Apparatus and method for generating attack scenario
The use of generative AI in the attack scenario generation method addresses the challenge of responding to complex cyber threats by generating and verifying attack scenarios, enhancing prediction and reducing processing costs and times.
Patent Information
- Authority / Receiving Office
- KR · KR
- Patent Type
- Patents
- Current Assignee / Owner
- 78RESEARCHLAB INC
- Filing Date
- 2025-06-11
- Publication Date
- 2026-07-15
AI Technical Summary
Existing systems face challenges in efficiently collecting and analyzing data to respond to complex and sophisticated cyber threats, necessitating a need for technology that can automatically generate predicted cyber attack scenarios and provide a reliable response.
An attack scenario generation method and apparatus using generative AI to collect, refine, and store data, generating and verifying attack scenarios based on collected information, and providing them to users.
This approach allows for the prediction and preparation of potential cyber threats, reduces processing costs and times, and increases the reliability of attack scenarios by providing verified and up-to-date information.
Smart Images

Figure 112025065324955-PAT00001_ABST
Abstract
Description
Technology Field
[0001] The embodiments disclosed in this specification relate to a method and apparatus for generating attack scenarios, and more specifically, to a method and apparatus for generating cyber attack scenarios using AI. Background Technology
[0002] Due to the development of information and communication technology, almost all industries are connected to communication networks. Consequently, there is a possibility of causing damage to network-connected systems, the networks themselves, and data (cyber threats), and there are actual instances where cyber attacks occur through these networks.
[0003] In particular, the scale of systems and networks is becoming increasingly complex and massive, and the methods of cyber attacks and threats are also becoming more complex and sophisticated day by day. However, it is difficult for security personnel to directly collect and analyze data to respond to these cyber attacks and threats.
[0004] Therefore, to prevent such cyber threats and sophisticated cyber attacks, there has been a growing need for technology that automatically collects data related to cyber attacks, analyzes it to generate predicted scenarios for cyber attacks or threats, and enables a response.
[0005] Meanwhile, the aforementioned background technology is technical information that the inventor possessed for the derivation of the present invention or acquired during the process of deriving the present invention, and it cannot be considered as prior art disclosed to the general public prior to the filing of the present invention. Prior art literature
[0006] Korean Published Patent No. 10-2015-0008158 The problem to be solved
[0007] The embodiments disclosed in this specification aim to present an attack scenario generation apparatus and method that collect attack information using artificial intelligence, generate an attack scenario based thereon, and recommend it to a user.
[0008] The embodiments disclosed in this specification aim to present an attack scenario generation apparatus and method that provide a basis for generating an attack scenario along with an attack scenario.
[0009] The embodiments disclosed in this specification aim to present an attack scenario generation apparatus and method that perform verification on a generated attack scenario and provide a verified attack scenario.
[0010] The embodiments disclosed in this specification are intended to present an attack scenario generation apparatus and method capable of reducing processing costs and processing times. means of solving the problem
[0011] According to one embodiment, as a technical means for achieving the technical task described above, an attack scenario generation method is disclosed, comprising the steps of: collecting data through a network and refining the collected data to obtain attack information, and storing the attack information obtained by refining the collected data; and providing an attack scenario generated using a generative AI based on the attack information.
[0012] According to another embodiment, an attack scenario generating device is disclosed that includes a memory and at least one processor, operates by executing a program stored in the memory, collects data through a network, stores attack information obtained by refining the collected data, and provides an attack scenario generated using a generative AI based on the attack information.
[0013] According to another embodiment, a computer-readable recording medium is disclosed in which a program for performing an attack scenario generation method is stored, which is performed by an attack scenario generation device. The attack scenario generation method includes the steps of collecting data through a network, refining the collected data to obtain attack information, and storing the attack information obtained by refining the collected data, and providing an attack scenario generated using a generative AI based on the attack information.
[0014] According to another embodiment, a computer program stored on a computer-readable recording medium for performing an attack scenario generation method is disclosed, which is performed by an attack scenario generation device. The attack scenario generation method includes the steps of collecting data through a network, refining the collected data to obtain attack information, storing the attack information obtained, and providing an attack scenario generated using a generative AI based on the attack information. Effects of the invention
[0015] According to any one of the aforementioned means for solving the problem, by using artificial intelligence to collect attack information and generating attack scenarios based on it to recommend to users, it is possible to predict and prepare for potential cyber threats in advance.
