-
公开(公告)号:KR1020060042788A
公开(公告)日:2006-05-15
申请号:KR1020040091574
申请日:2004-11-10
Applicant: 한국전자통신연구원
IPC: G06F15/00
Abstract: 본 발명에 의한 네트워크 이벤트의 그래프 표현을 통한 보안 상황 분석 방법 및 그 장치는 네트워크 트래픽 정보와 보안 관련 이벤트 정보를 수집하는 단계; 상기 수집된 정보들로부터 보안관련 특성정보를 추출하는 단계; 상기 특성정보를 기초로 3차원 직각 좌표계에 상기 네트워크 트래픽 정보와 보안관련 이벤트정보들을 선으로 표현하는 단계; 및 상기 선의 조합에 따라 나타나는 패턴을 기초로 네트워크의 보안 이상 상태를 판정하는 단계;를 포함하는 것을 특징으로 를 포함하는 것을 특징으로 하며, 네트워크에서 발생하는 트래픽 데이터 및 보안 이벤트를 단순히 나열해서는 파악할 수 없는 네트워크 상의 보안 상황을 분석하고 정상 상태와 다른 이상 상황을 탐지할 수 있도록 해 주며, 또한 보안 장비로부터 발생하는 보안 이벤트에 적용할 경우 무수히 발생하는 보안 이벤트들 사이의 상호 연관 관계를 시각적으로 파악할 수 있게 해주며, 이를 통해 보안 이벤트의 통합을 통한 실제 보고 이벤트의 축약, 계속해서 발생하는 동일한 보안 이벤트(즉 공격)의 파악, 주로 감시해야 할 원천지 주소, 목적지 주소, 목적지 포트에 대한 정보를 획득할 수 있게 된다.
네트워크 보안, 시각화, 상호 연관성 분석, 트래픽 처리, 보안 이벤트-
公开(公告)号:KR100450770B1
公开(公告)日:2004-10-01
申请号:KR1020020067660
申请日:2002-11-02
Applicant: 한국전자통신연구원
IPC: H04L12/22
Abstract: PURPOSE: A system and method for tracking an attacker back and intercepting an attack in a security network is provided to trace the location of an attacker back in case that the attacker accesses a specific host via many hosts for the purpose of the stealing or change of important data. CONSTITUTION: A system and method for tracking an attacker back and intercepting an attack in a security network is comprised of a session logging part(240), a security management system(220), and a traffic interruption part(230). The session logging part(240) is installed and executed at each host(210-213). The security management system(220) executes an attacker tracking function at each domain. The traffic interruption part(230), having an interface for an external system, intercepts an attacker's traffic through the interface.
Abstract translation: 目的:提供一种系统和方法,用于在攻击者通过许多主机访问特定主机的情况下,追踪攻击者返回并拦截安全网络中的攻击以追踪攻击者的位置,以便窃取或更改 重要的数据。 用于在安全网络中跟踪攻击者并拦截攻击的系统和方法由会话记录部分(240),安全管理系统(220)和业务中断部分(230)组成。 会话记录部分(240)在每个主机(210-213)处被安装和执行。 安全管理系统(220)在每个域执行攻击者跟踪功能。 具有用于外部系统的接口的业务中断部分(230)通过接口拦截攻击者的业务。
-
-
公开(公告)号:KR1020150084123A
公开(公告)日:2015-07-22
申请号:KR1020140003781
申请日:2014-01-13
Applicant: 한국전자통신연구원
CPC classification number: G06F21/566
Abstract: 본발명은이상행위탐지장치및 방법에관한것으로, 시스템상에서프로세스가실행되는동안상기프로세스로부터수집한데이터에근거하여시스템자원별로발생한행위를분석하는행위분석부, 상기시스템자원별행위를기반으로생성된좌표상에각 시스템자원별행위분석결과를모델링하여상기시스템의자원들에대응하는프로세스행위모델을생성하는행위모델링부, 상기시스템자원별행위를기반으로생성된좌표상에구현된프로세스행위모델의형태에따라해당프로세스의의심행위를판별하는의심행위판별부, 및상기의심행위판별부의판별결과에따라의심행위가발생한프로세스를이상행위프로세스로탐지하는프로세스탐지부를포함한다.
