1. Technical Field
The present disclosure relates generally to an indexing apparatus and method for the search of security monitoring data, and, more particularly, to an indexing apparatus and method that enable the efficient search of a massive amount of security monitoring data that is generated by the performance of network security monitoring.
2. Description of the Related Art
In general, in commercialized security monitoring systems, a massive amount of event, log and other information, generated by multiple heterogeneous pieces of security equipment, is stored and managed in a database management system (DBMS). However, because security monitoring tasks collect and search a massive amount of security monitoring data in real time, using a DBMS takes an excessively long time: all stored data must be scanned sequentially against the search conditions for the monitoring information.
In other words, existing security monitoring data is stored and searched using a DBMS. However, this conventional method is problematic in that search performance degrades in proportion to the accumulation of data: the real-time storage of a massive amount of data delays each search, and the range of data that each search must cover keeps growing. Furthermore, when searches are performed using specific elements of the security monitoring data, this method returns only the matches obtained by simple comparison against the massive DB content, which limits its performance for security monitoring systems.
As a related preceding technology, Korean Patent Application Publication No. 10-2010-0027836 entitled “Method and System of Advanced Web Log Preprocess Algorithm for Rule Based Web IDS System” discloses a technology that provides the function of performing the efficient search of web log information and performs preprocessing in order to increase the efficiency of rule-based attack detection performed on a massive amount of log information generated by a web server, thereby improving the attack detection performance of a web IDS system.
The technology disclosed in Korean Patent Application Publication No. 10-2010-0027836 uses a method of preprocessing web logs configured in a specific format in order to support the attack detection of the rule-based IDS system. In the preprocessing, a duplicated character string index table is established by dividing log files into field units, and an attack is detected using this table.
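To make the contrast between the sequential DBMS scan described above and a field-unit index table concrete, the following Python illustration is added here; it is not code from the present disclosure or from the cited application, and the record format, field names, sample records and function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of security monitoring records (not real data):
# one line per event, "timestamp|device|src_ip|event", as a heterogeneous
# set of security equipment might export it.
SAMPLE_LOG = """\
2024-01-01T10:00:00|fw01|10.0.0.5|deny
2024-01-01T10:00:01|ids02|10.0.0.7|alert
2024-01-01T10:00:02|fw01|10.0.0.5|allow
2024-01-01T10:00:03|fw03|10.0.0.9|deny
2024-01-01T10:00:04|ids02|10.0.0.5|alert
"""
FIELDS = ("timestamp", "device", "src_ip", "event")

def parse_records(text):
    """Divide each log line into field units (the preprocessing step)."""
    return [dict(zip(FIELDS, line.split("|")))
            for line in text.splitlines() if line]

def build_field_index(records):
    """Index table keyed by (field, value) -> list of record ids.

    A character string that is duplicated across many records is stored
    once as a key, and the records containing it are found by direct lookup
    instead of by comparing every stored record."""
    index = defaultdict(list)
    for rid, rec in enumerate(records):
        for field in FIELDS[1:]:   # timestamp is unique per record; not indexed
            index[(field, rec[field])].append(rid)
    return index

def indexed_search(index, conditions):
    """AND of search conditions: intersect posting lists, smallest first."""
    postings = [set(index.get(cond, ())) for cond in conditions]
    if not postings:
        return []
    postings.sort(key=len)
    return sorted(set.intersection(*postings))

def sequential_search(records, conditions):
    """Reference path: scan every record and test every condition (DBMS-style)."""
    return [rid for rid, rec in enumerate(records)
            if all(rec[field] == value for field, value in conditions)]
```

Both search functions return the same record ids; the indexed path touches only the posting lists of the requested values, while the sequential path grows with the total number of stored records.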