Design of a Cyber Threat Information Collection System for Cyber Attack Correlation

Nowadays, the number of cyber threats is increasing continuously, and attack techniques are becoming increasingly advanced and intelligent. One important thing that should be noted with regard to this situation is the marked increase in similar cyber incidents which use the same IP, domain, and malicious code for one cyberattack. Therefore, it is essential to understand the correlation between cyberattacks that occur due to the re-use of the same attack infrastructure (IP, domain, malicious code, etc.) for different cyberattacks, in order to detect and respond promptly to similar cyberattacks. To understand the correlation between cyberattacks, it is necessary to collect the related data concerning the procedures and techniques of cyberattacks. This paper proposes the design details of the cyber threat information collection system according to such needs. The proposed system performs the function of collecting the attack infrastructure data (IoCs) exploited for the cyberattack from various open data sources (OSINT, Open Source INTelligence), and uses the collected data as an input value to collect more data recursively. The relationship of the collected data can also be collected, saved, and managed, so that the data can be used to analyze the collection of cyberattacks. The proposed system uses a virtualization structure and distributed processing technology to collect data stably from various collection channels.