[0016] In addition, according to any one of the aforementioned means for solving the problem, by providing the basis for generating the attack scenario along with the attack scenario, the validity of the attack scenario can be presented, thereby increasing the reliability of the attack scenario.
[0017] In addition, according to any one of the aforementioned means for solving the problem, for queries that can be converted into SQL queries, an attack scenario is provided based on the converted query, and for other queries, an attack scenario generated using generative AI is provided, thereby reducing processing costs and processing time.
[0018] In addition, according to any one of the aforementioned means for solving the problem, a highly reliable attack scenario can be provided to the user by providing a verified scenario.
[0019] In addition, according to any one of the aforementioned means for solving the problem, attack scenarios can be generated and provided to the user based on the latest cyber threat information.
[0020] The effects obtainable from the disclosed embodiments are not limited to those mentioned above, and other unmentioned effects will be clearly understood by those skilled in the art to which the disclosed embodiments belong from the description below. Brief explanation of the drawing
[0021] FIG. 1 is a block diagram illustrating the configuration of an attack scenario generation device according to one embodiment. FIG. 2 is a diagram illustrating the structure of a scenario generation framework according to one embodiment. Figure 3 is a diagram illustrating the process of providing an attack scenario using a judgment module. FIGS. 4 to 6 are flowcharts for explaining a method for generating an attack scenario according to one embodiment. Specific details for implementing the invention
[0022] Various embodiments are described in detail below with reference to the attached drawings. The embodiments described below may be implemented in various different forms. In order to explain the features of the embodiments more clearly, detailed descriptions of matters widely known to those skilled in the art to which the following embodiments belong have been omitted. Additionally, parts of the drawings unrelated to the description of the embodiments have been omitted, and similar parts throughout the specification have been given similar reference numerals.
[0023] Throughout the specification, when a configuration is described as being "connected" to another configuration, this includes not only cases where they are "directly connected," but also cases where they are "connected with another configuration in between." Furthermore, when a configuration is described as "including" another configuration, this means that, unless specifically stated otherwise, it does not exclude other configurations but may include additional configurations.
[0024] The embodiments will be described in detail below with reference to the attached drawings.
[0025] A "cyber attack scenario" refers to a standardized series of actions taken by a cyber attacker to achieve an attack objective using available attack techniques. For example, a cyber attack scenario may be constructed by listing information on attack points traversed from equipment corresponding to the initial attack point to equipment corresponding to the final attack objective, as well as attack techniques ranging from the initial to the final attack, based on previously collected cyber attack data and asset information. Hereinafter, "cyber attack scenario" may also be referred to as "attack scenario," and "attack scenario" shall be understood to mean "cyber attack scenario."
[0026] An attack scenario generation device is a device that generates and provides cyber attack scenarios using a Large Language Model (LLM) based on previously collected cyber threat data. For example, when a user query is obtained, the attack scenario generation device can generate a cyber attack scenario using a Large Language Model based on previously collected cyber threat data and cyber asset information.
[0027] The attack scenario generation device converts a user's query into an SQL query statement and searches a database storing attack scenarios based on the converted query statement to provide the attack scenario obtained from the search results to the user, or, only when it is difficult to convert the user's query into a query statement or there are no attack scenarios obtained from the search results, it generates an attack scenario using generative AI and provides the generated attack scenario to the user.
[0028] As described above, the attack scenario generating device (100) can be implemented as an electronic terminal or a server-client system.
[0029] At this time, the electronic terminal can be implemented as a laptop, portable terminal, wearable device, etc., which can connect to a remote server (20) via a network or connect to other electronic terminals and servers. Here, the laptop includes, for example, a laptop equipped with a web browser, etc., and the portable terminal can include, for example, a wireless communication device that guarantees portability and mobility, such as a PCS (Personal Communication System), PDC (Personal Digital Cellular), PHS (Personal Handyphone System), PDA (Personal Digital Assistant), GSM (Global System for Mobile communications), IMT (International Mobile Telecommunication)-2000, CDMA (Code Division Multiple Access)-2000, W-CDMA (W-Code Division Multiple Access), Wibro (Wireless Broadband Internet), a smartphone, a mobile WiMAX (Mobile Worldwide Interoperability for Microwave Access), etc., all kinds of handheld-based wireless communication devices. In addition, wearable devices are types of information processing devices that can be worn directly on the human body, such as watches, glasses, accessories, clothing, and shoes, and can connect to a server at a remote location or to another terminal via a network, either directly or through another information processing device.
