CPC H04L 63/20 (2013.01) [H04L 63/1425 (2013.01)] | 16 Claims
1. A method for automatically generating a playbook performed by a computing apparatus comprising:
periodically collecting asset information and CTI (Cyber Threat Intelligence) information of a target network;
extracting TTP (Tactics, Techniques, Procedure) information using the collected asset information and the collected CTI information;
retrieving a data source of the extracted TTP information;
generating a temporary playbook including a data component matching a detection method of the extracted TTP information among a plurality of data components of the retrieved data source;
verifying validity of the temporary playbook based on data component order information of the temporary playbook;
determining whether rearrangement of data components included in the temporary playbook is needed; and
when it is determined that rearrangement of the data components is needed:
rearranging data components included in the temporary playbook according to an analysis result of the data component order information and storing the rearranged temporary playbook as a final playbook,
wherein determining whether rearrangement of data components included in the temporary playbook is needed comprises automatically:
determining known order information or data component order information of another playbook as comparison target order information for data components of the temporary playbook;
calculating similarity between data component order information of the temporary playbook and the comparison target order information; and
determining, if the calculated similarity is less than a predetermined threshold, rearrangement of data components of the temporary playbook is needed, and
wherein calculating the similarity comprises:
converting the data component order information of the temporary playbook and the comparison target order information into a graph, respectively; and
calculating similarity between the converted graphs.
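
The order check in the last two "wherein" clauses can be sketched as follows. This is an added example, not code from the patent: the claim names no graph representation, similarity metric, threshold value or reordering rule, so the precedence-edge graph, the Jaccard index, the 0.5 threshold and the "follow the reference order" rule are all assumptions, and the sample orders are constructed.

```python
from itertools import combinations

# Constructed sample data: a known-good collection order and a temporary playbook order.
REFERENCE = ["Process Creation", "Command Execution",
             "File Creation", "Network Connection Creation"]
TEMPORARY = ["Network Connection Creation", "File Creation",
             "Process Creation", "Command Execution"]


def order_graph(components):
    """Convert an order into a directed graph: edge (a, b) means a precedes b."""
    seq = list(dict.fromkeys(components))  # drop repeats, keep first position
    return set(combinations(seq, 2))       # combinations preserves sequence order


def graph_similarity(g1, g2):
    """Jaccard index over the two edge sets (assumed metric)."""
    if not g1 and not g2:
        return 1.0
    return len(g1 & g2) / len(g1 | g2)


def needs_rearrangement(temp, reference, threshold=0.5):
    """Rearrangement is needed when similarity falls below the threshold."""
    sim = graph_similarity(order_graph(temp), order_graph(reference))
    return sim < threshold


def rearrange(temp, reference):
    """Assumed rule: follow the reference order; components the reference
    does not know go last, keeping their relative order (sorted is stable)."""
    rank = {c: i for i, c in enumerate(dict.fromkeys(reference))}
    seq = list(dict.fromkeys(temp))
    return sorted(seq, key=lambda c: rank.get(c, len(rank)))


def finalize(temp, reference, threshold=0.5):
    """Return the final playbook order for a temporary playbook."""
    if needs_rearrangement(temp, reference, threshold):
        return rearrange(temp, reference)
    return list(temp)


if __name__ == "__main__":
    sim = graph_similarity(order_graph(TEMPORARY), order_graph(REFERENCE))
    print(f"similarity={sim:.3f}")
    print("final order:", finalize(TEMPORARY, REFERENCE))
```
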