System and method for tracking malware route and behavior for defending against cyberattacks
First Claim
1. A system for tracking a malware route and behavior in order to defend against cyberattacks, comprising:
- multiple hosts in which first event data concerning object behavior are collected and pieces of host-based event information are created using the first event data;
- a tracking information database server for storing the pieces of host-based event information therein; and
- a tracking information analysis server for creating behavior events by defining malware behavior from the pieces of host-based event information, for searching the pieces of host-based event information and the behavior events for a target to be analyzed based on a preset input value, for creating first tracking contexts, through which the malware behavior is capable of being identified, by analyzing a relationship between the pieces of host-based event information and a relationship between a set of the pieces of host-based event information and a set of the behavior events, which correspond to the target to be analyzed, and for creating second tracking contexts, through which a malware route and behavior events between the multiple hosts are capable of being tracked, by analyzing a correlation between the first tracking contexts,
wherein the first tracking contexts are tracking contexts inside at least one of the multiple hosts, and the second tracking contexts are tracking contexts between the multiple hosts.
Abstract
An attack tracking system includes multiple hosts in which first event data concerning object behavior are collected and pieces of host-based event information are created therefrom; a tracking information database server storing the pieces of host-based event information; a tracking information analysis server creating behavior events by defining malware behavior from the pieces of host-based event information, retrieving targets to be analyzed from the pieces of host-based event information and the behavior events based on a preset input value, creating first tracking contexts for identifying the malware behavior by analyzing the relationship between the pieces of host-based event information and the relationship between a set of the pieces of host-based event information and a set of the behavior events, and creating second tracking contexts tracking malware routes and behavior events between the multiple hosts by analyzing the correlation between the first tracking contexts.
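The pipeline the abstract describes, as an added illustration that is not code from the patent: constructed host events from two hosts become behavior events, a preset input value (here a behavior name) selects the target, first tracking contexts follow the target's process lineage inside one host, and second tracking contexts correlate those per-host contexts into a route between hosts. Host names, event fields and behavior definitions are all assumptions.

```python
# Constructed sample host-based event information from hosts H1 and H2 (assumed schema).
EVENTS = [
    {"host": "H1", "ts": 1, "type": "proc_create", "proc": "outlook.exe", "obj": "winword.exe"},
    {"host": "H1", "ts": 2, "type": "proc_create", "proc": "winword.exe", "obj": "dropper.exe"},
    {"host": "H1", "ts": 3, "type": "file_write", "proc": "dropper.exe", "obj": r"\\H2\admin$\dropper.exe"},
    {"host": "H1", "ts": 4, "type": "net_connect", "proc": "dropper.exe", "obj": "H2"},
    {"host": "H2", "ts": 5, "type": "proc_create", "proc": "services.exe", "obj": "dropper.exe"},
    {"host": "H2", "ts": 6, "type": "file_write", "proc": "dropper.exe", "obj": r"C:\temp\x.dat"},
    {"host": "H2", "ts": 7, "type": "net_connect", "proc": "dropper.exe", "obj": "H3"},
]

# Behavior events: malware behavior defined as predicates over single host events (assumed rules).
BEHAVIORS = {
    "office_spawns_exe": lambda e: e["type"] == "proc_create"
    and e["proc"] == "winword.exe" and e["obj"].endswith(".exe"),
    "drop_to_remote_share": lambda e: e["type"] == "file_write" and e["obj"].startswith("\\\\"),
}

def behavior_events(events):
    """Tag each host event with every behavior definition it satisfies."""
    return [(name, e) for e in events for name, pred in BEHAVIORS.items() if pred(e)]

def find_targets(events, input_value):
    """Search host events and behavior events: the preset input value is a behavior
    name, and the object each matching event produced becomes a target to analyze."""
    return sorted({e["obj"].rsplit("\\", 1)[-1] for n, e in behavior_events(events) if n == input_value})

def first_tracking_context(events, host, target):
    """Intra-host context: creation of `target` plus everything its lineage then does on `host`."""
    procs, ctx = {target}, []
    for e in sorted((e for e in events if e["host"] == host), key=lambda e: e["ts"]):
        if e["proc"] in procs or (e["type"] == "proc_create" and e["obj"] in procs):
            ctx.append(e)
            if e["type"] == "proc_create":
                procs.add(e["obj"])  # child processes join the tracked lineage
    return ctx

def second_tracking_context(events, target):
    """Inter-host context: edge A -> B when A's context copies `target` to B or connects
    to B before B's own context for `target` begins."""
    hosts = sorted({e["host"] for e in events})
    ctxs = {h: first_tracking_context(events, h, target) for h in hosts}
    route = []
    for a in hosts:
        for b in hosts:
            if a == b or not ctxs[b]:
                continue  # no context on b: nothing collected there to correlate with
            for e in ctxs[a]:
                reaches_b = (e["type"] == "net_connect" and e["obj"] == b) or (
                    e["type"] == "file_write" and e["obj"].startswith(f"\\\\{b}\\")
                    and e["obj"].endswith(target))
                if reaches_b and e["ts"] < ctxs[b][0]["ts"]:
                    route.append((a, b, e["ts"]))
                    break
    return route
```

Note that H2's connection to H3 yields no edge because no events were collected from H3, which is the gap an uncovered host leaves in the route.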
14 Claims
14. A method for tracking a malware route and behavior in order to defend against cyberattacks, comprising:
- collecting, by multiple hosts, first event data concerning object behavior and creating, by the multiple hosts, pieces of host-based event information using the first event data;
- storing, by the multiple hosts, the pieces of host-based event information in a tracking information database server;
- creating, by a tracking information analysis server, behavior events by defining malware behavior from the pieces of host-based event information;
- retrieving, by the tracking information analysis server, a target to be analyzed from the pieces of host-based event information and the behavior events based on a preset input value;
- creating, by the tracking information analysis server, first tracking contexts, through which the malware behavior is capable of being identified, by analyzing a relationship between the pieces of the host-based event information and a relationship between a set of the pieces of the host-based event information and a set of the behavior events; and
- creating, by the tracking information analysis server, second tracking contexts, through which a malware route and behavior events between the multiple hosts are capable of being tracked, by analyzing a correlation between the first tracking contexts,
wherein the first tracking contexts are tracking contexts inside at least one of the multiple hosts, and the second tracking contexts are tracking contexts between the multiple hosts.