Multistep integrated security management system and method using intrusion detection log collection engine and traffic statistic generation engine

Information

  • Patent Application
  • Publication Number: 20070234425
  • Date Filed: June 15, 2006
  • Date Published: October 04, 2007
Abstract
A multistep integrated security management system and method using an intrusion detection log collection engine and a traffic statistic generation engine is disclosed. An intrusion detection log collection engine capable of collecting logs generated from diverse intrusion detection engines, together with a traffic statistic generation engine, collects, analyzes and transmits data to a control intermediate management server. The control intermediate management server performs more accurate intrusion detection by relationally analyzing the intrusion detection log information and the traffic statistic information. A control uppermost management server performs an integrated analysis on a large-scale group subject to control, and thus can support large-scale integrated security management efficiently.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the principle of the invention. In the drawings:

FIG. 1 is a view illustrating the entire construction of a system for real-time integrated security management according to an embodiment of the present invention;

FIG. 2 is a view illustrating the internal construction of an intrusion detection log collection engine according to an embodiment of the present invention;

FIG. 3 is a view illustrating the internal construction of a traffic statistic generation engine according to an embodiment of the present invention;

FIG. 4 is a flowchart illustrating a process performed by intrusion detection analysis units and traffic analysis units of a control intermediate management server and a control uppermost management server according to an embodiment of the present invention; and

FIG. 5 is a flowchart illustrating a process performed by relational analysis units of a control intermediate management server and a control uppermost management server according to an embodiment of the present invention.

Claims
  • 1. A multistep integrated security management system using an intrusion detection log collection engine and a traffic statistic generation engine, the system comprising: control agents provided for respective means that use independent networks, each being composed of the intrusion detection log collection engine for collecting intrusion detection logs and the traffic statistic generation engine for generating traffic statistics; and a management server for individually or relationally analyzing the intrusion detection logs and the traffic statistics transferred from the respective control agents, and integrally or relationally analyzing the intrusion detection log information and traffic statistic information that are the results of the individual or relational analysis.
  • 2. The system as claimed in claim 1, wherein the intrusion detection log collection engine comprises: an external interface unit for accessing an intrusion detection system in order to collect the intrusion detection logs; a form conversion unit for converting the collected intrusion detection logs into the form used in the corresponding system; a log reduction unit for reducing the contents of the logs collected in a predetermined period by kind of log; and a transmission unit for transmitting the reduced logs to the management server.
  • 3. The system as claimed in claim 2, wherein the traffic statistic generation engine comprises: a network interface for connecting to a network; a packet analysis unit for analyzing header information of packets collected from the network interface; a traffic information management unit for storing and managing the packet information analyzed over a predetermined time in a database or a memory, and deleting the information after its use is completed; a statistic information generation unit for generating statistic information on the packet information collected over a predetermined period; and a transmission unit for transmitting the statistic information generated for the predetermined period to the management server.
  • 4. The system as claimed in claim 3, wherein the statistic information includes the number of input/output packets, the number of input/output bytes, traffic statistics by port, traffic statistics by protocol, traffic statistics by size, traffic statistics by source IP, and traffic statistics by destination IP.
  • 5. The system as claimed in claim 3, wherein the management server comprises: a plurality of control intermediate management servers for individually or relationally analyzing the intrusion detection logs and the traffic statistics transferred from the respective control agents; and a control uppermost management server for integrally or relationally analyzing the intrusion detection log information and the traffic statistic information transferred from the plurality of control intermediate management servers.
  • 6. The system as claimed in claim 5, wherein the control intermediate management server comprises: an intrusion detection analysis unit for individually analyzing the intrusion detection information collected by the intrusion detection log collection engine of the respective control agent, notifying the result of analysis through a management console if the user is to be notified of the result, and notifying a relational analysis unit that a relational analysis is to be performed if one is required; a traffic analysis unit for individually analyzing the traffic statistic information collected by the traffic statistic generation engines, notifying the result of analysis through the management console if the user is to be notified of the result, and notifying the relational analysis unit that a relational analysis is to be performed if one is required; a relational analysis unit for performing, when so notified by the intrusion detection analysis unit or the traffic analysis unit, a relational analysis of the intrusion detection information and the traffic statistic information using the intrusion detection log information and the traffic statistic information; and a management console for providing diverse visualization of the user notification information and of the information generated by the intrusion detection analysis unit, the traffic analysis unit, and the relational analysis unit.
  • 7. The system as claimed in claim 5, wherein the control uppermost management server comprises: an intrusion detection analysis unit for individually analyzing the intrusion detection information transferred from the respective control intermediate management servers, notifying the result of analysis through an uppermost management console if the user is to be notified of the result, and notifying a relational analysis unit that a relational analysis is to be performed if one is required; a traffic analysis unit for individually analyzing the traffic statistic information transferred from the respective control intermediate management servers, notifying the result of analysis through the uppermost management console if the user is to be notified of the result, and notifying the relational analysis unit that a relational analysis is to be performed if one is required; a relational analysis unit for performing, when so notified by the intrusion detection analysis unit or the traffic analysis unit, a relational analysis of the intrusion detection information and the traffic statistic information using the intrusion detection log information and the traffic statistic information; the uppermost management console for providing diverse visualization of the user notification information and of the information generated by the intrusion detection analysis unit, the traffic analysis unit, and the relational analysis unit; and an extended interface for supporting a connection with an upper analysis system above the control uppermost management server.
  • 8. A multistep integrated security management method using an intrusion detection log collection engine and a traffic statistic generation engine, the method comprising the steps of: for each control agent, the intrusion detection log collection engine collecting intrusion detection logs and the traffic statistic generation engine collecting traffic statistics; transferring the intrusion detection logs and the traffic statistics to control intermediate management servers, the control intermediate management servers performing individual analysis, and performing relational analysis if the relational analysis is required; and transferring the intrusion detection log information and traffic statistic information that are the results of the analysis to a control uppermost management server, the control uppermost management server performing integrated analysis including individual analysis, and performing relational analysis if the relational analysis is required.
  • 9. The method as claimed in claim 8, wherein the control uppermost management server transfers the result of the process to another control management server, and that control management server processes the intrusion detection log information and the traffic statistic information.
  • 10. The method as claimed in claim 8, wherein the relational analysis is performed using either a method of performing the relational analysis using the traffic statistic information, including the log-related IP, for the corresponding period if the intrusion detection log statistics are found abnormal, or a method of performing the relational analysis using the intrusion detection log statistics for the corresponding period if the traffic statistics are found abnormal.
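The following Python sketch is an added illustration, not code from the application or its assignee. It models one control agent of claims 2 to 4 (form conversion of logs from two engines, log reduction by kind over a period, and the traffic statistics enumerated in claim 4) and then runs both directions of the relational analysis described in claim 10 at the intermediate server. The engine names, native log formats, size buckets, abnormality thresholds and all sample records are constructed for the example.

```python
from collections import Counter, namedtuple

# Common log form produced by the form conversion unit (hypothetical schema).
IdsLog = namedtuple("IdsLog", "ts kind src dst")
# Header fields the packet analysis unit is assumed to extract; inbound=True
# means the packet is entering the protected network.
Packet = namedtuple("Packet", "ts src dst proto dport size inbound")

# Constructed sample input: two hypothetical IDS engines with different native formats.
RAW_IDS_LOGS = [
    ("engine_a", "1700000010|portscan|10.0.0.5|10.0.0.20"),
    ("engine_a", "1700000020|portscan|10.0.0.5|10.0.0.21"),
    ("engine_b", {"ts": 1700000030, "sig": "portscan", "src": "10.0.0.5", "dst": "10.0.0.22"}),
    ("engine_b", {"ts": 1700000040, "sig": "sqli", "src": "10.0.0.9", "dst": "10.0.0.30"}),
]

# Constructed packet header records seen in the same collection period.
PACKETS = [
    Packet(1700000011, "10.0.0.5", "10.0.0.20", "tcp", 22, 60, True),
    Packet(1700000012, "10.0.0.5", "10.0.0.20", "tcp", 80, 60, True),
    Packet(1700000013, "10.0.0.5", "10.0.0.21", "tcp", 443, 60, True),
    Packet(1700000014, "10.0.0.5", "10.0.0.22", "tcp", 8080, 60, True),
    Packet(1700000015, "10.0.0.9", "10.0.0.30", "tcp", 80, 1200, True),
    Packet(1700000016, "10.0.0.30", "10.0.0.9", "tcp", 80, 1500, False),
    Packet(1700000017, "10.0.0.40", "8.8.8.8", "udp", 53, 80, False),
]

PERIOD = (1700000000, 1700000100)  # [start, end) of one collection period


def convert_form(engine, record):
    """Form conversion unit: map each engine's native record into IdsLog."""
    if engine == "engine_a":
        ts, kind, src, dst = record.split("|")
        return IdsLog(int(ts), kind, src, dst)
    if engine == "engine_b":
        return IdsLog(record["ts"], record["sig"], record["src"], record["dst"])
    raise ValueError(f"unknown engine {engine!r}")


def reduce_logs(logs, period):
    """Log reduction unit: per kind of log, count events in the period and keep the IPs involved."""
    lo, hi = period
    counts, related = Counter(), {}
    for log in logs:
        if lo <= log.ts < hi:
            counts[log.kind] += 1
            related.setdefault(log.kind, set()).update({log.src, log.dst})
    return {"counts": dict(counts), "related_ips": related}


def size_bucket(size):
    return "small" if size < 128 else "medium" if size < 1024 else "large"


def traffic_statistics(packets, period):
    """Statistic information generation unit: the statistics enumerated in claim 4."""
    lo, hi = period
    stats = {"in_packets": 0, "out_packets": 0, "in_bytes": 0, "out_bytes": 0,
             "by_port": Counter(), "by_proto": Counter(), "by_size": Counter(),
             "by_src": Counter(), "by_dst": Counter()}
    for p in packets:
        if not lo <= p.ts < hi:
            continue
        side = "in" if p.inbound else "out"
        stats[side + "_packets"] += 1
        stats[side + "_bytes"] += p.size
        for key, val in (("by_port", p.dport), ("by_proto", p.proto),
                         ("by_size", size_bucket(p.size)), ("by_src", p.src), ("by_dst", p.dst)):
            stats[key][val] += 1
    return stats


def relational_analysis(log_stats, traffic, log_threshold=3, src_threshold=3):
    """Relational analysis unit, both directions of claim 10. Thresholds are assumed."""
    findings = []
    # (a) IDS log statistics abnormal -> pull traffic statistics for the log-related IPs
    for kind, n in log_stats["counts"].items():
        if n >= log_threshold:
            ips = log_stats["related_ips"][kind]
            by_src = {ip: traffic["by_src"][ip] for ip in ips if traffic["by_src"][ip]}
            findings.append({"trigger": "ids", "kind": kind, "count": n, "traffic_by_src": by_src})
    # (b) traffic statistics abnormal -> pull IDS log statistics for the same period
    for ip, n in traffic["by_src"].items():
        if n >= src_threshold:
            kinds = sorted(k for k, ips in log_stats["related_ips"].items() if ip in ips)
            findings.append({"trigger": "traffic", "src": ip, "packets": n, "ids_kinds": kinds})
    return findings


def run_pipeline():
    """Control agent stage (collection, conversion, reduction, statistics), then the
    intermediate server's relational analysis over the same period."""
    logs = [convert_form(engine, rec) for engine, rec in RAW_IDS_LOGS]
    log_stats = reduce_logs(logs, PERIOD)
    traffic = traffic_statistics(PACKETS, PERIOD)
    return log_stats, traffic, relational_analysis(log_stats, traffic)


if __name__ == "__main__":
    for finding in run_pipeline()[2]:
        print(finding)
```

On the constructed data the log side trips first (three portscan logs in the period), and the analysis attaches the per-source packet counts for the IPs named in those logs; the traffic side independently flags the one source that exceeds the packet threshold and pulls back the log kinds that mention it, so the same host surfaces from both directions, which is the cross-check the claim is after.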
Priority Claims (1)

  Number      Date      Country   Kind
  2006-28232  Mar 2006  KR        national