Military Information Leak Response Technology through OSINT Information Analysis Using SNSes

Open-source intelligence (OSINT), an information gathering and analysis system that utilizes public information on SNSes, is a necessary information gathering activity to counter terrorism and cyberterrorism. Although it is not possible to patrol cyberspace directly, as in real space, cyberspace can be patrolled by collecting information using OSINT technology. In this study, OSINT information analysis activities related to military information leakage are presented to SNSes. In this study, two or more OSINT collection tools are used to search for military information keywords, for characters’ names, and for personal identiﬁcation information about the characters. The results of 100,209 cases of military information keyword search and 471 cases of name search are presented. It was also conﬁrmed that personal identiﬁcation information was not searched because of the strengthening of personal information protection.


Introduction
As the use of SNSes is allowed in the military, there are continuous cases of leakage of military information through SNSes. is study is to present practical experiments and countermeasures for the leakage of military information through SNSes [1]. Open-source intelligence (OSINT), which is the collection and analysis of information using public information on SNSes, is a necessary information activity to counter terrorism and cyberterrorism. Terrorism is the most important aspect of real space, where victims, witnesses, and law enforcement agencies recognize terrorism [2]. Terrorism and cyberterrorism in cyberspace are difficult to recognize from the reports of victims and witnesses. Many terrorist attacks in cyberspace are difficult to identify [3]. Recently, military information has been leaked through SNS. Accordingly, intelligence agencies around the world are investigating military information leakage cases using SNS information collection technology. Information gathering channels on physical terrorism and cyberterrorism are equally applicable in cyberspace. Although it is not possible to directly patrol cyberspace, as in real life, it can be patrolled by collecting information using OSINT technology. In this study, OSINT information analysis measures related to military information leakage are presented to SNSes. To respond to military information leakage, Institute for the Study of Violent Groups (ISVG) and Study of Terrorism and Responses to Terrorism (START) were searched in the database of OSINT public information collected from SNSes worldwide, and the characteristics of Cyber reat Analysis and Sharing (C-TAS) were investigated [4]. To cope with substantial military information leakage, two or more OSINT collection tools were used to search for military information keywords, for person names, and for personal identification information. In this paper, studies that collected information from existing SNSes were analyzed. e performance of various OSINT tools for collecting information from SNSes was verified. It was conducted through an experiment to collect military information using OSINT technology on SNSes. An experiment was conducted on SNSes to collect military information with OSINT technology, and a countermeasure was suggested through this [5]. e rest of this paper is organized as follows. Section 2 presents related studies on collecting military information using OSINT tools. Section 3 presents various experimental results for actual military information collection through OSINT tools. Section 4 presents the results of collecting and responding to military information through OSINT tools for SNSes.

Related Work
To analyze the efficiency of OSINT information analysis to deal with military information leakage through SNSes, we investigated the collection of OSINT information on ISVG and START in the field of terrorism. Furthermore, the characteristics of Korea's C-TAS were analyzed through a research survey on cyber threat information collected on SNSes in response to cyberterrorism [6].

Purpose of OSINT Utilization.
Since September 11, 2001, terrorist attacks on Islamic fundamentalism have led to the increasing importance of OSINT technology, and OSINT has been actively utilized by the United States and NATO.
is is because terrorist organizations such as Al Qaeda, the Taliban, Hezbollah, and Hamas are active online. e U.S. and NATO recognize OSINT as important information collection channels along with existing information collection channels, Human Intelligence (HUMINT), and Technical Intelligence (TECHINT). OSINT is different from existing information activities, and interest in OSINT collection, database construction, and information analysis on SNSes is increasing. e application areas of OSINT for collecting SNS information are as follows: (i) Intelligence: the collection of information from OSINT and the secondary analysis of published information are used to understand important security threats, terrorism, and cyberterrorism. In OSINT, data mining, statistical analysis, location analysis, network analysis, and time-series pattern analysis are important [7]. (ii) SNS background survey (internet vetting): activities related to background surveys and profiles of specific individuals or groups. Recently, activities mainly take place in cyberspace, so they are more likely to collect information about the characteristics, history, and tendencies of specific individuals and organizations in online space than in offline space [8]. (iii) Crime investigation is an online activity used to secure criminal evidence. is activity, in contrast to digital forensics, includes information about witnesses and witnesses online [9].

