Abstract:
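The present invention relates to a malicious code analysis method and apparatus, and in particular provides a method and apparatus for safely analyzing malicious code contained in a non-executable file by using a target program containing a vulnerability in a virtual environment. To this end, a malicious code analysis method according to an embodiment of the present invention comprises: loading a non-executable file, for which malicious code analysis is desired, by a target program that runs in a virtual environment and contains a vulnerability; analyzing a register value of the target program and determining whether the register value points within a normal code region; storing log information on the operation of the target program when the register value points to a region other than the normal code region; and extracting and analyzing the malicious code contained in the non-executable file based on the stored log information. Because the malicious code is analyzed in a virtual environment, this has the advantage of preventing the damage that would result from executing the malicious code. Virtual environment, malicious code, non-executable file, log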
Abstract:
PURPOSE: An abnormal action interception device for an application program and a method thereof are provided to detect and intercept abnormal actions based on an action profile, thereby reducing the misjudgment rate of abnormal action detection. CONSTITUTION: An action monitor(311) detects actions of running application programs(320). An abnormal action detector(312) decides whether the detected actions of the application programs are abnormal. If so, an abnormal action interceptor(313) intercepts execution of the actions of the application programs. An action profile extractor(317) generates an action profile by simulation of the application programs under analysis or source files of the application programs.
Abstract:
PURPOSE: A digital forensic apparatus and a method thereof are provided to analyze a page file according to its characteristics in a Windows environment and to use a suitable method for each characteristic. CONSTITUTION: A page file extracting unit(103) extracts a page file saved in an object storage medium. A storage page characteristic extracting unit(105) extracts a characteristic of a page saved in the extracted page file. A page classifying unit(109) compares the characteristic of the extracted page with one predetermined classification reference and classifies the page according to the comparison result. A digital forensic executing unit(113) performs digital forensics corresponding to the classified page.
Abstract:
A method and an apparatus for analyzing malware within a non-executable file using a virtual environment are provided, which use a target program having a vulnerability in the virtual environment to safely analyze the malware included in the non-executable file. A program execution part(114) loads the non-executable file to be analyzed into the target program and outputs a register value of the target program. A program run analysis part(122) analyzes the outputted register value. If the register value points to a region other than the normal code region, the program run analysis part stores log information about the operation of the target program in the log information database(124). A malware analysis part(126) extracts and analyzes the malware included in the non-executable file based on the log information. The program run analysis part begins to store the log information when the outputted register value begins to point to a region other than the normal code region.
Abstract:
A network management system and a method thereof are provided to manage a network based on the value of a network apparatus, thereby enabling network management that considers the characteristics of the network apparatus. A value-based network management system(10) comprises the following: a value estimating part(101) collecting information about the value of network equipment; a storage(102) storing the value of the network equipment delivered from the value estimating part; a policy judging part(103) which compares the currently estimated value of the network equipment with the required value of the network equipment, delivered from a manager, to judge whether to apply the required value of the network equipment; and a policy executing part(104) which, if the application is decided, transmits to the network equipment a command requesting a change to the required value.
Abstract:
A method and a system for detecting an anomaly malicious code with a process behavior prediction technique are provided to detect the anomaly malicious code by making a prediction pattern based on combination between all behaviors generated from normal/malicious codes and related events, and comparing the prediction pattern with a behavior pattern generated from a new execution code. A database filtering module(200) filters malicious codes from execution codes executed in a system. A system resource monitoring module(3001) monitors system resources to collect individual event information generated from the executed execution codes. A reprocessing module(4001) reconfigures one integrated log representing a behavior property value of the execution codes by reprocessing the individual event information. A behavior prediction information processing module(500) extracts the behavior property value of an anomaly malicious behavior by inputting the integrated log in a learning algorithm. An anomaly malicious behavior detecting module(700) detects malicious behavior by comparing the anomaly malicious behavior property value extracted from the behavior prediction information processing module with behavior property value data reformed in the reprocessing module.
Abstract:
A system and a method for checking vulnerability of a web server by using a search engine are provided to efficiently check vulnerability with reduction of a vulnerability checking time and system overhead by checking the vulnerability of the probable web server after examining the web server probably including the vulnerability with the search engine in advance. A user terminal comprises a web server examining module(101) receiving a URL(Uniform Resource Locator) of the probable web server examined by the search engine after requesting the search engine to examine files probably including the vulnerability in response to an inputted keyword including a packet having the known vulnerability, and a web server vulnerability checking module(102). The web server vulnerability checking module sends a vulnerability checking query to the probable web server by parsing the URL received from the web server examining module, and checks the vulnerability in the web server with a response to the query or a returned message. The search engine constructs the system for obtaining the URL of the web server and transmitting the obtained URL to the web server examining module.
Abstract:
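A method and an apparatus for embedding information in an object and extracting information from the object are provided. An information embedding apparatus can convert information into a set of at least one point and can output the set of at least one point generated by the conversion onto the object. An information extracting apparatus can identify the set of at least one point output on the object and can extract the information from the identified set of at least one point.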