-
Publication number: KR1020090125552A
Publication date: 2009-12-07
Application number: KR1020080051716
Application date: 2008-06-02
Applicant: 한국전자통신연구원 (Electronics and Telecommunications Research Institute)
CPC classification number: G06K9/00
Abstract: PURPOSE: A digital forensic apparatus and method are provided that analyze a page file according to its characteristics in a Windows environment and apply a method suited to each characteristic. CONSTITUTION: A page file extracting unit (103) extracts the page file saved on the target storage medium. A stored-page characteristic extracting unit (105) extracts the characteristics of each page saved in the extracted page file. A page classifying unit (109) compares the characteristics of the extracted page with a predetermined classification reference and classifies the page according to the result of the comparison. A digital forensic executing unit (113) performs digital forensics according to the class assigned to the page.
-
Publication number: KR1020080047261A
Publication date: 2008-05-28
Application number: KR1020070100391
Application date: 2007-10-05
Applicant: 한국전자통신연구원 (Electronics and Telecommunications Research Institute)
IPC: G06F11/00
Abstract: A method and system for detecting anomalous malicious code with a process behavior prediction technique are provided. They detect anomalous malicious code by building a prediction pattern from the combinations of all behaviors generated by normal and malicious codes and their related events, and comparing that prediction pattern with the behavior pattern generated by a newly executed code. A database filtering module (200) filters known malicious codes out of the execution codes run on the system. A system resource monitoring module (3001) monitors system resources to collect the individual event information generated by the executed codes. A reprocessing module (4001) reprocesses the individual event information into a single integrated log representing the behavior property values of the execution codes. A behavior prediction information processing module (500) feeds the integrated log into a learning algorithm to extract the behavior property values of anomalous malicious behavior. An anomalous malicious behavior detecting module (700) detects malicious behavior by comparing the anomalous malicious behavior property values extracted by the behavior prediction information processing module with the behavior property value data reformed in the reprocessing module.
-
Publication number: KR100635130B1
Publication date: 2006-10-17
Application number: KR1020050061579
Application date: 2005-07-08
Applicant: 한국전자통신연구원 (Electronics and Telecommunications Research Institute)
Abstract: A system and method for detecting a kernel backdoor through Windows network monitoring are provided. They prevent illegal intrusion and information leakage caused by a kernel backdoor by transmitting information to a kernel backdoor detector in the case where the information received from a TDI (Transport Driver Interface) monitor and the information received from an NDIS (Network Driver Interface Specification) monitor are both present at the same time. The TDI monitor (310) detects network packets generated by a user process (350) and transmits the detected network packet information to the kernel backdoor detector (300). The NDIS monitor (320) detects the outgoing and incoming network packets of the network protocol layer and transmits the detected network packet information to the kernel backdoor detector. By analyzing the route of each network packet reported by the TDI and NDIS monitors, the kernel backdoor detector identifies as kernel backdoor traffic only a network packet that passes the NDIS monitor. The TDI monitor is placed between the user process layer and the network protocol layer, which contains the kernel backdoor. The NDIS monitor is placed between the network protocol layer and the miniport.
-
Publication number: KR1020040056998A
Publication date: 2004-07-01
Application number: KR1020020083749
Application date: 2002-12-24
Applicant: 한국전자통신연구원 (Electronics and Telecommunications Research Institute)
IPC: G06F15/00
Abstract: PURPOSE: A bad execution code detecting system and method are provided that calculate a risk degree through behavior analysis based on a security policy and detect bad execution code based on the calculated risk degree. CONSTITUTION: The system comprises a bad execution code management database (700), a system resource monitoring module, a security policy module (600), a bad execution code detection module (500), an update module (900), and an alarm module. The bad execution code management database (700) stores already known bad execution codes. The system resource monitoring module monitors the file system, processes, and the network. The security policy module (600) establishes a first security policy, which uses the system resource monitoring module to block, as a baseline, behavior on a specific file or directory, and a second security policy, which calculates a risk degree for each process and senses bad behavior. The bad execution code detection module (500) performs the first bad execution code detection via the database (700) and the second bad execution code detection via the security policy module (600). The update module (900) transmits new bad execution code data and important security policy data to the detection module (500) and the database (700).
-