[0030] And the server can be implemented as a computing device capable of communicating with electronic terminals and networks, or as a cloud computing server.
[0031] FIG. 1 is a block diagram illustrating the configuration of an attack scenario generation device according to one embodiment.
[0032] Referring to FIG. 1, a device (100) according to one embodiment may include a memory (110), a control unit (120), a communication unit (130), and an input / output unit (140).
[0033] In memory (110), a program for generating attack scenarios may be installed and stored. Specifically, in memory (110), a first artificial intelligence model, which is a type of generative AI that analyzes queries obtained from users to generate attack information by extracting TTPs and IOCs from collected data and generates scenarios, and a second artificial intelligence model, which is a type of XAI (Explainable AI) that explains the basis for generating scenarios, may be stored or installed in the form of a program.
[0034] Additionally, data for generating attack scenarios may be stored in the memory (110). For example, the memory (110) may store previously collected cyber threat data, question-and-answer pairs for training an artificial intelligence model, generated attack scenarios, system configuration information subject to security, and data stored in the system (e.g., personal information, financial information, etc.). At this time, the generated attack scenarios may be stored in the form of a database.
[0035] The control unit (120) includes at least one processor such as a CPU, GPU, etc., and can perform the attack scenario generation method presented below by executing a program stored in memory (110). For example, the control unit (120) can perform the method by executing a program stored in memory (110) by a processor.
[0036] Additionally, the control unit (120) can control other components included in the attack scenario generation device (100). For example, the control unit (120) can obtain a user query through the input / output unit (140) and recommend an attack scenario to the user based on the user query.
[0037] The communication unit (130) can receive data and programs necessary for creating attack scenarios by performing wired or wireless communication with other devices or networks. For example, the communication unit (130) can collect cyber attack or cyber threat data by communicating with a server that provides services such as a messenger like Telegram, the dark web, GitHub, and X (formerly Twitter).
[0038] To this end, the communication unit (130) may include a communication module that supports at least one of various wired and wireless communication methods, and the communication module may be implemented in the form of a chipset. The wireless communication supported by the communication unit (130) may be, for example, WiFi (Wireless Fidelity), Wi-Fi Direct, Bluetooth, UWB (Ultra Wide Band), or NFC (Near Field Communication).
[0039] The input / output unit (140) may include an output device such as a display panel or wearable display device and a speaker for displaying recommended attack scenarios, and may include various types of input devices (e.g., keyboard, touchscreen, camera, etc.) for receiving input such as a query from a user.
[0040] Below, a method for generating an attack scenario according to an embodiment in which the control unit (120) operates by executing a program is described in detail. Unless otherwise specifically stated, the processes described below are performed by the control unit (120) executing a program stored in memory (110).
[0041] FIG. 2 is a diagram illustrating the structure of a scenario generation framework according to one embodiment.
[0042] Referring to FIG. 2, the attack scenario generation framework (200) may include a preprocessing module (210), a judgment module (220), and a generation module (230).
[0043] The control unit (120) can collect data from OSINT (Open Source Intelligence), that is, from publicly accessible sources. For example, the control unit (120) can collect data by accessing servers providing SNS, the dark web, GitHub, and messenger services and crawling posts. At this time, the control unit (120) records and stores log data regarding the source of the data and the method of collection, and can later generate grounds for creating an attack scenario based on this.
[0044] However, the collected data may be unstructured data written in natural language-based text, and the control unit (120) can refine the collected data using a preprocessing module (210), structure it into a preset format, and store it in memory (110).
[0045] The preprocessing module (210) can analyze the collected data to extract attack information. For example, the preprocessing module (210) can analyze the collected data (e.g., text-based posts, Twitter feeds, reports) to determine whether there is a CVE number used in a cyber threat or attack or a Github link where code related to a cyber threat or attack is posted within the collected data, and if there is, extract and store the CVE (Common Vulnerabilities and Exposures) number or Github link.
