-
公开(公告)号:KR1020170089579A
公开(公告)日:2017-08-04
申请号:KR1020160009966
申请日:2016-01-27
Applicant: 한국전자통신연구원
Abstract: 본발명은단방향파일전송시스템및 방법에관한것이다. 본발명에따른시스템은, 오픈된비안전영역의제2 네트워크내 FTP 클라이언트로부터폐쇄된안전영역의제1 네트워크내 FTP 서버에저장된파일데이터의다운로드요청이있는경우, FTP 클라이언트로서동작하며제1 네트워크의 FTP 서버에저장된파일데이터를다운로드하여전달하는제1 서버및 상기제1 서버로부터전달되는파일데이터를파일데이터베이스에저장하고, FTP 서버로서동작하며상기파일데이터베이스에저장된파일데이터를상기제2 네트워크내 FTP 클라이언트로전송하는제2 서버를포함한다.
Abstract translation: 本发明涉及一种单向文件传输系统和方法。 当在打开的非安全区的第二网络中存在用于从封闭安全区的第一网络中的FTP服务器中存储的文件数据的请求时,根据本发明的系统作为FTP客户端运行, 第一服务器,用于下载和传输存储在第一网络的FTP服务器中的文件数据;以及第二服务器,用于将从第一服务器传输的文件数据存储在文件数据库中, 到FTP客户端。
-
公开(公告)号:KR101711022B1
公开(公告)日:2017-02-28
申请号:KR1020140001838
申请日:2014-01-07
Applicant: 한국전자통신연구원
Abstract: 본발명의일 실시예에따른제어네트워크침해사고탐지장치는제어네트워크를통해제어설비들과연결되는제어네트워크침해사고탐지장치에있어서, 상기제어네트워크를통해수집되는패킷을파싱하여플로우정보를추출하는플로우정보추출부, 상기플로우정보를이용하여플로우테이블을생성하는플로우정보관리부, 상기플로우테이블에저장된플로우정보를분석하여플로우패턴정보를생성하는플로우패턴정보생성부, 상기네트워크를통해상기제어설비들로부터설정정보를수집하는설정정보수집부, 및상기플로우정보관리부로부터전달되는상기플로우정보및 상기플로우패턴정보생성부로부터전달되는상기플로우패턴정보및 상기설정정보수집부로부터전달되는상기설정정보를이용하여상기플로우정보에대응되는플로우가정상인지여부를판단하는판단부를포함한다.
-
公开(公告)号:KR1020160002058A
公开(公告)日:2016-01-07
申请号:KR1020140080790
申请日:2014-06-30
Applicant: 한국전자통신연구원
CPC classification number: H04L63/1425 , H04L12/40 , H04L41/142 , H04L43/026 , H04L67/12 , H04L69/16 , H04L69/329 , H04L2012/40228
Abstract: 본발명은모드버스통신패턴학습에기반한비정상트래픽탐지장치및 방법에관한것으로서, 본발명에따른모드버스통신패턴학습에기반한비정상트래픽탐지장치는 Modbus/TCP 프로토콜상의비정상트래픽을조기에탐지하고대응할수 있는것을특징으로한다. 본발명에따르면, 모드버스통신패턴학습에기반한여러다양한형태의비정상트래픽을탐지할수 있다. 즉, 제어시스템의안전한운영을방해할수 있는비정상트래픽을조기에탐지함으로써, 제어시스템간의통신서비스를안정적으로제공할수 있다. 특히 Modbus/TCP 프로토콜상의효과적인비정상트래픽을조기에탐지할수 있어서, 제어시스템인트라넷내의보안위협에대한신속한발견및 대응으로서비스의신뢰성을높일수 있고가용성을확보할수 있는이점이있다.
Abstract translation: 本发明涉及一种用于基于Modbus通信模式学习检测异常业务的装置和方法,其可以在早期阶段检测Modbus和传输控制协议(TCP)上的异常业务并且可以对其进行响应。 根据本发明,可以检测基于Modbus通信模式学习的各种形式的异常业务。 也就是说,可以在早期阶段检测到可能干扰控制系统的安全操作的异常业务,从而在控制系统之间稳定地提供通信服务。 特别地,可以在早期阶段检测到Modbus / TCP上的有效的异常流量,从而由于对控制系统的内联网中的安全威胁的及时检测和响应而提高了服务的可靠性,并且确保了可用性 。
-
公开(公告)号:KR1020140117753A
公开(公告)日:2014-10-08
申请号:KR1020130032212
申请日:2013-03-26
Applicant: 한국전자통신연구원
CPC classification number: G05B15/02 , H04L63/0263 , H04L63/1408 , H04L63/1425 , H04L63/1441 , H04L63/20 , H04L2012/40228
Abstract: The present invention relates to an abnormal traffic detection method on a control system protocol. The disclosed abnormal traffic detection method comprises the steps of testing whether session information exists in a management table if a received packet is a MODBUS request message; adding a new entry in the management table if the session information does not exist in the management table; testing whether a transaction ID within a corresponding table entry is the same as a transaction ID of the received MODBUS request message, if the session information exists in the management table; testing whether data of the received MODBUS request message is the same as data within a table entry, if the transaction ID of the table entry is not the same as that of the MODBUS request message; detecting the received data as an abnormal traffic if the transaction ID or the data of the data entry is the same as that of the MODBUS request message; and updating the table entry with packet information of the MODBUS request message if the data of the table entry is not the same as that of the MODBUS request message. Therefore, the present invention can detect and handle the abnormal traffic that disturbs a normal service connection or causes an error on the control system protocol, at an early stage, thereby providing a stable connection system between control systems which can rapidly detect and handle the abnormal traffic caused by a system and a network error as well as an intentional behavior of an invader.
