240붙임1. 자체 보안관리 진단표 ... 242붙임2. 연구실 안전조치 이행표 ... 243끝페이지 ... 244