[0046] At this time, the preprocessing module (210) can classify and store CVE numbers or GitHub links using an artificial intelligence model. For example, if Code A obtained by a GitHub link included in the collected data is determined to be a type of ransomware, the control unit (120) can classify Code A as ransomware and store it.
[0047] The artificial intelligence model can receive a CVE number, a GitHub link, or a code obtained from a GitHub link as input, and output an attack technique included in the input data. To this end, the control unit (120) can generate training data by labeling existing CVE numbers and codes as techniques that match on an attack knowledge-based framework such as the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework, and can train the artificial intelligence model based on the generated training data.
[0048] Attack information may include at least one of TTP (Attacker's Tactic, Technique, Procedure) and IOC (Indicator of Compromise), and the preprocessing module (210) can extract attack information from collected data using a Named Entity Recognition (NER) model and refine the extracted attack information by structuring it.
[0049] To this end, the control unit (120) can receive text data and train a NER model to extract and output TTP and IOC. For example, the control unit (120) can generate training data by extracting and labeling parts corresponding to TTP and IOC within a sentence, and train a NER model to extract and output TTP and IOC within a text using the generated training data. As an example, the NER model can be implemented as spaCy.
[0050] Additionally, the preprocessing module (210) can convert the extracted attack information into a structured format and store it. For example, the preprocessing module (210) can convert the extracted attack information into a STIX (Structured Threat Information Expression) format and store it in memory (110). The stored attack information can be labeled as an attack technique and can be used as training data for the first artificial intelligence model to be described later.
[0051] Meanwhile, the control unit (120) can generate an attack scenario by executing the generation module (230). Specifically, the generation module (230) can generate an attack scenario using a first artificial intelligence model based on a large language model based on previously stored attack information, and can generate the basis for scenario generation together with the attack scenario. To this end, the control unit (120) can train the first artificial intelligence model based on training data that includes at least one of attack information labeled as an attack technique and an attack scenario labeled as an attack technique.
[0052] Additionally, the generation module (230) can generate an attack scenario using a first artificial intelligence model based on system information and asset information stored in memory (110). For example, the first artificial intelligence model may be a large language model based on LLaMA v3, and the first artificial intelligence model may learn attack information and previously generated attack techniques as described above.
[0053] For example, the generation module (230) can input system information and asset information into the first artificial intelligence model to obtain an attack scenario output from the first artificial intelligence model. Based on the latest attack information or multiple latest attack information regarding assets similar to the asset information included in the system to which the attack scenario is to be applied, the generation module (230) can generate a possible attack scenario by combining cyber attack techniques or cyber threat techniques using the first artificial intelligence model, and can store the generated attack scenario in memory (110).
[0054] In addition, the control unit (120) can provide grounds for generating an attack scenario by using a second artificial intelligence model, which is a type of XAI (Explainable AI). For example, the control unit (120) can generate grounds for generating an attack scenario based on information regarding attack information used in the data collection process and combination. Accordingly, the control unit (120) can provide the user with the background of how the attack scenario was generated and the process by which the scenario was created, thereby presenting the validity of the provided attack scenario and increasing the reliability of the recommendation result.
[0055] Meanwhile, the generation module (230) can generate an attack scenario based on a user's query. The generation module (230) inputs the query obtained from the user's input into a first artificial intelligence model, and the first artificial intelligence model analyzes the obtained query to generate an attack scenario. For example, the query may include requests related to cyber attacks, such as a target of attack, and the generation module can obtain an attack scenario that reflects the requests.
[0056] When the control unit (120) provides an attack scenario based on a user's query, it can provide the attack scenario in different ways depending on whether the user's query can be converted into an SQL query statement.
[0057] To this end, the control unit (120) can use the judgment module (220) to determine whether the user's query can be converted into an SQL query statement, and provide a recommendation scenario to the user based on the result of the judgment.
[0058] Figure 3 is a diagram illustrating the process of providing an attack scenario using a judgment module.
[0059] Referring to FIG. 3, the control unit (120) can determine whether a text query requesting the recommendation and creation of an attack scenario obtained from a user (security officer) can be converted into an SQL query statement using a judgment module (220).
[0060] To this end, the judgment module (220) may include a TEXT2SQL model for converting a user's text query into an SQL query statement, and the control unit (120) may input the user's query into the TEXT2SQL model included in the judgment module (220) to obtain the converted SQL query statement.