Abstract translation: 本发明涉及一种控制系统协议的异常流量检测方法。 所公开的异常业务检测方法包括以下步骤:如果接收的分组是MODBUS请求消息,则测试会话信息是否存在于管理表中; 如果管理表中不存在会话信息,则在管理表中添加新条目; 如果会话信息存在于管理表中,则测试对应的表项中的事务ID是否与所接收的MODBUS请求消息的事务ID相同; 如果表项的事务ID与MODBUS请求消息的事务ID不相同,则测试接收的MODBUS请求消息的数据是否与表条目中的数据相同; 如果事务ID或数据输入的数据与MODBUS请求消息的数据相同,则检测接收到的数据为异常流量; 以及如果所述表项的数据与所述MODBUS请求消息的数据不相同,则更新具有所述MODBUS请求消息的分组信息的所述表条目。 因此,本发明可以早期检测和处理干扰正常业务连接或引起控制系统协议错误的异常业务,从而在控制系统之间提供稳定的连接系统,可以快速检测和处理异常 由系统造成的流量和网络错误以及入侵者的有意行为。
-
公开(公告)号:KR101219538B1
公开(公告)日:2013-01-08
申请号:KR1020090069418
申请日:2009-07-29
Applicant: 한국전자통신연구원
CPC classification number: H04L63/1425
Abstract: 본발명은비주얼데이터분석기반의네트워크공격탐지장치및 그방법에관한것으로, 대량의트래픽데이터를실시간으로처리할 수있고, 트래픽이미지를생성할때 트래픽의볼륨, 국가정보, ISP 정보, 사용되는포트정보등의다양한정보들을삽입하여기존의트래픽볼륨기반의네트워크공격탐지기법들이탐지하지못했던공격들을탐지할수 있다. 또한, 본발명은비주얼데이터분석기법을사용하여네트워크트래픽을분석함으로써분석된결과가이미지패턴으로나타나기때문에공격의탐지결과를보고네트워크공격여부를직관적으로인지하고, 네트워크공격탐지정보와네트워크공격에대한이미지패턴과원본데이터등을표현하는사용자인터페이스를제공하기때문에네트워크관리자측면에서탐지된공격을신속하게검증할수 있다.
-
Patent Agency Ranking
公开(公告)号:KR1020120105759A
公开(公告)日:2012-09-26
申请号:KR1020110023391
申请日:2011-03-16
Applicant: 한국전자통신연구원
CPC classification number: G06F21/564
Abstract: PURPOSE: A malicious code visualizing apparatus, a malicious code detecting apparatus, and a method thereof are provided to easily represent a structure, a shape, and a behavior of a malicious code executing file by visualizing a structure, a shape, and a behavior of an execution file having a malicious code. CONSTITUTION: A string extracting unit(102) unpacks a file according to packing a file having a malicious file and extracts strings. An entropy calculator(104) calculates entropy about the extracted string. A graph generating unit(106) sets up the string as a node and sets up directionality between nodes based on a connection relation about the string. The graph generating unit sets up a color of the node based on entropy about the string and generates a graph about the file. The entropy calculating unit calculates the entropy about the string. [Reference numerals] (102) String extracting unit; (104) Entropy calculating unit; (106) Graph generating unit; (110) Malicious code database; (AA) File
Abstract translation: 目的:提供恶意代码可视化设备,恶意代码检测设备及其方法,以通过可视化结构,形状和行为来容易地表示恶意代码执行文件的结构,形状和行为 具有恶意代码的执行文件。 构成:字符串提取单元(102)根据打包具有恶意文件的文件并提取字符串来解包文件。 熵计算器(104)计算关于提取的串的熵。 图形生成单元(106)将字符串设置为节点,并且基于关于字符串的连接关系在节点之间建立方向性。 图形生成单元基于关于该字符串的熵来建立该节点的颜色,并且生成关于该文件的图形。 熵计算单元计算关于该串的熵。 (102)串提取单元; (104)熵计算单元; (106)图形生成单元; (110)恶意代码数据库; (AA)文件
-
公开(公告)号:KR1020110043982A
公开(公告)日:2011-04-28
申请号:KR1020090100758
申请日:2009-10-22
Applicant: 한국전자통신연구원
CPC classification number: G06F21/60 , G06F17/30241 , G06Q50/32
Abstract: PURPOSE: A domain security state displaying device using geographic information and a method thereof are provided to enable a manager to make a countermeasure plan by instinctively notifying the source of an abnormality in an ISP network. CONSTITUTION: A security event collector(310) collects information from internet service providing system in order to prepare a security event. A security event analyzer(320) analyzes the existence of a web email or a web posting using the collected information. The security event analyzer maps the source IP address, a destination IP address, and a proxy IP address.