ISVG (Institute for the Study of Violent Groups).
e US ISVG program is a research project that uses federal research funds to build databases related to terrorism. ISVG is responsible for Sam Houston State University's College of Criminal Justice.
e ISVG program uses OSINT information that can be collected on SNSes to build a database of information about terrorist organizations, terrorist organizations, and major terrorists around the world. Since 2004, more than 150,000 terrorist databases have been built. As can be seen in Figure 1, the database consists of a series of incident identification numbers that collect OSINT information from various SNSes on related events and people and organizations. Comprehensive incident information can be obtained by searching for specific terrorist events, people, and organizations [11]. About 20 researchers searched SNS information in real time and built a database to collect information on terrorist attacks in continents and regions. In addition, 11 additional language-related materials were searched, and the database entry language was English [12].

START (Study of Terrorism and Responses to Terrorism).
START is a program supported by the U.S. Department of Homeland Security and is being studied by the University of Maryland to collect information on terrorism. As shown in Figure 2, START builds a variety of databases, but the Global Terrorism Database (GTD) related to terrorist attacks collects information published on SNSes in an OSINT manner. Information on terrorist attacks around the world, including incident information, attack information, weapons information, and damage information, was compiled into a database [14]. It collects systematic data on terrorist incidents worldwide and has at present collected more than 110,000 pieces of information. For each terrorist incident, it provides the date, location, weapons used, nature of the terrorist, number of victims, and identification information about the terrorist. e GTD database is open to the Internet and can be used by anyone for browsing and research [15].

C-TAS (Cyber reat Analysis and Sharing).
It is necessary to immediately and preemptively respond to cyber threats and to build intelligence to prevent accidents. Cyber threat intelligence can be categorized according to the organization's expertise in collecting information, enabling OSINT to build databases [16]. As can be seen in Figure 3, the Korea Internet & Security Agency (KISA) has established a cyber threat analysis and sharing system (C-TAS) that shares information about threat IPs, malicious code, vulnerabilities, etc., among other types of information provided by registered agencies. In a way that shares information, Cyber reat Intelligence (CTI) is divided into reat Intelligence Service (TIS) and reat Intelligence Platform (TIP) in the form of a service or platform [18]. FireEye iSIGHT Intelligence provides CTI services at different levels based on API and web-based information values. is service assists with attacker synchronization, background, development environment, security issues, etc. [19]. Symantec's DeepSightTM Intelligence provides analysis and reputation information on major breaches of accident indicators. e main information provided provides reputation information such as IP, domain, URL, malware history, regional information, industrial information, owner information, and behavior information [20]. IBM provides cyber threat intelligence services and products to various service subscribers through IBM i2 services, which previously expanded Watson for cybersecurity services [21].

Comparative Analysis of Terrorism and Cyberterrorism OSINT.
is study investigates the construction of OSINT information published on SNSes and portal sites worldwide in response to terrorism and cyberterrorism [22]. As shown in Table 1, the anti-terrorism sector operates the ISVG and START databases in the United States. e purpose is to provide terrorist incidents, terrorists and organizations, sites of events, weapons used, and extent of damage to counterterrorism. In response to cyberterrorism, Korea's C-TAS has made cyber threat information, malicious code, and weaknesses unique to registered information security agencies. Researchers collect SNS information manually to counter terrorism, but information that is shared to counter cyberterrorism is characterized by automation [23].

Experiment
To cope with military information leakage, three experiments were conducted to analyze the efficiency of OSINT information analysis through SNSes. e SNS targets were Facebook and Instagram, and portal sites conducted OSINT information collection experiments on nine military information keywords, five military information names, and five military information personal identification numbers. In this paper, we presented the actual response results to the leakage of military information using SNS information   To solve these problems, it is necessary to understand the characteristics, advantages, and disadvantages of various search engines for OSINT information collection. At least two or more search engines should be utilized to ensure the reliability and validity of OSINT collection materials, depending on the nature of the data required for a particular subject.

SNS Target Military Information Keyword OSINT Search
Experiment. In this experiment, nine keywords related to military information leakage were collected from SNSes, and the amount of information collected and its accuracy were analyzed. e SNS targets were Facebook and Instagram, and the portal used four different OSINT search engines-Carrot2, WebSTAR, Biznar, and Imgur-on Google and Naver. Table 2 shows the characteristics of the OSINT search engines. In this experiment, four OSINTsearch engines were used to collect information on nine keywords related to military information leakage on SNSes: military secrets, defense industry preferences, defense companies, defense capabilities, improvement projects, officers, weapons systems, and defense projects. Table 3 shows the results of the OSINT information collection experiments: WebSTAR (94,927 cases), Biznar (4,816 cases), Carrot2 (465 cases), and Imgur (1 case). e Imgur OSINT search engine mainly searched for images, so the amount of information analyzed was small. e search volume by keywords was 100,209, followed by officers (62,214), defense (25,197), reserve (8,148), defense industry preferences (1748), defense industry companies (725), weapons systems (629), military secrets (584), defense agency projects (552), and defense improvement projects (412). e level of information collection was high, and the speed of information collection was slow. However, owing to the large amount of information collected, the   4 Security and Communication Networks accuracy of the information was low because of the large amount of information contained in the defect information.