[0061] If the conversion is successful, the control unit (120) can obtain an attack scenario based on the converted SQL query. For example, the control unit (120) can search for an attack scenario stored in memory (110) using the SQL query and provide the attack scenario obtained as a result of the search to the user. When providing an attack scenario, the control unit (120) can provide grounds for selecting the attack scenario using a second artificial intelligence model, which is a type of XAI (Explainable AI). For example, the control unit (120) can input the user's query and search logs into the second artificial intelligence model and obtain grounds for selecting the attack scenario from the second artificial intelligence model.
[0062] On the other hand, if the conversion fails, the control unit (120) can recommend an attack scenario obtained using the generation module (230) to the user. Specifically, the control unit (120) can generate an attack scenario by inputting a query into the first artificial intelligence model (LLM Engine) included in the generation module (230) and provide it to the user along with the basis for scenario generation generated by the second artificial intelligence model.
[0063] Additionally, even if the conversion is successful, if the search fails (i.e., if there are no suitable attack scenarios in the search results), the control unit (120) can provide the user with the attack scenario obtained using the generation module (230), or the attack scenario and the basis for scenario generation. For example, the control unit (120) can obtain an attack scenario based on the converted SQL query. For example, the control unit (120) searches for attack scenarios stored in memory (110) using the SQL query, and if no attack scenarios are found, the control unit (120) can generate an attack scenario by inputting a query into the first artificial intelligence model (LLM Engine) included in the generation module (230), and provide this to the user along with the basis for scenario generation generated by the second artificial intelligence model. For example, the control unit (120) inputs the user's query and search logs into the second artificial intelligence model and obtains the basis for selecting the attack scenario from the second artificial intelligence model.
[0064] As described above, the control unit (120) can reduce processing costs and response times by providing attack scenarios using legacy methods such as search, without using an artificial intelligence model that consumes a lot of resources for queries converted into SQL query statements.
[0065] Meanwhile, the control unit (120) may verify the generated attack scenario and provide only the verified attack scenario to the user. That is, the control unit (120) may perform a simulation based on the generated attack scenario to verify the consistency of the attack scenario and provide the verified attack scenario to the user. The control unit (120) may perform a simulation of the attack scenario in a trial and error manner to determine whether there are any problems with the execution of the attack scenario simulation.
[0066] For example, the control unit (120) can verify the consistency of an attack scenario by performing a simulation on the attack scenario and verifying whether the attack scenario that is the subject of the attack simulation is actually usable in an attack, whether it is suitable for the system to which the attack scenario is to be applied, or whether the transition between stages is natural. If an error is found during the verification process, the control unit (120) can correct the error in the attack scenario and repeat the procedure of performing a simulation on the corrected attack scenario again.
[0067] Once the consistency verification of the attack scenario is complete, the control unit (120) can normalize the attack scenario into a preset format, generate it, and provide it to the user, while also labeling the generated attack scenario with attack techniques (meta tagging) and storing it in memory (110). In addition, the control unit (120) can convert SIEM (Security Information and Event Management) rules based on the simulation results or generate a report on the simulation results. Furthermore, based on the simulation results, the control unit (120) can visualize the attack of the attack scenario, analyze the attack path, and collect feedback based on this to retrain the first artificial intelligence model.
[0068] As described above, in one embodiment, the attack scenario generation device can provide a highly reliable attack scenario to the user by providing a verified scenario.
[0069] In the embodiments above, the term 'part' refers to a software or hardware component such as a field programmable gate array (FPGA) or an ASIC, and the 'part' performs certain roles. However, the meaning of 'part' is not limited to software or hardware. The 'part' may be configured to reside in an addressable storage medium or configured to run one or more processors. Accordingly, as an example, the 'part' includes components such as software components, object-oriented software components, class components, and task components, as well as processes, functions, attributes, procedures, subroutines, segments of program code, drivers, firmware, microcode, circuits, data, databases, data structures, tables, arrays, and variables.
[0070] The functions provided within the components and 'parts' can be combined into fewer components and 'parts' or separated from additional components and 'parts'.
[0071] In addition, the components and '~parts' may be implemented to play one or more CPUs within the device or secure multimedia card.
[0072] FIGS. 4 to 6 are flowcharts for explaining a method for generating an attack scenario according to one embodiment.
