Patents by Inventor Hyei Sun CHO
Hyei Sun CHO has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11005869
Abstract: A method and apparatus for analyzing cyber threat intelligence data. The method includes: acquiring first and second CTI graphs including first and second CTI data, respectively, classified based on a first classification item; classifying the first CTI data and the second CTI data based on a second classification item determined depending on the first classification item; outputting a graph similarity of the first and second CTI graphs determined based on a first CTI similarity between the first and second CTI data when the first and second CTI data belong to the same classification as a result of the classification; setting the first CTI graph and the second CTI graph to be included in one group when the graph similarity is equal to or greater than a threshold value; and outputting CTI information including the first and second CTI data for each group.
Type: Grant
Filed: October 29, 2018
Date of Patent: May 11, 2021
Assignee: KOREA INTERNET & SECURITY AGENCY
Inventors: Seul Gi Lee, Nak Hyun Kim, Hyei Sun Cho, Byung Ik Kim, Jun Hyung Park
-
Patent number: 10986112
Abstract: Disclosed herein are a method and system for collecting cyber threat intelligence (CTI) data. The system includes a management server that determines agent configuration values associated with an OSINT providing source, an agent that receives the agent configuration values from the management server, performs a data collection task for collecting the CTI data based on the agent configuration values, and transmits the CTI data and data collection status information to the management server, a threat information database where the CTI data is logged, and a system database where the data collection status information is logged.
Type: Grant
Filed: October 29, 2018
Date of Patent: April 20, 2021
Assignee: KOREA INTERNET & SECURITY AGENCY
Inventors: Nak Hyun Kim, Seul Gi Lee, Hyei Sun Cho, Byung Ik Kim, Jun Hyung Park
-
Publication number: 20190166143
Abstract: Disclosed herein are a method and system for collecting cyber threat intelligence (CTI) data. The system includes a management server that determines agent configuration values associated with an OSINT providing source, an agent that receives the agent configuration values from the management server, performs a data collection task for collecting the CTI data based on the agent configuration values, and transmits the CTI data and data collection status information to the management server, a threat information database where the CTI data is logged, and a system database where the data collection status information is logged.
Type: Application
Filed: October 29, 2018
Publication date: May 30, 2019
Inventors: Nak Hyun KIM, Seul Gi LEE, Hyei Sun CHO, Byung Ik KIM, Jun Hyung PARK
-
Publication number: 20190166142
Abstract: A method and apparatus for analyzing cyber threat intelligence data. The method includes: acquiring first and second CTI graphs including first and second CTI data, respectively, classified based on a first classification item; classifying the first CTI data and the second CTI data based on a second classification item determined depending on the first classification item; outputting a graph similarity of the first and second CTI graphs determined based on a first CTI similarity between the first and second CTI data when the first and second CTI data belong to the same classification as a result of the classification; setting the first CTI graph and the second CTI graph to be included in one group when the graph similarity is equal to or greater than a threshold value; and outputting CTI information including the first and second CTI data for each group.
Type: Application
Filed: October 29, 2018
Publication date: May 30, 2019
Inventors: Seul Gi LEE, Nak Hyun KIM, Hyei Sun CHO, Byung Ik KIM, Jun Hyung PARK
-
Publication number: 20180198819
Abstract: Method and apparatus for generating incident graph database are provided, one of methods comprises, generating incident coverage using an apparatus for generating an incident graph database when the incident coverage comprising a first node and a second node connected by a first edge and constituting an incident graph database does not exist, determining whether each of the first node and the second node has additional connection based on a relationship type of the first edge using the apparatus for generating an incident graph database, expanding the incident coverage to further comprise an expansion node using the apparatus for generating an incident graph database, repeating the generating of the incident coverage, the determining of whether each of the first node and the second node has the additional connection, and the expanding of the incident coverage on all edges included in the incident graph database using the apparatus for generating an incident graph database and generating a first incident node
Type: Application
Filed: January 31, 2017
Publication date: July 12, 2018
Inventors: Seul Gi Lee, Hyei Sun Cho, Nak Hyun Kim, Byung Ik Kim, Tae Jin Lee
-
Publication number: 20180196861
Abstract: Disclosed are methods, apparatus and programs for generating graph database of incident resources, one of the methods comprises receiving an incident resource data set, extracting valid incident resource information from the incident resource data set, setting a resource ID for an incident resource included in the valid incident resource information, setting each attribute ID for a plurality of constituent elements of the incident resource, setting a relationship between the incident resource in which the resource ID is set and the plurality of constituent elements in which the attribute ID is each set, generating a resource node of the incident resource based on the resource ID, generating each attribute node of the plurality of constituent elements based on the attribute ID, and generating a graph database in which the resource node and the attribute node are connected to each other by an edge indicating the set relationship.
