As cyber security threats have increased in the online space in recent years, various methods for promptly sharing information on various kinds of security threats have been developed. The method most frequently used among them is sharing Indicator of Compromise (IoC) information, by which many security products promptly identify and block a threat.
The IoC information includes information used for performing a security function, such as IP address information, hostname information, URL information, hash information of a malicious code file, information on a Command and Control server (C&C server), and the like. Security companies use the IoC information to share security threat information or to promptly share countermeasure information, thereby enhancing the security of companies or public institutions.
In many cases, IoC information generated by a company is transformed into a file of a specific format (XML or JSON) and the file is transferred to another company, which processes the file into a usable form. Generally, information generated during a predetermined time period is collected through a batch process and shared through an FTP server or by e-mail once per period. Alternatively, the information is exchanged by a communication protocol mutually agreed upon among the companies. According to the general IoC information exchange method, the shared IoC information is stored in a server or in cloud storage so that a company receiving the IoC information may, if necessary, re-inquire about the IoC information through a re-inquiry interface to the server of the company that transferred the information.
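The receiving side's processing step, "processing the file into a usable information form", is shown below as an added example that is not part of the original document. It parses a constructed JSON IoC batch (the field names `indicators`, `type` and `value` are a hypothetical layout, not a standard schema) into normalised lookup sets for each indicator kind the text lists (IP, hostname, URL, file hash, C&C server), rejects malformed entries instead of letting them poison the table, and then matches sample security events against the result:

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample of a batch IoC file in JSON form. The layout
# ("indicators" list of {"type", "value"}) is a hypothetical one chosen
# for this example; the deliberately bad "not-an-ip" entry exercises the
# rejection path.
SAMPLE_IOC_JSON = """
{
  "generated": "2024-01-01T00:00:00Z",
  "indicators": [
    {"type": "ip",       "value": "198.51.100.23"},
    {"type": "ip",       "value": "not-an-ip"},
    {"type": "hostname", "value": "Malicious.Example.NET"},
    {"type": "url",      "value": "http://evil.example.org/payload.bin"},
    {"type": "hash",     "value": "44D88612FEA8A8F36DE82E1278ABB02F"},
    {"type": "c2",       "value": "203.0.113.9:4444"}
  ]
}
"""

HEX_DIGITS = set("0123456789abcdef")


def parse_ioc_file(text):
    """Parse a JSON IoC batch into normalised sets keyed by indicator type.

    Returns (table, rejected_count). Malformed entries are counted and
    skipped: an unparseable IP would never match anything, and a hash in
    mixed case would produce silent misses, so both are normalised or
    dropped here rather than stored as-is.
    """
    doc = json.loads(text)
    table = {"ip": set(), "hostname": set(), "url": set(), "hash": set(), "c2": set()}
    rejected = 0
    for ind in doc.get("indicators", []):
        kind = ind.get("type")
        raw = str(ind.get("value", "")).strip()
        try:
            if kind == "ip":
                table["ip"].add(str(ipaddress.ip_address(raw)))
            elif kind == "hostname":
                table["hostname"].add(raw.lower().rstrip("."))
            elif kind == "url":
                parts = urlsplit(raw)
                if parts.scheme not in ("http", "https") or not parts.hostname:
                    raise ValueError("bad url")
                table["url"].add(raw)
                # A URL indicator also implies its host name.
                table["hostname"].add(parts.hostname.lower())
            elif kind == "hash":
                h = raw.lower()  # MD5 / SHA-1 / SHA-256 lengths only
                if len(h) not in (32, 40, 64) or not set(h) <= HEX_DIGITS:
                    raise ValueError("bad hash")
                table["hash"].add(h)
            elif kind == "c2":
                host, _, port = raw.rpartition(":")
                ipaddress.ip_address(host)
                if not 0 < int(port) < 65536:
                    raise ValueError("bad port")
                table["c2"].add((host, int(port)))
                # A C&C address is also a plain IP indicator.
                table["ip"].add(host)
            else:
                raise ValueError("unknown indicator type")
        except ValueError:
            rejected += 1
    return table, rejected


def match_event(table, event):
    """Return the set of IoC types that an observed event matches.

    `event` is a dict with any of: src_ip, dst_ip, dst_port, host, url,
    file_hash (field names are this example's own convention).
    """
    hits = set()
    if table["ip"] & {event.get("src_ip"), event.get("dst_ip")}:
        hits.add("ip")
    host = (event.get("host") or "").lower().rstrip(".")
    if host in table["hostname"]:
        hits.add("hostname")
    if event.get("url") in table["url"]:
        hits.add("url")
    if (event.get("file_hash") or "").lower() in table["hash"]:
        hits.add("hash")
    if (event.get("dst_ip"), event.get("dst_port")) in table["c2"]:
        hits.add("c2")
    return hits


if __name__ == "__main__":
    table, rejected = parse_ioc_file(SAMPLE_IOC_JSON)
    print("rejected entries:", rejected)
    print(match_event(table, {"dst_ip": "203.0.113.9", "dst_port": 4444}))
```

Normalising at load time (lower-casing hostnames and hashes, canonicalising IP strings, splitting the C&C address into host and port) is what makes the later set lookups exact; doing the same work per event instead would repeat it for every query the security equipment issues.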
According to such a conventional technique, the communication span for exchanging the IoC information, i.e., the distance to the security equipment or security software that performs the security function, is long; the physical resources required increase; and transmitting and receiving the IoC information takes a long time.
An on-demand method of inquiring about information when needed, as opposed to the batch process, is disadvantageous in that the server or the communication circuit providing the information is heavily loaded, since the security equipment or software performing the security function sends too many requests for the information that should be identified.
A communication method of inquiring about IoC information according to the conventional technique is generally shown in FIG. 3. In order to send an inquiry to an IoC information providing server 300 and receive IoC information therefrom, a user terminal 250 goes through a connection process including at least three steps: a TCP connection step, an SSL/TLS handshake step that establishes the encryption applied to the HTTP data, and an HTTP connection step in which the request is sent over the encrypted channel. Each of these steps costs round trips before the first byte of IoC data is returned. In such a connection process, if the amount of data to be inquired about increases with the number of users, i.e., if the number of queries increases, the server resources may not be able to manage the load, and the data inquiry may not be performed smoothly; solving the problem then requires a great deal of cost, since the server resources have to be increased.
It is important to share security threat information promptly in order to respond promptly to cyber security threats. Further, a great deal of damage may occur if the increasing number of users and the increasing load are handled inappropriately.