[0073] The attack scenario generation method illustrated in FIGS. 4 to 6 includes steps processed chronologically in the attack scenario generation device (100) illustrated in FIGS. 1 to 3. Therefore, even if the content is omitted below, the content described above regarding the attack scenario generation device (100) illustrated in FIGS. 1 to 3 can also be used in the attack scenario generation method according to the embodiment illustrated in FIGS. 4 to 6.
[0074] Referring to FIG. 4, the attack scenario generating device (100) can collect data through a network and store attack information obtained by refining the collected data (S410).
[0075] Specifically, the attack scenario generating device (100) can collect data by crawling data such as posts uploaded to public sources such as messengers like Telegram, the dark web, and social media, and can obtain attack information by refining the collected data.
[0076] For example, the attack scenario generation device (100) can extract at least one of TTP and IOC from collected data using a NER model, structure the extracted data to generate attack information, and store the generated attack information in memory (110).
[0077] Next, the attack scenario generation device (100) can generate and provide an attack scenario using a generative AI based on attack information (S420).
[0078] For example, the attack scenario generation device (100) can generate an attack scenario using a generative AI based on one or more attack information stored in memory, as shown in FIG. 5 (S510). Alternatively, the attack scenario generation device (100) can generate an attack scenario based on asset information and system information stored in memory in addition to the attack information.
[0079] At this time, the attack scenario generation device (100) can perform a simulation with the generated attack scenario to verify the attack scenario and provide the verified attack scenario to the user (S520).
[0080] Meanwhile, the attack scenario generating device (100) can provide an attack scenario based on a user's query consisting of text, as shown in FIG. 6.
[0081] For example, referring to FIG. 6, the attack scenario generation device (100) inputs a user's query into a TEXT2SQL model and converts it into an SQL query statement (S610). If conversion is possible, it searches for a previously generated attack scenario based on the converted SQL query statement and provides the attack scenario obtained (i.e., found) as a result of the search to the user (S630). On the other hand, if conversion fails, it can generate and provide an attack scenario using a generative AI based on the user query and attack information (S620).
[0082] The method for generating an attack scenario according to the embodiment described through FIGS. 4 to 6 may also be implemented in the form of a computer-readable medium that stores instructions and data executable by a computer. In this case, the instructions and data may be stored in the form of program code, and when executed by a processor, may generate a specific program module to perform a specific operation. Furthermore, the computer-readable medium may be any available medium accessible by a computer and includes both volatile and non-volatile media, as well as removable and non-removable media. Additionally, the computer-readable medium may be a computer recording medium, which may include both volatile and non-volatile, removable and non-removable media implemented by any method or technique for storing information such as computer-readable instructions, data structures, program modules, or other data. For example, the computer recording medium may be a magnetic storage medium such as an HDD and an SSD, an optical recording medium such as a CD, DVD, or Blu-ray disc, or a memory included in a server accessible via a network.
[0083] In addition, the method for generating an attack scenario according to the embodiment described through FIGS. 4 to 6 may be implemented as a computer program (or computer program product) comprising instructions executable by a computer. The computer program includes programmable machine instructions processed by a processor and may be implemented in a high-level programming language, an object-oriented programming language, an assembly language, or a machine language. In addition, the computer program may be recorded on a tangible computer-readable recording medium (e.g., memory, hard disk, magnetic / optical medium, or SSD (Solid-State Drive), etc.).
[0084] Accordingly, the method for generating an attack scenario according to one embodiment described through FIGS. 4 to 6 can be implemented by executing a computer program as described above by a computing device. The computing device may include at least some of a processor, memory, a storage device, a high-speed interface connected to the memory and a high-speed expansion port, and a low-speed interface connected to a low-speed bus and a storage device. Each of these components is connected to one another using various buses and may be mounted on a common motherboard or mounted in other suitable ways.
[0085] Here, the processor can process instructions within the computing device, such as instructions stored in memory or storage devices to display graph information for providing a Graphic User Interface (GUI) on external input and output devices, such as a display connected to a high-speed interface. In another embodiment, a plurality of processors and / or a plurality of buses may be used together with a plurality of memories and memory types as appropriate. Additionally, the processor may be implemented as a chipset comprising a plurality of independent analog and / or digital processors.