Type: Application
Filed: January 31, 2017
Publication date: July 12, 2018
Inventors: Seul Gi Lee, Hyei Sun Cho, Nak Hyun Kim, Byung Ik Kim, Tae Jin Lee
-
Publication number: 20180191765
Abstract: Provided are a method and apparatus for calculating a risk of cyber attacks, and, more particularly to a method and apparatus for calculating a risk of cyber attacks, by which the risk of cyber attacks is quantitatively calculated by analyzing cyber incident information associated with the cyber attacks.
Type: Application
Filed: January 31, 2017
Publication date: July 5, 2018
Inventors: HYEI SUN CHO, Seul Gi Lee, Nak Hyun Kim, Byung Ik Kim, Tae Jin Lee
-
Publication number: 20180191736
Abstract: Provided are a method of collecting cyber incident information, the method being performed by an apparatus for collecting cyber incident information and comprises a first operation of collecting a cyber threat indicator through a first information sharing channel, a second operation of setting the collected cyber threat indicator as reference information and collecting an associated indicator retrieved from a second information sharing channel using the reference information, and a third operation of setting the associated indicator as the reference information and repeating the second operation when it is determined that the associated indicator corresponds to the type of the reference information and that there is relevance between the cyber threat indicator and the associated indicator, wherein the second information sharing channel is determined according to the type of the reference information.
Type: Application
Filed: February 2, 2017
Publication date: July 5, 2018
Inventors: Hyei Sun Cho, Seul Gi Lee, Nak Hyun Kim, Byung Ik Kim, Tae Jin Lee
-
Publication number: 20180189416
Abstract: Disclosed are methods and programs for visualizing relations between incident resources using a graph database including a plurality of resource nodes and edges connecting the plurality of resource nodes, one of the methods comprises generating a first incident resource set including one or more nodes connected to a first incident resource node, which is one of the plurality of resource nodes, by N or less edges (where N is a natural number not less than 1), generating a second incident resource set including one or more nodes connected to a second incident resource node, which is another one of the plurality of resource nodes, by N or less edges, setting a first flag bit of the nodes included in the first incident resource set and a second flag bit of the nodes included in the second incident resource set to a first value, classifying the nodes included in each of the first and second incident resource sets based on the values of the first and second flag bits of each of the nodes included in each of the fir
Type: Application
Filed: January 31, 2017
Publication date: July 5, 2018
Inventors: Seul Gi Lee, Hyei Sun Cho, Nak Hyun Kim, Byung Ik Kim, Tae Jin Lee
-
Publication number: 20170214715
Abstract: Provided is a violation information intelligence analysis system configuring an AEGIS along with a violation incident association information collection system, including a violation information management module configured to manage information and violation information intelligence analysis-related information received from the violation incident association information collection system, a collection information analysis module configured to extract a violation information ID based on the received information and to extract a relationship between the violation information ID and raw data, an intelligence generation and management module configured to generate intelligence based on a policy stored in the violation information intelligence analysis system in response to an intelligence generation request, convert a format of the intelligence in order to externally transfer the intelligence, and store history information, and an intelligence analysis module configured to support an in-depth information (N-dep
Type: Application
Filed: January 26, 2016
Publication date: July 27, 2017
Inventors: Seul Gi LEE, Hyei Sun CHO, Nak Hyun KIM, Byung Ik KIM, Tai Jin LEE
-
Publication number: 20170214716
Abstract: Provided is a violation information management module configuring a violation information intelligence analysis system of an accumulated and integrated intelligence system (AEGIS), including a violation incident association information collection unit configured to analyze information received from a violation incident association information collection system and log the analyzed information, a violation information ID management unit configured to query a violation information DB about an ID of violation information and issue an ID to violation information to which an ID has not been assigned as a result of the query, and a violation information management unit configured to query the violation information DB about raw data or relationship information or store raw data or relationship information in the violation information DB and to query the violation information DB about information derived based on an analysis base defined by a system or administrator.
Type: Application
Filed: January 26, 2016
Publication date: July 27, 2017
Inventors: Seul Gi Lee, Hyei Sun Cho, Nak Hyun Kim, Byung Ik Kim, Tai Jin Lee
-
Publication number: 20170206619
Abstract: Provided is a mechanism capable of assigning at least one index (ID) to violation abuse resources, violation association information, and violation information by taking into consideration organic relationships between the violation abuse resources, the violation association information, and the violation information when the generated violation abuse resources, the violation association information, and the violation information are collected through an external violation sharing channel or when they are collected or queried and of managing the generated violation abuse resources, the violation association information, and the violation information.
Type: Application
Filed: January 26, 2016
Publication date: July 20, 2017
Inventors: Hyei Sun Cho, Seul Gi Lee, Nak Hyun Kim, Byung Ik Kim, Tai Jin Lee
-
Patent number: 9614863
Abstract: A system and method for analyzing mobile cyber incidents that checks whether codes attacking the weaknesses of mobile users are inserted into collected URLs and whether applications are downloaded and automatically executed, without the agreement of users, so that if the mobile cyber incidents are analyzed through the manual analysis of a manager, the applications to be analyzed manually can be reduced.
