Abstract:
Presented are a similar-malware search device and method based on malware feature information, which search for the malware samples with the highest similarity to existing malware samples, output the similar data, and provide the analyst with information on the author group of those malware samples so that the analyst can use it in detailed analysis. The presented device includes: a malware registration unit that registers newly received malware as a new malware sample, extracting and registering detailed information on the new malware sample; a malware analysis unit that analyzes the detailed information of the new malware sample; a malware DNA extraction unit that extracts malware DNA information, including malware feature information, based on the malware analysis information from the malware analysis unit; a malware DNA comparison unit that compares, by DNA type, the similarity between the extracted malware DNA information and the malware DNA information of previously stored malware samples; and a similar-malware search unit that, based on the similarity computed by the malware DNA comparison unit, computes the overall similarity between the new malware sample and the previously stored malware samples and extracts a specific number of malware samples as the similar-malware search result.
Abstract:
A packet processing device according to an embodiment of the present invention includes: a session processing unit that classifies a packet group composed of a plurality of HTTP packets into a plurality of session files and distributes them; a parallel processing unit that, based on the plurality of session files, individually generates metadata and extracts content from each distributed session file; and a storage unit that stores the metadata generated or the content extracted by the parallel processing unit.
Abstract:
The present invention provides a device and a method for detecting network intrusion which perform Perl-compatible regular expression (PCRE)-based pattern matching on the payload of a packet using a network processor having a deterministic finite automata (DFA) engine. For this purpose, a device for detecting network intrusion according to the present invention includes: a network processor core for receiving packets from a network and transmitting the payload of the received packets to the DFA engine; a detection rule converter for converting a predetermined PCRE-based detection rule into a detection rule whose pattern uses only the PCRE constructs supported by the DFA engine, for detecting attack packets; and the DFA engine for performing PCRE pattern matching on the payload of packets based on the detection rule converted by the detection rule converter. [Reference numerals] (100) Detection rule converter; (220) Network processor core; (240) DFA engine; (AA) Detection rule; (BB) Packet; (CC) Intrusion detection result
Abstract:
A device and a method for detecting an HTTP botnet based on web transaction density are disclosed. The device for detecting an HTTP botnet based on web transaction density according to the present invention includes: a collection management part for extracting metadata from HTTP request packets collected by a traffic collection sensor; a web transaction classification part for creating a gray list by extracting web transactions through analysis of the metadata and arranging the extracted web transactions by access frequency; and a filtering part for filtering the gray list based on a white list and a black list. [Reference numerals] (100) Collection management part; (200) Web transaction classification part; (300) Filtering part; (400) Black list management part; (500) White list generating machine
Abstract:
A traffic control device based on CAPTCHA and a method thereof are provided. A traffic control device according to the present invention includes: a traffic monitoring unit for monitoring packets which are transmitted and received between an internal network and an external network; a CAPTCHA verification unit for transmitting a CAPTCHA request message corresponding to packet information to a client computer in the internal network, receiving a CAPTCHA response message corresponding to the CAPTCHA request message and verifying the CAPTCHA response message when the packet information corresponding to the packet does not exist in an access control list; a list management unit for detecting a control policy corresponding to the packet information from the access control list when the packet information exists in the access control list; and a traffic control unit for controlling traffic between the internal network and the external network based on a verified result of the CAPTCHA response message or the control policy. [Reference numerals] (110) Traffic control unit; (120) Traffic monitoring unit; (130) List management unit; (140) CAPTCHA verification unit; (20) External network; (250) Application; (AA) Client computer; (BB) CAPTCHA agent; (S301,S302) Packet transmission; (S303,S305) Packet information transmission; (S306) CAPTCHA request message; (S307) CAPTCHA response message; (S308,S309) Verified result transmission; (S310) Traffic allowance or cut-off; (S311) Update
Abstract:
PURPOSE: An IP-based filtering apparatus and method, and a legitimate-user identification apparatus and method, are provided to offer user convenience by protecting an IP from DDoS (Distributed Denial of Service) attacks. CONSTITUTION: A determination control unit (220) examines a packet transmitted from a user IP (Internet Protocol) address. If the received packet does not match a legitimate IP, the determination control unit determines the capacity of the web server. When the determination control unit determines that the packet was transmitted from a legitimate user IP, a packet transmission unit (230) transmits the packet to the web server under the control of the determination control unit.
Abstract:
PURPOSE: A method for identifying distribution sites of an ActiveX control, a method for detecting its security vulnerabilities, and an immunization method are provided to recognize the distribution of an ActiveX control. CONSTITUTION: A URL to be checked is obtained by performing a search engine query in a distribution site identification server (S202, S203). The URL to be checked is accessed by running a web browser (S204, S205). It is determined whether an ActiveX control is used in the accessed detection target (S206). Information on the corresponding ActiveX control is collected and recorded in the distribution status DB (S208).
Abstract:
PURPOSE: An abnormal-action interception device for application programs and a method thereof are provided to detect and intercept abnormal actions based on an action profile, thereby reducing the false-positive rate of abnormal-action detection. CONSTITUTION: An action monitor (311) detects the actions of running application programs (320). An abnormal action detector (312) decides whether the detected actions of the application programs are abnormal. If so, an abnormal action interceptor (313) intercepts execution of those actions of the application programs. An action profile extractor (317) generates an action profile by simulating the application programs under analysis or their source files.