[0086] In addition, memory stores information within a computing device. For example, memory may consist of volatile memory units or a set thereof. As another example, memory may consist of non-volatile memory units or a set thereof. Furthermore, memory may be other forms of computer-readable media, such as magnetic or optical discs.
[0087] And memory can provide a large amount of storage space to a computing device. Memory may be a computer-readable medium or a configuration containing such a medium, and may include, for example, devices or other configurations within a Storage Area Network (SAN), and may be a floppy disk device, a hard disk device, an optical disk device, or a tape device, flash memory, or other similar semiconductor memory device or device array.
[0088] The embodiments described above are for illustrative purposes only, and those skilled in the art will understand that the embodiments described above can be easily modified into other specific forms without altering the technical concept or essential features of the embodiments described above. Therefore, the embodiments described above should be understood as illustrative in all respects and not restrictive. For example, each component described as a single unit may be implemented in a distributed manner, and components described as distributed may likewise be implemented in a combined form.
[0089] The scope of protection sought through this specification is defined by the claims set forth below rather than by the detailed description above, and should be interpreted to include all modifications or variations derived from the meaning and scope of the claims and the concept of equivalents. Explanation of the symbols
[0090] 100: Attack Scenario Generator 110: Memory 120: Control unit 130: Communication unit 140: Input / Output unit
Claims
Claim 1 A method for generating an attack scenario performed by an attack scenario generating device, comprising: a step of collecting data through a network and storing attack information obtained by refining the collected data; and a step of providing an attack scenario generated using a generative AI based on the attack information, wherein the providing step comprises: obtaining a user query including requests regarding cyber attacks and requests for attack scenario recommendations and generation; if the user query can be converted into an SQL query, searching for a pre-generated attack scenario using the converted SQL query, and if there is a searched attack scenario, providing the searched attack scenario; and if the user query cannot be converted into an SQL query or there is no searched attack scenario, providing an attack scenario output from the generative AI by inputting the user query into the generative AI. Claim 2 A method for generating an attack scenario according to claim 1, wherein the storing step comprises the step of collecting data from a public source and generating attack information by extracting TTP and IOC information based on the collected data using a learned NER model. Claim 3 A method for generating an attack scenario according to claim 1, wherein the step of providing an attack scenario output from the generative AI comprises: a step of obtaining an attack scenario output from the generative AI by inputting the user query into the generative AI; and a step of verifying the attack scenario output from the generative AI by performing a simulation with the attack scenario output from the generative AI, and providing the verified attack scenario to the user. Claim 4 A method for generating an attack scenario according to claim 1, wherein the step of providing further comprises the step of generating a basis for generating the searched attack scenario or the attack scenario output from the generative AI using an artificial intelligence model, and providing the basis for generating the attack scenario together with the searched attack scenario or the attack scenario output from the generative AI. Claim 5 delete Claim 6 An attack scenario generation device comprising: a memory for storing a program and data for generating an attack scenario; and a control unit comprising at least one processor, which operates by executing a program stored in the memory, collects data through a network, stores attack information obtained by refining the collected data, and provides an attack scenario generated using a generative AI based on the attack information, wherein the control unit acquires a user query including a request regarding a cyber attack and a request for the recommendation and generation of an attack scenario, and if the user query can be converted into an SQL query, searches for a pre-generated attack scenario using the converted SQL query, and if there is a searched attack scenario, provides the searched attack scenario, and if the user query cannot be converted into an SQL query or there is no searched attack scenario, inputs the user query into the generative AI to provide an attack scenario output from the generative AI. Claim 7 In claim 6, the control unit is an attack scenario generation device that collects data from a public source and generates attack information by extracting TTP and IOC information based on the collected data using a learned NER model. Claim 8 In claim 6, the control unit acquires an attack scenario output from the generative AI by inputting the user query into the generative AI, performs a simulation with the attack scenario output from the generative AI to verify the attack scenario output from the generative AI, and provides the verified attack scenario to the user. Claim 9 In claim 6, the control unit generates the basis for generating the searched attack scenario or the attack scenario output from the generative AI using an artificial intelligence model, and provides the basis for generating the attack scenario together with the searched attack scenario or the attack scenario output from the generative AI. Claim 10 delete Claim 11 A computer program stored on a computer-readable recording medium that is performed by an attack scenario generating device and performs the method described in claim 1. Claim 12 A computer-readable recording medium having a computer program that performs the method described in paragraph 1.