SNS Target Person Name Keyword Search Experiment.
In this experiment, OSINT information was collected through statements about five people related to military information on SNSes, and the amount and accuracy of the information collected are discussed. e target SNSes were Facebook and Instagram, and the portal used three different OSINT search engines-Carrot2, Social Blade, and Social Searcher-to search Google and Naver. Table 4 shows the characteristics of the OSINT search engines. In this experiment, three OSINT search engines were used to collect information on five people involved with military information on SNSes. In this study, any information about related people is presented in a non-identifying manner. In Table 5 Carrot2 (440), Social Blade (31), and Social Searcher (2), respectively were information collection for OSINT information collection.
e Social Searcher OSINT search engine mainly searched for images, so the amount of information analyzed was small. e total collection volume was 471, followed by Person C (303), Person A (58), Person B (47), Person E (33), and Person D (30). e level of information collected was high, and the speed of information collection was high. Compared with the amount of information collected, the accuracy of the information was high because of the small amount of defect information.

Personal Identification Number Search Experiment for SNS Target Person.
In this experiment, OSINT information was collected from the personal identification numbers of five people related to military information on SNSes, and the amount and accuracy of the information collected were discussed. e target SNSes were Facebook and Instagram, and the portals were Google and Naver using two OSINT search engines, Carrot2 and Pipl. Table 6 shows the characteristics of the OSINT search engines.
In this experiment, two OSINT search engines were used to collect information using the personal identification numbers of five people involved in military information on SNSes. In this study, information about related people is presented in a non-identifying manner. In Table 7 Carrot2 (4) and Pipl (3), respectively, were information collection for OSINT information collection.
is is because the total collection volume is small, and the recent Personal Information Protection Law requires the government to delete personal identification numbers posted on SNSes. It was confirmed on the SNSes that, even if an individual agrees, his or her personal identification number would not be disclosed. e level of automation for collecting information was low, and the speed of collection was slow. Imgur [27] (i) Image-specialized hosting service (ii) Integrated image retrieval of major search engines 3.5. Expected Effect. As shown in Table 8, OSINT information is collected through SNSes, and the utilization of military information leakage is shown below. Regarding military information keywords, the amount of information was high, the accuracy of information was low, the level of automation was high, and the speed of collection was low.  [29] (i) Provides clustering information for main search engine results (i) Provides personal information through paid services (ii) Provides SNS-saved archive information retrieval function for people

Conclusion
OSINT, an information gathering and analysis system that utilizes public information on SNSes, is a necessary information activity to counter terrorism and cyberterrorism. It is impossible to respond without recognizing the collection of information about terrorism in real space. erefore, terrorist awareness is the most important stage, and in real space, victims, witnesses, and law enforcement agencies recognize terrorism. Terrorism and cyberterrorism in cyberspace are difficult to recognize from the reports of victims and witnesses. Many terrorist attacks in cyberspace are difficult to identify. Although it is not possible to patrol directly in cyberspace, as in real space, cyberspace can be patrolled by collecting information using OSINT technology. In this study, OSINT information analysis activities for military information leakage were presented to SNSes. In this study, two or more OSINT collection tools were used to search for military information keywords, characters' names, and the personal identification information of characters. Regarding the utilization of OSINT information through SNSes to cope with military information leakage, the amount of information, accuracy of the information, automation level, and collection speed were low. e overall utilization rate was excellent. Regarding statements by military intelligence officials, the accuracy of the information and the accuracy of the information were intermediate, and the speed of automation and collection was high. Owing to the strengthening of the Personal Information Protection Law, the personal identification numbers of military intelligence personnel were considered to be ineffective. Further research will be conducted on the combination of location information on terrorism and cyber threat information and the correlation with relevant secondary information.

Data Availability
No data were used to support this study.

Conflicts of Interest
e authors declare that they have no conflicts of interest.