-
Publication (announcement) number: KR101219538B1
Publication (announcement) date: 2013-01-08
Application number: KR1020090069418
Application date: 2009-07-29
Applicant: 한국전자통신연구원
CPC classification number: H04L63/1425
Abstract: The present invention relates to a network attack detection apparatus based on visual data analysis and a method thereof. It can process large volumes of traffic data in real time and, when generating a traffic image, embeds various information such as traffic volume, country information, ISP information and the ports in use, so that it can detect attacks that existing traffic-volume-based network attack detection techniques could not detect. Furthermore, because the invention analyzes network traffic using visual data analysis techniques, the analysis result appears as an image pattern, so that whether a network attack is occurring can be recognized intuitively from the detection result; and because it provides a user interface that presents the network attack detection information together with the image pattern of the network attack and the original data, a network administrator can quickly verify a detected attack.
-
Publication (announcement) number: KR1020120105759A
Publication (announcement) date: 2012-09-26
Application number: KR1020110023391
Application date: 2011-03-16
Applicant: 한국전자통신연구원
CPC classification number: G06F21/564
Abstract: PURPOSE: A malicious code visualizing apparatus, a malicious code detecting apparatus, and a method thereof are provided to represent the structure, shape, and behavior of an executable file containing malicious code by visualizing them. CONSTITUTION: A string extracting unit(102) unpacks a file containing malicious code according to how it was packed and extracts strings. An entropy calculator(104) calculates the entropy of each extracted string. A graph generating unit(106) sets up each string as a node and sets up directionality between nodes based on the connection relations between the strings. The graph generating unit sets the color of each node based on the entropy of its string and generates a graph of the file. [Reference numerals] (102) String extracting unit; (104) Entropy calculating unit; (106) Graph generating unit; (110) Malicious code database; (AA) File
-
Publication (announcement) number: KR1020110070289A
Publication (announcement) date: 2011-06-24
Application number: KR1020090127050
Application date: 2009-12-18
Applicant: 한국전자통신연구원
IPC: H04L12/22
CPC classification number: H04L63/1466 , H04L63/0236 , H04L63/0245 , H04L63/1416
Abstract: PURPOSE: A web load attack blocking device using URI content discrimination and an attack blocking method are provided to identify, in a short time, a malicious user who repeatedly requests the same URI content. CONSTITUTION: A packet parser module(10) extracts client information from an incoming payload packet. A hash generation module(20) applies a hash function to the information extracted by the packet parser module. A DDoS(Distributed Denial of Service) detection and protection module(30) receives the hash values from the hash generation module together with the extracted information. The DDoS detection and protection module detects a load attack against a web server. If a message is from a malicious user, the DDoS detection and protection module isolates the packet.
-
Publication (announcement) number: KR1020110043982A
Publication (announcement) date: 2011-04-28
Application number: KR1020090100758
Application date: 2009-10-22
Applicant: 한국전자통신연구원
CPC classification number: G06F21/60 , G06F17/30241 , G06Q50/32
Abstract: PURPOSE: A domain security state displaying device using geographic information and a method thereof are provided to enable a manager to make a countermeasure plan by intuitively notifying the source of an abnormality in an ISP network. CONSTITUTION: A security event collector(310) collects information from an Internet service providing system in order to prepare a security event. A security event analyzer(320) analyzes the existence of a web e-mail or a web posting using the collected information. The security event analyzer maps the source IP address, the destination IP address, and the proxy IP address.
-
Publication (announcement) number: KR100949803B1
Publication (announcement) date: 2010-03-30
Application number: KR1020070133083
Application date: 2007-12-18
Applicant: 한국전자통신연구원
IPC: H04L12/26
CPC classification number: H04L63/1416 , H04L29/12783 , H04L61/35 , H04L63/1441
Abstract: Disclosed are an IP address split display apparatus and method that display the combined result of the important attributes of security events, so that anomalous and harmful traffic that degrades network performance can be recognized intuitively and the security situation can be judged easily in real time. The disclosed invention clusters the collected security events using their common characteristic information and displays the IP addresses of the clustered events split across parallel coordinates and/or circular coordinates.
