Journal of Korean Society for Internet Information (한국인터넷정보학회 논문지)
Korean Title (translated): RDP-based lateral movement detection using PageRank features and an explainable system using SHAP (original: PageRank 특징을 활용한 RDP기반 내부전파경로 탐지 및 SHAP를 이용한 설명가능한 시스템)
English Title: RDP-based Lateral Movement Detection using PageRank and Interpretable System using SHAP
Authors: Jiyoung Yun (윤지영), Dong-Wook Kim (김동욱), Gun-Yoon Shin (신건윤), Sang-Soo Kim (김상수), Myung-Mook Han (한명묵)
Citation: Vol. 22, No. 04, pp. 0001-0011 (Aug. 2021)
Korean Abstract (translated): As the Internet has developed, diverse and complex cyber attacks have begun to appear. To defend against them, detection systems of various kinds have been deployed outside the network, but systems and research for detecting attackers on the inside are remarkably rare, and attackers who had already got inside went undetected, which caused serious problems. To solve this, research on lateral movement detection systems, which track and detect the attacker's movements, began to appear. Among these, in particular, the approach of extracting features from the Remote Desktop Protocol (RDP) for detection is simple yet has shown very good results. Nevertheless, previous studies did not consider the influence and relationships of the logged-on nodes themselves, and the proposed features also yielded degraded results in some models. There was also the problem that they could not explain why a given decision was made. This ultimately leads to problems with the model's reliability and robustness. To solve these problems, this study proposes an RDP-based lateral movement detection system using PageRank features together with an explainable system using SHAP. Using the PageRank algorithm and several statistical techniques, we generate features that can be used across multiple models, and we use SHAP to provide explanations for the model's predictions. In this study, we generated features that show higher performance than previous work in most models, and we demonstrated this effectively using SHAP.
English Abstract: As the Internet developed, diverse and complex cyber attacks began to emerge. Various detection systems were deployed at the network perimeter to defend against attacks, but systems and studies for detecting attackers already inside the network were remarkably rare, and failing to detect such attackers caused serious problems. To address this, studies on lateral movement detection systems that track and detect an attacker's movements have begun to appear. In particular, the method that extracts features from the Remote Desktop Protocol (RDP) is simple but shows very good results. Nevertheless, previous studies did not consider the influence and relationships of the logged-on hosts themselves, and the features they proposed gave very low results in some models. There was also the problem that the model could not explain why it made a given prediction, which resulted in reliability and robustness problems for the model. To address these problems, this study proposes an interpretable RDP-based lateral movement detection system using the PageRank algorithm and SHAP (SHapley Additive exPlanations). Using the PageRank algorithm and various statistical techniques, we create features that can be used in various models, and we provide explanations for model predictions using SHAP. In this study, we generated features that show higher performance than previous studies in most models, and we explained them using SHAP.
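The abstract describes generating PageRank features from RDP logon relationships between hosts so that a classifier can account for each host's influence in the logon graph. The following is an added illustration, not code from the paper or its authors: it builds a directed logon graph from a constructed set of RDP logon records (source host to target host), runs PageRank by power iteration, and emits a per-host feature vector of the kind such a detector could consume. The record format, host names, user names and the exact feature set are assumptions of this example only.

```python
"""Added illustration (not the paper's code): PageRank features over an RDP logon graph.

Builds a directed graph from constructed RDP logon events (source host -> target host),
runs PageRank by power iteration, and returns per-host features. Event format, host
names and the feature set are assumptions for this example only.
"""
from collections import defaultdict

# Constructed sample of RDP logon records: (source_host, target_host, user). Not real data.
# WS-01/WS-03/WS-04 show ordinary user logons; the chain WS-02 -> SRV-01 -> SRV-02 -> DC-01
# under a single account is the shape a lateral movement path takes in the logon graph.
LOGONS = [
    ("WS-01", "SRV-01", "alice"),
    ("WS-03", "SRV-01", "bob"),
    ("WS-04", "SRV-01", "carol"),
    ("WS-02", "SRV-01", "svc-backup"),
    ("SRV-01", "SRV-02", "svc-backup"),
    ("SRV-02", "DC-01", "svc-backup"),
    ("WS-01", "SRV-02", "alice"),
]


def build_graph(logons):
    """Return (sorted node list, out_edges) where out_edges[src] is the set of targets src logged on to."""
    nodes = set()
    out_edges = defaultdict(set)
    for src, dst, _user in logons:
        nodes.update((src, dst))
        if src != dst:  # a host logging on to itself adds no path information
            out_edges[src].add(dst)
    return sorted(nodes), out_edges


def pagerank(nodes, out_edges, damping=0.85, iterations=100, tol=1e-10):
    """Standard PageRank by power iteration.

    Hosts with no outgoing logons (dangling nodes) redistribute their mass uniformly,
    so the scores always sum to 1 regardless of graph shape.
    """
    n = len(nodes)
    rank = {v: 1.0 / n for v in nodes}
    for _ in range(iterations):
        dangling = sum(rank[v] for v in nodes if not out_edges.get(v))
        new = {v: (1.0 - damping) / n + damping * dangling / n for v in nodes}
        for src, dsts in out_edges.items():
            if not dsts:
                continue
            share = damping * rank[src] / len(dsts)
            for dst in dsts:
                new[dst] += share
        delta = sum(abs(new[v] - rank[v]) for v in nodes)
        rank = new
        if delta < tol:
            break
    return rank


def host_features(logons):
    """Per-host feature dict: PageRank plus simple logon-graph statistics.

    The statistics chosen here are illustrative; they are not the paper's feature set.
    """
    nodes, out_edges = build_graph(logons)
    rank = pagerank(nodes, out_edges)
    in_edges = defaultdict(set)
    users_in = defaultdict(set)
    for src, dst, user in logons:
        in_edges[dst].add(src)
        users_in[dst].add(user)
    features = {}
    for v in nodes:
        outs = out_edges.get(v, set())
        features[v] = {
            "pagerank": rank[v],
            "in_degree": len(in_edges[v]),
            "out_degree": len(outs),
            "distinct_users_in": len(users_in[v]),
            # A host that both receives and initiates RDP logons is a hop on some path.
            "is_relay": int(bool(in_edges[v]) and bool(outs)),
        }
    return features


if __name__ == "__main__":
    ranked = sorted(host_features(LOGONS).items(), key=lambda kv: -kv[1]["pagerank"])
    for host, f in ranked:
        print(f"{host:7s} pr={f['pagerank']:.3f} in={f['in_degree']} "
              f"out={f['out_degree']} users={f['distinct_users_in']} relay={f['is_relay']}")
```

On the constructed data the domain controller at the end of the chain receives the highest PageRank and the two servers in the middle are flagged as relays, while the workstations, which only initiate logons, share the lowest score. In a real pipeline these per-host values would be joined to each logon event as features for the classifier; the PageRank of the target host then carries information about its position in the overall logon graph that per-event features alone do not.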
Keywords: Lateral Movement; PageRank Algorithm; Explainable AI; Remote Desktop Protocol; Feature Extraction