1. Technical Field
Example embodiments of the present invention relate to cyber security technology and, more specifically, to a device and method for detecting a cyber attack by analyzing events generated in a user terminal according to the behavior of a user of a web service.
2. Related Art
With the development of network technology, users can freely use various services such as reservations, banking, product ordering, and payment on the Internet using a variety of information and communication devices. However, as the influence of the Internet on modern society grows, the damage caused by cyber attacks is also increasing.
The recent cyber attack that intruded into the computer systems of Nonghyup and disrupted its operations was an advanced persistent threat (APT) attack. An APT attack uses a new attack method in which social engineering techniques that exploit the curiosity of the targeted users are used to infect the targets' systems with malicious code, after which the attacker's access rights are gradually escalated until security is compromised.
In general, an APT attack targets the main information facilities of governments or companies and attempts to steal information that should be kept secure, such as industrial secrets, military secrets, and customer information.
In this way, recent cyber attacks have been carried out by organized hacker groups that precisely and deliberately compromise specific targets, hijack company information, invade control systems, and threaten national security.
In order to respond to increasingly sophisticated cyber attacks of this type, governments and companies apply attack detection and intrusion detection technology that detects cyber attacks from hackers and blocks access identified as an attack, in order to improve the security of their systems.
For example, as security technology for blocking unauthorized intrusion, a firewall is positioned between networks and physically separates them. However, the flow of network traffic must be interrupted so that it can be inspected for cyber attacks, which may reduce throughput, and it is difficult to detect an attack from hackers who use an Internet protocol (IP) address from which access is allowed.
Also, security technology that detects cyber threats in advance based on system vulnerability information and network traffic analysis can respond to predictable cyber attacks through security policy settings, but it remains exposed to attacks that were not predicted.
In particular, cyber attacks performed by a plurality of systems infected with malicious code, that is, zombie PCs, are difficult to recognize in advance. Therefore, technology is needed for detecting an attack when abnormal access is disguised as a normal event by a user for whom access is allowed.