-
Publication (announcement) No.: KR100862194B1
Publication (announcement) date: 2008-10-09
Application No.: KR1020070034102
Application date: 2007-04-06
Applicant: 한국전자통신연구원 (Electronics and Telecommunications Research Institute, ETRI)
Abstract: A device and a method for sharing infringement accident (intrusion incident) information, and a network security system including the same, are provided, enabling the domains in the network security system to share information on infringement accidents occurring within it using a standardized Internet format and transfer protocol. A controller (111), which comprises a reporting unit (111-1), a report analyzing unit (111-2), a tracking request unit (111-3) and a tracking execution unit (111-4), controls the operation of the security management device by detecting an infringement accident occurring in the managed domains and generating infringement accident information that includes the trust level of the managed domain, the seriousness level of the accident and the priority of management actions, or by analyzing infringement accident information received from external domains. A message converter (112) generates a message by encoding the infringement accident information, and extracts infringement accident information by decoding messages received from external domains, based on the IODEF (Incident Object Description Exchange Format)/RID (Real-time Inter-network Defense) data format. A message transceiver (113) exchanges these messages with the external domains over SOAP (Simple Object Access Protocol)/HTTPS (HTTP over Secure Sockets Layer).
-
Publication (announcement) No.: KR1020080040921A
Publication (announcement) date: 2008-05-09
Application No.: KR1020060108893
Application date: 2006-11-06
Applicant: 한국전자통신연구원 (Electronics and Telecommunications Research Institute, ETRI)
Abstract: A method and an apparatus for managing security in a large network environment are provided to detect the attack pattern of a network by classifying traffic information according to flows that share the same characteristics, and to recognize an attack situation by analyzing the resulting statistical information. The security management apparatus is made up of a traffic receiver (110), a traffic classifier (120), a traffic analyzer (130) and an external interface (140). The traffic receiver collects traffic information (NetFlow) in real time from all routers scattered across the large network. The traffic classifier comprises a multi-hash table with a stratified structure, classifies the traffic information into flow groups and stores it as traffic statistics information. The traffic analyzer receives the traffic statistics information, detects flows that show abnormal indications, and recognizes the attack situation. The external interface reports the current security situation externally according to the recognized attack situation.
-
Publication (announcement) No.: KR101948622B1
Publication (announcement) date: 2019-02-15
Application No.: KR1020160016959
Application date: 2016-02-15
Applicant: 한국전자통신연구원 (Electronics and Telecommunications Research Institute, ETRI)
IPC: H04L12/26, H04L12/891, H04L12/841, H04L12/801
-
Publication (announcement) No.: KR1020170108330A
Publication (announcement) date: 2017-09-27
Application No.: KR1020160032041
Application date: 2016-03-17
Applicant: 한국전자통신연구원 (Electronics and Telecommunications Research Institute, ETRI)
CPC classification number: G06F21/566, G06N5/022
Abstract: The present invention relates to a malicious code detection apparatus and method. The apparatus according to the present invention comprises: a behavior pattern generation unit that defines characteristic factors by which the behavior of malicious code can be distinguished from that of normally executing programs, converts, among the API call events invoked by processes created by executing previously collected malicious code, those API call events corresponding to the defined characteristic factors into API call sequences, generates behavior patterns according to the behavioral similarity of the converted API call sequences, and stores them in a behavior pattern DB; and a malicious code detection unit that, when a target process is executed, converts, among the API call events invoked by the target process, those corresponding to the defined characteristic factors into an API call sequence, and determines whether the target process is malicious code according to the behavioral similarity between the converted API call sequence and the sequences stored in the behavior pattern DB.
-
Publication (announcement) No.: KR1020170095503A
Publication (announcement) date: 2017-08-23
Application No.: KR1020160016959
Application date: 2016-02-15
Applicant: 한국전자통신연구원 (Electronics and Telecommunications Research Institute, ETRI)
IPC: H04L12/26, H04L12/891, H04L12/841, H04L12/801
CPC classification number: H04L67/06, H04L43/026, H04L47/2483, H04L49/9057
Abstract: The present invention relates to a high-performance real-time transmitted-file reconstruction apparatus and method that first checks in hardware whether file-related information is present in packets carried as high-volume traffic over a broadband network, selects on that basis the packets to be analyzed for reconstruction, and performs real-time file reconstruction only on the selected packets.
-
Publication (announcement) No.: KR1020160087187A
Publication (announcement) date: 2016-07-21
Application No.: KR1020150006016
Application date: 2015-01-13
Applicant: 한국전자통신연구원 (Electronics and Telecommunications Research Institute, ETRI)
Inventor: 김종현
IPC: H04L29/06
CPC classification number: H04L63/1416, H04L63/1425, H04L2463/146, H04L63/1408, H04L63/145
Abstract: A cyber black box system is disclosed. The system comprises a data collection unit that collects full packet data, flow data and PE (Portable Executable) files from monitored network traffic, and a server that analyzes the cause of a cyber intrusion incident and reproduces the incident based on the collected full packet data, flow data and PE files. The present invention thereby provides a cyber black box system and method that can quickly analyze the cause of a security incident and collect evidence data for it.
-
Publication (announcement) No.: KR1020130132261A
Publication (announcement) date: 2013-12-04
Application No.: KR1020130022675
Application date: 2013-03-04
Applicant: 한국전자통신연구원 (Electronics and Telecommunications Research Institute, ETRI)
Abstract: The present invention relates to a method and an apparatus for quantifying threat conditions in order to recognize a network threat in advance. The disclosed threat condition quantification method comprises: a step of extracting a doubt (suspicious) domain by analyzing the packet pattern of DNS traffic generated in the monitored target network; a step of assigning one of predetermined security levels according to the result of identifying the access IPs that connect to the doubt domain; a step of calculating an activation index according to the monitoring result for the doubt domain; and a step of inferring the predicted attack amount for each doubt domain from the predicted attack amount and the security level of each zombie computer. The present invention therefore recognizes the network threat condition in advance, prevents attacks based on the doubt domain and predicted attack amount information, and generates an alarm for preventing the threat condition. [Reference numerals] (AA) START; (BB) END; (S201) Traffic packet pattern analysis; (S203) Doubt domain extraction; (S205) Access IP identification; (S207) Security level assignment; (S209) Access IP monitoring; (S211) Activation index calculation; (S213) Minimum predicted attack amount calculation; (S215) Maximum predicted attack amount calculation; (S217) Estimating the predicted attack amount for each doubt domain
-
Publication (announcement) No.: KR1020120046891A
Publication (announcement) date: 2012-05-11
Application No.: KR1020100107238
Application date: 2010-10-29
Applicant: 한국전자통신연구원 (Electronics and Telecommunications Research Institute, ETRI)
IPC: H04L12/22
CPC classification number: H04L63/0263, H04L63/1408
Abstract: PURPOSE: A security information sharing apparatus between network domains, and a method thereof, are provided to prevent the network overload caused by transmitting and receiving large volumes of shared information, by controlling the amount of information and limiting it to the information actually wanted. CONSTITUTION: A domain selecting unit (240) selects the other network domain that is to receive the shared security information. A shared security information creation unit (250) creates the shared security information for the selected network domain. An information masking unit (260) masks the shared security information according to an information masking policy. A protocol message creation unit (270) creates a protocol message carrying it for transmission to the selected network domain.
-