Title of invention APPARATUS FOR ANALYZING CONNECTIONS ABOUT SECURITY EVENTS BASED ON RULE AND METHOD THEREOF
Abstract PURPOSE: A rule-based security event correlation analyzing device and a method thereof are provided to implement quick detection by performing correlation analysis by generating a user event memory without performing the correlation analysis of a security event. CONSTITUTION: A rule management unit (410) receives a security event generated from an IT security device (200) or a physical security device (100) to check an event requiring correlation analysis. An event management unit (420) analyzes the security event to delete or generate a user event memory or to check a correlation analysis target event. If the security event is received from the event management unit, a correlation processing unit (430) analyzes matching between a user event list and a correlation event of a rule database about a user ID in the security event. [Reference numerals] (100) Physical security device; (200) IT security device; (300) Event collector; (301) Collecting unit; (302) Standardizing unit; (303) Transmitting unit; (400) Linkage analyzer; (410) Rule management unit (RMU); (411) Rule DB version check unit; (412) Rule DB analysis event collecting unit; (413) Event filter unit; (420) Event management unit; (421) User event memory generating unit; (422) Event memory management unit; (423) User event memory deleting unit; (430) Linkage processing unit; (431) Rule DB analysis event inquiry unit; (432) User event memory requesting unit; (433) Detection transmitting unit; (434) Rule DB linkage event inquiry unit; (435) Linkage detecting unit; (500) User DB; (600) Rule DB
Publication number KR20130068769(A) Publication date 2013.06.26
Application number KR20110136122 Filing date 2011.12.16
Applicant ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE Inventor KANG, DONG HO
Classification G06F21/00;G06F11/30;G06F17/30 Main classification G06F21/00
Agency Agent
Principal claim
Address