Abstract translation: 本发明涉及一种用于检测异常行为的设备和方法,其包括:行为分析单元,其基于在所述过程在所述系统上运行时从所述过程收集的数据分析在每个系统资源中发生的行为; 行为建模单元,对系统资源行为上的每个系统资源的行为分析结果进行建模,并创建与系统资源相对应的过程行为模型; 可疑行为判断单元,其根据在基于系统资源的行为生成的坐标上实现的过程行为模型的形状来确定可疑行为; 以及处理检测单元,其根据可疑行为判断单元提交的检测结果,通过使用异常行为处理来检测具有可疑行为的处理。
-
公开(公告)号:KR100862194B1
公开(公告)日:2008-10-09
申请号:KR1020070034102
申请日:2007-04-06
Applicant: 한국전자통신연구원
Abstract: A device and a method for sharing infringement accident information, and a network security system including the same are provided to enable domains included in the network security system to share the information related to infringement accidents occurring in the network security system by using a standardized Internet format and transfer protocol. A controller(111) which comprises a reporting unit(111-1), a reporting analyzing unit(111-2), a tracking request unit(111-3) and a tracking execution unit(111-4) controls operation of a security management device by detecting an infringement accident occurring in managed domains, and generating infringement accident information including a trust level of the managed domain, a seriousness level of the infringement accident, and priority of management actions, or analyzing the infringement accident information received from external domains. A message converter(112) generates a message by encoding the infringement accident information and extracts the infringement accident information by decoding the message received from the external domains based on an IODEF(Incident Objection Description Exchange Format)/RID(Real-Time Inter-network Defense) data format. A message transceiver(113) transceives the message with the external domains by using SOAP(Simple Object Application Protocol)/HTTPS(HyperText Transfer Protocol over Secure socket level).
Abstract translation: 提供了一种共享侵权事故信息的装置和方法,以及包括该网络安全系统的网络安全系统,以使网络安全系统中包含的域能够通过使用标准的因特网格式共享与网络安全系统中发生的侵权事故相关的信息 和传输协议。 一种控制器(111),包括报告单元(111-1),报告分析单元(111-2),跟踪请求单元(111-3)和跟踪执行单元(111-4)控制安全性 通过检测管理域中发生的侵权事故,产生管理域的信任级别,侵权事故的严重程度,管理行为的优先级,或分析从外部域收到的侵权事故信息的侵权事故信息,管理设备 。 消息转换器(112)通过对侵权事件信息进行编码来生成消息,并且通过根据IODEF(事件异常描述交换格式)/ RID(实时网络间)解码从外部域接收到的消息来提取侵权事件信息 防御)数据格式。 消息收发器(113)通过使用SOAP(简单对象应用协议)/ HTTPS(通过安全套接字级别的超文本传输协议)来收发与外部域的消息。
-
Patent Agency Ranking
公开(公告)号:KR1020080040921A
公开(公告)日:2008-05-09
申请号:KR1020060108893
申请日:2006-11-06
Applicant: 한국전자통신연구원
Abstract: A method and an apparatus for managing security in large network environment are provided to detect an attack pattern of a network by classifying traffic information depending on a flow having the same characteristic, and to recognize attack situation by analyzing the statistical information. An apparatus for managing security is made up of a traffic receiver(110), a traffic classifier(120), a traffic analyzer(130) and an external interface(140). The traffic receiver collects traffic information(Net flow) from all router which are scattered in a large network in real time. The traffic classifier comprises multi hash table having a stratified structure, and stores the traffic information as traffic statistics information by classifying the traffic information into each flow group. The traffic analyzer receives the traffic statistics information, detects flows which show abnormal indication, and recognizes attack situation. The external interface notifies the present security situation to the outside according to the notified attack situation.
Abstract translation: 提供一种用于管理大型网络环境中的安全性的方法和装置,用于通过根据具有相同特征的流分类业务信息来检测网络的攻击模式,并通过分析统计信息来识别攻击情况。 用于管理安全性的装置由业务接收器(110),业务分类器(120),业务分析器(130)和外部接口(140)组成。 流量接收方从实时分散在大型网络中的所有路由器收集流量信息(Net Flow)。 流分类器包括具有分层结构的多哈希表,并将流量信息作为流量统计信息存储,将流量信息分类到每个流组中。 流量分析仪接收流量统计信息,检测出异常指示的流量,识别攻击情况。 外部接口根据通知的攻击情况将当前的安全情况通知给外界。
-
公开(公告)号:KR1020070035918A
公开(公告)日:2007-04-02
申请号:KR1020050116586
申请日:2005-12-01
Applicant: 한국전자통신연구원
CPC classification number: H04B7/2606 , H04W16/26 , H04W40/22 , H04W48/08 , H04W76/10
Abstract: An apparatus and method for transmitting relay station (RS) type information in a multi-hop relay cellular communication system are provided. In the RS type information providing method, an RS transmits a message including information about RS's type to an MS. The MS acquires the RS type information from the message and performs an initial connection procedure with the RS based on the RS type information.
