Detailed Information


A Study on User-Behavior-Based Threat Detection Using the System Event Logs of an Endpoint Security Solution

Other Titles
A Study on Threat Detection based on User Behavior Model Using System Event Logs of Endpoint Security Solution
Authors
유초롱; 강필성 (Kang, Pil sung)
Issue Date
2020
Publisher
대한산업공학회 (Korean Institute of Industrial Engineers)
Keywords
Threat Detection; Endpoint Security; System Event Logs; User Behavior Model; t-SNE; Classification
Citation
Journal of the Korean Institute of Industrial Engineers (대한산업공학회지), v.46, no.6, pp.637-649
Indexed
KCI
Journal Title
Journal of the Korean Institute of Industrial Engineers (대한산업공학회지)
Volume
46
Number
6
Start Page
637
End Page
649
URI
https://scholar.korea.ac.kr/handle/2021.sw.korea/130868
DOI
10.7232/JKIIE.2020.46.6.637
ISSN
1225-0988
Abstract
This study develops a threat detection method based on user behavior modeling using the system event logs of an endpoint security solution. Endpoint-based monitoring and response approaches have recently drawn attention because they can identify and respond to sophisticated attacks such as zero-day attacks more promptly and flexibly than signature-based approaches. In this paper, we build a behavior model for each user from the system event logs generated by the solution installed on personal computers. To do so, we apply the Doc2Vec algorithm to transform event log sequences into numerical vectors, and then run an experiment to verify that each user's behavior pattern can be recovered from the vectorized log sequences. The experimental results show not only that users can be classified from their event log sequences but also that changes in a user's behavior over time can be detected. We expect that the proposed scheme can surface possible external or internal threats by identifying activity that deviates from a user's normal behavior pattern. Received March 18, 2020; revised version received June 2, 2020; accepted July 30, 2020.
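The pipeline the abstract describes, as an added example that is not code from the paper: per-user windows of endpoint events are embedded, each user's centroid serves as the behavior model, and a new window is classified to the nearest user and scored for drift from the claimed user's own baseline. The paper embeds sequences with Doc2Vec; this example substitutes an L2-normalised bag of events plus adjacent-event bigrams so it runs without gensim. Every user name, event token, window, the drift margin and the alert rule below are constructed assumptions, not data or thresholds from the paper.

```python
"""
User-behaviour model over endpoint system-event log windows.

Added example, not code from the paper. The paper embeds log sequences with
Doc2Vec; an L2-normalised bag of events plus adjacent-event bigrams stands in
here so the script runs without gensim. Users, events and windows are all
constructed samples, not real agent telemetry.
"""
import math
from collections import Counter, defaultdict

# Constructed training windows: per user, the ordered "type:object" events an
# endpoint agent recorded in several sessions. Tokens are simplified.
TRAINING = {
    "alice": [  # office user: mail, documents, intranet browsing
        ["logon:console", "proc:outlook.exe", "net:443:mail.corp",
         "proc:winword.exe", "file:read:docx", "file:write:docx", "logoff"],
        ["logon:console", "proc:outlook.exe", "net:443:mail.corp",
         "proc:excel.exe", "file:read:xlsx", "proc:chrome.exe",
         "net:443:intranet", "logoff"],
        ["logon:console", "proc:chrome.exe", "net:443:intranet",
         "proc:winword.exe", "file:read:docx", "proc:outlook.exe",
         "net:443:mail.corp", "logoff"],
    ],
    "bob": [  # developer: ssh, git, compiler, debugger
        ["logon:ssh", "proc:bash", "proc:git", "net:22:git.corp", "proc:gcc",
         "file:write:elf", "proc:gdb", "logoff"],
        ["logon:ssh", "proc:bash", "proc:vim", "file:write:c", "proc:gcc",
         "file:write:elf", "proc:git", "net:22:git.corp", "logoff"],
        ["logon:ssh", "proc:bash", "proc:git", "net:22:git.corp", "proc:vim",
         "file:write:c", "proc:make", "proc:gcc", "logoff"],
    ],
}

# Two constructed windows, both recorded under alice's account.
NORMAL_WINDOW = ["logon:console", "proc:outlook.exe", "net:443:mail.corp",
                 "proc:chrome.exe", "net:443:intranet", "proc:winword.exe",
                 "file:read:docx", "logoff"]
# Same account, but developer tooling alice has never used: the kind of
# deviation from a user's own baseline the paper proposes to flag.
ANOMALOUS_WINDOW = ["logon:console", "proc:bash", "proc:git",
                    "net:22:git.corp", "proc:gcc", "file:write:elf",
                    "proc:gdb", "logoff"]


def embed(window):
    """Sequence -> sparse unit vector of events and adjacent-event bigrams.
    The bigrams retain some ordering, which is why sequences are modelled
    rather than plain event counts."""
    feats = Counter(window)
    feats.update(f"{a}>{b}" for a, b in zip(window, window[1:]))
    norm = math.sqrt(sum(c * c for c in feats.values()))
    return {k: v / norm for k, v in feats.items()}


def cosine(u, v):
    dot = sum(w * v.get(k, 0.0) for k, w in u.items())
    nu = math.sqrt(sum(w * w for w in u.values()))
    nv = math.sqrt(sum(w * w for w in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0


def build_profiles(training):
    """Behaviour model: per-user mean of that user's window vectors."""
    profiles = {}
    for user, windows in training.items():
        acc = defaultdict(float)
        for w in windows:
            for k, val in embed(w).items():
                acc[k] += val / len(windows)
        profiles[user] = dict(acc)
    return profiles


def classify(window, profiles):
    """Nearest-centroid user classification of one window."""
    vec = embed(window)
    return max(profiles, key=lambda u: cosine(vec, profiles[u]))


def drift(window, user, profiles):
    """How far a window sits from the claimed user's baseline (0 = typical)."""
    return 1.0 - cosine(embed(window), profiles[user])


def calibrate(training, profiles):
    """Largest drift each user's own training windows show: the alert floor."""
    return {u: max(drift(w, u, profiles) for w in ws)
            for u, ws in training.items()}


def check(window, claimed_user, profiles, floors, margin=0.15):
    """Return (predicted_user, drift, alert). Alert when the nearest profile is
    someone else's or the drift exceeds the claimed user's floor plus margin."""
    pred = classify(window, profiles)
    d = drift(window, claimed_user, profiles)
    return pred, d, (pred != claimed_user or d > floors[claimed_user] + margin)


if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    floors = calibrate(TRAINING, profiles)
    for label, w in (("typical", NORMAL_WINDOW), ("anomalous", ANOMALOUS_WINDOW)):
        pred, d, alert = check(w, "alice", profiles, floors)
        print(f"{label:9s} predicted={pred} drift={d:.2f} alert={alert}")
```

Two practical points the abstract leaves implicit: the alert floor is calibrated from each user's own historical windows rather than set globally, since users differ in how regular their sessions are, and a window is judged both against the claimed account's baseline and against every other user's profile, so an account whose activity now looks like a different role's is flagged even before its drift crosses the floor.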
Files in This Item
There are no files associated with this item.
Appears in
Collections
College of Engineering > School of Industrial and Management Engineering > 1. Journal Articles


Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.

Related Researcher

Kang, Pil sung
College of Engineering (School of Industrial and Management Engineering)