Abstract translation: 目的:提供使用地理信息的域安全状态显示设备及其方法,以使管理者能够通过本地地通知ISP网络中的异常源来做出对策计划。 规定:安全事件收集器(310)从互联网服务提供系统收集信息,以准备安全事件。 安全事件分析器(320)使用所收集的信息分析网络电子邮件的存在或网络发布。 安全事件分析器映射源IP地址,目的IP地址和代理IP地址。
-
公开(公告)号:KR100949803B1
公开(公告)日:2010-03-30
申请号:KR1020070133083
申请日:2007-12-18
Applicant: 한국전자통신연구원
IPC: H04L12/26
CPC classification number: H04L63/1416 , H04L29/12783 , H04L61/35 , H04L63/1441
Abstract: 보안 이벤트의 중요 속성들에 대한 조합 결과를 표시함으로써 네트워크의 성능을 저하시키는 이상 및 유해 트래픽 등을 직관적으로 인식하고 보안 상황을 실시간으로 용이하게 판단할 수 있도록 한 아이피 주소 분할 표시 장치 및 방법을 개시한다. 개시된 본 발명은 수집된 보안 이벤트들에서 공통 특성 정보를 이용하여 군집화하고, 군집화된 이벤트들의 IP주소들을 병렬좌표 및/또는 원형좌표로 분할 표시한다.
-
公开(公告)号:KR1020090030880A
公开(公告)日:2009-03-25
申请号:KR1020070096537
申请日:2007-09-21
Applicant: 한국전자통신연구원
IPC: H04L12/26
CPC classification number: H04L41/28 , H04L63/1416
Abstract: An apparatus and a method for visualizing a network state by using geographic information are provided to use a globe that everyone can easily understand, thereby easily checking a source site in which a security event occurs and a real site of a destination. A security event collecting unit(110) collects a security event from the outside. An IP(Internet Protocol) address converter(120) converts a source IP address within characteristic data of the collected security event and a destination IP address into geographic information based on a geographical information database(130). A network state display unit(140) displays flow of protocol security events between the source and the destination by a 3D screen including globe shape.
Abstract translation: 提供一种通过使用地理信息可视化网络状态的装置和方法,以使用每个人都可以容易理解的地球仪,从而容易地检查发生安全事件的源站点和目的地的真实站点。 安全事件收集单元(110)从外部收集安全事件。 IP(因特网协议)地址转换器(120)基于地理信息数据库(130)将收集的安全事件的特征数据中的源IP地址和目的地IP地址转换为地理信息。 网络状态显示单元(140)通过包括球形形状的3D屏幕来显示源和目的地之间的协议安全事件的流程。
-
公开(公告)号:KR1020090009622A
公开(公告)日:2009-01-23
申请号:KR1020070073059
申请日:2007-07-20
Applicant: 한국전자통신연구원
CPC classification number: H04L45/00 , H04L45/12 , H04L63/1416 , H04L63/1425 , H04L63/1441 , H04L2463/146
Abstract: A back-tracking system based on log and a method thereof using a center division technique capable of quickly searching the actual location of an attacker are provided to apply connection information of a network router collected from a network managing server and log information of an invasion alarm. A log information input module(101) collects log information toward the invasion alarm of a network attacker from an intrusion detection system(120). A reverse invasion process module(103) extracts necessary log information and analyzes log information of the collected invasion alarm. If the log information of the invasion alarm is inputted, a centroid node detection module(104) collects the connect information of the network router from the network management server(110).
Abstract translation: 提供一种基于日志的后跟踪系统及其使用能够快速搜索攻击者的实际位置的中心分割技术的方法,以应用从网络管理服务器收集的网络路由器的连接信息和入侵警报的日志信息 。 日志信息输入模块(101)从入侵检测系统(120)向网络攻击者的入侵警报收集日志信息。 反向入侵处理模块(103)提取必要的日志信息并分析所收集的入侵报警的日志信息。 如果入侵报警的日志信息被输入,则质心节点检测模块(104)从网络管理服务器(110)收集网络路由器的连接信息。
-
-
-
-
-
-
-
-
-
Search Results
82
records
(took 0.031 seconds)