-
公开(公告)号:KR1020040042397A
公开(公告)日:2004-05-20
申请号:KR1020020070686
申请日:2002-11-14
Applicant: 한국전자통신연구원
IPC: H04L12/22
CPC classification number: H04L63/1458
Abstract: PURPOSE: A system and a method for coping with distributed service denial attack are provided to remove an agent and a master program, isolate a real attacker on a network, and actively cope with the distributed service denial attack. CONSTITUTION: An intrusion detection system(110) extracts alarm data according to the detection of service denial attack. An active security management system(100) analyzes the alarm data. If the service denial attack is distributed service denial attack, the active security management system(100) generates a back-tracking sensor for back-tacking a distributed service denial attacker and transmits the back-tracking sensor. The active security management system(100) transmits a mobile sensor(140) to a host back-tracked by the back-tracking sensor, and removes a master or agent program in the host. The active security management system(100) generates a back-tracking sensor using an IP(Internet Protocol) address of the host which transmits a packet to the removed program, and transmits the back-tracking sensor. An active security node(120) executes the transmitted back-tracking sensor, and back-tracks the distributed service denial attack host. If the back-tracked host is a real attacker, the active security node(120) blocks a traffic generated from the real attacker.
Abstract translation: 目的:提供一种解决分布式服务拒绝攻击的系统和方法,以删除代理和主程序,隔离网络上的真实攻击者,并主动应对分布式服务拒绝攻击。 构成:入侵检测系统(110)根据服务拒绝攻击的检测提取报警数据。 主动安全管理系统(100)分析报警数据。 如果服务拒绝攻击是分布式服务拒绝攻击,则主动安全管理系统(100)生成用于反向分布式服务拒绝攻击者的后跟踪传感器,并发送后跟踪传感器。 主动安全管理系统(100)将移动传感器(140)发送到由后跟踪传感器反向跟踪的主机,并且移除主机中的主机或代理程序。 主动安全管理系统(100)使用向所移除的程序发送分组的主机的IP(因特网协议)地址生成后跟踪传感器,并发送回跟踪传感器。 主动安全节点(120)执行发送的反向跟踪传感器,并且回溯分布式服务拒绝攻击主机。 如果后跟主机是真正的攻击者,则主动安全节点(120)阻止从真实攻击者产生的流量。
-
公开(公告)号:KR1020040039552A
公开(公告)日:2004-05-12
申请号:KR1020020067660
申请日:2002-11-02
Applicant: 한국전자통신연구원
IPC: H04L12/22
CPC classification number: H04L63/1416 , H04L63/1458 , H04L63/1466 , H04L2463/146
Abstract: PURPOSE: A system and method for tracking an attacker back and intercepting an attack in a security network is provided to trace the location of an attacker back in case that the attacker accesses a specific host via many hosts for the purpose of the stealing or change of important data. CONSTITUTION: A system and method for tracking an attacker back and intercepting an attack in a security network is comprised of a session logging part(240), a security management system(220), and a traffic interruption part(230). The session logging part(240) is installed and executed at each host(210-213). The security management system(220) executes an attacker tracking function at each domain. The traffic interruption part(230), having an interface for an external system, intercepts an attacker's traffic through the interface.
Abstract translation: 目的:提供一种用于跟踪攻击者返回并拦截安全网络中的攻击的系统和方法,用于跟踪攻击者的位置,以防攻击者通过许多主机访问特定主机,以窃取或更改攻击者 重要资料。 构成:用于跟踪攻击者并拦截安全网络中的攻击的系统和方法包括会话记录部分(240),安全管理系统(220)和业务中断部分(230)。 会话记录部分(240)在每个主机(210-213)处被安装和执行。 安全管理系统(220)在每个域执行攻击者跟踪功能。 具有用于外部系统的接口的流量中断部分(230)通过该接口拦截攻击者的流量。
-
-
-
-
-
-
-
-
-
Search Results
37
records
(took 0.023 seconds)
