Although various studies, both domestic and international, have aimed to improve the efficiency of detecting and analyzing large volumes of security events, most of them focused on identifying cyber threat trends, or on indirect approaches (statistical analysis, visualization, etc.) that reduce the number of security events to be analyzed using only the basic attributes of an event (IP address, port, protocol, event name, etc.). As a result, these approaches could not determine whether a given security event corresponds to an actual hacking attack, so additional analysis was still required during security control operations.
Previous studies have mainly applied data mining and machine learning techniques to the automatic verification of mass security events. This approach, however, has the fundamental problem of low accuracy. Because detection accuracy and analysis accuracy are critical when dealing with cyber hacking attacks, these techniques are difficult to apply in practice at a cyber security center.
Currently, large numbers of security events are generated as persistent cyber threat attempts increase. In the domestic security control system, security events generated by detection rule-based security equipment (IDS/IPS, TMS, etc.) are handled through the manual analysis and experience of security control personnel. Moreover, when security control results are derived, analysis tends to be skewed toward specific event types.
Currently, the government-led centralized security control system shares detection patterns for detecting cyber hacking attacks and focuses on building an international, unified hacking incident cooperation system that promptly detects and responds to attacks based on those patterns. However, the pattern-based security control system has the critical problem shown in the drawing. The number of security events generated by detection patterns is increasing explosively and continuously with the rapidly growing cyber threat, and it is realistically impossible for security control personnel to analyze every security event to determine whether it corresponds to an actual attack. For example, since security personnel would have to analyze hundreds or even thousands of security events per minute, the immediacy and accuracy of security control are degraded. In addition, because current security control work depends entirely on the expertise and experience of security personnel, a work bias may arise in which analysis concentrates on specific security events only. Consequently, the capability to respond to new, unknown hacking techniques is lacking.
In legacy detection pattern-based security control, because control is performed on the basis of detection patterns, new or mutated attacks that bypass the patterns are increasing, and a known attack for which no detection pattern exists cannot be handled. Moreover, when security control is performed on text-based output, the detection and analysis workload grows with the rapid increase of cyber threats, and it is difficult to intuitively recognize a mass cyber-attack. Furthermore, when security control is performed by humans, too much time may be spent analyzing only frequently appearing cyber threats and previously seen cyber-attacks, so service quality may vary with the analysis skill of the individual analyst.
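The following is an added illustration, not part of the original text, of the "indirect approach" described in the first paragraph and of the event-volume problem described in the fourth: it aggregates rule-based IDS events by their basic attributes (event name, source IP, destination port) to shrink the number of items an analyst must look at, and it also shows why this does not settle whether any of them is an actual attack. The log lines and signature names are constructed sample data, and the field layout is an assumption for this example rather than any specific equipment's format.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample of rule-based IDS events (not real data).
# Assumed field layout: timestamp src_ip dst_ip dst_port protocol event_name
SAMPLE_EVENTS = """\
2024-01-01T10:00:01 198.51.100.7 192.0.2.10 80 TCP WEB_SQL_INJECTION_ATTEMPT
2024-01-01T10:00:02 198.51.100.7 192.0.2.10 80 TCP WEB_SQL_INJECTION_ATTEMPT
2024-01-01T10:00:02 203.0.113.9 192.0.2.20 22 TCP SSH_BRUTE_FORCE
2024-01-01T10:00:03 198.51.100.7 192.0.2.10 80 TCP WEB_SQL_INJECTION_ATTEMPT
2024-01-01T10:00:03 203.0.113.9 192.0.2.10 80 TCP WEB_SQL_INJECTION_ATTEMPT
2024-01-01T10:00:04 203.0.113.9 192.0.2.20 22 TCP SSH_BRUTE_FORCE
2024-01-01T10:00:04 198.51.100.7 192.0.2.30 53 UDP DNS_ZONE_TRANSFER
2024-01-01T10:00:05 198.51.100.7 192.0.2.10 80 TCP WEB_SQL_INJECTION_ATTEMPT
2024-01-01T10:00:05 203.0.113.9 192.0.2.20 22 TCP SSH_BRUTE_FORCE
2024-01-01T10:00:06 192.0.2.5 192.0.2.20 445 TCP SMB_SUSPICIOUS_ACCESS
2024-01-01T10:00:06 203.0.113.9 192.0.2.10 80 TCP WEB_SQL_INJECTION_ATTEMPT
2024-01-01T10:00:07 198.51.100.7 192.0.2.10 80 TCP WEB_SQL_INJECTION_ATTEMPT
"""


@dataclass(frozen=True)
class Event:
    ts: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    name: str


def parse_events(text):
    """Parse whitespace-separated event lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, port, proto, name = parts
        events.append(Event(ts, src, dst, int(port), proto, name))
    return events


def aggregate(events):
    """Group events by (event_name, src_ip, dst_port) and count each group.

    This is the basic-attribute reduction the text refers to: it only uses
    fields already present in the alert, never packet content or context.
    """
    return Counter((e.name, e.src_ip, e.dst_port) for e in events)


def triage_summary(events):
    """Summarise how much the aggregation reduces the analyst's workload.

    The ranking is by volume only. A group with a single event may still be
    the only real intrusion, and the largest group may be entirely false
    positives; that question is exactly what the aggregation cannot answer.
    """
    groups = aggregate(events)
    ranked = groups.most_common()
    top_count = ranked[0][1] if ranked else 0
    return {
        "raw_events": len(events),
        "groups": len(groups),
        "reduction_pct": round(100 * (1 - len(groups) / len(events)), 1),
        "top_share_pct": round(100 * top_count / len(events), 1),
        "ranked": ranked,
    }


if __name__ == "__main__":
    summary = triage_summary(parse_events(SAMPLE_EVENTS))
    print(f"{summary['raw_events']} events -> {summary['groups']} groups "
          f"({summary['reduction_pct']}% fewer items to review)")
    for (name, src, port), n in summary["ranked"]:
        print(f"{n:3d}  {name:<28} {src:<14} :{port}")
```

On the constructed sample, twelve alerts collapse to five groups, and the single most frequent group accounts for over 40% of the raw volume. That is the double edge the text describes: grouping makes the queue manageable, but a volume-ranked queue steers attention toward the frequent, familiar signature and gives no evidence about whether the one-off SMB or DNS event is the real incident.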