Abstract:
PURPOSE: A method for providing and executing a policy that uses a system function in a policy-based network security management system is provided, to increase the expandability and flexibility of a policy server by generating a network security policy that refers to a system function of a client and providing it to the related policy client. CONSTITUTION: A system function whose value differs for each policy client, used for maintaining and managing that client, is mutually recognized by the policy server and the policy client. The policy server generates, edits, or stores the network security policy referring to the system function(S20). The policy server transfers the network security policy to the policy client(S30). The policy client replaces the system function in the network security policy with the actual value returned by its own system function(S40). The policy client executes the network security policy(S50).
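As an added example that is not code from the patent, the following Python sketch walks steps S20 through S50: the policy server authors one rule that refers to system functions by name, the policy client substitutes the values its own implementations of those functions return, and then evaluates the rule against packets. The `${name}` reference syntax, the function names, the rule and the addresses are assumptions made for the example. The check a practitioner wants is visible in both halves: the server refuses names outside the mutually recognized set, and the client resolves only registered functions, so a policy cannot be used to invoke arbitrary client code.

```python
import ipaddress
import re

# System-function names mutually recognized by server and client
# (assumed set for this example; the patent names no particular functions).
KNOWN_SYSTEM_FUNCTIONS = {"local_ip", "hostname", "mgmt_subnet"}

# A system-function reference inside a policy value looks like ${name}
# (assumed syntax for this example).
FUNC_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def server_generate_policy(recognized=KNOWN_SYSTEM_FUNCTIONS):
    """Step S20: author one rule that refers to system functions by name and
    refuse any name the client would not recognize."""
    rule = {
        "name": "drop_non_mgmt_to_local",
        "condition": {"dst_ip": "${local_ip}", "src_not_in": "${mgmt_subnet}"},
        "action": "drop",
    }
    for text in rule["condition"].values():
        for name in FUNC_RE.findall(text):
            if name not in recognized:
                raise ValueError("unrecognized system function: " + name)
    return rule


def server_rejects(recognized):
    """True when authoring fails because a referenced function is unknown."""
    try:
        server_generate_policy(recognized)
    except ValueError:
        return True
    return False


def client_resolve(policy, resolvers):
    """Step S40: replace each ${name} with the value the client's own
    implementation of that system function returns. Only registered
    resolvers are callable, never arbitrary client code."""
    def substitute(text):
        def repl(match):
            name = match.group(1)
            if name not in resolvers:
                raise KeyError("client lacks system function: " + name)
            return resolvers[name]()
        return FUNC_RE.sub(repl, text)

    resolved = dict(policy)
    resolved["condition"] = {k: substitute(v) for k, v in policy["condition"].items()}
    return resolved


def client_execute(resolved_policy, packet):
    """Step S50: evaluate the resolved rule against one packet and return
    the rule's action when it matches, otherwise 'pass'."""
    cond = resolved_policy["condition"]
    src = ipaddress.ip_address(packet["src"])
    if packet["dst"] == cond["dst_ip"] and src not in ipaddress.ip_network(cond["src_not_in"]):
        return resolved_policy["action"]
    return "pass"


# Constructed client: its system functions return this host's own values.
CLIENT_A_RESOLVERS = {
    "local_ip": lambda: "10.0.0.5",
    "hostname": lambda: "gw-a",
    "mgmt_subnet": lambda: "10.0.0.0/24",
}


def demo():
    """Resolve the server's rule on client A and test two constructed packets."""
    policy = client_resolve(server_generate_policy(), CLIENT_A_RESOLVERS)
    outside = {"src": "192.0.2.9", "dst": "10.0.0.5"}
    inside = {"src": "10.0.0.7", "dst": "10.0.0.5"}
    return policy["condition"], client_execute(policy, outside), client_execute(policy, inside)


if __name__ == "__main__":
    print(demo())
```

The same unresolved rule can be sent to every client; each one ends up with a different concrete condition because `local_ip` and `mgmt_subnet` are evaluated locally, which is the expandability the abstract refers to.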
Abstract:
PURPOSE: An information model for the security policy of a policy-based network security system is provided, accommodating a detection policy, a cut-off policy, a sensing policy, an IP security policy and an alarm control policy by defining a policy information model. CONSTITUTION: A policy client system(120) analyzes packets entering an internal network, detects an attack and transmits an alarm message to a policy server(110). The policy server(110) generates a systematic policy to cope with a possible attack through collective analysis of the traffic information, log information and alarm information received from multiple policy client systems(120). A policy storing unit(140) stores the policies generated by the policy server(110). A policy determining module(112) transfers the policies of the policy storing unit(140) to the policy client system(120), and if a problem arises while a policy is performed, the policy determining module(112) transfers it to a viewer(160). An alarm management module(114) stores the alarm data transferred from the policy client system(120) in an alarm database(150) and transfers the alarm data, and the result obtained by analyzing them, to the viewer(160).
Abstract:
PURPOSE: A method for protecting normal traffic from DoS(Denial of Service) and DDoS(Distributed Denial of Service) attacks and a device therefor are provided, to keep the load of the high-priority queue used by normal traffic bounded even when traffic increases owing to a DDoS attack, thereby minimizing loss of the normal traffic. CONSTITUTION: A queue(505) has a high priority and a queue(506) has a low priority. A queue information table(502) stores the service queue information of the STT to which a specific packet belongs. A queue mapper(503) updates the queue information table(502) based on the load of the STT and the load of the queue(505). When a packet is received, a packet classifier(504) retrieves the service queue of its STT, selectively transmits the packet to the queue(505) or the queue(506) according to the retrieved result, and supplies information on the received packet to the queue mapper(503). A buffer(507) buffers the outputs of the queues(505,506) and supplies them to a network(509) to be protected.
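To show how the queue mapper, the queue information table and the two-queue classifier interact, here is an added Python simulation; it is not the patent's code. The abstract does not define STT, so this example identifies an STT by the packet's source address (assumption), and the thresholds, queue capacities, drain rate and the two constructed sources are likewise assumptions. Every packet starts in the high-priority queue; the mapper demotes an STT to the low-priority queue when that STT's own load exceeds a limit, or when the high queue's occupancy passes a watermark, and restores it when the load falls back. The output buffer serves the high queue first, so a flooding source can only exhaust the low queue:

```python
from collections import Counter, deque

HIGH, LOW = "high", "low"


class QueueMapper:
    """Queue mapper (503) together with the queue information table (502).
    The table maps each STT (here: source address, an assumption) to a queue."""

    def __init__(self, stt_limit, high_watermark):
        self.stt_limit = stt_limit            # packets per tick before an STT is demoted
        self.high_watermark = high_watermark  # high-queue occupancy that forces a demotion
        self.table = {}                       # STT -> HIGH or LOW
        self.loads = Counter()                # packets seen per STT during this tick

    def note_packet(self, stt):
        """Information on a received packet, supplied by the classifier."""
        self.loads[stt] += 1

    def update(self, high_queue_len):
        """Re-map STTs from their own load and from the high queue's load."""
        for stt, load in self.loads.items():
            if load > self.stt_limit:
                self.table[stt] = LOW
            elif high_queue_len <= self.high_watermark:
                self.table[stt] = HIGH          # load fell back, restore priority
        if high_queue_len > self.high_watermark and self.loads:
            heaviest = max(self.loads, key=self.loads.get)
            self.table[heaviest] = LOW          # relieve the high queue
        self.loads.clear()


class Protector:
    """Packet classifier (504), the two queues (505, 506) and the output
    buffer (507) that always serves the high-priority queue first."""

    def __init__(self, mapper, high_cap, low_cap, drain_per_tick):
        self.mapper = mapper
        self.queues = {HIGH: deque(), LOW: deque()}
        self.caps = {HIGH: high_cap, LOW: low_cap}
        self.drain = drain_per_tick
        self.forwarded = Counter()              # packets delivered, per STT
        self.dropped = Counter()                # packets tail-dropped, per STT

    def classify(self, packet):
        stt = packet["src"]
        self.mapper.note_packet(stt)
        queue = self.mapper.table.get(stt, HIGH)  # unknown STTs start as normal
        if len(self.queues[queue]) >= self.caps[queue]:
            self.dropped[stt] += 1                # drop only within that queue
        else:
            self.queues[queue].append(packet)

    def tick(self):
        """Drain up to drain_per_tick packets toward the protected network,
        strictly preferring the high queue, then let the mapper refresh."""
        for _ in range(self.drain):
            queue = self.queues[HIGH] or self.queues[LOW]
            if not queue:
                break
            self.forwarded[queue.popleft()["src"]] += 1
        self.mapper.update(len(self.queues[HIGH]))


def simulate(ticks=10, normal_rate=2, attack_rate=60):
    """Constructed traffic: one normal host and one flooding source.
    Returns (forwarded, dropped, table) so the effect on normal traffic is measurable."""
    mapper = QueueMapper(stt_limit=20, high_watermark=10)
    box = Protector(mapper, high_cap=30, low_cap=30, drain_per_tick=25)
    for _ in range(ticks):
        for _ in range(normal_rate):
            box.classify({"src": "10.0.0.7"})       # normal traffic
        for _ in range(attack_rate):
            box.classify({"src": "203.0.113.9"})    # flood
        box.tick()
    return box.forwarded, box.dropped, mapper.table


if __name__ == "__main__":
    print(simulate())
```

In the first tick the flood shares the high queue, because the table has no entry yet; from the second tick on the mapper has demoted the flooding STT, and every normal packet is delivered while the drops land only on the low-priority queue.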
Abstract:
PURPOSE: A method for analyzing the relation of an attack and a recording medium therefor are provided, to supply various statistical and probabilistic analysis data on a currently executed attack by constructing intrusion prevention data into a knowledge base, so that the network can be used flexibly, and executing an attack relation analysis. CONSTITUTION: It is checked whether the same attack is generated frequently and continuously(S1). Similar attack actions are analyzed and their frequency is measured(S2). The latency of an attack is analyzed(S3). The possibility of the next attack and its attack method are estimated statistically(S4). Relation analysis data for the generated attack are calculated based on the analyzed results, and a knowledge base of intrusion detection data is constructed from the calculated relation analysis data(S5).
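Steps S1 to S5 carried through on a constructed alert stream, as an added Python example rather than the patent's implementation. The alert records, the use of Jaccard similarity over the tokens of an attack name as the "similar action" measure, and the first-order transition model for estimating the next attack are all assumptions chosen for the example; the abstract does not specify how similarity or the estimate are computed.

```python
from collections import Counter, defaultdict

# Constructed alert stream: (seconds since start, attack name, source address).
ALERTS = [
    (0, "portscan_tcp", "198.51.100.4"),
    (30, "portscan_tcp", "198.51.100.4"),
    (60, "portscan_udp", "198.51.100.4"),
    (120, "bruteforce_ssh", "198.51.100.4"),
    (600, "portscan_tcp", "203.0.113.8"),
    (650, "portscan_udp", "203.0.113.8"),
    (700, "bruteforce_ssh", "203.0.113.8"),
    (720, "bruteforce_ssh", "203.0.113.8"),
    (740, "bruteforce_ssh", "203.0.113.8"),
]


def frequency_and_runs(alerts):
    """S1: how often each attack appears and its longest consecutive run."""
    freq = Counter(name for _, name, _ in alerts)
    longest, run, prev = Counter(), 0, None
    for _, name, _ in alerts:
        run = run + 1 if name == prev else 1
        longest[name] = max(longest[name], run)
        prev = name
    return freq, longest


def similarity(a, b):
    """Jaccard similarity of the tokens in two attack names (assumed measure)."""
    ta, tb = set(a.split("_")), set(b.split("_"))
    return len(ta & tb) / len(ta | tb)


def similar_groups(freq, threshold=0.3):
    """S2: group attacks whose actions look similar and count each group's frequency."""
    groups = []
    for name in sorted(freq):
        for group in groups:
            if any(similarity(name, member) >= threshold for member in group):
                group.append(name)
                break
        else:
            groups.append([name])
    return [(group, sum(freq[n] for n in group)) for group in groups]


def mean_latency(alerts):
    """S3: mean gap between successive occurrences of the same attack."""
    times = defaultdict(list)
    for t, name, _ in alerts:
        times[name].append(t)
    return {
        name: (ts[-1] - ts[0]) / (len(ts) - 1) if len(ts) > 1 else None
        for name, ts in times.items()
    }


def transition_probabilities(alerts):
    """S4: first-order estimate of which attack follows which."""
    counts = defaultdict(Counter)
    names = [name for _, name, _ in alerts]
    for cur, nxt in zip(names, names[1:]):
        counts[cur][nxt] += 1
    return {
        cur: {nxt: c / sum(nxts.values()) for nxt, c in nxts.items()}
        for cur, nxts in counts.items()
    }


def build_knowledge_base(alerts):
    """S5: assemble the relation analysis data into one knowledge-base record,
    including the most probable successor of the latest alert."""
    freq, runs = frequency_and_runs(alerts)
    trans = transition_probabilities(alerts)
    last = alerts[-1][1]
    nxt = max(trans[last].items(), key=lambda kv: kv[1]) if last in trans else None
    return {
        "frequency": dict(freq),
        "longest_run": dict(runs),
        "similar_groups": similar_groups(freq),
        "mean_latency": mean_latency(alerts),
        "transition": trans,
        "next_attack": nxt,
    }


if __name__ == "__main__":
    print(build_knowledge_base(ALERTS))
```

On this stream the knowledge base records that a UDP port scan has always been followed by an SSH brute-force attempt, and that the latest alert is most likely to be followed by more of the same; with a real alert feed these counts would be refreshed continuously rather than computed once.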
Abstract:
PURPOSE: A security gateway system using multiple intrusion detection objects and an intrusion detection method are provided, to judge whether an intrusion occurs by generating the multiple intrusion detection objects on the basis of object-oriented modeling and analyzing contraction observation data on a network packet according to each intrusion detection object. CONSTITUTION: A network packet information extracting and transmitting device(205) receives a network packet from a lower network layer and generates contraction observation data. A network intrusion detection performing device(203) analyzes, from the contraction observation data generated by the network packet information extracting and transmitting device(205), whether an intrusion occurs, and provides the analyzed result. An intrusion pattern database(204) stores the intrusion patterns the network intrusion detection performing device(203) requires to judge whether an intrusion occurs. A cyber patrol agent(202) manages the entire security gateway system and generates and transmits an alarm message. An alarm processing device(201) transmits the policy and the alarm message from the cyber patrol agent(202).
Abstract:
PURPOSE: A method for checking collisions when editing a policy in a network security policy managing tool is provided, to complement the operation mechanism of a network security policy managing tool based on a policy server. CONSTITUTION: It is judged whether an append operation is executed or a new object is created with respect to a reusable object(S41). If a new object is created, the corresponding object kind is selected(S42) and the attributes of the selected object are inputted(S43). If a rule object is created, the attributes of the rule object are inputted and it is checked whether a rule object having an identical name or keyword exists(S44). When a condition object, an action object, a variable object, or a value object is created, that is, any object other than a rule object, it is checked whether an object of the same name exists. In addition, when an attribute is inputted, it is checked whether the inputted value lies within the range defined by the attribute, and the corresponding object is created(S45-S46). After the object is created, it is judged whether an object to be appended exists(S47). If an object to be appended exists, the process returns to stage (S41).
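The editing loop of stages S41 to S47, as an added Python example (not the tool's own code): one editor object keeps the reusable objects by kind, refuses a new object whose name collides, refuses a rule whose keyword another rule already owns, and refuses an attribute value outside its defined range; the append branch attaches an existing object to a rule and fails when the object does not exist. The object kinds follow the abstract, while the attribute ranges, the request format and the sample editing session are assumptions for the example.

```python
class PolicyCollision(Exception):
    """A new object would collide with an existing name or keyword."""


class PolicyRangeError(Exception):
    """An attribute value lies outside the range the attribute defines."""


# Attribute ranges per object kind (assumed for this example).
ATTRIBUTE_RANGES = {
    "rule": {"priority": (0, 255)},
    "condition": {"port": (0, 65535)},
    "action": {"severity": (1, 5)},
    "variable": {},
    "value": {"ttl": (1, 255)},
}


class PolicyEditor:
    def __init__(self):
        self.objects = {kind: {} for kind in ATTRIBUTE_RANGES}
        self.rule_keywords = {}   # keyword -> name of the rule that owns it

    def create(self, kind, name, attributes, keywords=()):
        """S42-S46: select the kind, take its attributes, check for name
        collisions (and keyword collisions for rules), check every attribute
        against its range, then store the object."""
        if kind not in self.objects:
            raise ValueError("unknown object kind: " + kind)
        if name in self.objects[kind]:
            raise PolicyCollision("%s %r already exists" % (kind, name))
        if kind == "rule":
            for kw in keywords:
                if kw in self.rule_keywords:
                    raise PolicyCollision(
                        "keyword %r already used by rule %r" % (kw, self.rule_keywords[kw]))
        ranges = ATTRIBUTE_RANGES[kind]
        for attr, value in attributes.items():
            if attr in ranges:
                lo, hi = ranges[attr]
                if not lo <= value <= hi:
                    raise PolicyRangeError(
                        "%s.%s=%r outside [%d, %d]" % (kind, attr, value, lo, hi))
        self.objects[kind][name] = {"attributes": dict(attributes), "members": []}
        if kind == "rule":
            for kw in keywords:
                self.rule_keywords[kw] = name
        return name

    def append(self, rule_name, kind, name):
        """S41 append branch: attach an existing reusable object to a rule."""
        if rule_name not in self.objects["rule"]:
            raise KeyError("no rule " + rule_name)
        if name not in self.objects.get(kind, {}):
            raise KeyError("no %s %s" % (kind, name))
        self.objects["rule"][rule_name]["members"].append((kind, name))

    def edit(self, requests):
        """S41/S47 loop: handle each editing request in turn and report which
        ones were rejected, so the tool can show the collision to the user."""
        results = []
        for req in requests:
            try:
                if req[0] == "create":
                    self.create(*req[1:])
                else:
                    self.append(*req[1:])
                results.append((req, "ok"))
            except (PolicyCollision, PolicyRangeError, KeyError) as exc:
                results.append((req, str(exc)))
        return results


def demo():
    """Constructed editing session: five valid edits followed by four that collide."""
    editor = PolicyEditor()
    requests = [
        ("create", "condition", "dst_port_23", {"port": 23}),
        ("create", "action", "drop", {"severity": 3}),
        ("create", "rule", "block_telnet", {"priority": 10}, ("telnet",)),
        ("append", "block_telnet", "condition", "dst_port_23"),
        ("append", "block_telnet", "action", "drop"),
        ("create", "rule", "block_telnet", {"priority": 20}),              # same rule name
        ("create", "rule", "telnet_again", {"priority": 20}, ("telnet",)),  # same keyword
        ("create", "condition", "bad_port", {"port": 70000}),              # out of range
        ("append", "block_telnet", "condition", "missing"),                # no such object
    ]
    return editor, editor.edit(requests)


if __name__ == "__main__":
    for req, status in demo()[1]:
        print(status, req)
```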
Abstract:
PURPOSE: A Ladon-SGS(Security Gateway System), its security policy setting method and a harmful traffic detection alarm generating method are provided, to control illegal intrusions or harmful traffic by analyzing large-scale network traffic and packet information. CONSTITUTION: A communication processor(21) sets up the connection between a security policy server and the Ladon-SGS and transfers and receives information according to the security policy. A system controller(22) performs the operations related to initialization of the Ladon-SGS and controls the overall system. A security policy processor(23) converts the security policy transferred from the security policy server into a form applicable to the Ladon-SGS. An intrusion detection analyzer(24) analyzes an intrusion that has occurred through the network and transfers the analysis result to an intrusion detection alarm processor. The intrusion detection alarm processor(25) analyzes the importance of the intrusion alarm according to the pre-set security policy on the basis of the intrusion type analyzed by the intrusion detection analyzer(24), compares the importance with a reference value, and determines whether to cope with it within the system or transfer it to the security policy server. A security policy storing unit(26) stores the security policy converted by the security policy processor(23), the detected intrusions and the corresponding results. A firewall processor(27) cuts off illegal intrusions defined by the firewall policy and harmful traffic.
Abstract:
The object of the present invention is to provide an Internet traffic management function module capable of distinguishing quality of service, and a method therefor. According to the present invention, in a data communication network traffic management method that uses a data service processing method for selectively managing packet data input from a data communication network access unit, there is provided a data communication network traffic management method characterized by comprising: a first step of controlling the input of packet data from the data communication network access unit by service class; a second step of data-service-processing the packet data input per service class in the first step according to a packet processing policy; and a third step of outputting the packets processed in the second step.