-
Publication (announcement) number: KR1020090030880A
Publication (announcement) date: 2009-03-25
Application number: KR1020070096537
Application date: 2007-09-21
Applicant: 한국전자통신연구원
IPC: H04L12/26
CPC classification number: H04L41/28 , H04L63/1416
Abstract: An apparatus and a method for visualizing a network state using geographic information are provided; they use a globe that everyone can easily understand, so that the source site at which a security event occurs and the real site of its destination can be checked easily. A security event collecting unit(110) collects a security event from the outside. An IP(Internet Protocol) address converter(120) converts the source IP address and the destination IP address within the characteristic data of the collected security event into geographic information based on a geographical information database(130). A network state display unit(140) displays the flow of protocol security events between the source and the destination on a 3D screen including a globe shape.
-
Publication (announcement) number: KR1020090009622A
Publication (announcement) date: 2009-01-23
Application number: KR1020070073059
Application date: 2007-07-20
Applicant: 한국전자통신연구원
CPC classification number: H04L45/00 , H04L45/12 , H04L63/1416 , H04L63/1425 , H04L63/1441 , H04L2463/146
Abstract: A log-based back-tracking system and a method thereof, using a center division technique capable of quickly searching for the actual location of an attacker, are provided; they apply the connection information of network routers collected from a network management server together with the log information of an intrusion alarm. A log information input module(101) collects the log information of an intrusion alarm for a network attacker from an intrusion detection system(120). A reverse intrusion processing module(103) extracts the necessary log information and analyzes the log information of the collected intrusion alarm. When the log information of the intrusion alarm is input, a centroid node detection module(104) collects the connection information of the network routers from the network management server(110).
-
Publication (announcement) number: KR100862194B1
Publication (announcement) date: 2008-10-09
Application number: KR1020070034102
Application date: 2007-04-06
Applicant: 한국전자통신연구원
Abstract: A device and a method for sharing infringement accident information, and a network security system including the same, are provided to enable the domains included in the network security system to share information related to infringement accidents occurring in the network security system by using a standardized Internet format and transfer protocol. A controller(111), which comprises a reporting unit(111-1), a report analyzing unit(111-2), a tracking request unit(111-3) and a tracking execution unit(111-4), controls the operation of a security management device by detecting an infringement accident occurring in the managed domains and generating infringement accident information including the trust level of the managed domain, the seriousness level of the infringement accident, and the priority of management actions, or by analyzing infringement accident information received from external domains. A message converter(112) generates a message by encoding the infringement accident information and extracts infringement accident information by decoding the message received from external domains, based on the IODEF(Incident Object Description Exchange Format)/RID(Real-Time Inter-network Defense) data format. A message transceiver(113) exchanges the message with the external domains using SOAP(Simple Object Access Protocol)/HTTPS(HyperText Transfer Protocol over Secure Socket Layer).
-
Publication (announcement) number: KR1020080040921A
Publication (announcement) date: 2008-05-09
Application number: KR1020060108893
Application date: 2006-11-06
Applicant: 한국전자통신연구원
Abstract: A method and an apparatus for managing security in a large network environment are provided to detect the attack pattern of a network by classifying traffic information according to flows having the same characteristics, and to recognize an attack situation by analyzing the statistical information. The apparatus for managing security is made up of a traffic receiver(110), a traffic classifier(120), a traffic analyzer(130) and an external interface(140). The traffic receiver collects traffic information(NetFlow) in real time from all routers scattered across the large network. The traffic classifier comprises a multi-level hash table having a stratified structure, and stores the traffic information as traffic statistics information by classifying the traffic information into flow groups. The traffic analyzer receives the traffic statistics information, detects flows that show abnormal indications, and recognizes the attack situation. The external interface notifies the present security situation to the outside according to the recognized attack situation.
-
Publication (announcement) number: KR1020070035918A
Publication (announcement) date: 2007-04-02
Application number: KR1020050116586
Application date: 2005-12-01
Applicant: 한국전자통신연구원
CPC classification number: H04B7/2606 , H04W16/26 , H04W40/22 , H04W48/08 , H04W76/10
Abstract: An apparatus and method for transmitting relay station (RS) type information in a multi-hop relay cellular communication system are provided. In the RS type information providing method, an RS transmits a message including information about the RS's type to an MS. The MS acquires the RS type information from the message and performs an initial connection procedure with the RS based on the RS type information.
-