Type: Grant
Filed: January 22, 2015
Date of Patent: April 4, 2017
Assignee: KOREA INTERNET & SECURITY AGENCY
Inventors: Byung Ik Kim, Tai Jin Lee, Youngsang Shin, Hong Koo Kang, Seul Gi Lee, Hyei Sun Cho
-
Patent number: 9584537
Abstract: A method for detecting mobile cyber incidents includes: allowing a mobile incident collection server to determine whether new text is received; extracting the text original hash from the received new text by means of the mobile incident collection server; allowing the mobile incident collection server to determine whether attached file exists on the basis of the extracted text original hash; if the attached file exists, extracting the attached file by means of the mobile incident collection server; and storing and managing the APP information of the extracted attached file as mobile cyber incident information in the mobile incident collection server.
Type: Grant
Filed: June 2, 2016
Date of Patent: February 28, 2017
Assignee: KOREA INTERNET & SECURITY AGENCY
Inventors: Byung Ik Kim, Tai Jin Lee, Hong Koo Kang, Seul Gi Lee, Hyei Sun Cho
-
Publication number: 20160285905
Abstract: A system for detecting mobile cyber incidents includes: a mobile incident collection server adapted to collect text messages sent through communication company servers to produce text message detection information, to collect URL information based on real-time search words provided by search portals to produce URL detection information, and to collect basic information of application files being sold in application market servers to produce APK detection information; and a detection information DB adapted to receive, store and manage the text message detection information, the URL detection information and the APK detection information produced from the mobile incident collection server.
Type: Application
Filed: June 2, 2016
Publication date: September 29, 2016
Inventors: Byung Ik KIM, Tai Jin LEE, Hong Koo KANG, Seul Gi LEE, Hyei Sun CHO
-
Publication number: 20160277430
Abstract: A method for detecting mobile cyber incidents includes: allowing a mobile incident collection server to determine whether new text is received; extracting the text original hash from the received new text by means of the mobile incident collection server; allowing the mobile incident collection server to determine whether attached file exists on the basis of the extracted text original hash; if the attached file exists, extracting the attached file by means of the mobile incident collection server; and storing and managing the APP information of the extracted attached file as mobile cyber incident information in the mobile incident collection server.
Type: Application
Filed: June 2, 2016
Publication date: September 22, 2016
Inventors: Byung Ik KIM, Tai Jin LEE, Hong Koo KANG, Seul Gi LEE, Hyei Sun CHO
-
Publication number: 20160219067
Abstract: Disclosed is a method of detecting anomalies suspected of an attack based on time series statistics according to the present invention. The method of detecting anomalies suspected of an attack according to the present invention includes the steps of: collecting log data and traffic data in real-time and extracting at least one piece of preset traffic feature information from the collected log data and traffic data; and training through a time series analysis-based normal traffic training model using the extracted traffic feature information, and detecting abnormal network traffic according to a result of the training.
Type: Application
Filed: March 5, 2015
Publication date: July 28, 2016
Applicant: Korea Internet & Security Agency
Inventors: Young Il HAN, Dae Hoon Yoo, Hyei Sun Cho, Bo Min Choi, Nak Hyun Kim, Tong Wook Hwang, Hong Koo Kang, Young Sang Shin, Byung Ik Kim, Tae Jin Lee
-
Publication number: 20160205125
Abstract: A system and method for analyzing mobile cyber incidents that checks whether codes attacking the weaknesses of mobile users are inserted into collected URLs and whether applications are downloaded and automatically executed, without the agreement of users, so that if the mobile cyber incidents are analyzed through the manual analysis of a manager, the applications to be analyzed manually can be reduced.
Type: Application
Filed: January 22, 2015
Publication date: July 14, 2016
Inventors: Byung Ik KIM, Tai Jin LEE, Youngsang SHIN, Hong Koo KANG, Seul Gi LEE, Hyei Sun CHO
-
Publication number: 20160205124
Abstract: A system for detecting mobile cyber incidents includes: a mobile incident collection server adapted to collect text messages sent through communication company servers to produce text message detection information, to collect URL information based on real-time search words provided by search portals to produce URL detection information, and to collect basic information of application files being sold in application market servers to produce APK detection information; and a detection information DB adapted to receive, store and manage the text message detection information, the URL detection information and the APK detection information produced from the mobile incident collection server.
Type: Application
Filed: January 22, 2015
Publication date: July 14, 2016
Inventors: Byung Ik KIM, Tai Jin LEE, Youngsang SHIN, Hong Koo KANG, Seul Gi LEE, Hyei Sun CHO