

Journal of Information Science and Engineering, Vol. 22 No. 4, pp. 889-907


Threat Evaluation Method for Distributed Network Environment


KEUN-HEE HAN, IL-GON KIM, KANG-WON LEE, JIN-YOUNG CHOI+ AND SANG-HUN JEON*

+Department of Computer Science and Engineering, Korea University
Seoul, 136-701 Korea
*NHN Corporation, IT Security Team
Kyunggido, 463-844 Korea


This paper proposes a new algorithm for correlating alerts so as to provide accurate information about the detection of various types of security attacks, such as DDoS. It also makes it possible to evaluate the attack status and the degree of danger from the viewpoint of the managed network environment and of the assets protected by the security devices. The paper presents an advanced ESM system (referred to as the “SIA System”) that is capable of grouping a large number of alert messages, analyzing mixed attacks by correlating the alert messages from each sensor, and responding to security threats quickly after classifying them into one of four statuses. It was confirmed that this implementation could identify and analyze all types of intrusion by attackers in a managed network. It therefore provides a very effective means for security experts to cope with security threats in real time.


Keywords: ESM (enterprise security management), Meta-IDS, SIM (security information management), SIA (security information alert), status evaluation logic
